From 7d44bc5e22b479aab9a365128f73246f2c864a99 Mon Sep 17 00:00:00 2001 From: AWS CDK Team Date: Thu, 9 Jan 2025 19:52:08 +0000 Subject: [PATCH 01/17] chore(release): 2.175.0 --- CHANGELOG.v2.alpha.md | 13 ++++++ CHANGELOG.v2.md | 21 ++++++++++ packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md | 40 +++++++++---------- packages/aws-cdk-lib/cx-api/lib/features.ts | 4 +- .../recommended-feature-flags.json | 2 + version.v2.json | 4 +- 6 files changed, 60 insertions(+), 24 deletions(-) diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md index e24b1d917785b..5e43526fa0cf1 100644 --- a/CHANGELOG.v2.alpha.md +++ b/CHANGELOG.v2.alpha.md @@ -2,6 +2,19 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.175.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.174.1-alpha.0...v2.175.0-alpha.0) (2025-01-09) + + +### Features + +* **s3objectlambda:** open s3 access point arn ([#32661](https://github.com/aws/aws-cdk/issues/32661)) ([0486b9c](https://github.com/aws/aws-cdk/commit/0486b9c5e2b4286499a9d3f87a0db7c95741fb6b)), closes [#31950](https://github.com/aws/aws-cdk/issues/31950) + + +### Bug Fixes + +* **apprunner:** the Service class does not implement IService ([#32771](https://github.com/aws/aws-cdk/issues/32771)) ([3d56efa](https://github.com/aws/aws-cdk/commit/3d56efa20ef92761ed22f12e4f651856b6889be3)), closes [#32745](https://github.com/aws/aws-cdk/issues/32745) +* **integ-runner:** `ENOENT` no such file or directory 'recommended-feature-flags.json' ([#32750](https://github.com/aws/aws-cdk/issues/32750)) ([f809b94](https://github.com/aws/aws-cdk/commit/f809b94d9952b8203221e73e177d2615c21248a8)) + ## [2.174.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.174.0-alpha.0...v2.174.1-alpha.0) (2025-01-07) ## [2.174.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.173.4-alpha.0...v2.174.0-alpha.0) (2025-01-04) 
diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md
index 4e92b63270aee..606096c14a563 100644
--- a/CHANGELOG.v2.md
+++ b/CHANGELOG.v2.md
@@ -2,6 +2,27 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.175.0](https://github.com/aws/aws-cdk/compare/v2.174.1...v2.175.0) (2025-01-09) + + +### Features + +* **ecs:** enable fault injection flag ([#32598](https://github.com/aws/aws-cdk/issues/32598)) ([ed366ce](https://github.com/aws/aws-cdk/commit/ed366ce812a94066de04e9862d6cbd1083bf5d9c)) +* **ecs:** warning when creating a service with the default minHealthyPercent ([#31738](https://github.com/aws/aws-cdk/issues/31738)) ([3606deb](https://github.com/aws/aws-cdk/commit/3606deb5b519365d846e6e66406c835889827055)), closes [#31705](https://github.com/aws/aws-cdk/issues/31705) +* update L1 CloudFormation resource definitions ([#32768](https://github.com/aws/aws-cdk/issues/32768)) ([107eed3](https://github.com/aws/aws-cdk/commit/107eed3b50e86246da03d6b59197452e2af0bfaf)) +* **cli:** warn of non-existent stacks in `cdk destroy` ([#32636](https://github.com/aws/aws-cdk/issues/32636)) ([c199378](https://github.com/aws/aws-cdk/commit/c199378667cb63ffe8636dda6b6316dcc6eb47e9)), closes [#32545](https://github.com/aws/aws-cdk/issues/32545) [#27179](https://github.com/aws/aws-cdk/issues/27179) [40aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts#L190](https://github.com/40aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts/issues/L190) [aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts#L286-L291](https://github.com/aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts/issues/L286-L291) +* **eks:** update nodegroup gpu check ([#32715](https://github.com/aws/aws-cdk/issues/32715)) ([693afea](https://github.com/aws/aws-cdk/commit/693afea86310fd444d237b9f70204fbf4bb5a68d)), closes [#31347](https://github.com/aws/aws-cdk/issues/31347) +* update L1 CloudFormation resource definitions ([#32755](https://github.com/aws/aws-cdk/issues/32755)) 
([8f97112](https://github.com/aws/aws-cdk/commit/8f97112c89c6b39e299b0cd437336bab11cfdaf8)) +* **kms:** add sign and verify related grant methods ([#32681](https://github.com/aws/aws-cdk/issues/32681)) ([86d2853](https://github.com/aws/aws-cdk/commit/86d2853a9a919669694a2448805a092839a7f4db)), closes [#23185](https://github.com/aws/aws-cdk/issues/23185) + + +### Bug Fixes + +* **cli:** cannot set environment variable `CI=false` ([#32749](https://github.com/aws/aws-cdk/issues/32749)) ([26b361d](https://github.com/aws/aws-cdk/commit/26b361de357a3b83c59dc4931d4797328d220534)) +* **cli:** requiresRefresh function does not respect null ([#32666](https://github.com/aws/aws-cdk/issues/32666)) ([2abc23c](https://github.com/aws/aws-cdk/commit/2abc23c4cfdf27e8623fea3d3fbb71ad7e25dbbe)), closes [#32653](https://github.com/aws/aws-cdk/issues/32653) [/github.com/smithy-lang/smithy-typescript/blob/main/packages/property-provider/src/memoize.ts#L27](https://github.com/aws//github.com/smithy-lang/smithy-typescript/blob/main/packages/property-provider/src/memoize.ts/issues/L27) +* **cloudwatch:** render region and accountId when directly set on metrics ([#32325](https://github.com/aws/aws-cdk/issues/32325)) ([c393481](https://github.com/aws/aws-cdk/commit/c3934817ea15bb3187f67112a1d56c13aa555524)), closes [#28731](https://github.com/aws/aws-cdk/issues/28731) +* **ecs:** outdated linux commands for `canContainersAccessInstanceRole=false` and also deprecate property ([#32763](https://github.com/aws/aws-cdk/issues/32763)) ([bbdd42c](https://github.com/aws/aws-cdk/commit/bbdd42c8f45916d5c6945f3429916f6199d2ec66)), closes [#28518](https://github.com/aws/aws-cdk/issues/28518) + ## [2.174.1](https://github.com/aws/aws-cdk/compare/v2.174.0...v2.174.1) (2025-01-07) diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md index de5aece1f4e59..d278d6b3064ac 100644 --- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md 
+++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md 
@@ -84,8 +84,8 @@ Flags come in three types: | [@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault](#aws-cdkaws-ec2bastionhostuseamazonlinux2023bydefault) | When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2. | 2.172.0 | (default) | | [@aws-cdk/core:aspectStabilization](#aws-cdkcoreaspectstabilization) | When enabled, a stabilization loop will be run when invoking Aspects during synthesis. | 2.172.0 | (config) | | [@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource](#aws-cdkaws-route53-targetsuserpooldomainnamemethodwithoutcustomresource) | When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource. | 2.174.0 | (fix) | -| [@aws-cdk/aws-ecs:disableEcsImdsBlocking](#aws-cdkaws-ecsdisableecsimdsblocking) | When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)** | V2NEXT | (temporary) | -| [@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature](#aws-cdkaws-ecsenableimdsblockingdeprecatedfeature) | When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)** | V2NEXT | (temporary) | +| [@aws-cdk/aws-ecs:disableEcsImdsBlocking](#aws-cdkaws-ecsdisableecsimdsblocking) | When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)** | 2.175.0 | (temporary) | +| [@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature](#aws-cdkaws-ecsenableimdsblockingdeprecatedfeature) | When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. 
**Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)** | 2.175.0 | (temporary) | @@ -1573,6 +1573,22 @@ When this feature flag is enabled, a stabilization loop is run to recurse the co | 2.172.0 | `true` | `true` | +### @aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource + +*When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource.* (fix) + +When this feature flag is enabled, a new method will be used to get the DNS Name of the user pool domain target. The old method +creates a custom resource internally, but the new method doesn't need a custom resource. + +If the flag is set to false then a custom resource will be created when using `UserPoolDomainTarget`. + + +| Since | Default | Recommended | +| ----- | ----- | ----- | +| (not in v1) | | | +| 2.174.0 | `false` | `true` | + + ### @aws-cdk/aws-ecs:disableEcsImdsBlocking *When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)*** (temporary) @@ -1588,7 +1604,7 @@ It is recommended to follow ECS documentation to block IMDS for your specific pl | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | -| V2NEXT | `false` | `true` | +| 2.175.0 | `false` | `true` | **Compatibility with old behavior:** It is strongly recommended to set this flag to true. However, if necessary, set this flag to false to continue using the old implementation. 
@@ -1607,25 +1623,9 @@ It is recommended to follow ECS documentation to block IMDS for your specific pl | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | -| V2NEXT | `false` | `false` | +| 2.175.0 | `false` | `false` | **Compatibility with old behavior:** Set this flag to false in order to continue using old and outdated commands. However, it is **not** recommended. -### @aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource - -*When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource.* (fix) - -When this feature flag is enabled, a new method will be used to get the DNS Name of the user pool domain target. The old method -creates a custom resource internally, but the new method doesn't need a custom resource. - -If the flag is set to false then a custom resource will be created when using `UserPoolDomainTarget`. - - -| Since | Default | Recommended | -| ----- | ----- | ----- | -| (not in v1) | | | -| 2.174.0 | `false` | `true` | - - diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index 2117c431e66c8..98189fd5a3965 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts @@ -1153,7 +1153,7 @@ export const FLAGS: Record = { guarantee the correct execution of the feature in all platforms. See [Github discussion](https://github.com/aws/aws-cdk/discussions/32609) for more information. It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration. `, - introducedIn: { v2: 'V2NEXT' }, + introducedIn: { v2: '2.175.0' }, recommendedValue: false, compatibilityWithOldBehaviorMd: 'Set this flag to false in order to continue using old and outdated commands. ' + 'However, it is **not** recommended.', 
@@ -1172,7 +1172,7 @@ export const FLAGS: Record = { It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration. `, - introducedIn: { v2: 'V2NEXT' }, + introducedIn: { v2: '2.175.0' }, recommendedValue: true, compatibilityWithOldBehaviorMd: 'It is strongly recommended to set this flag to true. However, if necessary, set ' + 'this flag to false to continue using the old implementation.', diff --git a/packages/aws-cdk-lib/recommended-feature-flags.json b/packages/aws-cdk-lib/recommended-feature-flags.json index 30a08f65a928c..71285e804b547 100644 --- a/packages/aws-cdk-lib/recommended-feature-flags.json +++ b/packages/aws-cdk-lib/recommended-feature-flags.json @@ -50,6 +50,8 @@ "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true, "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false, "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false, + "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": false, + "@aws-cdk/aws-ecs:disableEcsImdsBlocking": true, "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": true, "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": true, "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": true, diff --git a/version.v2.json b/version.v2.json index f370a12f2e0cc..59ce09bc5156d 100644 --- a/version.v2.json +++ b/version.v2.json @@ -1,4 +1,4 @@ { - "version": "2.174.1", - "alphaVersion": "2.174.1-alpha.0" + "version": "2.175.0", + "alphaVersion": "2.175.0-alpha.0" } \ No newline at end of file From d6013a7bb0ce52bc8b85d4403cd1dfe337a7224a Mon Sep 17 00:00:00 2001 
From: Kaizen Conroy <36202692+kaizencc@users.noreply.github.com> Date: Thu, 9 Jan 2025 17:04:34 -0500 Subject: [PATCH 02/17] chore(cli): aliased commands can be converted to cli args (#32806) This PR does not currently change CLI functionality. The function `convertToCliArgs` is not used in the CLI yet which is why this PR is not fixing a regression. It will eventually be used to strongly-type cli arguments. Previously, aliased commands, like `cdk ack` instead of `cdk acknowledge` would fall through the cracks of the generated convert function. The switch statement was only switching on command names so we would not store any options associated with an aliased command. Specifically, `cdk synth --exclusively` would _not_ store the `exclusively` flag in the ensuing `CliArguments` object because `synth` is an alias. Now we do. This is an additional step forward to being able to use `CliArguments` in `cli.ts` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/aws-cdk/lib/convert-to-cli-args.ts | 4 ++++ packages/aws-cdk/lib/settings.ts | 2 ++ tools/@aws-cdk/cli-args-gen/lib/cli-args-function-gen.ts | 9 ++++++++- .../cli-args-gen/test/cli-args-function-gen.test.ts | 2 ++ 4 files changed, 16 insertions(+), 1 deletion(-) diff --git a/packages/aws-cdk/lib/convert-to-cli-args.ts b/packages/aws-cdk/lib/convert-to-cli-args.ts index 3fc1b9a2bc541..dd11a124f9a3e 100644 --- a/packages/aws-cdk/lib/convert-to-cli-args.ts +++ b/packages/aws-cdk/lib/convert-to-cli-args.ts @@ -38,6 +38,7 @@ export function convertToCliArgs(args: any): CliArguments { let commandOptions; switch (args._[0] as Command) { case 'list': + case 'ls': commandOptions = { long: args.long, showDependencies: args.showDependencies, @@ -46,6 +47,7 @@ export function convertToCliArgs(args: any): CliArguments { break; case 'synthesize': + case 'synth': commandOptions = { exclusively: args.exclusively, validation: args.validation, 
@@ -193,6 +195,7 @@ export function convertToCliArgs(args: any): CliArguments { break; case 'acknowledge': + case 'ack': commandOptions = { ID: args.ID, }; @@ -237,6 +240,7 @@ export function convertToCliArgs(args: any): CliArguments { break; case 'docs': + case 'doc': commandOptions = { browser: args.browser, }; diff --git a/packages/aws-cdk/lib/settings.ts b/packages/aws-cdk/lib/settings.ts index c29ae2045c0ac..9c6e680e6c8d8 100644 --- a/packages/aws-cdk/lib/settings.ts +++ b/packages/aws-cdk/lib/settings.ts @@ -36,10 +36,12 @@ export enum Command { ROLLBACK = 'rollback', IMPORT = 'import', ACKNOWLEDGE = 'acknowledge', + ACK = 'ack', NOTICES = 'notices', MIGRATE = 'migrate', CONTEXT = 'context', DOCS = 'docs', + DOC = 'doc', DOCTOR = 'doctor', } diff --git a/tools/@aws-cdk/cli-args-gen/lib/cli-args-function-gen.ts b/tools/@aws-cdk/cli-args-gen/lib/cli-args-function-gen.ts index cb7e6a6dd22d4..9cb34988da8ea 100644 --- a/tools/@aws-cdk/cli-args-gen/lib/cli-args-function-gen.ts +++ b/tools/@aws-cdk/cli-args-gen/lib/cli-args-function-gen.ts @@ -64,7 +64,9 @@ function buildCommandSwitch(config: CliConfig): string { const commandSwitchExprs = ['let commandOptions;', 'switch (args._[0] as Command) {']; for (const commandName of Object.keys(config.commands)) { commandSwitchExprs.push( - `case '${commandName}':`, + // All aliases of the command should map to the same switch branch + // This ensures that we store options of the command regardless of what alias is specified + ...buildAliases(commandName, config.commands[commandName].aliases), 'commandOptions = {', ...buildCommandOptions(config.commands[commandName]), ...(config.commands[commandName].arg ? [buildPositionalArguments(config.commands[commandName].arg)] : []), 
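Review bot: The alias labels added in `buildCommandSwitch` make the branch run for `synth`, `ls`, `ack` and `doc`, but nothing in this commit checks under which key the options end up. The test expectations elsewhere in this series (`_: 'deploy'` next to a `deploy:` section) suggest the result is keyed by `args._[0]`, which is built outside this hunk; if so, `cdk synth --exclusively` stores its options under `synth`, and code reading `cliArguments.synthesize` still finds nothing. Consider keying by the canonical command name, or at least add a test that parses an aliased invocation and asserts the section, e.g. `expect(result.synthesize).toEqual(expect.objectContaining({ exclusively: true }))`. The function starts before and ends after the hunk.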
@@ -76,6 +78,11 @@ function buildCommandSwitch(config: CliConfig): string { return commandSwitchExprs.join('\n'); } +function buildAliases(commandName: string, aliases: string[] = []): string[] { + const cases = [commandName, ...aliases]; + return cases.map((c) => `case '${c}':`); +} + function buildCommandOptions(options: CliAction): string[] { const commandOptions: string[] = []; for (const optionName of Object.keys(options.options ?? {})) { diff --git a/tools/@aws-cdk/cli-args-gen/test/cli-args-function-gen.test.ts b/tools/@aws-cdk/cli-args-gen/test/cli-args-function-gen.test.ts index 24b92c7fe291e..0660f7df34468 100644 --- a/tools/@aws-cdk/cli-args-gen/test/cli-args-function-gen.test.ts +++ b/tools/@aws-cdk/cli-args-gen/test/cli-args-function-gen.test.ts @@ -31,6 +31,7 @@ describe('render', () => { variadic: true, }, description: 'Deploy a stack', + aliases: ['d'], options: { all: { type: 'boolean', @@ -62,6 +63,7 @@ describe('render', () => { let commandOptions; switch (args._[0] as Command) { case 'deploy': + case 'd': commandOptions = { all: args.all, STACKS: args.STACKS, From b670ba88eedd98a3e6e78eca1e7dc46c83aefa51 Mon Sep 17 00:00:00 2001 
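Review bot: `buildAliases` emits one `case` label per name but nothing checks that an alias is unique, so an alias that repeats its own command name or collides with another command would produce duplicate labels in the generated switch and the first branch would win silently. The names are also interpolated as-is into a single-quoted literal, `case '${c}':`; `case ${JSON.stringify(c)}:` would keep the generated file valid for any string in the config (the Prettier pass imported in this file presumably normalises the quotes, to be confirmed). A one-line comment such as `// Renders the case label for a command and for each of its aliases` would document the helper. A duplicate check belongs where all commands are visible, in `buildCommandSwitch`, whose body is only partly shown.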
From: Kaizen Conroy <36202692+kaizencc@users.noreply.github.com> Date: Thu, 9 Jan 2025 18:14:43 -0500 Subject: [PATCH 03/17] chore(cli): generate conversion from cdk.json to cli arguments (#32803) This PR does not change the functionality of the CLI (yet) It does however articulate a schema for what `cdk.json` should look like in the future. I'm aware that we honor a slightly different set of rules in `cdk.json` that _is not documented anywhere_, and we will have to honor those rules ad-hoc. However, this will hopefully move us towards a strongly-typed future where `cdk.json` contents mirror CLI argument options. - global options are specified at the base level of `cdk.json` - command specific options will be prefixed by their command name. NOTE: some options are honored at the base level today. I will have to, in a separate PR, find each of these instances and take care of them but ensuring we still map them to the correct place in `CliArguments`. ```json { "app": "npx ts-node -P tsconfig.json --prefer-ts-exts src/main.ts", "output": "cdk.out", "build": "npx projen bundle", "watch": { "exclude": [ "README.md", "cdk*.json", "**/*.d.ts", "**/*.js", "tsconfig.json", "package*.json", "yarn.lock", "node_modules" ] } ``` This will turn into the following `CliArgument` object: ```ts { globalOptions: { app: 'npx ts-node -P tsconfig.json --prefer-ts-exts src/main.ts', output: 'cdk.out', build: 'npx projen bundle', watch: { exclude: [ "README.md", "cdk*.json", "**/*.d.ts", "**/*.js", "tsconfig.json", "package*.json", "yarn.lock", "node_modules", ], }, }; ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --------- Co-authored-by: Momo Kornher --- packages/aws-cdk/lib/cli-arguments.ts | 2 +- packages/aws-cdk/lib/convert-to-cli-args.ts | 196 ++++++++++++++++- packages/aws-cdk/test/cli-arguments.test.ts | 208 +++++++++++------- .../cli-args-gen/lib/cli-args-function-gen.ts | 90 ++++++-- 
.../@aws-cdk/cli-args-gen/lib/cli-args-gen.ts | 1 + .../test/cli-args-function-gen.test.ts | 21 +- .../cli-args-gen/test/cli-args-gen.test.ts | 6 +- 7 files changed, 420 insertions(+), 104 deletions(-) diff --git a/packages/aws-cdk/lib/cli-arguments.ts b/packages/aws-cdk/lib/cli-arguments.ts index 665f81b2ce9d1..f67451c73176a 100644 --- a/packages/aws-cdk/lib/cli-arguments.ts +++ b/packages/aws-cdk/lib/cli-arguments.ts @@ -14,7 +14,7 @@ export interface CliArguments { /** * The CLI command name */ - readonly _: Command; + readonly _?: Command; /** * Global options available to all CLI commands diff --git a/packages/aws-cdk/lib/convert-to-cli-args.ts b/packages/aws-cdk/lib/convert-to-cli-args.ts index dd11a124f9a3e..9b742c8b0f303 100644 --- a/packages/aws-cdk/lib/convert-to-cli-args.ts +++ b/packages/aws-cdk/lib/convert-to-cli-args.ts @@ -7,7 +7,7 @@ import { CliArguments, GlobalOptions } from './cli-arguments'; import { Command } from './settings'; // @ts-ignore TS6133 -export function convertToCliArgs(args: any): CliArguments { +export function convertYargsToCliArgs(args: any): CliArguments { const globalOptions: GlobalOptions = { app: args.app, build: args.build, 
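Review bot: The doc comment on `_` still reads `The CLI command name` although this hunk makes the property optional, so a reader cannot tell when it is missing. Going by the generated `convertConfigToCliArgs` in this same commit, which builds a `CliArguments` without `_`, the comment could say `The CLI command name; not set when the arguments come from cdk.json`. Code that uses `_` to pick the command section now has to handle `undefined`. The `CliArguments` interface continues outside the hunk.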
@@ -258,3 +258,197 @@ export function convertToCliArgs(args: any): CliArguments { return cliArguments; } + +// @ts-ignore TS6133 +export function convertConfigToCliArgs(config: any): CliArguments { + const globalOptions: GlobalOptions = { + app: config.app, + build: config.build, + context: config.context, + plugin: config.plugin, + trace: config.trace, + strict: config.strict, + lookups: config.lookups, + ignoreErrors: config.ignoreErrors, + json: config.json, + verbose: config.verbose, + debug: config.debug, + profile: config.profile, + proxy: config.proxy, + caBundlePath: config.caBundlePath, + ec2creds: config.ec2creds, + versionReporting: config.versionReporting, + pathMetadata: config.pathMetadata, + assetMetadata: config.assetMetadata, + roleArn: config.roleArn, + staging: config.staging, + output: config.output, + notices: config.notices, + noColor: config.noColor, + ci: config.ci, + unstable: config.unstable, + }; + const listOptions = { + long: config.list?.long, + showDependencies: config.list?.showDependencies, + }; + const synthesizeOptions = { + exclusively: config.synthesize?.exclusively, + validation: config.synthesize?.validation, + quiet: config.synthesize?.quiet, + }; + const bootstrapOptions = { + bootstrapBucketName: config.bootstrap?.bootstrapBucketName, + bootstrapKmsKeyId: config.bootstrap?.bootstrapKmsKeyId, + examplePermissionsBoundary: config.bootstrap?.examplePermissionsBoundary, + customPermissionsBoundary: config.bootstrap?.customPermissionsBoundary, + bootstrapCustomerKey: config.bootstrap?.bootstrapCustomerKey, + qualifier: config.bootstrap?.qualifier, + publicAccessBlockConfiguration: config.bootstrap?.publicAccessBlockConfiguration, + tags: config.bootstrap?.tags, + execute: config.bootstrap?.execute, + trust: config.bootstrap?.trust, + trustForLookup: config.bootstrap?.trustForLookup, + cloudformationExecutionPolicies: config.bootstrap?.cloudformationExecutionPolicies, + force: config.bootstrap?.force, + terminationProtection: 
config.bootstrap?.terminationProtection, + showTemplate: config.bootstrap?.showTemplate, + toolkitStackName: config.bootstrap?.toolkitStackName, + template: config.bootstrap?.template, + previousParameters: config.bootstrap?.previousParameters, + }; + const gcOptions = { + action: config.gc?.action, + type: config.gc?.type, + rollbackBufferDays: config.gc?.rollbackBufferDays, + createdBufferDays: config.gc?.createdBufferDays, + confirm: config.gc?.confirm, + bootstrapStackName: config.gc?.bootstrapStackName, + }; + const deployOptions = { + all: config.deploy?.all, + buildExclude: config.deploy?.buildExclude, + exclusively: config.deploy?.exclusively, + requireApproval: config.deploy?.requireApproval, + notificationArns: config.deploy?.notificationArns, + tags: config.deploy?.tags, + execute: config.deploy?.execute, + changeSetName: config.deploy?.changeSetName, + method: config.deploy?.method, + importExistingResources: config.deploy?.importExistingResources, + force: config.deploy?.force, + parameters: config.deploy?.parameters, + outputsFile: config.deploy?.outputsFile, + previousParameters: config.deploy?.previousParameters, + toolkitStackName: config.deploy?.toolkitStackName, + progress: config.deploy?.progress, + rollback: config.deploy?.rollback, + hotswap: config.deploy?.hotswap, + hotswapFallback: config.deploy?.hotswapFallback, + watch: config.deploy?.watch, + logs: config.deploy?.logs, + concurrency: config.deploy?.concurrency, + assetParallelism: config.deploy?.assetParallelism, + assetPrebuild: config.deploy?.assetPrebuild, + ignoreNoStacks: config.deploy?.ignoreNoStacks, + }; + const rollbackOptions = { + all: config.rollback?.all, + toolkitStackName: config.rollback?.toolkitStackName, + force: config.rollback?.force, + validateBootstrapVersion: config.rollback?.validateBootstrapVersion, + orphan: config.rollback?.orphan, + }; + const importOptions = { + execute: config.import?.execute, + changeSetName: config.import?.changeSetName, + 
toolkitStackName: config.import?.toolkitStackName, + rollback: config.import?.rollback, + force: config.import?.force, + recordResourceMapping: config.import?.recordResourceMapping, + resourceMapping: config.import?.resourceMapping, + }; + const watchOptions = { + buildExclude: config.watch?.buildExclude, + exclusively: config.watch?.exclusively, + changeSetName: config.watch?.changeSetName, + force: config.watch?.force, + toolkitStackName: config.watch?.toolkitStackName, + progress: config.watch?.progress, + rollback: config.watch?.rollback, + hotswap: config.watch?.hotswap, + hotswapFallback: config.watch?.hotswapFallback, + logs: config.watch?.logs, + concurrency: config.watch?.concurrency, + }; + const destroyOptions = { + all: config.destroy?.all, + exclusively: config.destroy?.exclusively, + force: config.destroy?.force, + }; + const diffOptions = { + exclusively: config.diff?.exclusively, + contextLines: config.diff?.contextLines, + template: config.diff?.template, + strict: config.diff?.strict, + securityOnly: config.diff?.securityOnly, + fail: config.diff?.fail, + processed: config.diff?.processed, + quiet: config.diff?.quiet, + changeSet: config.diff?.changeSet, + }; + const metadataOptions = {}; + const acknowledgeOptions = {}; + const noticesOptions = { + unacknowledged: config.notices?.unacknowledged, + }; + const initOptions = { + language: config.init?.language, + list: config.init?.list, + generateOnly: config.init?.generateOnly, + }; + const migrateOptions = { + stackName: config.migrate?.stackName, + language: config.migrate?.language, + account: config.migrate?.account, + region: config.migrate?.region, + fromPath: config.migrate?.fromPath, + fromStack: config.migrate?.fromStack, + outputPath: config.migrate?.outputPath, + fromScan: config.migrate?.fromScan, + filter: config.migrate?.filter, + compress: config.migrate?.compress, + }; + const contextOptions = { + reset: config.context?.reset, + force: config.context?.force, + clear: 
config.context?.clear, + }; + const docsOptions = { + browser: config.docs?.browser, + }; + const doctorOptions = {}; + const cliArguments: CliArguments = { + globalOptions, + list: listOptions, + synthesize: synthesizeOptions, + bootstrap: bootstrapOptions, + gc: gcOptions, + deploy: deployOptions, + rollback: rollbackOptions, + import: importOptions, + watch: watchOptions, + destroy: destroyOptions, + diff: diffOptions, + metadata: metadataOptions, + acknowledge: acknowledgeOptions, + notices: noticesOptions, + init: initOptions, + migrate: migrateOptions, + context: contextOptions, + docs: docsOptions, + doctor: doctorOptions, + }; + + return cliArguments; +} diff --git a/packages/aws-cdk/test/cli-arguments.test.ts b/packages/aws-cdk/test/cli-arguments.test.ts index 3024bfaae524a..ddcf9d02b6fb3 100644 --- a/packages/aws-cdk/test/cli-arguments.test.ts +++ b/packages/aws-cdk/test/cli-arguments.test.ts 
@@ -1,95 +1,143 @@ -import { convertToCliArgs } from '../lib/convert-to-cli-args'; +import { convertConfigToCliArgs, convertYargsToCliArgs } from '../lib/convert-to-cli-args'; import { parseCommandLineArguments } from '../lib/parse-command-line-arguments'; -test('yargs object can be converted to cli arguments', async () => { - const input = await parseCommandLineArguments(['deploy', '-R', '-v', '--ci']); +describe('yargs', () => { + test('yargs object can be converted to cli arguments', async () => { + const input = await parseCommandLineArguments(['deploy', '-R', '-v', '--ci']); - const result = convertToCliArgs(input); + const result = convertYargsToCliArgs(input); - expect(result).toEqual({ - _: 'deploy', - globalOptions: { - app: undefined, - assetMetadata: undefined, - build: undefined, - caBundlePath: undefined, - context: [], - ignoreErrors: false, - noColor: false, - pathMetadata: undefined, - plugin: [], - profile: undefined, - proxy: undefined, - roleArn: undefined, - staging: true, - strict: undefined, - verbose: 1, - versionReporting: undefined, - ci: true, - debug: false, - ec2creds: undefined, - json: false, - lookups: true, - trace: undefined, - unstable: [], - notices: undefined, - output: undefined, - }, - deploy: { - STACKS: undefined, - all: false, - assetParallelism: undefined, - assetPrebuild: true, - buildExclude: [], - changeSetName: undefined, - concurrency: 1, - execute: undefined, - exclusively: undefined, - force: false, - hotswap: undefined, - hotswapFallback: undefined, - ignoreNoStacks: false, - importExistingResources: false, - logs: true, - method: undefined, - notificationArns: undefined, - outputsFile: undefined, - parameters: [{}], - previousParameters: true, - progress: undefined, - requireApproval: undefined, - rollback: false, - tags: [], - toolkitStackName: undefined, - watch: undefined, - }, + expect(result).toEqual({ + _: 'deploy', + globalOptions: { + app: undefined, + assetMetadata: undefined, + build: undefined, + 
caBundlePath: undefined, + context: [], + ignoreErrors: false, + noColor: false, + pathMetadata: undefined, + plugin: [], + profile: undefined, + proxy: undefined, + roleArn: undefined, + staging: true, + strict: undefined, + verbose: 1, + versionReporting: undefined, + ci: true, + debug: false, + ec2creds: undefined, + json: false, + lookups: true, + trace: undefined, + unstable: [], + notices: undefined, + output: undefined, + }, + deploy: { + STACKS: undefined, + all: false, + assetParallelism: undefined, + assetPrebuild: true, + buildExclude: [], + changeSetName: undefined, + concurrency: 1, + execute: undefined, + exclusively: undefined, + force: false, + hotswap: undefined, + hotswapFallback: undefined, + ignoreNoStacks: false, + importExistingResources: false, + logs: true, + method: undefined, + notificationArns: undefined, + outputsFile: undefined, + parameters: [{}], + previousParameters: true, + progress: undefined, + requireApproval: undefined, + rollback: false, + tags: [], + toolkitStackName: undefined, + watch: undefined, + }, + }); + }); + + test('positional argument is correctly passed through -- variadic', async () => { + const input = await parseCommandLineArguments(['deploy', 'stack1', 'stack2', '-R', '-v', '--ci']); + + const result = convertYargsToCliArgs(input); + + expect(result).toEqual({ + _: 'deploy', + deploy: expect.objectContaining({ + STACKS: ['stack1', 'stack2'], + }), + globalOptions: expect.anything(), + }); }); -}); -test('positional argument is correctly passed through -- variadic', async () => { - const input = await parseCommandLineArguments(['deploy', 'stack1', 'stack2', '-R', '-v', '--ci']); + test('positional argument is correctly passed through -- single', async () => { + const input = await parseCommandLineArguments(['acknowledge', 'id1', '-v', '--ci']); - const result = convertToCliArgs(input); + const result = convertYargsToCliArgs(input); - expect(result).toEqual({ - _: 'deploy', - deploy: expect.objectContaining({ - 
STACKS: ['stack1', 'stack2'], - }), - globalOptions: expect.anything(), + expect(result).toEqual({ + _: 'acknowledge', + acknowledge: expect.objectContaining({ + ID: 'id1', + }), + globalOptions: expect.anything(), + }); }); }); -test('positional argument is correctly passed through -- single', async () => { - const input = await parseCommandLineArguments(['acknowledge', 'id1', '-v', '--ci']); +describe('config', () => { + test('cdk.json arguments can be converted to cli argumets', async () => { + const input = { + output: 'blah.out', + build: 'yarn build', + list: { + long: true, + }, + bootstrap: { + bootstrapBucketName: 'bucketName', + }, + }; - const result = convertToCliArgs(input); + const result = convertConfigToCliArgs(input); - expect(result).toEqual({ - _: 'acknowledge', - acknowledge: expect.objectContaining({ - ID: 'id1', - }), - globalOptions: expect.anything(), + expect(result).toEqual({ + globalOptions: expect.objectContaining({ + output: 'blah.out', + build: 'yarn build', + }), + list: expect.objectContaining({ + long: true, + }), + bootstrap: expect.objectContaining({ + bootstrapBucketName: 'bucketName', + }), + context: expect.anything(), + acknowledge: expect.anything(), + deploy: expect.anything(), + destroy: expect.anything(), + diff: expect.anything(), + init: expect.anything(), + metadata: expect.anything(), + migrate: expect.anything(), + rollback: expect.anything(), + synthesize: expect.anything(), + watch: expect.anything(), + notices: expect.anything(), + import: expect.anything(), + gc: expect.anything(), + doctor: expect.anything(), + docs: expect.anything(), + }); }); }); diff --git a/tools/@aws-cdk/cli-args-gen/lib/cli-args-function-gen.ts b/tools/@aws-cdk/cli-args-gen/lib/cli-args-function-gen.ts index 9cb34988da8ea..ffe1d947abed4 100644 --- a/tools/@aws-cdk/cli-args-gen/lib/cli-args-function-gen.ts +++ b/tools/@aws-cdk/cli-args-gen/lib/cli-args-function-gen.ts 
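Review bot: The title of the new `config` test has a typo, `'cdk.json arguments can be converted to cli argumets'` should end in `arguments`. The callback is also declared `async` although it awaits nothing, unlike the `yargs` tests above it, so `async` can be dropped there.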
@@ -4,6 +4,9 @@ import * as prettier from 'prettier'; import { kebabToCamelCase } from './util'; import { CliAction, CliConfig } from './yargs-types'; +const CLI_ARG_NAME = 'args'; +const CONFIG_ARG_NAME = 'config'; + export async function renderCliArgsFunc(config: CliConfig): Promise { const scope = new Module('aws-cdk'); @@ -18,7 +21,7 @@ export async function renderCliArgsFunc(config: CliConfig): Promise { scope.addImport(new SelectiveModuleImport(scope, './settings', ['Command'])); const createCliArguments = new FreeFunction(scope, { - name: 'convertToCliArgs', + name: 'convertYargsToCliArgs', export: true, returnType: cliArgType, parameters: [ @@ -27,6 +30,16 @@ export async function renderCliArgsFunc(config: CliConfig): Promise { }); createCliArguments.addBody(code.expr.directCode(buildCliArgsFunction(config))); + const createConfigArguments = new FreeFunction(scope, { + name: 'convertConfigToCliArgs', + export: true, + returnType: cliArgType, + parameters: [ + { name: 'config', type: Type.ANY }, + ], + }); + createConfigArguments.addBody(code.expr.directCode(buildConfigArgsFunction(config))); + const ts = new TypeScriptRenderer({ disabledEsLintRules: [EsLintRules.MAX_LEN], // the default disabled rules result in 'Definition for rule 'prettier/prettier' was not found' }).render(scope); @@ -40,9 +53,9 @@ export async function renderCliArgsFunc(config: CliConfig): Promise { } function buildCliArgsFunction(config: CliConfig): string { - const globalOptions = buildGlobalOptions(config); - const commandSwitch = buildCommandSwitch(config); - const cliArgs = buildCliArgs(); + const globalOptions = buildGlobalOptions(config, CLI_ARG_NAME); + const commandSwitch = buildCommandSwitch(config, CLI_ARG_NAME); + const cliArgs = buildCliArgs(CLI_ARG_NAME); return [ globalOptions, commandSwitch, 
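Review bot: The parameter of the new `convertConfigToCliArgs` function is declared with the literal `'config'`, while the body produced by `buildConfigArgsFunction` names that parameter through `CONFIG_ARG_NAME`. The two agree only because the constant currently has the same value. Declaring the parameter as `{ name: CONFIG_ARG_NAME, type: Type.ANY },` keeps the signature and the generated body in step if the constant changes. The `convertYargsToCliArgs` parameter and `CLI_ARG_NAME` probably need the same treatment, but that parameter list is outside the hunk, as are the start and end of `renderCliArgsFunc`.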
@@ -50,26 +63,50 @@ function buildCliArgsFunction(config: CliConfig): string { ].join('\n'); } -function buildGlobalOptions(config: CliConfig): string { +function buildConfigArgsFunction(config: CliConfig): string { + const globalOptions = buildGlobalOptions(config, CONFIG_ARG_NAME); + const commandList = buildCommandsList(config, CONFIG_ARG_NAME); + const configArgs = buildConfigArgs(config); + return [ + globalOptions, + commandList, + configArgs, + ].join('\n'); +} + +function buildGlobalOptions(config: CliConfig, argName: string): string { const globalOptionExprs = ['const globalOptions: GlobalOptions = {']; for (const optionName of Object.keys(config.globalOptions)) { const name = kebabToCamelCase(optionName); - globalOptionExprs.push(`'${name}': args.${name},`); + globalOptionExprs.push(`'${name}': ${argName}.${name},`); } globalOptionExprs.push('}'); return globalOptionExprs.join('\n'); } -function buildCommandSwitch(config: CliConfig): string { - const commandSwitchExprs = ['let commandOptions;', 'switch (args._[0] as Command) {']; +function buildCommandsList(config: CliConfig, argName: string): string { + const commandOptions = []; + // Note: we are intentionally not including aliases for the default options that can be + // specified via `cdk.json`. These options must be specified by the command name + // i.e. acknowledge rather than ack. 
+ for (const commandName of Object.keys(config.commands)) { + commandOptions.push(`const ${kebabToCamelCase(commandName)}Options = {`); + commandOptions.push(...buildCommandOptions(config.commands[commandName], argName, kebabToCamelCase(commandName))); + commandOptions.push('}'); + } + return commandOptions.join('\n'); +} + +function buildCommandSwitch(config: CliConfig, argName: string): string { + const commandSwitchExprs = ['let commandOptions;', `switch (${argName}._[0] as Command) {`]; for (const commandName of Object.keys(config.commands)) { commandSwitchExprs.push( // All aliases of the command should map to the same switch branch // This ensures that we store options of the command regardless of what alias is specified ...buildAliases(commandName, config.commands[commandName].aliases), 'commandOptions = {', - ...buildCommandOptions(config.commands[commandName]), - ...(config.commands[commandName].arg ? [buildPositionalArguments(config.commands[commandName].arg)] : []), + ...buildCommandOptions(config.commands[commandName], argName), + ...(config.commands[commandName].arg ? [buildPositionalArguments(config.commands[commandName].arg, argName)] : []), '};', `break; `); 
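Review bot: For the config path, `buildGlobalOptions` emits unguarded `config.<name>` reads, while `buildCommandOptions` (called here with a prefix) guards the nested level with `?.`. A null or undefined `config` would therefore throw on the first global option of the generated `convertConfigToCliArgs`. Whether a caller can pass an empty value is not visible in this diff; if it can, emit `config?.<name>` for this path or give the generated parameter a `{}` default. The values are also copied from `cdk.json` as `any` into the typed `CliArguments` shape with no runtime check, so a comment on `buildConfigArgsFunction` should say where validation of those values is expected to happen.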
@@ -83,28 +120,45 @@ function buildAliases(commandName: string, aliases: string[] = []): string[] { return cases.map((c) => `case '${c}':`); } -function buildCommandOptions(options: CliAction): string[] { +function buildCommandOptions(options: CliAction, argName: string, prefix?: string): string[] { const commandOptions: string[] = []; for (const optionName of Object.keys(options.options ?? {})) { const name = kebabToCamelCase(optionName); - commandOptions.push(`'${name}': args.${name},`); + if (prefix) { + commandOptions.push(`'${name}': ${argName}.${prefix}?.${name},`); + } else { + commandOptions.push(`'${name}': ${argName}.${name},`); + } } return commandOptions; } -function buildPositionalArguments(arg: { name: string; variadic: boolean }): string { +function buildPositionalArguments(arg: { name: string; variadic: boolean }, argName: string): string { if (arg.variadic) { - return `${arg.name}: args.${arg.name}`; + return `${arg.name}: ${argName}.${arg.name}`; } - return `${arg.name}: args.${arg.name}`; + return `${arg.name}: ${argName}.${arg.name}`; +} + +function buildCliArgs(argName: string): string { + return [ + 'const cliArguments: CliArguments = {', + `_: ${argName}._[0],`, + 'globalOptions,', + `[${argName}._[0]]: commandOptions`, + '}', + '', + 'return cliArguments', + ].join('\n'); } -function buildCliArgs(): string { +function buildConfigArgs(config: CliConfig): string { return [ 'const cliArguments: CliArguments = {', - '_: args._[0],', 'globalOptions,', - '[args._[0]]: commandOptions', + ...(Object.keys(config.commands).map((commandName) => { + return `'${commandName}': ${kebabToCamelCase(commandName)}Options,`; + })), '}', '', 'return cliArguments', diff --git a/tools/@aws-cdk/cli-args-gen/lib/cli-args-gen.ts b/tools/@aws-cdk/cli-args-gen/lib/cli-args-gen.ts index da469e5cb9dc0..b8be1e8a636a6 100644 --- a/tools/@aws-cdk/cli-args-gen/lib/cli-args-gen.ts +++ b/tools/@aws-cdk/cli-args-gen/lib/cli-args-gen.ts 
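Review bot: `buildPositionalArguments` returns the same template string from both branches, so the `if (arg.variadic)` test still has no effect after this change. Since both lines are edited here anyway, either drop the `if` and keep the single return, or add a comment explaining why variadic and single positionals are emitted identically. A single return also leaves only one place to update the next time the argument name changes.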
@@ -30,6 +30,7 @@ export async function renderCliArgsType(config: CliConfig): Promise { docs: { summary: 'The CLI command name', }, + optional: true, }); // add global options diff --git a/tools/@aws-cdk/cli-args-gen/test/cli-args-function-gen.test.ts b/tools/@aws-cdk/cli-args-gen/test/cli-args-function-gen.test.ts index 0660f7df34468..0ea58ff8fde91 100644 --- a/tools/@aws-cdk/cli-args-gen/test/cli-args-function-gen.test.ts +++ b/tools/@aws-cdk/cli-args-gen/test/cli-args-function-gen.test.ts @@ -53,7 +53,7 @@ describe('render', () => { import { Command } from './settings'; // @ts-ignore TS6133 - export function convertToCliArgs(args: any): CliArguments { + export function convertYargsToCliArgs(args: any): CliArguments { const globalOptions: GlobalOptions = { app: args.app, debug: args.debug, @@ -78,6 +78,25 @@ describe('render', () => { return cliArguments; } + + // @ts-ignore TS6133 + export function convertConfigToCliArgs(config: any): CliArguments { + const globalOptions: GlobalOptions = { + app: config.app, + debug: config.debug, + context: config.context, + plugin: config.plugin, + }; + const deployOptions = { + all: config.deploy?.all, + }; + const cliArguments: CliArguments = { + globalOptions, + deploy: deployOptions, + }; + + return cliArguments; + } " `); }); diff --git a/tools/@aws-cdk/cli-args-gen/test/cli-args-gen.test.ts b/tools/@aws-cdk/cli-args-gen/test/cli-args-gen.test.ts index 341931d53e8f8..3e1fa8e69305a 100644 --- a/tools/@aws-cdk/cli-args-gen/test/cli-args-gen.test.ts +++ b/tools/@aws-cdk/cli-args-gen/test/cli-args-gen.test.ts @@ -60,7 +60,7 @@ describe('render', () => { /** * The CLI command name */ - readonly _: Command; + readonly _?: Command; /** * Global options available to all CLI commands @@ -169,7 +169,7 @@ describe('render', () => { /** * The CLI command name */ - readonly _: Command; + readonly _?: Command; /** * Global options available to all CLI commands 
@@ -251,7 +251,7 @@ describe('render', () => { /** * The CLI command name */ - readonly _: Command; + readonly _?: Command; /** * Global options available to all CLI commands From 393e5c0058560ff10acdc2892cc40ad542dc1629 Mon Sep 17 00:00:00 2001 
From: Kazuho Cryer-Shinozuka Date: Fri, 10 Jan 2025 08:47:12 +0900 Subject: [PATCH 04/17] feat(appconfig): environment deletion protection (#32737) ### Issue # (if applicable) None ### Reason for this change AWS AppConfig environment supports [deletion protection](https://docs.aws.amazon.com/appconfig/latest/userguide/deletion-protection.html) and this feature is not configurable from AWS CDK. ### Description of changes - Add `DeletionProtectionCheck` enum - Add `deletionProtectionCheck` prop to `EnvironmentOption` There are two entities, `EnvironmentOptions` and `EnvironmentProps`, where `EnvironmentProps` is designed as an extension of `EnvironmentOptions` with the addition of an `application` prop. ```ts export interface EnvironmentProps extends EnvironmentOptions { /** * The application to be associated with the environment. */ readonly application: IApplication; } abstract class ApplicationBase extends cdk.Resource implements IApplication, IExtensible { public addEnvironment(id: string, options: EnvironmentOptions = {}): IEnvironment { return new Environment(this, id, { application: this, ...options, }); } ``` Therefore, the current argument addition has also been made to `EnvironmentOptions`. ### Describe any new or updated permissions being added None ### Description of how you validated changes Add both unit and integ test. 
### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- ...efaultTestDeployAssert75BD28E7.assets.json | 2 +- .../aws-appconfig-environment.assets.json | 6 +- .../aws-appconfig-environment.template.json | 1 + .../integ.environment.js.snapshot/cdk.out | 2 +- .../integ.environment.js.snapshot/integ.json | 2 +- .../manifest.json | 13 +- .../integ.environment.js.snapshot/tree.json | 113 +++++++++--------- .../aws-appconfig/test/integ.environment.ts | 3 +- packages/aws-cdk-lib/aws-appconfig/README.md | 18 +++ .../aws-appconfig/lib/environment.ts | 9 ++ .../aws-cdk-lib/aws-appconfig/lib/index.ts | 1 + .../aws-cdk-lib/aws-appconfig/lib/util.ts | 25 ++++ .../aws-appconfig/test/environment.test.ts | 23 +++- 13 files changed, 143 insertions(+), 75 deletions(-) create mode 100644 packages/aws-cdk-lib/aws-appconfig/lib/util.ts diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/appconfigenvironmentDefaultTestDeployAssert75BD28E7.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/appconfigenvironmentDefaultTestDeployAssert75BD28E7.assets.json index 947e7fb4d76ea..13d8dae10ffa1 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/appconfigenvironmentDefaultTestDeployAssert75BD28E7.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/appconfigenvironmentDefaultTestDeployAssert75BD28E7.assets.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/aws-appconfig-environment.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/aws-appconfig-environment.assets.json index 8ffcd1a6d5b6d..cdc65b59c1ce0 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/aws-appconfig-environment.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/aws-appconfig-environment.assets.json @@ -1,7 +1,7 @@ { - "version": "36.0.0", + "version": "39.0.0", "files": { - "6ec3a45c455c20f3072a3622b3e548aa72a4c1b8e5a1fac757962194d9f1c82d": { + "8b5317b754f85f2bf23708deb5bed067016cee6070da8f8fdf848daf7d5e028c": { "source": { "path": "aws-appconfig-environment.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "6ec3a45c455c20f3072a3622b3e548aa72a4c1b8e5a1fac757962194d9f1c82d.json", + "objectKey": "8b5317b754f85f2bf23708deb5bed067016cee6070da8f8fdf848daf7d5e028c.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/aws-appconfig-environment.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/aws-appconfig-environment.template.json index ea327d13d23c1..6d109a20eb71e 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/aws-appconfig-environment.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/aws-appconfig-environment.template.json 
@@ -126,6 +126,7 @@ "ApplicationId": { "Ref": "MyApplicationForEnv1F597ED9" }, + "DeletionProtectionCheck": "ACCOUNT_DEFAULT", "Description": "This is the environment for integ testing", "Monitors": [ { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/cdk.out index 1f0068d32659a..91e1a8b9901d5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"36.0.0"} \ No newline at end of file +{"version":"39.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/integ.json index c314a395d9c88..49e33ed13ba49 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "testCases": { "appconfig-environment/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/manifest.json index e21ade66747e8..7d7faf972f4ea 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/manifest.json 
@@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "artifacts": { "aws-appconfig-environment.assets": { "type": "cdk:asset-manifest", @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/6ec3a45c455c20f3072a3622b3e548aa72a4c1b8e5a1fac757962194d9f1c82d.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/8b5317b754f85f2bf23708deb5bed067016cee6070da8f8fdf848daf7d5e028c.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -105,15 +105,6 @@ "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } - ], - "MyConfigDeployment36077E0B58611": [ - { - "type": "aws:cdk:logicalId", - "data": "MyConfigDeployment36077E0B58611", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } ] }, "displayName": "aws-appconfig-environment" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/tree.json index fd96c532cfa58..0e8689629772d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.js.snapshot/tree.json 
@@ -22,14 +22,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnApplication", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-appconfig-alpha.Application", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } }, "StartDeploymentCallCountAlarm": { @@ -69,14 +69,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_cloudwatch.CfnAlarm", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_cloudwatch.Alarm", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } }, "MyRole": { @@ -87,8 +87,8 @@ "id": "ImportMyRole", "path": "aws-appconfig-environment/MyRole/ImportMyRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } }, "Resource": { @@ -127,14 +127,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } }, "MyCompositeAlarm": { @@ -166,14 +166,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_cloudwatch.CfnCompositeAlarm", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_cloudwatch.CompositeAlarm", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } }, "MyEnvironment": { @@ -188,8 +188,8 @@ "id": "ImportRole1963C", "path": "aws-appconfig-environment/MyEnvironment/Role1963C/ImportRole1963C", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } }, "Resource": { 
@@ -228,14 +228,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } }, "Resource": { @@ -247,6 +247,7 @@ "applicationId": { "Ref": "MyApplicationForEnv1F597ED9" }, + "deletionProtectionCheck": "ACCOUNT_DEFAULT", "description": "This is the environment for integ testing", "monitors": [ { @@ -296,14 +297,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnEnvironment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-appconfig-alpha.Environment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } }, "MyDeploymentStrategy": { @@ -324,14 +325,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnDeploymentStrategy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-appconfig-alpha.DeploymentStrategy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } }, "MyConfig": { @@ -352,8 +353,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnConfigurationProfile", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } }, "Resource": { @@ -373,8 +374,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnHostedConfigurationVersion", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } }, "Deployment1963C": { 
@@ -401,36 +402,36 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_appconfig.CfnDeployment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-appconfig-alpha.HostedConfiguration", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "aws-appconfig-environment/BootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "aws-appconfig-environment/CheckBootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } }, "appconfig-environment": { @@ -446,7 +447,7 @@ "path": "appconfig-environment/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } }, "DeployAssert": { @@ -457,22 +458,22 @@ "id": "BootstrapVersion", "path": "appconfig-environment/DefaultTest/DeployAssert/BootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "appconfig-environment/DefaultTest/DeployAssert/CheckBootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } } }, 
@@ -492,13 +493,13 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } } } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.ts index e9c8b1bc81e60..aa11622386de7 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.environment.ts @@ -2,7 +2,7 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha'; import { App, Duration, PhysicalName, Stack } from 'aws-cdk-lib'; import { Alarm, ComparisonOperator, CompositeAlarm, Metric, TreatMissingData } from 'aws-cdk-lib/aws-cloudwatch'; import { Role, ServicePrincipal, Effect, PolicyStatement, PolicyDocument } from 'aws-cdk-lib/aws-iam'; -import { Application, ConfigurationContent, DeploymentStrategy, Environment, HostedConfiguration, Monitor, RolloutStrategy } from 'aws-cdk-lib/aws-appconfig'; +import { Application, ConfigurationContent, DeletionProtectionCheck, DeploymentStrategy, Environment, HostedConfiguration, Monitor, RolloutStrategy } from 'aws-cdk-lib/aws-appconfig'; const app = new App(); @@ -54,6 +54,7 @@ const compositeAlarm = new CompositeAlarm(stack, 'MyCompositeAlarm', { const env = new Environment(stack, 'MyEnvironment', { application: appForEnv, description: 'This is the environment for integ testing', + deletionProtectionCheck: DeletionProtectionCheck.ACCOUNT_DEFAULT, monitors: [ Monitor.fromCloudWatchAlarm(alarm), Monitor.fromCfnMonitorsProperty({ diff --git a/packages/aws-cdk-lib/aws-appconfig/README.md b/packages/aws-cdk-lib/aws-appconfig/README.md index 66c7034db0c23..2a84c45645b03 100644 
--- a/packages/aws-cdk-lib/aws-appconfig/README.md +++ b/packages/aws-cdk-lib/aws-appconfig/README.md @@ -96,6 +96,24 @@ const user = new iam.User(this, 'MyUser'); env.grantReadConfig(user); ``` +### Deletion Protection Check + +You can enable [deletion protection](https://docs.aws.amazon.com/appconfig/latest/userguide/deletion-protection.html) on the environment by setting the `deletionProtectionCheck` property. + +- ACCOUNT_DEFAULT: The default setting, which uses account-level deletion protection. To configure account-level deletion protection, use the UpdateAccountSettings API. +- APPLY: Instructs the deletion protection check to run, even if deletion protection is disabled at the account level. APPLY also forces the deletion protection check to run against resources created in the past hour, which are normally excluded from deletion protection checks. +- BYPASS: Instructs AWS AppConfig to bypass the deletion protection check and delete an environment even if deletion protection would have otherwise prevented it. + +```ts +declare const application: appconfig.Application; +declare const alarm: cloudwatch.Alarm; +declare const compositeAlarm: cloudwatch.CompositeAlarm; + +new appconfig.Environment(this, 'MyEnvironment', { + application, + deletionProtectionCheck: appconfig.DeletionProtectionCheck.APPLY, +}); +``` ## Deployment Strategy diff --git a/packages/aws-cdk-lib/aws-appconfig/lib/environment.ts b/packages/aws-cdk-lib/aws-appconfig/lib/environment.ts index 705cc9c2144cc..9c3c4318f33ca 100644 --- a/packages/aws-cdk-lib/aws-appconfig/lib/environment.ts +++ b/packages/aws-cdk-lib/aws-appconfig/lib/environment.ts 
@@ -4,6 +4,7 @@ import { IApplication } from './application'; import { IConfiguration } from './configuration'; import { ActionPoint, IEventDestination, ExtensionOptions, IExtension, IExtensible, ExtensibleBase } from './extension'; import { getHash } from './private/hash'; +import { DeletionProtectionCheck } from './util'; import * as cloudwatch from '../../aws-cloudwatch'; import * as iam from '../../aws-iam'; import { Resource, IResource, Stack, ArnFormat, PhysicalName, Names } from '../../core'; @@ -165,6 +166,13 @@ export interface EnvironmentOptions { * @default - No monitors. */ readonly monitors?: Monitor[]; + + /** + * A property to prevent accidental deletion of active environments. + * + * @default undefined - AppConfig default is ACCOUNT_DEFAULT + */ + readonly deletionProtectionCheck?: DeletionProtectionCheck; } /** @@ -309,6 +317,7 @@ export class Environment extends EnvironmentBase { applicationId: this.applicationId, name: this.name, description: this.description, + deletionProtectionCheck: props.deletionProtectionCheck, monitors: this.monitors?.map((monitor) => { return { alarmArn: monitor.alarmArn, diff --git a/packages/aws-cdk-lib/aws-appconfig/lib/index.ts b/packages/aws-cdk-lib/aws-appconfig/lib/index.ts index ff835da7514d6..062dfeee027b1 100644 --- a/packages/aws-cdk-lib/aws-appconfig/lib/index.ts +++ b/packages/aws-cdk-lib/aws-appconfig/lib/index.ts @@ -3,6 +3,7 @@ export * from './deployment-strategy'; export * from './extension'; export * from './application'; export * from './configuration'; +export * from './util'; // AWS::AppConfig CloudFormation Resources: export * from './appconfig.generated'; diff --git a/packages/aws-cdk-lib/aws-appconfig/lib/util.ts b/packages/aws-cdk-lib/aws-appconfig/lib/util.ts new file mode 100644 index 0000000000000..9e054d837b94b --- /dev/null +++ b/packages/aws-cdk-lib/aws-appconfig/lib/util.ts 
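Review bot: The doc comment on `deletionProtectionCheck` in `EnvironmentOptions` describes the property only as preventing accidental deletion, but one of the accepted values, `BYPASS`, skips the check. A reader who sees only this interface cannot tell that the property can weaken protection as well as enforce it. I would reword the summary to something like `Controls the deletion protection check applied when this environment is deleted; BYPASS skips the check even when account-level protection is enabled.` and keep the existing `@default` line. The interface starts and ends outside this hunk.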
@@ -0,0 +1,25 @@ +/** + * The deletion protection check options. + */ +export enum DeletionProtectionCheck { + /** + * The default setting, + * which uses account-level deletion protection. To configure account-level deletion protection, use the UpdateAccountSettings API. + */ + ACCOUNT_DEFAULT = 'ACCOUNT_DEFAULT', + + /** + * Instructs the deletion protection check to run, + * even if deletion protection is disabled at the account level. + * + * APPLY also forces the deletion protection check to run against resources created in the past hour, + * which are normally excluded from deletion protection checks. + */ + APPLY = 'APPLY', + + /** + * Instructs AWS AppConfig to bypass the deletion protection check and delete an environment or a configuration profile + * even if deletion protection would have otherwise prevented it. + */ + BYPASS = 'BYPASS', +} diff --git a/packages/aws-cdk-lib/aws-appconfig/test/environment.test.ts b/packages/aws-cdk-lib/aws-appconfig/test/environment.test.ts index 398a5dbc728ee..4ee3b62abe865 100644 --- a/packages/aws-cdk-lib/aws-appconfig/test/environment.test.ts +++ b/packages/aws-cdk-lib/aws-appconfig/test/environment.test.ts @@ -2,7 +2,7 @@ import { Template } from '../../assertions'; import { Alarm, CompositeAlarm, Metric } from '../../aws-cloudwatch'; import * as iam from '../../aws-iam'; import * as cdk from '../../core'; -import { Application, ConfigurationContent, Environment, HostedConfiguration, Monitor } from '../lib'; +import { Application, ConfigurationContent, DeletionProtectionCheck, Environment, HostedConfiguration, Monitor } from '../lib'; describe('environment', () => { test('default environment', () => { 
@@ -20,6 +20,27 @@ describe('environment', () => { }); }); + test.each([ + DeletionProtectionCheck.ACCOUNT_DEFAULT, + DeletionProtectionCheck.APPLY, + DeletionProtectionCheck.BYPASS, + ])('environment with deletion protection check', (deletionProtectionCheck) => { + const stack = new cdk.Stack(); + const app = new Application(stack, 'MyAppConfig'); + new Environment(stack, 'MyEnvironment', { + application: app, + deletionProtectionCheck, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::AppConfig::Environment', { + Name: 'MyEnvironment', + ApplicationId: { + Ref: 'MyAppConfigB4B63E75', + }, + DeletionProtectionCheck: deletionProtectionCheck, + }); + }); + test('environment with name', () => { const stack = new cdk.Stack(); const app = new Application(stack, 'MyAppConfig'); From aff160b62a067bcd89feb97e020287e614e39111 Mon Sep 17 00:00:00 2001 
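Review bot: The three `test.each` cases share one title, so a failure report will not show which `DeletionProtectionCheck` value broke. Interpolating the value into the name fixes that, for example `])('environment with deletion protection check %s', (deletionProtectionCheck) => {`. The cases also cover only explicit values; the hunk has no assertion that `DeletionProtectionCheck` is absent from the template when the prop is omitted, unless the existing 'default environment' test already covers it.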
From: Grace Luo <54298030+gracelu0@users.noreply.github.com> Date: Thu, 9 Jan 2025 17:48:24 -0800 Subject: [PATCH 05/17] fix(elasticloadbalancingv2): open, dual-stack-without-public-ipv4 ALB does not allow IPv6 inbound traffic (under feature flag) (#32765) ### Issue # (if applicable) Closes #32197 . ### Reason for this change Default generated security group ingress rules for open, dual-stack-without-public-ipv4 ALB does not allow IPv6 traffic. Only a rule for IPv4 ingress traffic is added to the security group rules currently. ### Description of changes Introduced a new feature flag which is enabled by default so that default generated security group ingress rules now have an additional rule that allows IPv6 ingress from anywhere. ### Describe any new or updated permissions being added No new IAM permissions. Added IPv6 security group ingress rules for open, internet-facing ALBs if IP address type is `dual-stack-without-public-ipv4` and feature flag is set to `true` (default). ### Description of how you validated changes Added unit test which checks the security group rules for both cases where feature flag is enabled/disabled. Updated integration test snapshot. 
### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- Co-authored-by: Clare Liguori *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- ...efaultTestDeployAssertFA6F90DD.assets.json | 2 +- ...-dualstack-without-public-ipv4.assets.json | 6 +- ...ualstack-without-public-ipv4.template.json | 7 + .../cdk.out | 2 +- .../integ.json | 2 +- .../manifest.json | 4 +- .../tree.json | 97 ++++---- .../aws-elasticloadbalancingv2/README.md | 57 +++-- .../lib/alb/application-listener.ts | 6 +- .../lib/alb/application-load-balancer.ts | 9 + .../test/alb/listener.test.ts | 74 ++++++ packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md | 221 ++++-------------- packages/aws-cdk-lib/cx-api/README.md | 48 ++-- packages/aws-cdk-lib/cx-api/lib/features.ts | 16 ++ .../aws-cdk-lib/cx-api/test/features.test.ts | 2 +- 15 files changed, 287 insertions(+), 266 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/AlbDualstackWithoutPublicIpv4DefaultTestDeployAssertFA6F90DD.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/AlbDualstackWithoutPublicIpv4DefaultTestDeployAssertFA6F90DD.assets.json index 4a0f5e0c5e4b3..659ffb1cc71f4 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/AlbDualstackWithoutPublicIpv4DefaultTestDeployAssertFA6F90DD.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/AlbDualstackWithoutPublicIpv4DefaultTestDeployAssertFA6F90DD.assets.json 
@@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.assets.json index 5091d2e660924..fb6e143f30005 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.assets.json @@ -1,7 +1,7 @@ { - "version": "36.0.0", + "version": "39.0.0", "files": { - "688bf4caeb2845f3dc89826da60063b380e5d0fe7ab50a95f9ffc76451c42a77": { + "0fac4619627ba59020023785c5d86d47abad0759e7add3aa2f150f8cbfcd7a9a": { "source": { "path": "aws-cdk-elbv2-integ-dualstack-without-public-ipv4.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "688bf4caeb2845f3dc89826da60063b380e5d0fe7ab50a95f9ffc76451c42a77.json", + "objectKey": "0fac4619627ba59020023785c5d86d47abad0759e7add3aa2f150f8cbfcd7a9a.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.template.json index 8882537e5df34..d430a9159e6c5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.template.json @@ -530,6 +530,13 @@ "FromPort": 80, "IpProtocol": "tcp", "ToPort": 80 + }, + { + "CidrIpv6": "::/0", + "Description": "Allow from anyone on port 80", + "FromPort": 80, + "IpProtocol": "tcp", + "ToPort": 80 } ], "VpcId": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/cdk.out index 1f0068d32659a..91e1a8b9901d5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"36.0.0"} \ No newline at end of file +{"version":"39.0.0"} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/integ.json index 4fd4fa6f896d6..b780151e89492 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "testCases": { "AlbDualstackWithoutPublicIpv4/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/manifest.json index 87f61f9552ca1..6534e24089c8d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "artifacts": { "aws-cdk-elbv2-integ-dualstack-without-public-ipv4.assets": { "type": "cdk:asset-manifest", 
@@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/688bf4caeb2845f3dc89826da60063b380e5d0fe7ab50a95f9ffc76451c42a77.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/0fac4619627ba59020023785c5d86d47abad0759e7add3aa2f150f8cbfcd7a9a.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/tree.json index 07d5c271d52c2..4810b354d0d71 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/tree.json @@ -31,7 +31,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnVPC", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -97,7 +97,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -127,7 +127,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, 
@@ -146,7 +146,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -166,7 +166,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -186,7 +186,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -214,7 +214,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -234,13 +234,13 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -306,7 +306,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -336,7 +336,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -355,7 +355,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -375,7 +375,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -395,7 +395,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -423,7 +423,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, 
@@ -443,13 +443,13 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -493,7 +493,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -523,7 +523,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -542,7 +542,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -562,13 +562,13 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -612,7 +612,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -642,7 +642,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -661,7 +661,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -681,13 +681,13 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -706,7 +706,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnInternetGateway", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, 
@@ -725,13 +725,13 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnVPCGatewayAttachment", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.Vpc", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -748,7 +748,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnVPCCidrBlock", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -790,7 +790,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnLoadBalancer", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -821,6 +821,13 @@ "fromPort": 80, "toPort": 80, "description": "Allow from anyone on port 80" + }, + { + "cidrIpv6": "::/0", + "ipProtocol": "tcp", + "fromPort": 80, + "toPort": 80, + "description": "Allow from anyone on port 80" } ], "vpcId": { @@ -829,13 +836,13 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -865,7 +872,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnListener", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -899,7 +906,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnTargetGroup", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } @@ -939,7 +946,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnTargetGroup", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } @@ -982,14 +989,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnListenerRule", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListenerRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } }, "action1Rule": { 
@@ -1028,14 +1035,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnListenerRule", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListenerRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } } }, @@ -1269,7 +1276,7 @@ "path": "AlbDualstackWithoutPublicIpv4/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } }, "DeployAssert": { @@ -1315,7 +1322,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md index d780b7bb410cb..82b10a3417ef6 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md @@ -1,7 +1,5 @@ # Amazon Elastic Load Balancing V2 Construct Library - - The `aws-cdk-lib/aws-elasticloadbalancingv2` package provides constructs for configuring application and network load balancers. 
@@ -49,6 +47,13 @@ listener.addTargets('ApplicationFleet', { The security groups of the load balancer and the target are automatically updated to allow the network traffic. +> NOTE: If the `@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault` feature flag is set (the default for new projects), and `addListener()` is called with `open: true`, +the load balancer's security group will automatically include both IPv4 and IPv6 ingress rules when using `IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4`. +> +> For existing projects that only have IPv4 rules, you can opt-in to IPv6 ingress rules +by enabling the feature flag in your cdk.json file. Note that enabling this feature flag +will modify existing security group rules. + One (or more) security groups can be associated with the load balancer; if a security group isn't provided, one will be automatically created. @@ -100,8 +105,8 @@ where all requests that didn't match any of the conditions will be sent. Routing traffic from a Load Balancer to a Target involves the following steps: -- Create a Target Group, register the Target into the Target Group -- Add an Action to the Listener which forwards traffic to the Target Group. +* Create a Target Group, register the Target into the Target Group +* Add an Action to the Listener which forwards traffic to the Target Group. A new listener can be added to the Load Balancer by calling `addListener()`. Listeners that have been added to the load balancer can be listed using the 
@@ -111,27 +116,27 @@ for imported or looked up Load Balancers. Various methods on the `Listener` take care of this work for you to a greater or lesser extent: -- `addTargets()` performs both steps: automatically creates a Target Group and the +* `addTargets()` performs both steps: automatically creates a Target Group and the required Action. -- `addTargetGroups()` gives you more control: you create the Target Group (or +* `addTargetGroups()` gives you more control: you create the Target Group (or Target Groups) yourself and the method creates Action that routes traffic to the Target Groups. -- `addAction()` gives you full control: you supply the Action and wire it up +* `addAction()` gives you full control: you supply the Action and wire it up to the Target Groups yourself (or access one of the other ELB routing features). Using `addAction()` gives you access to some of the features of an Elastic Load Balancer that the other two convenience methods don't: -- **Routing stickiness**: use `ListenerAction.forward()` and supply a +* **Routing stickiness**: use `ListenerAction.forward()` and supply a `stickinessDuration` to make sure requests are routed to the same target group for a given duration. -- **Weighted Target Groups**: use `ListenerAction.weightedForward()` +* **Weighted Target Groups**: use `ListenerAction.weightedForward()` to give different weights to different target groups. -- **Fixed Responses**: use `ListenerAction.fixedResponse()` to serve +* **Fixed Responses**: use `ListenerAction.fixedResponse()` to serve a static response (ALB only). -- **Redirects**: use `ListenerAction.redirect()` to serve an HTTP +* **Redirects**: use `ListenerAction.redirect()` to serve an HTTP redirect response (ALB only). 
-- **Authentication**: use `ListenerAction.authenticateOidc()` to +* **Authentication**: use `ListenerAction.authenticateOidc()` to perform OpenID authentication before serving a request (see the `aws-cdk-lib/aws-elasticloadbalancingv2-actions` package for direct authentication integration with Cognito) (ALB only). @@ -254,7 +259,7 @@ For more information, see [Load balancer attributes](https://docs.aws.amazon.com ### Setting up Access Log Bucket on Application Load Balancer The only server-side encryption option that's supported is Amazon S3-managed keys (SSE-S3). For more information -Documentation: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html +Documentation: ```ts @@ -272,7 +277,7 @@ lb.logAccessLogs(bucket); ### Setting up Connection Log Bucket on Application Load Balancer Like access log bucket, the only server-side encryption option that's supported is Amazon S3-managed keys (SSE-S3). For more information -Documentation: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-connection-logging.html +Documentation: ```ts declare const vpc: ec2.Vpc; @@ -298,13 +303,14 @@ const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', { }); ``` -By setting `DUAL_STACK_WITHOUT_PUBLIC_IPV4`, you can provision load balancers without public IPv4s +By setting `DUAL_STACK_WITHOUT_PUBLIC_IPV4`, you can provision load balancers without public IPv4s: ```ts declare const vpc: ec2.Vpc; const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', { vpc, + internetFacing: true, ipAddressType: elbv2.IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4, }); ``` 
@@ -441,6 +447,7 @@ const listener = lb.addListener('Listener', { ``` ### Network Load Balancer and EC2 IConnectable interface + Network Load Balancer implements EC2 `IConnectable` and exposes `connections` property. EC2 Connections allows manage the allowed network connections for constructs with Security Groups. This class makes it easy to allow network connections to and from security groups, and between security groups individually. One thing to keep in mind is that network load balancers do not have security groups, and no automatic security group configuration is done for you. You will have to configure the security groups of the target yourself to allow traffic by clients and/or load balancer instances, depending on your target types. ```ts @@ -530,7 +537,7 @@ const tg = new elbv2.ApplicationTargetGroup(this, 'TG', { }); ``` -For more information see: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/sticky-sessions.html#application-based-stickiness +For more information see: ### Setting the target group protocol version @@ -809,12 +816,12 @@ Node.of(resource).addDependency(targetGroup.loadBalancerAttached); You may look up load balancers and load balancer listeners by using one of the following lookup methods: -- `ApplicationLoadBalancer.fromLookup(options)` - Look up an application load +* `ApplicationLoadBalancer.fromLookup(options)` - Look up an application load balancer. -- `ApplicationListener.fromLookup(options)` - Look up an application load +* `ApplicationListener.fromLookup(options)` - Look up an application load balancer listener. -- `NetworkLoadBalancer.fromLookup(options)` - Look up a network load balancer. -- `NetworkListener.fromLookup(options)` - Look up a network load balancer +* `NetworkLoadBalancer.fromLookup(options)` - Look up a network load balancer. +* `NetworkListener.fromLookup(options)` - Look up a network load balancer listener. ### Load Balancer lookup options 
@@ -850,11 +857,11 @@ const loadBalancer = elbv2.ApplicationLoadBalancer.fromLookup(this, 'ALB', { You may look up a load balancer listener by the following criteria: -- Associated load balancer ARN -- Associated load balancer tags -- Listener ARN -- Listener port -- Listener protocol +* Associated load balancer ARN +* Associated load balancer tags +* Listener ARN +* Listener port +* Listener protocol The lookup method will return the matching listener. If more than one listener matches, CDK will throw an error requesting that you specify additional diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts index 07cfb949f3b83..d55466374bdd5 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts @@ -8,7 +8,7 @@ import { ListenerCondition } from './conditions'; import { ITrustStore } from './trust-store'; import * as ec2 from '../../../aws-ec2'; import * as cxschema from '../../../cloud-assembly-schema'; -import { Duration, Lazy, Resource, Token } from '../../../core'; +import { Duration, FeatureFlags, Lazy, Resource, Token } from '../../../core'; import * as cxapi from '../../../cx-api'; import { BaseListener, BaseListenerLookupOptions, IListener } from '../shared/base-listener'; import { HealthCheck } from '../shared/base-target-group'; 
@@ -303,7 +303,9 @@ export class ApplicationListener extends BaseListener implements IApplicationLis if (props.open !== false) { this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv4(), `Allow from anyone on port ${port}`); - if (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK) { + if (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK || + (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4 && + FeatureFlags.of(this).isEnabled(cxapi.ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT))) { this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv6(), `Allow from anyone on port ${port}`); } } diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts index 57410eeb3a08a..89594b0654250 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts @@ -1079,6 +1079,15 @@ export interface IApplicationLoadBalancer extends ILoadBalancerV2, ec2.IConnecta /** * The IP Address Type for this load balancer * + * If the `@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault` + * feature flag is set (the default for new projects), and `addListener()` is called with `open: true`, + * the load balancer's security group will automatically include both IPv4 and IPv6 ingress rules + * when using `IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4`. + * + * For existing projects that only have IPv4 rules, you can opt-in to IPv6 ingress rules + * by enabling the feature flag in your cdk.json file. Note that enabling this feature flag + * will modify existing security group rules. + * * @default IpAddressType.IPV4 */ readonly ipAddressType?: IpAddressType; 
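Review bot: The widened condition is the only place that decides whether the load balancer's security group accepts `::/0`, and it carries no comment on why the `DUAL_STACK_WITHOUT_PUBLIC_IPV4` branch is flag-gated while `DUAL_STACK` is not. A why-comment above the `if` would help, for example `// Flag-gated: enabling it adds an any-source IPv6 ingress rule to the security groups of already-deployed stacks`. Pulling the test into a named local such as `const allowIpv6Ingress = ...` would also make the three-line condition easier to audit. The PR description speaks of internet-facing ALBs, but nothing in this condition checks that; presumably it is enforced where the address type is validated, which is not visible here. The enclosing block starts and ends outside the hunk.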
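Review bot: The added doc comment on `ipAddressType` says the IPv6 rule appears when `addListener()` is called with `open: true`, but the listener change in `application-listener.ts` tests `props.open !== false`, so the rule is also added when `open` is omitted, as in both new unit tests. Since this decides whether a `::/0` ingress rule is created, the wording should match the code, for example ``and `addListener()` is not called with `open: false` (listeners are open by default)``. The README note added at `@@ -49,6 +47,13 @@` uses the same sentence and needs the same correction. The interface body continues outside the hunk.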
diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts index 1943a1945ac2a..9cb4fc15eb471 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts @@ -7,6 +7,7 @@ import * as ec2 from '../../../aws-ec2'; import * as s3 from '../../../aws-s3'; import * as cdk from '../../../core'; import { SecretValue } from '../../../core'; +import * as cxapi from '../../../cx-api'; import * as elbv2 from '../../lib'; import { FakeSelfRegisteringTarget } from '../helpers'; 
@@ -107,6 +108,79 @@ describe('tests', () => { }); }); + test('Listener default to open - IPv6 (dual stack without public IPv4) with feature flag enabled', () => { + // GIVEN + const app = new cdk.App({ + context: { [cxapi.ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT]: true }, + }); + const stack = new cdk.Stack(app); + const vpc = new ec2.Vpc(stack, 'Stack'); + const loadBalancer = new elbv2.ApplicationLoadBalancer(stack, 'LB', { + vpc, + internetFacing: true, + ipAddressType: elbv2.IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4, + }); + + // WHEN + loadBalancer.addListener('MyListener', { + port: 80, + defaultTargetGroups: [new elbv2.ApplicationTargetGroup(stack, 'Group', { vpc, port: 80 })], + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::EC2::SecurityGroup', { + SecurityGroupIngress: [ + { + Description: 'Allow from anyone on port 80', + CidrIp: '0.0.0.0/0', + FromPort: 80, + IpProtocol: 'tcp', + ToPort: 80, + }, + { + Description: 'Allow from anyone on port 80', + CidrIpv6: '::/0', + FromPort: 80, + IpProtocol: 'tcp', + ToPort: 80, + }, + ], + }); + }); + + test('Listener default to open - IPv6 (dual stack without public IPv4) with feature flag disabled', () => { + // GIVEN + const app = new cdk.App({ + context: { [cxapi.ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT]: false }, + }); + const stack = new cdk.Stack(app); + const vpc = new ec2.Vpc(stack, 'Stack'); + const loadBalancer = new elbv2.ApplicationLoadBalancer(stack, 'LB', { + vpc, + internetFacing: true, + ipAddressType: elbv2.IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4, + }); + + // WHEN + loadBalancer.addListener('MyListener', { + port: 80, + defaultTargetGroups: [new elbv2.ApplicationTargetGroup(stack, 'Group', { vpc, port: 80 })], + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::EC2::SecurityGroup', { + SecurityGroupIngress: [ + { + Description: 'Allow from anyone on port 80', + CidrIp: '0.0.0.0/0', + FromPort: 80, 
+ IpProtocol: 'tcp', + ToPort: 80, + }, + ], + }); + }); + test('HTTPS listener requires certificate', () => { // GIVEN const stack = new cdk.Stack(); diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md index d278d6b3064ac..12075ff16f731 100644 --- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md +++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md 
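Review bot: Both added tests set the flag explicitly, so the state of an existing project with no context entry for it is not covered, and that is the case the flag exists to leave unchanged. A third test that builds the stack on a plain `new cdk.App()` and expects only the `0.0.0.0/0` rule would pin it; this assumes an unset flag evaluates as disabled, which depends on the flag definition in `features.ts`, not visible here. The two existing tests also repeat identical setup and could share a small helper. The `describe` block continues outside the hunk.

```typescript
test('Listener default to open - IPv6 (dual stack without public IPv4) with feature flag unset', () => {
  // GIVEN: no context entry for the flag
  const stack = new cdk.Stack(new cdk.App());
  // … unchanged: vpc, load balancer and addListener() setup as in the two tests above …

  // THEN: only the IPv4 rule is expected
  Template.fromStack(stack).hasResourceProperties('AWS::EC2::SecurityGroup', {
    SecurityGroupIngress: [
      {
        Description: 'Allow from anyone on port 80',
        CidrIp: '0.0.0.0/0',
        FromPort: 80,
        IpProtocol: 'tcp',
        ToPort: 80,
      },
    ],
  });
});
```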
@@ -84,8 +84,9 @@ Flags come in three types: | [@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault](#aws-cdkaws-ec2bastionhostuseamazonlinux2023bydefault) | When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2. | 2.172.0 | (default) | | [@aws-cdk/core:aspectStabilization](#aws-cdkcoreaspectstabilization) | When enabled, a stabilization loop will be run when invoking Aspects during synthesis. | 2.172.0 | (config) | | [@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource](#aws-cdkaws-route53-targetsuserpooldomainnamemethodwithoutcustomresource) | When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource. | 2.174.0 | (fix) | -| [@aws-cdk/aws-ecs:disableEcsImdsBlocking](#aws-cdkaws-ecsdisableecsimdsblocking) | When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)** | 2.175.0 | (temporary) | -| [@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature](#aws-cdkaws-ecsenableimdsblockingdeprecatedfeature) | When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)** | 2.175.0 | (temporary) | +| [@aws-cdk/aws-ecs:disableEcsImdsBlocking](#aws-cdkaws-ecsdisableecsimdsblocking) | When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)** | V2NEXT | (temporary) | +| [@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature](#aws-cdkaws-ecsenableimdsblockingdeprecatedfeature) | When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. 
**Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)** | V2NEXT | (temporary) | +| [@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault](#aws-cdkaws-elasticloadbalancingv2albdualstackwithoutpublicipv4securitygrouprulesdefault) | When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere | V2NEXT | (fix) | @@ -159,7 +160,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": true, "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": true, "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true, - "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true, + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true } } ``` @@ -238,7 +240,6 @@ different environments). This means that the name of the synthesized template file will be based on the construct path and not on the defined `stackName` of the stack. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.16.0 | `false` | `true` | @@ -246,7 +247,6 @@ of the stack. **Compatibility with old behavior:** Pass stack identifiers to the CLI instead of stack names. - ### aws-cdk:enableDiffNoFail *Make `cdk diff` not fail when there are differences* (default) 
@@ -254,14 +254,13 @@ of the stack. Determines what status code `cdk diff` should return when the specified stack differs from the deployed stack or the local CloudFormation template: -* `aws-cdk:enableDiffNoFail=true` => status code == 0 -* `aws-cdk:enableDiffNoFail=false` => status code == 1 +- `aws-cdk:enableDiffNoFail=true` => status code == 0 +- `aws-cdk:enableDiffNoFail=false` => status code == 1 You can override this behavior with the --fail flag: -* `--fail` => status code == 1 -* `--no-fail` => status code == 0 - +- `--fail` => status code == 1 +- `--no-fail` => status code == 0 | Since | Default | Recommended | | ----- | ----- | ----- | @@ -270,7 +269,6 @@ You can override this behavior with the --fail flag: **Compatibility with old behavior:** Specify `--fail` to the CLI. - ### @aws-cdk/aws-ecr-assets:dockerIgnoreSupport *DockerImageAsset properly supports `.dockerignore` files by default* (default) @@ -282,7 +280,6 @@ is standard Docker ignore semantics. This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.73.0 | `false` | `true` | @@ -290,7 +287,6 @@ users may have come to depend on it. **Compatibility with old behavior:** Update your `.dockerignore` file to match standard Docker ignore rules, if necessary. - ### @aws-cdk/aws-secretsmanager:parseOwnedSecretName *Fix the referencing of SecretsManager names from ARNs* (default) @@ -301,7 +297,6 @@ rather than the default full resource name, which includes the SecretsManager su If this flag is not set, Secret.secretName will include the SecretsManager suffix, which cannot be directly used by SecretsManager.DescribeSecret, and must be parsed by the user first (e.g., Fn:Join, Fn:Select, Fn:Split). - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.77.0 | `false` | `true` | 
@@ -309,7 +304,6 @@ used by SecretsManager.DescribeSecret, and must be parsed by the user first (e.g **Compatibility with old behavior:** Use `parseArn(secret.secretName).resourceName` to emulate the incorrect old parsing. - ### @aws-cdk/aws-kms:defaultKeyPolicies *Tighten default KMS key policies* (default) @@ -326,7 +320,6 @@ true, the policy matches what happens when this feature flag is set. Additionally, if this flag is not set and the user supplies a custom key policy, this will be appended to the key's default policy (rather than replacing it). - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.78.0 | `false` | `true` | @@ -334,7 +327,6 @@ to the key's default policy (rather than replacing it). **Compatibility with old behavior:** Pass `trustAccountIdentities: false` to `Key` construct to restore the old behavior. - ### @aws-cdk/aws-s3:grantWriteWithoutAcl *Remove `PutObjectAcl` from Bucket.grantWrite* (default) @@ -345,7 +337,6 @@ which could be used to grant read/write object access to IAM principals in other Use a feature flag to make sure existing customers who might be relying on the overly-broad permissions are not broken. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.85.0 | `false` | `true` | @@ -353,7 +344,6 @@ on the overly-broad permissions are not broken. **Compatibility with old behavior:** Call `bucket.grantPutAcl()` in addition to `bucket.grantWrite()` to grant ACL permissions. - ### @aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount *Do not specify a default DesiredCount for ECS services* (default) @@ -368,7 +358,6 @@ If this flag is not set, the default behaviour for CfnService.desiredCount is to desiredCount of 1, if one is not provided. If true, a default will not be defined for CfnService.desiredCount and as such desiredCount will be undefined, if one is not provided. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.92.0 | `false` | `true` | 
@@ -376,14 +365,12 @@ CfnService.desiredCount and as such desiredCount will be undefined, if one is no **Compatibility with old behavior:** You can pass `desiredCount: 1` explicitly, but you should never need this. - ### @aws-cdk/aws-efs:defaultEncryptionAtRest *Enable this feature flag to have elastic file systems encrypted at rest by default.* (default) Encryption can also be configured explicitly using the `encrypted` property. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.98.0 | `false` | `true` | @@ -391,7 +378,6 @@ Encryption can also be configured explicitly using the `encrypted` property. **Compatibility with old behavior:** Pass the `encrypted: false` property to the `FileSystem` construct to disable encryption. - ### @aws-cdk/core:newStyleStackSynthesis *Switch to new stack synthesis method which enables CI/CD* (fix) @@ -399,13 +385,11 @@ Encryption can also be configured explicitly using the `encrypted` property. If this flag is specified, all `Stack`s will use the `DefaultStackSynthesizer` by default. If it is not set, they will use the `LegacyStackSynthesizer`. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.39.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/core:stackRelativeExports *Name exports based on the construct paths relative to the stack, rather than the global construct path* (fix) @@ -415,13 +399,11 @@ ensure uniqueness, and makes the export names robust against refactoring the location of the stack in the construct tree (specifically, moving the Stack into a Stage). - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.58.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/aws-rds:lowercaseDbIdentifier *Force lowercasing of RDS Cluster names in CDK* (fix) 
@@ -436,13 +418,11 @@ Must be behind a permanent flag because changing a name from mixed case to lower would lead CloudFormation to think the name was changed and would trigger a cluster replacement (losing data!). - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.97.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId *Allow adding/removing multiple UsagePlanKeys independently* (fix) @@ -460,13 +440,11 @@ which again is disallowed. In effect, there is no way to get out of this mess in a backwards compatible way, while supporting existing stacks. This flag changes the logical id layout of UsagePlanKey to not be sensitive to order. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.98.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/aws-lambda:recognizeVersionProps *Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.* (fix) @@ -476,26 +454,22 @@ not constitute creating a new Version. See 'currentVersion' section in the aws-lambda module's README for more details. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.106.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021 *Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.* (fix) The security policy can also be configured explicitly using the `minimumProtocolVersion` property. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.117.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/core:target-partitions *What regions to include in lookup tables of environment agnostic stacks* (config) 
@@ -505,13 +479,11 @@ of unnecessary regions included in stacks without a known region. The type of this value should be a list of strings. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.137.0 | `false` | `["aws","aws-cn"]` | | 2.4.0 | `false` | `["aws","aws-cn"]` | - ### @aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver *ECS extensions will automatically add an `awslogs` driver if no logging is specified* (default) @@ -521,7 +493,6 @@ Enable this feature flag to configure default logging behavior for the ECS Servi This is a feature flag as the new behavior provides a better default experience for the users. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.140.0 | `false` | `true` | @@ -529,7 +500,6 @@ This is a feature flag as the new behavior provides a better default experience **Compatibility with old behavior:** Specify a log driver explicitly. - ### @aws-cdk/aws-ec2:uniqueImdsv2TemplateName *Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names.* (fix) @@ -540,13 +510,11 @@ account and region, the deployments would always fail as the generated Launch Te The new implementation addresses this issue by generating the Launch Template name with the `Names.uniqueId` method. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.140.0 | `false` | `true` | | 2.8.0 | `false` | `true` | - ### @aws-cdk/aws-iam:minimizePolicies *Minimize IAM policies by combining Statements* (config) @@ -555,13 +523,11 @@ Minimize IAM policies by combining Principals, Actions and Resources of two Statements in the policies, as long as it doesn't change the meaning of the policy. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.150.0 | `false` | `true` | | 2.18.0 | `false` | `true` | - ### @aws-cdk/core:checkSecretUsage *Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations* (config) 
@@ -570,13 +536,11 @@ With this flag enabled, `SecretValue` instances can only be passed to constructs that accept `SecretValue`s; otherwise, `unsafeUnwrap()` must be called to use it as a regular string. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.153.0 | `false` | `true` | | 2.21.0 | `false` | `true` | - ### @aws-cdk/aws-lambda:recognizeLayerVersion *Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.* (fix) @@ -585,13 +549,11 @@ This flag correct incorporates Lambda Layer properties into the Lambda Function See 'currentVersion' section in the aws-lambda module's README for more details. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.159.0 | `false` | `true` | | 2.27.0 | `false` | `true` | - ### @aws-cdk/core:validateSnapshotRemovalPolicy *Error on snapshot removal policies on resources that do not support it.* (default) @@ -601,7 +563,6 @@ If supplied on an unsupported resource, CloudFormation ignores the policy altoge This flag will reduce confusion and unexpected loss of data when erroneously supplying the snapshot removal policy. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -609,7 +570,6 @@ the snapshot removal policy. **Compatibility with old behavior:** The old behavior was incorrect. Update your source to not specify SNAPSHOT policies on resources that do not support it. - ### @aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName *Generate key aliases that include the stack name* (fix) 
@@ -621,13 +581,11 @@ the KMS key alias name created for these pipelines may be the same due to how th This new implementation creates a stack safe resource name for the alias using the stack name instead of the stack ID. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.29.0 | `false` | `true` | - ### @aws-cdk/aws-s3:createDefaultLoggingPolicy *Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist.* (fix) @@ -641,15 +599,13 @@ and error indicating that a bucket policy already exists. In cases where we know what the required policy is we can go ahead and create the policy so we can remain in control of it. -@see https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3 - +@see | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.31.0 | `false` | `true` | - ### @aws-cdk/aws-sns-subscriptions:restrictSqsDescryption *Restrict KMS key policy for encrypted Queues a bit more* (fix) @@ -661,13 +617,11 @@ Previously the decryption was only restricted to the SNS service principal. To m secure, it is a good practice to restrict the decryption further and only allow the connected SNS topic to decryption the subscribed queue. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.32.0 | `false` | `true` | - ### @aws-cdk/aws-ecs:arnFormatIncludesClusterName *ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID.* (fix) 
@@ -677,35 +631,31 @@ If this flag is set, the new ARN format (with cluster name) for ECS is used. This is a feature flag as the old format is still valid for existing ECS clusters. -See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#ecs-resource-ids - +See | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.35.0 | `false` | `true` | - ### @aws-cdk/aws-apigateway:disableCloudWatchRole *Make default CloudWatch Role behavior safe for multiple API Gateways in one environment* (fix) Enable this feature flag to change the default behavior for aws-apigateway.RestApi and aws-apigateway.SpecRestApi -to _not_ create a CloudWatch role and Account. There is only a single ApiGateway account per AWS +to *not* create a CloudWatch role and Account. There is only a single ApiGateway account per AWS environment which means that each time you create a RestApi in your account the ApiGateway account is overwritten. If at some point the newest RestApi is deleted, the ApiGateway Account and CloudWatch role will also be deleted, breaking any existing ApiGateways that were depending on them. When this flag is enabled you should either create the ApiGateway account and CloudWatch role -separately _or_ only enable the cloudWatchRole on a single RestApi. - +separately *or* only enable the cloudWatchRole on a single RestApi. | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.38.0 | `false` | `true` | - ### @aws-cdk/core:enablePartitionLiterals *Make ARNs concrete if AWS partition is known* (fix) 
@@ -734,13 +684,11 @@ Principal: The intrinsic function will still be used in Stacks where no region is defined or the region's partition is unknown. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.38.0 | `false` | `true` | - ### @aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker *Avoid setting the "ECS" deployment controller when adding a circuit breaker* (fix) @@ -751,13 +699,11 @@ This does not change any behaviour as the default deployment controller when it This is a feature flag as the new behavior provides a better default experience for the users. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.51.0 | `false` | `true` | - ### @aws-cdk/aws-events:eventsTargetQueueSameAccount *Event Rules may only push to encrypted SQS queues in the same account* (fix) @@ -766,13 +712,11 @@ This flag applies to SQS Queues that are used as the target of event Rules. When from the same account as the Rule can send messages. If a queue is unencrypted, this restriction will always apply, regardless of the value of this flag. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.51.0 | `false` | `true` | - ### @aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName *Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in.* (fix) @@ -783,13 +727,11 @@ of a role using the same default policy name. This new implementation creates default policy names based on the constructs node path in their stack. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.60.0 | `false` | `true` | - ### @aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy *Use S3 Bucket Policy instead of ACLs for Server Access Logging* (fix) 
@@ -801,15 +743,13 @@ enabled on the bucket. This flag uses a Bucket Policy statement to allow Server Access Log delivery, following best practices for S3. -@see https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html - +@see | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.60.0 | `false` | `true` | - ### @aws-cdk/customresources:installLatestAwsSdkDefault *Whether to install the latest SDK by default in AwsCustomResource* (default) @@ -821,7 +761,6 @@ do not have internet access, or in environments where 'npmjs.com' is not availab The recommended setting is to disable the default installation behavior, and pass the flag on a resource-by-resource basis to enable it if necessary. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -829,7 +768,6 @@ flag on a resource-by-resource basis to enable it if necessary. **Compatibility with old behavior:** Set installLatestAwsSdk: true on all resources that need it. - ### @aws-cdk/aws-route53-patters:useCertificate *Use the official `Certificate` resource instead of `DnsValidatedCertificate`* (default) @@ -839,7 +777,6 @@ of the deprecated `DnsValidatedCertificate` construct. If this flag is enabled a the stack in a region other than us-east-1 then you must also set `crossRegionReferences=true` on the stack. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -847,7 +784,6 @@ stack. **Compatibility with old behavior:** Define a `DnsValidatedCertificate` explicitly and pass in the `certificate` property - ### @aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup *Remove CloudWatch alarms from deployment group* (fix) 
@@ -856,13 +792,11 @@ Enable this flag to be able to remove all CloudWatch alarms from a deployment gr the alarms from the construct. If this flag is not set, removing all alarms from the construct will still leave the alarms configured for the deployment group. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.65.0 | `false` | `true` | - ### @aws-cdk/aws-rds:databaseProxyUniqueResourceName *Use unique resource name for Database Proxy* (fix) @@ -875,13 +809,11 @@ If this flag is set, the default behavior is to use unique resource names for ea This is a feature flag as the old behavior was technically incorrect, but users may have come to depend on it. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.65.0 | `false` | `true` | - ### @aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId *Include authorizer configuration in the calculation of the API deployment logical ID.* (fix) @@ -891,13 +823,11 @@ the API configuration, including methods, and resources, etc. Enable this featur to also include the configuration of any authorizer attached to the API in the calculation, so any changes made to an authorizer will create a new deployment. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.66.0 | `false` | `true` | - ### @aws-cdk/aws-ec2:launchTemplateDefaultUserData *Define user data for a launch template by default when a machine image is provided.* (fix) @@ -906,13 +836,11 @@ The ec2.LaunchTemplate construct did not define user data when a machine image i provided despite the document. If this is set, a user data is automatically defined according to the OS of the machine image. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.67.0 | `false` | `true` | - ### @aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments *SecretTargetAttachments uses the ResourcePolicy of the attached Secret.* (fix) 
@@ -928,13 +856,11 @@ This won't be possible without intervention due to limitation outlined above. First remove all permissions granted to the Secret and deploy without the ResourcePolicies. Then you can re-add the permissions and deploy again. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.67.0 | `false` | `true` | - ### @aws-cdk/aws-redshift:columnId *Whether to use an ID to track Redshift column changes* (fix) @@ -951,13 +877,11 @@ than their `name`. This will prevent data loss when columns are renamed. initial deployment, the columns will be dropped and recreated, causing data loss. After the initial deployment of the `id`s, the `name`s of the columns can be changed without data loss. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.68.0 | `false` | `true` | - ### @aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2 *Enable AmazonEMRServicePolicy_v2 managed policies* (fix) @@ -971,13 +895,11 @@ managed policies. This is a feature flag as the old behavior will be deprecated, but some resources may require manual intervention since they might not have the appropriate tags propagated automatically. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.72.0 | `false` | `true` | - ### @aws-cdk/aws-apigateway:requestValidatorUniqueId *Generate a unique id for each RequestValidator added to a method* (fix) @@ -988,13 +910,11 @@ providing the `RequestValidatorOptions` in the `addMethod()` method. If the flag is not set then only a single RequestValidator can be added in this way. Any additional RequestValidators have to be created directly with `new RequestValidator`. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.78.0 | `false` | `true` | - ### @aws-cdk/aws-ec2:restrictDefaultSecurityGroup *Restrict access to the VPC default security group* (default) 
@@ -1004,20 +924,17 @@ VPC default security group. When a VPC is created, a default security group is created as well and this cannot be deleted. The default security group is created with ingress/egress rules that allow -_all_ traffic. [AWS Security best practices recommend](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2) +*all* traffic. [AWS Security best practices recommend](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2) removing these ingress/egress rules in order to restrict access to the default security group. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.78.0 | `false` | `true` | -**Compatibility with old behavior:** +**Compatibility with old behavior:** To allow all ingress/egress traffic to the VPC default security group you can set the `restrictDefaultSecurityGroup: false`. - - ### @aws-cdk/aws-kms:aliasNameRef @@ -1029,13 +946,11 @@ when referencing key.aliasName or key.keyArn. If the flag is not set then a raw string is passed as the Alias name and no implicit dependencies will be set. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.83.0 | `false` | `true` | - ### @aws-cdk/core:includePrefixInUniqueNameGeneration *Include the stack prefix in the stack name generation process* (fix) @@ -1049,13 +964,11 @@ If the flag is not set, then the prefix of the stack is prepended to the generat feature flag can lead to a change in stacks' name. Changing a stack name mean recreating the whole stack, which is not viable in some productive setups. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.84.0 | `false` | `true` | - ### @aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig *Generate a launch template when creating an AutoScalingGroup* (fix) 
@@ -1068,17 +981,14 @@ will now create an equivalent 'launchTemplate'. Alternatively, users can provide attempt to set user data according to the OS of the machine image if explicit user data is not provided. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.88.0 | `false` | `true` | -**Compatibility with old behavior:** +**Compatibility with old behavior:** If backwards compatibility needs to be maintained due to an existing autoscaling group using a launch config, set this flag to false. - - ### @aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby @@ -1087,7 +997,6 @@ provided. If this is set, an opensearch domain will automatically be created with multi-az with standby enabled. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1095,7 +1004,6 @@ multi-az with standby enabled. **Compatibility with old behavior:** Pass `capacity.multiAzWithStandbyEnabled: false` to `Domain` construct to restore the old behavior. - ### @aws-cdk/aws-efs:denyAnonymousAccess *EFS denies anonymous clients accesses* (default) @@ -1106,7 +1014,6 @@ access to `efs.FileSystem`. If this flag is not set, `efs.FileSystem` will allow all anonymous clients that can access over the network. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1114,7 +1021,6 @@ that can access over the network. **Compatibility with old behavior:** You can pass `allowAnonymousAccess: true` so allow anonymous clients access. - ### @aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId *When enabled, mount targets will have a stable logicalId that is linked to the associated subnet.* (fix) 
@@ -1126,13 +1032,11 @@ subnets changes. Set this flag to false for existing mount targets. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.93.0 | `false` | `true` | - ### @aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion *Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default* (default) @@ -1142,7 +1046,6 @@ functions will us the latest version of the runtime provided by the Lambda service. Do not use this if you your lambda function is reliant on dependencies shipped as part of the runtime environment. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1150,7 +1053,6 @@ shipped as part of the runtime environment. **Compatibility with old behavior:** Pass `runtime: lambda.Runtime.NODEJS_16_X` to `Function` construct to restore the previous behavior. - ### @aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier *When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id.* (fix) @@ -1159,13 +1061,11 @@ When this feature flag is enabled, we use the IGraphqlApi ARN rather than ID whe the GraphqlApi construct. Using the ARN allows the association to support an association with a source api or merged api in another account. Note that for existing source api associations created with this flag disabled, enabling the flag will lead to a resource replacement. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.97.0 | `false` | `true` | - ### @aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters *When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change.* (fix) 
@@ -1177,13 +1077,11 @@ from AuroraCluster. If the flag is set to false then it can only make one `AuroraClusterInstance` with each `InstanceParameterGroup` in the AuroraCluster. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.97.0 | `false` | `true` | - ### @aws-cdk/aws-rds:preventRenderingDeprecatedCredentials *When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials.* (fix) @@ -1201,13 +1099,11 @@ Set this flag to prevent rendering deprecated `credentials` and creating an extra database secret when only using `snapshotCredentials` to create an RDS database cluster from a snapshot. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.98.0 | `false` | `true` | - ### @aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource *When enabled, the CodeCommit source action is using the default branch name 'main'.* (fix) @@ -1216,13 +1112,11 @@ When setting up a CodeCommit source action for the source stage of a pipeline, p default branch is 'master'. However, with the activation of this feature flag, the default branch is updated to 'main'. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.103.1 | `false` | `true` | - ### @aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction *When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID.* (fix) @@ -1234,13 +1128,11 @@ can be created with `LambdaAction`. If the flag is set to false then it can only make one alarm for the Lambda with `LambdaAction`. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.124.0 | `false` | `true` | - ### @aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse *Enables Pipeline to set the default value for crossAccountKeys to false.* (default) 
@@ -1248,7 +1140,6 @@ If the flag is set to false then it can only make one alarm for the Lambda with When this feature flag is enabled, and the `crossAccountKeys` property is not provided in a `Pipeline` construct, the construct automatically defaults the value of this property to false. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1256,7 +1147,6 @@ construct, the construct automatically defaults the value of this property to fa **Compatibility with old behavior:** Pass `crossAccountKeys: true` to `Pipeline` construct to restore the previous behavior. - ### @aws-cdk/aws-codepipeline:defaultPipelineTypeToV2 *Enables Pipeline to set the default pipeline type to V2.* (default) @@ -1264,7 +1154,6 @@ construct, the construct automatically defaults the value of this property to fa When this feature flag is enabled, and the `pipelineType` property is not provided in a `Pipeline` construct, the construct automatically defaults the value of this property to `PipelineType.V2`. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1272,7 +1161,6 @@ construct, the construct automatically defaults the value of this property to `P **Compatibility with old behavior:** Pass `pipelineType: PipelineType.V1` to `Pipeline` construct to restore the previous behavior. - ### @aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope *When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only.* (fix) 
@@ -1280,13 +1168,11 @@ construct, the construct automatically defaults the value of this property to `P When this feature flag is enabled and calling KMS key grant method, the created IAM policy will reduce the resource scope from '*' to this specific granting KMS key. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.134.0 | `false` | `true` | - ### @aws-cdk/aws-eks:nodegroupNameAttribute *When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix.* (fix) @@ -1294,20 +1180,17 @@ When this feature flag is enabled and calling KMS key grant method, the created When this feature flag is enabled, the nodegroupName attribute will be exactly the name of the nodegroup without any prefix. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.139.0 | `false` | `true` | - ### @aws-cdk/aws-ec2:ebsDefaultGp3Volume *When enabled, the default volume type of the EBS volume will be GP3* (default) When this featuer flag is enabled, the default volume type of the EBS volume will be `EbsDeviceVolumeType.GENERAL_PURPOSE_SSD_GP3`. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1315,7 +1198,6 @@ When this featuer flag is enabled, the default volume type of the EBS volume wil **Compatibility with old behavior:** Pass `volumeType: EbsDeviceVolumeType.GENERAL_PURPOSE_SSD` to `Volume` construct to restore the previous behavior. - ### @aws-cdk/pipelines:reduceAssetRoleTrustScope *Remove the root account principal from PipelineAssetsFileRole trust policy* (default) 
@@ -1323,7 +1205,6 @@ When this featuer flag is enabled, the default volume type of the EBS volume wil When this feature flag is enabled, the root account principal will not be added to the trust policy of asset role. When this feature flag is disabled, it will keep the root account principal in the trust policy. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1331,14 +1212,12 @@ When this feature flag is disabled, it will keep the root account principal in t **Compatibility with old behavior:** Disable the feature flag to add the root account principal back - ### @aws-cdk/aws-ecs:removeDefaultDeploymentAlarm *When enabled, remove default deployment alarm settings* (default) When this featuer flag is enabled, remove the default deployment alarm settings when creating a AWS ECS service. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1346,7 +1225,6 @@ When this featuer flag is enabled, remove the default deployment alarm settings **Compatibility with old behavior:** Set AWS::ECS::Service 'DeploymentAlarms' manually to restore the previous behavior. - ### @aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault *When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default* (fix) 
@@ -1354,19 +1232,17 @@ When this featuer flag is enabled, remove the default deployment alarm settings This results in 'logApiResponseData' being passed as true to the custom resource provider. This will cause the custom resource handler to receive an 'Update' event. If you don't have an SDK call configured for the 'Update' event and you're dependent on specific SDK call response data, you will see this error from CFN: -CustomResource attribute error: Vendor response doesn't contain attribute in object. See https://github.com/aws/aws-cdk/issues/29949) for more details. +CustomResource attribute error: Vendor response doesn't contain attribute in object. See ) for more details. Unlike most feature flags, we don't recommend setting this feature flag to true. However, if you're using the 'AwsCustomResource' construct with 'logApiResponseData' as true in the event object, then setting this feature flag will keep this behavior. Otherwise, setting this feature flag to false will trigger an 'Update' event by removing the 'logApiResponseData' property from the event object. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.145.0 | `false` | `false` | - ### @aws-cdk/aws-s3:keepNotificationInImportedBucket *When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack.* (fix) 
@@ -1376,13 +1252,11 @@ Currently, adding notifications to a bucket where it was created by ourselves wi When this feature flag is enabled, adding notifications to a bucket in the current stack will only update notification defined in this stack. Other notifications that are not managed by this stack will be kept. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.155.0 | `false` | `false` | - ### @aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask *When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.* (fix) @@ -1393,7 +1267,6 @@ of State Machine Task definition. When this feature flag is enabled, specify newly introduced props 's3InputUri' and 's3OutputUri' to populate S3 uri under input and output fields in state machine task definition for Bedrock invoke model. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1401,7 +1274,6 @@ When this feature flag is enabled, specify newly introduced props 's3InputUri' a **Compatibility with old behavior:** Disable the feature flag to use input and output path fields for s3 URI - ### @aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions *When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration* (fix) @@ -1411,7 +1283,6 @@ specified as logConfiguration and it will grant 'Resources': ['*'] to the task r When this feature flag is enabled, we will only grant the necessary permissions when users specify cloudwatch log group. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | 
@@ -1419,7 +1290,6 @@ When this feature flag is enabled, we will only grant the necessary permissions **Compatibility with old behavior:** Disable the feature flag to continue grant permissions to log group when no log group is specified - ### @aws-cdk/aws-ec2:ec2SumTImeoutEnabled *When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together.* (fix) @@ -1429,13 +1299,11 @@ only the value from 'resourceSignalTimeout' will be used. When this feature flag is enabled, if both initOptions.timeout and resourceSignalTimeout are specified, the values will to be summed together. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.160.0 | `false` | `true` | - ### @aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission *When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn.* (fix) @@ -1447,13 +1315,11 @@ it allows invocations from any source. When this feature flag is enabled, the AWS::Lambda::Permission will be properly scoped with the SourceArn corresponding to the specific AppSync GraphQL API. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.161.0 | `false` | `true` | - ### @aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages *When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications.* (fix) 
@@ -1464,13 +1330,11 @@ However, this can cause version mismatches between the '@aws-sdk/*' and '@smithy When this feature flag is enabled, both '@aws-sdk/*' and '@smithy/*' packages will be excluded during the bundling process. This ensures that no mismatches occur between these tightly coupled dependencies when using the AWS SDK v3 in Lambda functions. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.161.0 | `false` | `true` | - ### @aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId *When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`* (fix) @@ -1479,7 +1343,6 @@ Currently, the value of the property 'instanceResourceId' in construct 'Database When this feature flag is enabled, the value of that property will be as expected set to 'DbiResourceId' attribute, and that will fix the grantConnect method. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1487,7 +1350,6 @@ When this feature flag is enabled, the value of that property will be as expecte **Compatibility with old behavior:** Disable the feature flag to use `DbInstanceArn` as value for property `instanceResourceId` - ### @aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics *When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values.* (fix) 
@@ -1496,13 +1358,11 @@ Without enabling this feature flag, `cfn-include` will silently drop resource up Enabling this feature flag will make `cfn-include` throw on these templates, unless you specify the logical ID of the resource in the 'unhydratedResources' property. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.161.0 | `false` | `true` | - ### @aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy *When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN.* (fix) @@ -1512,13 +1372,11 @@ The revision number at the end will be replaced with a wildcard which it shouldn When this feature flag is enabled, if the task definition is created in the stack, the 'Resource' section will 'Ref' the taskDefinition. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.163.0 | `false` | `true` | - ### @aws-cdk/aws-dynamodb:resourcePolicyPerReplica *When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas* (fix) @@ -1530,13 +1388,11 @@ This will prevent you from creating a new table which has an additional replica This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.164.0 | `false` | `true` | - ### @aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault *When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2.* (default) @@ -1548,7 +1404,6 @@ and secure option. When this feature flag is enabled, if you do not pass the machineImage property to the BastionHost construct, the latest Amazon Linux 2023 version will be used instead of Amazon Linux 2. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | 
@@ -1556,7 +1411,6 @@ the latest Amazon Linux 2023 version will be used instead of Amazon Linux 2. **Compatibility with old behavior:** Disable the feature flag or explicitly pass an Amazon Linux 2 machine image to the BastionHost construct. - ### @aws-cdk/core:aspectStabilization *When enabled, a stabilization loop will be run when invoking Aspects during synthesis.* (config) @@ -1566,12 +1420,24 @@ This means that the Aspects that create other Aspects are not run and Aspects th When this feature flag is enabled, a stabilization loop is run to recurse the construct tree multiple times when invoking Aspects. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.172.0 | `true` | `true` | +### @aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource + +*When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource.* (fix) + +When this feature flag is enabled, a new method will be used to get the DNS Name of the user pool domain target. The old method +creates a custom resource internally, but the new method doesn't need a custom resource. + +If the flag is set to false then a custom resource will be created when using `UserPoolDomainTarget`. + +| Since | Default | Recommended | +| ----- | ----- | ----- | +| (not in v1) | | | +| 2.174.0 | `false` | `true` | ### @aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource 
@@ -1595,12 +1461,11 @@ If the flag is set to false then a custom resource will be created when using `U In an ECS Cluster with `MachineImageType.AMAZON_LINUX_2`, the canContainersAccessInstanceRole=false option attempts to add commands to block containers from accessing IMDS. CDK cannot guarantee the correct execution of the feature in all platforms. Setting this feature flag -to true will ensure CDK does not attempt to implement IMDS blocking. By **end of 2025**, CDK will remove the +to true will ensure CDK does not attempt to implement IMDS blocking. By **end of 2025**, CDK will remove the IMDS blocking feature. See [Github discussion](https://github.com/aws/aws-cdk/discussions/32609) for more information. It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | 
@@ -1608,18 +1473,16 @@ It is recommended to follow ECS documentation to block IMDS for your specific pl **Compatibility with old behavior:** It is strongly recommended to set this flag to true. However, if necessary, set this flag to false to continue using the old implementation. - ### @aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature *When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)*** (temporary) In an ECS Cluster with `MachineImageType.AMAZON_LINUX_2`, the canContainersAccessInstanceRole=false option attempts to add commands to block containers from -accessing IMDS. Set this flag to true in order to use new and updated commands. Please note that this -feature alone with this feature flag will be deprecated by **end of 2025** as CDK cannot +accessing IMDS. Set this flag to true in order to use new and updated commands. Please note that this +feature alone with this feature flag will be deprecated by **end of 2025** as CDK cannot guarantee the correct execution of the feature in all platforms. See [Github discussion](https://github.com/aws/aws-cdk/discussions/32609) for more information. It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | 
@@ -1627,5 +1490,21 @@ It is recommended to follow ECS documentation to block IMDS for your specific pl **Compatibility with old behavior:** Set this flag to false in order to continue using old and outdated commands. However, it is **not** recommended. +### @aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault + +*When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere* (fix) + +For internet facing ALBs with 'dualstack-without-public-ipv4' IP address type, the default security group rules +will allow IPv6 ingress from anywhere (::/0). Previously, the default security group rules would only allow IPv4 ingress. + +Using a feature flag to make sure existing customers who might be relying +on the overly restrictive permissions are not broken. + +| Since | Default | Recommended | +| ----- | ----- | ----- | +| (not in v1) | | | +| V2NEXT | `false` | `true` | + +**Compatibility with old behavior:** Disable the feature flag to only allow IPv4 ingress in the default security group rules. diff --git a/packages/aws-cdk-lib/cx-api/README.md b/packages/aws-cdk-lib/cx-api/README.md index e1cf51ff8364e..46da524a70ede 100644 --- a/packages/aws-cdk-lib/cx-api/README.md +++ b/packages/aws-cdk-lib/cx-api/README.md @@ -1,6 +1,5 @@ # Cloud Executable API - This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aws-cdk) project. ## V2 Feature Flags @@ -19,7 +18,7 @@ and error indicating that a bucket policy already exists. In cases where we know what the required policy is we can go ahead and create the policy so we can remain in control of it. -https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3 + _cdk.json_ 
@@ -122,7 +121,7 @@ enabled on the bucket. This flag uses a Bucket Policy statement to allow Server Access Log delivery, following best practices for S3. -https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html + ```json { @@ -172,7 +171,7 @@ Enable this feature flag to use the \`AmazonEMRServicePolicy_v2\` managed polici This is a feature flag as the old behavior will be deprecated, but some resources may require manual intervention since they might not have the appropriate tags propagated automatically. -https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-iam-policies.html + _cdk.json_ @@ -189,8 +188,9 @@ _cdk.json_ Enable this feature flag to include the stack's prefixes to the name generation process. Not doing so can cause the name of stack to exceed 128 characters: -- The name generation ensures it doesn't exceed 128 characters -- Without this feature flag, the prefix is prepended to the generated name, which result can exceed 128 characters + +* The name generation ensures it doesn't exceed 128 characters +* Without this feature flag, the prefix is prepended to the generated name, which result can exceed 128 characters This is a feature flag as it changes the name generated for stacks. Any CDK application deployed prior this fix will most likely be generated with a new name, causing the stack to be recreated with the new name, and then deleting the old one. @@ -228,8 +228,8 @@ _cdk.json_ Enable this feature flag to update the default branch for CodeCommit source actions to `main`. -Previously, the default branch for CodeCommit source actions was set to `master`. -However, this convention is no longer supported, and repositories created after March 2021 now have `main` as +Previously, the default branch for CodeCommit source actions was set to `master`. +However, this convention is no longer supported, and repositories created after March 2021 now have `main` as their default branch. _cdk.json_ 
@@ -364,7 +364,7 @@ _cdk.json_ When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN. When this feature flag is enabled, the IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN. -The revision ARN is more specific than the task definition ARN. See https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html +The revision ARN is more specific than the task definition ARN. See for more details. _cdk.json_ @@ -412,8 +412,8 @@ _cdk.json_ * `@aws-cdk/aws-ec2:ec2SumTImeoutEnabled` -Currently is both initOptions.timeout and resourceSignalTimeout are both specified in the options for creating an EC2 Instance, only the value from 'resourceSignalTimeout' will be used. - +Currently is both initOptions.timeout and resourceSignalTimeout are both specified in the options for creating an EC2 Instance, only the value from 'resourceSignalTimeout' will be used. + When this feature flag is enabled, if both initOptions.timeout and resourceSignalTimeout are specified, the values will to be summed together. _cdk.json_ @@ -478,7 +478,7 @@ _cdk.json_ * `@aws-cdk/aws-dynamodb:resourcePolicyPerReplica` -If this flag is not set, the default behavior for \`TableV2\` is to use a different \`resourcePolicy\` for each replica. +If this flag is not set, the default behavior for \`TableV2\` is to use a different \`resourcePolicy\` for each replica. If this flag is set to false, the behavior is that each replica shares the same \`resourcePolicy\` as the source table. This will prevent you from creating a new table which has an additional replica and a resource policy. @@ -546,7 +546,6 @@ guarantee the correct execution of the feature in all platforms. See [Github dis **It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration.** - _cdk.json_ ```json 
@@ -555,4 +554,25 @@ _cdk.json_ "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": false, }, } -``` \ No newline at end of file +``` + +* `@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault` + +When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere, +For internet facing ALBs with `dualstack-without-public-ipv4` IP address type, the default security group rules +will allow IPv6 ingress from anywhere (::/0). Previously, the default security group rules would only allow IPv4 ingress. + +Using a feature flag to make sure existing customers who might be relying +on the overly restrictive permissions are not broken., + +If the flag is set to false then the default security group rules will only allow IPv4 ingress. + +_cdk.json_ + +```json +{ + "context": { + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true + } +} +``` diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index 98189fd5a3965..b50c93df54da0 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts @@ -120,6 +120,7 @@ export const ASPECT_STABILIZATION = '@aws-cdk/core:aspectStabilization'; export const USER_POOL_DOMAIN_NAME_METHOD_WITHOUT_CUSTOM_RESOURCE = '@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource'; export const Enable_IMDS_Blocking_Deprecated_Feature = '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature'; export const Disable_ECS_IMDS_Blocking = '@aws-cdk/aws-ecs:disableEcsImdsBlocking'; +export const ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT = '@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault'; export const FLAGS: Record = { ////////////////////////////////////////////////////////////////////// 
@@ -1339,6 +1340,21 @@ export const FLAGS: Record = { introducedIn: { v2: '2.174.0' }, recommendedValue: true, }, + + ////////////////////////////////////////////////////////////////////// + [ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT]: { + type: FlagType.BugFix, + summary: 'When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere', + detailsMd: ` + For internet facing ALBs with 'dualstack-without-public-ipv4' IP address type, the default security group rules + will allow IPv6 ingress from anywhere (::/0). Previously, the default security group rules would only allow IPv4 ingress. + + Using a feature flag to make sure existing customers who might be relying + on the overly restrictive permissions are not broken.`, + introducedIn: { v2: 'V2NEXT' }, + recommendedValue: true, + compatibilityWithOldBehaviorMd: 'Disable the feature flag to only allow IPv4 ingress in the default security group rules.', + }, }; const CURRENT_MV = 'v2'; diff --git a/packages/aws-cdk-lib/cx-api/test/features.test.ts b/packages/aws-cdk-lib/cx-api/test/features.test.ts index 6b54f5f272a14..87d06dfaa78df 100644 --- a/packages/aws-cdk-lib/cx-api/test/features.test.ts +++ b/packages/aws-cdk-lib/cx-api/test/features.test.ts @@ -5,7 +5,7 @@ import { MAGIC_V2NEXT, compareVersions } from '../lib/private/flag-modeling'; test('all future flags have defaults configured', () => { Object.keys(feats.FLAGS).forEach(flag => { - expect(typeof(feats.futureFlagDefault(flag))).toEqual('boolean'); + expect(typeof (feats.futureFlagDefault(flag))).toEqual('boolean'); }); }); From a8ad62c02ab83017af20e4b348ca301ead9aa0d4 Mon Sep 17 00:00:00 2001 
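Review bot: The `summary` of the new `ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT` entry does not say which resource it applies to, although `detailsMd` limits the change to internet-facing ALBs with the 'dualstack-without-public-ipv4' address type. The flag has `recommendedValue: true` and widens the default ingress to `::/0`, so a reader who audits flags by their one-line summary should see that scope, for example `summary: 'When enabled, the default security group rules of an internet-facing ALB with dualstack-without-public-ipv4 will allow IPv6 ingress from anywhere (::/0)',`. `detailsMd` also does not state whether the `::/0` rule is restricted to the listener ports; that cannot be told from this hunk and is worth one sentence there. The enclosing `FLAGS` object starts outside the hunk.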
From: Kaizen Conroy <36202692+kaizencc@users.noreply.github.com> Date: Thu, 9 Jan 2025 21:23:44 -0500 Subject: [PATCH 06/17] chore(cli): rename cli-args-gen into user-input-gen (#32821) This PR does not change CLI functionality because we are not using `CliArguments` yet. This PR includes the following related changes: - `CliArguments` are renamed `UserInput` to reflect what the schema represents -- they are options available to be specified via CLI options or `cdk.json`. - the tool previously known as `cli-arg-gen` is now named `user-input-gen` to reflect this change. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- aws-cdk.code-workspace | 2 +- lerna.json | 2 +- package.json | 2 +- packages/aws-cdk/CONTRIBUTING.md | 8 ++-- packages/aws-cdk/jest.config.js | 4 +- packages/aws-cdk/lib/config.ts | 9 +++-- ...o-cli-args.ts => convert-to-user-input.ts} | 14 +++---- .../lib/{cli-arguments.ts => user-input.ts} | 4 +- packages/aws-cdk/package.json | 6 +-- packages/aws-cdk/scripts/cli-args-gen | 2 - packages/aws-cdk/scripts/cli-args-gen.ts | 15 -------- packages/aws-cdk/scripts/user-input-gen | 2 + packages/aws-cdk/scripts/user-input-gen.ts | 16 ++++++++ packages/aws-cdk/test/cli-arguments.test.ts | 10 ++--- tools/@aws-cdk/cli-args-gen/lib/index.ts | 4 -- .../.eslintrc.js | 0 .../.gitignore | 0 .../.npmignore | 0 .../{cli-args-gen => user-input-gen}/LICENSE | 0 .../{cli-args-gen => user-input-gen}/NOTICE | 0 .../README.md | 8 ++-- .../jest.config.js | 0 .../lib/convert-to-user-input-gen.ts} | 37 +++++++++---------- tools/@aws-cdk/user-input-gen/lib/index.ts | 4 ++ .../lib/user-input-gen.ts} | 14 +++---- .../lib/util.ts | 0 .../lib/yargs-gen.ts | 0 .../lib/yargs-types.ts | 0 .../package.json | 6 +-- .../test/convert-to-user-input-gen.test.ts} | 18 ++++----- .../test/user-input-gen.test.ts} | 22 +++++------ .../test/yargs-gen.test.ts | 0 .../tsconfig.json | 0 33 files changed, 106 insertions(+), 103 
deletions(-) rename packages/aws-cdk/lib/{convert-to-cli-args.ts => convert-to-user-input.ts} (97%) rename packages/aws-cdk/lib/{cli-arguments.ts => user-input.ts} (99%) delete mode 100755 packages/aws-cdk/scripts/cli-args-gen delete mode 100644 packages/aws-cdk/scripts/cli-args-gen.ts create mode 100755 packages/aws-cdk/scripts/user-input-gen create mode 100644 packages/aws-cdk/scripts/user-input-gen.ts delete mode 100644 tools/@aws-cdk/cli-args-gen/lib/index.ts rename tools/@aws-cdk/{cli-args-gen => user-input-gen}/.eslintrc.js (100%) rename tools/@aws-cdk/{cli-args-gen => user-input-gen}/.gitignore (100%) rename tools/@aws-cdk/{cli-args-gen => user-input-gen}/.npmignore (100%) rename tools/@aws-cdk/{cli-args-gen => user-input-gen}/LICENSE (100%) rename tools/@aws-cdk/{cli-args-gen => user-input-gen}/NOTICE (100%) rename tools/@aws-cdk/{cli-args-gen => user-input-gen}/README.md (76%) rename tools/@aws-cdk/{cli-args-gen => user-input-gen}/jest.config.js (100%) rename tools/@aws-cdk/{cli-args-gen/lib/cli-args-function-gen.ts => user-input-gen/lib/convert-to-user-input-gen.ts} (85%) create mode 100644 tools/@aws-cdk/user-input-gen/lib/index.ts rename tools/@aws-cdk/{cli-args-gen/lib/cli-args-gen.ts => user-input-gen/lib/user-input-gen.ts} (93%) rename tools/@aws-cdk/{cli-args-gen => user-input-gen}/lib/util.ts (100%) rename tools/@aws-cdk/{cli-args-gen => user-input-gen}/lib/yargs-gen.ts (100%) rename tools/@aws-cdk/{cli-args-gen => user-input-gen}/lib/yargs-types.ts (100%) rename tools/@aws-cdk/{cli-args-gen => user-input-gen}/package.json (90%) rename tools/@aws-cdk/{cli-args-gen/test/cli-args-function-gen.test.ts => user-input-gen/test/convert-to-user-input-gen.test.ts} (83%) rename tools/@aws-cdk/{cli-args-gen/test/cli-args-gen.test.ts => user-input-gen/test/user-input-gen.test.ts} (89%) rename tools/@aws-cdk/{cli-args-gen => user-input-gen}/test/yargs-gen.test.ts (100%) rename tools/@aws-cdk/{cli-args-gen => user-input-gen}/tsconfig.json (100%) 
diff --git a/aws-cdk.code-workspace b/aws-cdk.code-workspace index a7ebb6636469f..406bc32a95401 100644 --- a/aws-cdk.code-workspace +++ b/aws-cdk.code-workspace @@ -31,7 +31,7 @@ "name": "aws-custom-resource-sdk-adapter", "rootPath": "packages/@aws-cdk/aws-custom-resource-sdk-adapter" }, - { "name": "cli-args-gen", "rootPath": "tools/@aws-cdk/cli-args-gen" } + { "name": "user-input-gen", "rootPath": "tools/@aws-cdk/user-input-gen" } ] }, "extensions": { diff --git a/lerna.json b/lerna.json index c10809593a0e4..05a0f3ac14fb5 100644 --- a/lerna.json +++ b/lerna.json @@ -10,7 +10,7 @@ "packages/@aws-cdk-testing/*", "packages/@aws-cdk/*/lambda-packages/*", "tools/@aws-cdk/cdk-build-tools", - "tools/@aws-cdk/cli-args-gen", + "tools/@aws-cdk/user-input-gen", "tools/@aws-cdk/cdk-release", "tools/@aws-cdk/node-bundle", "tools/@aws-cdk/pkglint", diff --git a/package.json b/package.json index 0f3eb7971f811..a75d010d3c217 100644 --- a/package.json +++ b/package.json @@ -77,7 +77,7 @@ "packages/@aws-cdk-testing/*", "packages/@aws-cdk/*/lambda-packages/*", "tools/@aws-cdk/cdk-build-tools", - "tools/@aws-cdk/cli-args-gen", + "tools/@aws-cdk/user-input-gen", "tools/@aws-cdk/cdk-release", "tools/@aws-cdk/node-bundle", "tools/@aws-cdk/pkglint", diff --git a/packages/aws-cdk/CONTRIBUTING.md b/packages/aws-cdk/CONTRIBUTING.md index 7619772294894..f3c967f03c9e4 100644 --- a/packages/aws-cdk/CONTRIBUTING.md +++ b/packages/aws-cdk/CONTRIBUTING.md 
@@ -1,21 +1,21 @@ ## CLI Commands All CDK CLI Commands are defined in `lib/config.ts`. This file is translated -into a valid `yargs` configuration by `bin/cli-args-gen`, which is generated by `@aws-cdk/cli-args-gen`. +into a valid `yargs` configuration by `bin/user-input-gen`, which is generated by `@aws-cdk/user-input-gen`. The `yargs` configuration is generated into the function `parseCommandLineArguments()`, in `lib/parse-command-line-arguments.ts`, and is checked into git for readability and inspectability; do not edit this file by hand, as every subsequent `yarn build` will overwrite any manual edits. If you need to leverage a `yargs` feature not used by -the CLI, you must add support for it to `@aws-cdk/cli-args-gen`. +the CLI, you must add support for it to `@aws-cdk/user-input-gen`. -Note that `bin/cli-args-gen` is executed by `ts-node`, which allows `config.ts` to +Note that `bin/user-input-gen` is executed by `ts-node`, which allows `config.ts` to reference functions and other identifiers defined in the CLI before the CLI is built. ### Dynamic Values Some values, such as the user's platform, cannot be computed at build time. -Some commands depend on these values, and thus `cli-args-gen` must generate the +Some commands depend on these values, and thus `user-input-gen` must generate the code to compute these values at build time. The only way to do this today is to reference a parameter with `DynamicValue.fromParameter`. diff --git a/packages/aws-cdk/jest.config.js b/packages/aws-cdk/jest.config.js index f82ca932d08a3..23f1a71b38590 100644 --- a/packages/aws-cdk/jest.config.js +++ b/packages/aws-cdk/jest.config.js @@ -19,8 +19,8 @@ const config = { "/lib/api/aws-auth/sdk.ts", // Files generated by cli-args-gen "/lib/parse-command-line-arguments.ts", - "/lib/cli-arguments.ts", - "/lib/convert-to-cli-args.ts", + "/lib/user-input.ts", + "/lib/convert-to-user-input.ts", ], // We have many tests here that commonly time out 
diff --git a/packages/aws-cdk/lib/config.ts b/packages/aws-cdk/lib/config.ts index 5e881733a3606..13898df29fa7a 100644 --- a/packages/aws-cdk/lib/config.ts +++ b/packages/aws-cdk/lib/config.ts @@ -1,5 +1,5 @@ // eslint-disable-next-line import/no-extraneous-dependencies -import { CliHelpers, type CliConfig } from '@aws-cdk/cli-args-gen'; +import { CliHelpers, type CliConfig } from '@aws-cdk/user-input-gen'; import { StackActivityProgress } from './api/util/cloudformation/stack-activity-monitor'; import { MIGRATE_SUPPORTED_LANGUAGES } from './commands/migrate'; import { RequireApproval } from './diff'; @@ -8,8 +8,11 @@ import { availableInitLanguages } from './init'; export const YARGS_HELPERS = new CliHelpers('./util/yargs-helpers'); /** - * Source of truth for all CDK CLI commands. `cli-args-gen` translates this into the `yargs` definition - * in `lib/parse-command-line-arguments.ts`. + * Source of truth for all CDK CLI commands. `user-input-gen` translates this into: + * + * - the `yargs` definition in `lib/parse-command-line-arguments.ts`. + * - the `UserInput` type in `lib/user-input.ts`. + * - the `convertXxxToUserInput` functions in `lib/convert-to-user-input.ts`. */ export async function makeConfig(): Promise { return { diff --git a/packages/aws-cdk/lib/convert-to-cli-args.ts b/packages/aws-cdk/lib/convert-to-user-input.ts similarity index 97% rename from packages/aws-cdk/lib/convert-to-cli-args.ts rename to packages/aws-cdk/lib/convert-to-user-input.ts index 9b742c8b0f303..de07f9b3c0eef 100644 --- a/packages/aws-cdk/lib/convert-to-cli-args.ts +++ b/packages/aws-cdk/lib/convert-to-user-input.ts 
@@ -3,11 +3,11 @@ // Do not edit by hand; all changes will be overwritten at build time from the config file. // ------------------------------------------------------------------------------------------- /* eslint-disable @stylistic/max-len */ -import { CliArguments, GlobalOptions } from './cli-arguments'; import { Command } from './settings'; +import { UserInput, GlobalOptions } from './user-input'; // @ts-ignore TS6133 -export function convertYargsToCliArgs(args: any): CliArguments { +export function convertYargsToUserInput(args: any): UserInput { const globalOptions: GlobalOptions = { app: args.app, build: args.build, @@ -250,17 +250,17 @@ export function convertYargsToCliArgs(args: any): CliArguments { commandOptions = {}; break; } - const cliArguments: CliArguments = { + const userInput: UserInput = { _: args._[0], globalOptions, [args._[0]]: commandOptions, }; - return cliArguments; + return userInput; } // @ts-ignore TS6133 -export function convertConfigToCliArgs(config: any): CliArguments { +export function convertConfigToUserInput(config: any): UserInput { const globalOptions: GlobalOptions = { app: config.app, build: config.build, @@ -428,7 +428,7 @@ export function convertConfigToCliArgs(config: any): CliArguments { browser: config.docs?.browser, }; const doctorOptions = {}; - const cliArguments: CliArguments = { + const userInput: UserInput = { globalOptions, list: listOptions, synthesize: synthesizeOptions, @@ -450,5 +450,5 @@ export function convertConfigToCliArgs(config: any): CliArguments { doctor: doctorOptions, }; - return cliArguments; + return userInput; } diff --git a/packages/aws-cdk/lib/cli-arguments.ts b/packages/aws-cdk/lib/user-input.ts similarity index 99% rename from packages/aws-cdk/lib/cli-arguments.ts rename to packages/aws-cdk/lib/user-input.ts index f67451c73176a..13ae60938f6ff 100644 --- a/packages/aws-cdk/lib/cli-arguments.ts +++ b/packages/aws-cdk/lib/user-input.ts 
@@ -6,11 +6,11 @@ import { Command } from './settings'; /** - * The structure of the CLI configuration, generated from packages/aws-cdk/lib/config.ts + * The structure of the user input -- either CLI options or cdk.json -- generated from packages/aws-cdk/lib/config.ts * * @struct */ -export interface CliArguments { +export interface UserInput { /** * The CLI command name */ diff --git a/packages/aws-cdk/package.json b/packages/aws-cdk/package.json index 609be4d5af8fa..e77fbb90d7ea2 100644 --- a/packages/aws-cdk/package.json +++ b/packages/aws-cdk/package.json @@ -7,7 +7,7 @@ }, "scripts": { "build": "cdk-build", - "cli-args-gen": "ts-node --preferTsExts scripts/cli-args-gen.ts", + "user-input-gen": "ts-node --preferTsExts scripts/user-input-gen.ts", "watch": "cdk-watch", "lint": "cdk-lint", "pkglint": "pkglint -f", @@ -29,7 +29,7 @@ }, "cdk-build": { "pre": [ - "yarn cli-args-gen" + "yarn user-input-gen" ], "post": [ "cp ../../node_modules/cdk-from-cfn/index_bg.wasm ./lib/", @@ -70,7 +70,7 @@ "@aws-cdk/cdk-build-tools": "0.0.0", "@aws-cdk/cli-plugin-contract": "0.0.0", "@aws-cdk/pkglint": "0.0.0", - "@aws-cdk/cli-args-gen": "0.0.0", + "@aws-cdk/user-input-gen": "0.0.0", "@octokit/rest": "^18.12.0", "@types/archiver": "^5.3.4", "@types/fs-extra": "^9.0.13", diff --git a/packages/aws-cdk/scripts/cli-args-gen b/packages/aws-cdk/scripts/cli-args-gen deleted file mode 100755 index 29484fb39cf9f..0000000000000 --- a/packages/aws-cdk/scripts/cli-args-gen +++ /dev/null @@ -1,2 +0,0 @@ -#!/usr/bin/env node -require('./cli-args-gen.js'); diff --git a/packages/aws-cdk/scripts/cli-args-gen.ts b/packages/aws-cdk/scripts/cli-args-gen.ts deleted file mode 100644 index 68d53eeff0597..0000000000000 --- a/packages/aws-cdk/scripts/cli-args-gen.ts +++ /dev/null 
@@ -1,15 +0,0 @@
-import * as fs from 'fs';
-// eslint-disable-next-line import/no-extraneous-dependencies
-import { renderYargs, renderCliArgsType, renderCliArgsFunc } from '@aws-cdk/cli-args-gen';
-import { makeConfig, YARGS_HELPERS } from '../lib/config';
-
-async function main() {
- fs.writeFileSync('./lib/parse-command-line-arguments.ts', await renderYargs(await makeConfig(), YARGS_HELPERS));
- fs.writeFileSync('./lib/cli-arguments.ts', await renderCliArgsType(await makeConfig()));
- fs.writeFileSync('./lib/convert-to-cli-args.ts', await renderCliArgsFunc(await makeConfig()));
-}
-
-main().then(() => {
-}).catch((e) => {
- throw e;
-});
diff --git a/packages/aws-cdk/scripts/user-input-gen b/packages/aws-cdk/scripts/user-input-gen
new file mode 100755
index 0000000000000..8e9fe2a7c9bfc
--- /dev/null
+++ b/packages/aws-cdk/scripts/user-input-gen
@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+require('./user-input-gen.js');
diff --git a/packages/aws-cdk/scripts/user-input-gen.ts b/packages/aws-cdk/scripts/user-input-gen.ts
new file mode 100644
index 0000000000000..3ef7e03204165
--- /dev/null
+++ b/packages/aws-cdk/scripts/user-input-gen.ts
@@ -0,0 +1,16 @@
+import * as fs from 'fs';
+// eslint-disable-next-line import/no-extraneous-dependencies
+import { renderYargs, renderUserInputType, renderUserInputFuncs } from '@aws-cdk/user-input-gen';
+import { makeConfig, YARGS_HELPERS } from '../lib/config';
+
+async function main() {
+ const config = await makeConfig();
+ fs.writeFileSync('./lib/parse-command-line-arguments.ts', await renderYargs(config, YARGS_HELPERS));
+ fs.writeFileSync('./lib/user-input.ts', await renderUserInputType(config));
+ fs.writeFileSync('./lib/convert-to-user-input.ts', await renderUserInputFuncs(config));
+}
+
+main().then(() => {
+}).catch((e) => {
+ throw e;
+});
diff --git a/packages/aws-cdk/test/cli-arguments.test.ts b/packages/aws-cdk/test/cli-arguments.test.ts
index ddcf9d02b6fb3..32ad80da77e84 100644
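Review bot: The trailing `main().then(() => {}).catch((e) => { throw e; });` in the new `scripts/user-input-gen.ts` does not actually handle a failure: rethrowing inside `.catch` only yields another rejected promise, so whether the `cdk-build` pre-step exits non-zero depends on the runtime's unhandled-rejection default. Make the failure explicit with `main().catch((e) => { console.error(e); process.exitCode = 1; });`, so a failed generation cannot leave stale `lib/user-input.ts` or `lib/convert-to-user-input.ts` in the build. The three `fs.writeFileSync('./lib/...')` targets also resolve against the current working directory; a one-line comment such as `// must be run from packages/aws-cdk: output paths are cwd-relative` would document that assumption.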
--- a/packages/aws-cdk/test/cli-arguments.test.ts +++ b/packages/aws-cdk/test/cli-arguments.test.ts @@ -1,11 +1,11 @@ -import { convertConfigToCliArgs, convertYargsToCliArgs } from '../lib/convert-to-cli-args'; +import { convertConfigToUserInput, convertYargsToUserInput } from '../lib/convert-to-user-input'; import { parseCommandLineArguments } from '../lib/parse-command-line-arguments'; describe('yargs', () => { test('yargs object can be converted to cli arguments', async () => { const input = await parseCommandLineArguments(['deploy', '-R', '-v', '--ci']); - const result = convertYargsToCliArgs(input); + const result = convertYargsToUserInput(input); expect(result).toEqual({ _: 'deploy', @@ -70,7 +70,7 @@ describe('yargs', () => { test('positional argument is correctly passed through -- variadic', async () => { const input = await parseCommandLineArguments(['deploy', 'stack1', 'stack2', '-R', '-v', '--ci']); - const result = convertYargsToCliArgs(input); + const result = convertYargsToUserInput(input); expect(result).toEqual({ _: 'deploy', @@ -84,7 +84,7 @@ describe('yargs', () => { test('positional argument is correctly passed through -- single', async () => { const input = await parseCommandLineArguments(['acknowledge', 'id1', '-v', '--ci']); - const result = convertYargsToCliArgs(input); + const result = convertYargsToUserInput(input); expect(result).toEqual({ _: 'acknowledge', @@ -109,7 +109,7 @@ describe('config', () => { }, }; - const result = convertConfigToCliArgs(input); + const result = convertConfigToUserInput(input); expect(result).toEqual({ globalOptions: expect.objectContaining({ diff --git a/tools/@aws-cdk/cli-args-gen/lib/index.ts b/tools/@aws-cdk/cli-args-gen/lib/index.ts deleted file mode 100644 index 6dfee4beeac38..0000000000000 --- a/tools/@aws-cdk/cli-args-gen/lib/index.ts +++ /dev/null @@ -1,4 +0,0 @@ -export * from './yargs-gen'; -export * from './yargs-types'; -export * from './cli-args-gen'; -export * from './cli-args-function-gen'; 
diff --git a/tools/@aws-cdk/cli-args-gen/.eslintrc.js b/tools/@aws-cdk/user-input-gen/.eslintrc.js
similarity index 100%
rename from tools/@aws-cdk/cli-args-gen/.eslintrc.js
rename to tools/@aws-cdk/user-input-gen/.eslintrc.js
diff --git a/tools/@aws-cdk/cli-args-gen/.gitignore b/tools/@aws-cdk/user-input-gen/.gitignore
similarity index 100%
rename from tools/@aws-cdk/cli-args-gen/.gitignore
rename to tools/@aws-cdk/user-input-gen/.gitignore
diff --git a/tools/@aws-cdk/cli-args-gen/.npmignore b/tools/@aws-cdk/user-input-gen/.npmignore
similarity index 100%
rename from tools/@aws-cdk/cli-args-gen/.npmignore
rename to tools/@aws-cdk/user-input-gen/.npmignore
diff --git a/tools/@aws-cdk/cli-args-gen/LICENSE b/tools/@aws-cdk/user-input-gen/LICENSE
similarity index 100%
rename from tools/@aws-cdk/cli-args-gen/LICENSE
rename to tools/@aws-cdk/user-input-gen/LICENSE
diff --git a/tools/@aws-cdk/cli-args-gen/NOTICE b/tools/@aws-cdk/user-input-gen/NOTICE
similarity index 100%
rename from tools/@aws-cdk/cli-args-gen/NOTICE
rename to tools/@aws-cdk/user-input-gen/NOTICE
diff --git a/tools/@aws-cdk/cli-args-gen/README.md b/tools/@aws-cdk/user-input-gen/README.md
similarity index 76%
rename from tools/@aws-cdk/cli-args-gen/README.md
rename to tools/@aws-cdk/user-input-gen/README.md
index 8915e8d8de23b..1bf6701f61e4d 100644
--- a/tools/@aws-cdk/cli-args-gen/README.md
+++ b/tools/@aws-cdk/user-input-gen/README.md
@@ -1,16 +1,16 @@ -# cli-args-gen +# user-input-gen Generates CDK CLI configurations from the source of truth in `packages/aws-cdk/lib/config.ts`. Currently generates the following files: - `packages/aws-cdk/lib/parse-command-line-arguments.ts`: `yargs` config. -- `packages/aws-cdk-lib/cli-arguments.ts`: strongly typed `CliArguments` interface. -- `packages/aws-cdk-lib/convert-to-cli-args.ts`: converts the `any` returned by `yargs` to `CliArguments`. +- `packages/aws-cdk/lib/user-input.ts`: strongly typed `UserInput` interface. +- `packages/aws-cdk/lib/convert-to-user-inpu.ts`: converts input from the CLI or `cdk.json` into `UserInput`. ## Usage ```ts -import { renderYargs } from '@aws-cdk/cli-args-gen'; +import { renderYargs } from '@aws-cdk/user-input-gen'; declare const config: CliConfig; diff --git a/tools/@aws-cdk/cli-args-gen/jest.config.js b/tools/@aws-cdk/user-input-gen/jest.config.js similarity index 100% rename from tools/@aws-cdk/cli-args-gen/jest.config.js rename to tools/@aws-cdk/user-input-gen/jest.config.js diff --git a/tools/@aws-cdk/cli-args-gen/lib/cli-args-function-gen.ts b/tools/@aws-cdk/user-input-gen/lib/convert-to-user-input-gen.ts similarity index 85% rename from tools/@aws-cdk/cli-args-gen/lib/cli-args-function-gen.ts rename to tools/@aws-cdk/user-input-gen/lib/convert-to-user-input-gen.ts index ffe1d947abed4..1ea751e15afeb 100644 --- a/tools/@aws-cdk/cli-args-gen/lib/cli-args-function-gen.ts +++ b/tools/@aws-cdk/user-input-gen/lib/convert-to-user-input-gen.ts @@ -7,7 +7,7 @@ import { CliAction, CliConfig } from './yargs-types'; const CLI_ARG_NAME = 'args'; const CONFIG_ARG_NAME = 'config'; -export async function renderCliArgsFunc(config: CliConfig): Promise { +export async function renderUserInputFuncs(config: CliConfig): Promise { const scope = new Module('aws-cdk'); scope.documentation.push( '-------------------------------------------------------------------------------------------'); 
@@ -15,25 +15,24 @@ export async function renderCliArgsFunc(config: CliConfig): Promise { scope.documentation.push('Do not edit by hand; all changes will be overwritten at build time from the config file.'); scope.documentation.push('-------------------------------------------------------------------------------------------'); - scope.addImport(new SelectiveModuleImport(scope, './cli-arguments', ['CliArguments', 'GlobalOptions'])); - const cliArgType = Type.fromName(scope, 'CliArguments'); - scope.addImport(new SelectiveModuleImport(scope, './settings', ['Command'])); + scope.addImport(new SelectiveModuleImport(scope, './user-input', ['UserInput', 'GlobalOptions'])); + const userInputType = Type.fromName(scope, 'UserInput'); - const createCliArguments = new FreeFunction(scope, { - name: 'convertYargsToCliArgs', + const convertYargsToUserInput = new FreeFunction(scope, { + name: 'convertYargsToUserInput', export: true, - returnType: cliArgType, + returnType: userInputType, parameters: [ { name: 'args', type: Type.ANY }, ], }); - createCliArguments.addBody(code.expr.directCode(buildCliArgsFunction(config))); + convertYargsToUserInput.addBody(code.expr.directCode(buildYargsToUserInputFunction(config))); const createConfigArguments = new FreeFunction(scope, { - name: 'convertConfigToCliArgs', + name: 'convertConfigToUserInput', export: true, - returnType: cliArgType, + returnType: userInputType, parameters: [ { name: 'config', type: Type.ANY }, ], @@ -52,14 +51,14 @@ export async function renderCliArgsFunc(config: CliConfig): Promise { }); } -function buildCliArgsFunction(config: CliConfig): string { +function buildYargsToUserInputFunction(config: CliConfig): string { const globalOptions = buildGlobalOptions(config, CLI_ARG_NAME); const commandSwitch = buildCommandSwitch(config, CLI_ARG_NAME); - const cliArgs = buildCliArgs(CLI_ARG_NAME); + const userInput = buildUserInput(CLI_ARG_NAME); return [ globalOptions, commandSwitch, - cliArgs, + userInput, ].join('\n'); } 
@@ -85,7 +84,7 @@ function buildGlobalOptions(config: CliConfig, argName: string): string { } function buildCommandsList(config: CliConfig, argName: string): string { - const commandOptions = []; + const commandOptions: string[] = []; // Note: we are intentionally not including aliases for the default options that can be // specified via `cdk.json`. These options must be specified by the command name // i.e. acknowledge rather than ack. @@ -140,27 +139,27 @@ function buildPositionalArguments(arg: { name: string; variadic: boolean }, argN return `${arg.name}: ${argName}.${arg.name}`; } -function buildCliArgs(argName: string): string { +function buildUserInput(argName: string): string { return [ - 'const cliArguments: CliArguments = {', + 'const userInput: UserInput = {', `_: ${argName}._[0],`, 'globalOptions,', `[${argName}._[0]]: commandOptions`, '}', '', - 'return cliArguments', + 'return userInput', ].join('\n'); } function buildConfigArgs(config: CliConfig): string { return [ - 'const cliArguments: CliArguments = {', + 'const userInput: UserInput = {', 'globalOptions,', ...(Object.keys(config.commands).map((commandName) => { return `'${commandName}': ${kebabToCamelCase(commandName)}Options,`; })), '}', '', - 'return cliArguments', + 'return userInput', ].join('\n'); } diff --git a/tools/@aws-cdk/user-input-gen/lib/index.ts b/tools/@aws-cdk/user-input-gen/lib/index.ts new file mode 100644 index 0000000000000..be47e3278f75e --- /dev/null +++ b/tools/@aws-cdk/user-input-gen/lib/index.ts @@ -0,0 +1,4 @@ +export * from './yargs-gen'; +export * from './yargs-types'; +export * from './user-input-gen'; +export * from './convert-to-user-input-gen'; diff --git a/tools/@aws-cdk/cli-args-gen/lib/cli-args-gen.ts b/tools/@aws-cdk/user-input-gen/lib/user-input-gen.ts similarity index 93% rename from tools/@aws-cdk/cli-args-gen/lib/cli-args-gen.ts rename to tools/@aws-cdk/user-input-gen/lib/user-input-gen.ts index b8be1e8a636a6..1d39585fb0692 100644 
--- a/tools/@aws-cdk/cli-args-gen/lib/cli-args-gen.ts +++ b/tools/@aws-cdk/user-input-gen/lib/user-input-gen.ts @@ -4,7 +4,7 @@ import * as prettier from 'prettier'; import { generateDefault, kebabToCamelCase, kebabToPascal } from './util'; import { CliConfig } from './yargs-types'; -export async function renderCliArgsType(config: CliConfig): Promise { +export async function renderUserInputType(config: CliConfig): Promise { const scope = new Module('aws-cdk'); scope.documentation.push( '-------------------------------------------------------------------------------------------'); @@ -12,11 +12,11 @@ export async function renderCliArgsType(config: CliConfig): Promise { scope.documentation.push('Do not edit by hand; all changes will be overwritten at build time from the config file.'); scope.documentation.push('-------------------------------------------------------------------------------------------'); - const cliArgType = new StructType(scope, { + const userInputType = new StructType(scope, { export: true, - name: 'CliArguments', + name: 'UserInput', docs: { - summary: 'The structure of the CLI configuration, generated from packages/aws-cdk/lib/config.ts', + summary: 'The structure of the user input -- either CLI options or cdk.json -- generated from packages/aws-cdk/lib/config.ts', }, }); @@ -24,7 +24,7 @@ export async function renderCliArgsType(config: CliConfig): Promise { scope.addImport(new SelectiveModuleImport(scope, './settings', ['Command'])); const commandEnum = Type.fromName(scope, 'Command'); - cliArgType.addProperty({ + userInputType.addProperty({ name: '_', type: commandEnum, docs: { @@ -54,7 +54,7 @@ export async function renderCliArgsType(config: CliConfig): Promise { }); } - cliArgType.addProperty({ + userInputType.addProperty({ name: 'globalOptions', type: Type.fromName(scope, globalOptionType.name), docs: { 
@@ -102,7 +102,7 @@ export async function renderCliArgsType(config: CliConfig): Promise { }); } - cliArgType.addProperty({ + userInputType.addProperty({ name: kebabToCamelCase(commandName), type: Type.fromName(scope, commandType.name), docs: { diff --git a/tools/@aws-cdk/cli-args-gen/lib/util.ts b/tools/@aws-cdk/user-input-gen/lib/util.ts similarity index 100% rename from tools/@aws-cdk/cli-args-gen/lib/util.ts rename to tools/@aws-cdk/user-input-gen/lib/util.ts diff --git a/tools/@aws-cdk/cli-args-gen/lib/yargs-gen.ts b/tools/@aws-cdk/user-input-gen/lib/yargs-gen.ts similarity index 100% rename from tools/@aws-cdk/cli-args-gen/lib/yargs-gen.ts rename to tools/@aws-cdk/user-input-gen/lib/yargs-gen.ts diff --git a/tools/@aws-cdk/cli-args-gen/lib/yargs-types.ts b/tools/@aws-cdk/user-input-gen/lib/yargs-types.ts similarity index 100% rename from tools/@aws-cdk/cli-args-gen/lib/yargs-types.ts rename to tools/@aws-cdk/user-input-gen/lib/yargs-types.ts diff --git a/tools/@aws-cdk/cli-args-gen/package.json b/tools/@aws-cdk/user-input-gen/package.json similarity index 90% rename from tools/@aws-cdk/cli-args-gen/package.json rename to tools/@aws-cdk/user-input-gen/package.json index 29a15729acc0c..53444e58fbfac 100644 --- a/tools/@aws-cdk/cli-args-gen/package.json +++ b/tools/@aws-cdk/user-input-gen/package.json @@ -1,12 +1,12 @@ { - "name": "@aws-cdk/cli-args-gen", + "name": "@aws-cdk/user-input-gen", "private": true, "version": "0.0.0", - "description": "Generate CLI arguments", + "description": "Generate User Inputs", "repository": { "type": "git", "url": "https://github.com/aws/aws-cdk.git", - "directory": "tools/@aws-cdk/cli-args-gen" + "directory": "tools/@aws-cdk/user-input-gen" }, "main": "./lib/index.js", "types": "./lib/index.d.ts", 
diff --git a/tools/@aws-cdk/cli-args-gen/test/cli-args-function-gen.test.ts b/tools/@aws-cdk/user-input-gen/test/convert-to-user-input-gen.test.ts similarity index 83% rename from tools/@aws-cdk/cli-args-gen/test/cli-args-function-gen.test.ts rename to tools/@aws-cdk/user-input-gen/test/convert-to-user-input-gen.test.ts index 0ea58ff8fde91..427213e09f37d 100644 --- a/tools/@aws-cdk/cli-args-gen/test/cli-args-function-gen.test.ts +++ b/tools/@aws-cdk/user-input-gen/test/convert-to-user-input-gen.test.ts @@ -1,4 +1,4 @@ -import { CliConfig, renderCliArgsFunc } from '../lib'; +import { CliConfig, renderUserInputFuncs } from '../lib'; describe('render', () => { test('can generate conversion function', async () => { @@ -43,17 +43,17 @@ describe('render', () => { }, }; - expect(await renderCliArgsFunc(config)).toMatchInlineSnapshot(` + expect(await renderUserInputFuncs(config)).toMatchInlineSnapshot(` "// ------------------------------------------------------------------------------------------- // GENERATED FROM packages/aws-cdk/lib/config.ts. // Do not edit by hand; all changes will be overwritten at build time from the config file. // ------------------------------------------------------------------------------------------- /* eslint-disable @stylistic/max-len */ - import { CliArguments, GlobalOptions } from './cli-arguments'; import { Command } from './settings'; + import { UserInput, GlobalOptions } from './user-input'; // @ts-ignore TS6133 - export function convertYargsToCliArgs(args: any): CliArguments { + export function convertYargsToUserInput(args: any): UserInput { const globalOptions: GlobalOptions = { app: args.app, debug: args.debug, 
@@ -70,17 +70,17 @@ describe('render', () => { }; break; } - const cliArguments: CliArguments = { + const userInput: UserInput = { _: args._[0], globalOptions, [args._[0]]: commandOptions, }; - return cliArguments; + return userInput; } // @ts-ignore TS6133 - export function convertConfigToCliArgs(config: any): CliArguments { + export function convertConfigToUserInput(config: any): UserInput { const globalOptions: GlobalOptions = { app: config.app, debug: config.debug, @@ -90,12 +90,12 @@ describe('render', () => { const deployOptions = { all: config.deploy?.all, }; - const cliArguments: CliArguments = { + const userInput: UserInput = { globalOptions, deploy: deployOptions, }; - return cliArguments; + return userInput; } " `); diff --git a/tools/@aws-cdk/cli-args-gen/test/cli-args-gen.test.ts b/tools/@aws-cdk/user-input-gen/test/user-input-gen.test.ts similarity index 89% rename from tools/@aws-cdk/cli-args-gen/test/cli-args-gen.test.ts rename to tools/@aws-cdk/user-input-gen/test/user-input-gen.test.ts index 3e1fa8e69305a..0fa06bc261492 100644 --- a/tools/@aws-cdk/cli-args-gen/test/cli-args-gen.test.ts +++ b/tools/@aws-cdk/user-input-gen/test/user-input-gen.test.ts @@ -1,7 +1,7 @@ -import { CliConfig, renderCliArgsType } from '../lib'; +import { CliConfig, renderUserInputType } from '../lib'; describe('render', () => { - test('can generate CliArguments type', async () => { + test('can generate UserInput type', async () => { const config: CliConfig = { globalOptions: { app: { @@ -43,7 +43,7 @@ describe('render', () => { }, }; - expect(await renderCliArgsType(config)).toMatchInlineSnapshot(` + expect(await renderUserInputType(config)).toMatchInlineSnapshot(` "// ------------------------------------------------------------------------------------------- // GENERATED FROM packages/aws-cdk/lib/config.ts. // Do not edit by hand; all changes will be overwritten at build time from the config file. 
@@ -52,11 +52,11 @@ describe('render', () => { import { Command } from './settings'; /** - * The structure of the CLI configuration, generated from packages/aws-cdk/lib/config.ts + * The structure of the user input -- either CLI options or cdk.json -- generated from packages/aws-cdk/lib/config.ts * * @struct */ - export interface CliArguments { + export interface UserInput { /** * The CLI command name */ @@ -152,7 +152,7 @@ describe('render', () => { globalOptions: {}, }; - expect(await renderCliArgsType(config)).toMatchInlineSnapshot(` + expect(await renderUserInputType(config)).toMatchInlineSnapshot(` "// ------------------------------------------------------------------------------------------- // GENERATED FROM packages/aws-cdk/lib/config.ts. // Do not edit by hand; all changes will be overwritten at build time from the config file. @@ -161,11 +161,11 @@ describe('render', () => { import { Command } from './settings'; /** - * The structure of the CLI configuration, generated from packages/aws-cdk/lib/config.ts + * The structure of the user input -- either CLI options or cdk.json -- generated from packages/aws-cdk/lib/config.ts * * @struct */ - export interface CliArguments { + export interface UserInput { /** * The CLI command name */ @@ -234,7 +234,7 @@ describe('render', () => { globalOptions: {}, }; - expect(await renderCliArgsType(config)).toMatchInlineSnapshot(` + expect(await renderUserInputType(config)).toMatchInlineSnapshot(` "// ------------------------------------------------------------------------------------------- // GENERATED FROM packages/aws-cdk/lib/config.ts. // Do not edit by hand; all changes will be overwritten at build time from the config file. 
@@ -243,11 +243,11 @@ describe('render', () => { import { Command } from './settings'; /** - * The structure of the CLI configuration, generated from packages/aws-cdk/lib/config.ts + * The structure of the user input -- either CLI options or cdk.json -- generated from packages/aws-cdk/lib/config.ts * * @struct */ - export interface CliArguments { + export interface UserInput { /** * The CLI command name */ diff --git a/tools/@aws-cdk/cli-args-gen/test/yargs-gen.test.ts b/tools/@aws-cdk/user-input-gen/test/yargs-gen.test.ts similarity index 100% rename from tools/@aws-cdk/cli-args-gen/test/yargs-gen.test.ts rename to tools/@aws-cdk/user-input-gen/test/yargs-gen.test.ts diff --git a/tools/@aws-cdk/cli-args-gen/tsconfig.json b/tools/@aws-cdk/user-input-gen/tsconfig.json similarity index 100% rename from tools/@aws-cdk/cli-args-gen/tsconfig.json rename to tools/@aws-cdk/user-input-gen/tsconfig.json From 62ae02e9c95a2226e9ec4bd60ae7fc3658819fb1 Mon Sep 17 00:00:00 2001 From: Kaizen Conroy <36202692+kaizencc@users.noreply.github.com> Date: Fri, 10 Jan 2025 00:55:03 -0500 Subject: [PATCH 07/17] chore(cli): synth is now default command name, synthesize is alias (#32823) As a product we have standardized on `cdk synth`. This change reflects that while not changing behavior of the CDK CLI at all. It will however matter for the behavior of a future feature where we allow defaults specified in a schematic way in `cdk.json`. The payoff is that instead of requiring `synthesize: { ... }` we instead will require `synth: { ... }`. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/aws-cdk/lib/config.ts | 4 ++-- packages/aws-cdk/lib/convert-to-user-input.ts | 12 ++++++------ packages/aws-cdk/lib/parse-command-line-arguments.ts | 2 +- packages/aws-cdk/lib/user-input.ts | 10 +++++----- packages/aws-cdk/test/cli-arguments.test.ts | 2 +- 5 files changed, 15 insertions(+), 15 deletions(-) 
diff --git a/packages/aws-cdk/lib/config.ts b/packages/aws-cdk/lib/config.ts index 13898df29fa7a..2ef82baf3304e 100644 --- a/packages/aws-cdk/lib/config.ts +++ b/packages/aws-cdk/lib/config.ts @@ -56,12 +56,12 @@ export async function makeConfig(): Promise { 'show-dependencies': { type: 'boolean', default: false, alias: 'd', desc: 'Display stack dependency information for each stack' }, }, }, - synthesize: { + synth: { arg: { name: 'STACKS', variadic: true, }, - aliases: ['synth'], + aliases: ['synthesize'], description: 'Synthesizes and prints the CloudFormation template for this stack', options: { exclusively: { type: 'boolean', alias: 'e', desc: 'Only synthesize requested stacks, don\'t include dependencies' }, diff --git a/packages/aws-cdk/lib/convert-to-user-input.ts b/packages/aws-cdk/lib/convert-to-user-input.ts index de07f9b3c0eef..f3ffcd4eee611 100644 --- a/packages/aws-cdk/lib/convert-to-user-input.ts +++ b/packages/aws-cdk/lib/convert-to-user-input.ts @@ -46,8 +46,8 @@ export function convertYargsToUserInput(args: any): UserInput { }; break; - case 'synthesize': case 'synth': + case 'synthesize': commandOptions = { exclusively: args.exclusively, validation: args.validation, @@ -292,10 +292,10 @@ export function convertConfigToUserInput(config: any): UserInput { long: config.list?.long, showDependencies: config.list?.showDependencies, }; - const synthesizeOptions = { - exclusively: config.synthesize?.exclusively, - validation: config.synthesize?.validation, - quiet: config.synthesize?.quiet, + const synthOptions = { + exclusively: config.synth?.exclusively, + validation: config.synth?.validation, + quiet: config.synth?.quiet, }; const bootstrapOptions = { bootstrapBucketName: config.bootstrap?.bootstrapBucketName, 
@@ -431,7 +431,7 @@ export function convertConfigToUserInput(config: any): UserInput { const userInput: UserInput = { globalOptions, list: listOptions, - synthesize: synthesizeOptions, + synth: synthOptions, bootstrap: bootstrapOptions, gc: gcOptions, deploy: deployOptions, diff --git a/packages/aws-cdk/lib/parse-command-line-arguments.ts b/packages/aws-cdk/lib/parse-command-line-arguments.ts index b0d4f3060024e..20b09694290fa 100644 --- a/packages/aws-cdk/lib/parse-command-line-arguments.ts +++ b/packages/aws-cdk/lib/parse-command-line-arguments.ts @@ -172,7 +172,7 @@ export function parseCommandLineArguments(args: Array): any { desc: 'Display stack dependency information for each stack', }), ) - .command(['synthesize [STACKS..]', 'synth [STACKS..]'], 'Synthesizes and prints the CloudFormation template for this stack', (yargs: Argv) => + .command(['synth [STACKS..]', 'synthesize [STACKS..]'], 'Synthesizes and prints the CloudFormation template for this stack', (yargs: Argv) => yargs .option('exclusively', { default: undefined, diff --git a/packages/aws-cdk/lib/user-input.ts b/packages/aws-cdk/lib/user-input.ts index 13ae60938f6ff..992202dfaec72 100644 --- a/packages/aws-cdk/lib/user-input.ts +++ b/packages/aws-cdk/lib/user-input.ts @@ -31,9 +31,9 @@ export interface UserInput { /** * Synthesizes and prints the CloudFormation template for this stack * - * aliases: synth + * aliases: synthesize */ - readonly synthesize?: SynthesizeOptions; + readonly synth?: SynthOptions; /** * Deploys the CDK toolkit stack into an AWS environment @@ -337,11 +337,11 @@ export interface ListOptions { /** * Synthesizes and prints the CloudFormation template for this stack * - * aliases: synth + * aliases: synthesize * * @struct */ -export interface SynthesizeOptions { +export interface SynthOptions { /** * Only synthesize requested stacks, don't include dependencies * 
@@ -368,7 +368,7 @@ export interface SynthesizeOptions { readonly quiet?: boolean; /** - * Positional argument for synthesize + * Positional argument for synth */ readonly STACKS?: Array; } diff --git a/packages/aws-cdk/test/cli-arguments.test.ts b/packages/aws-cdk/test/cli-arguments.test.ts index 32ad80da77e84..ad0bfecd0cf74 100644 --- a/packages/aws-cdk/test/cli-arguments.test.ts +++ b/packages/aws-cdk/test/cli-arguments.test.ts @@ -131,7 +131,7 @@ describe('config', () => { metadata: expect.anything(), migrate: expect.anything(), rollback: expect.anything(), - synthesize: expect.anything(), + synth: expect.anything(), watch: expect.anything(), notices: expect.anything(), import: expect.anything(), From 78fba2305c8e1710a3b83d810486a6875a82bf8b Mon Sep 17 00:00:00 2001 From: Kaizen Conroy <36202692+kaizencc@users.noreply.github.com> Date: Fri, 10 Jan 2025 01:33:58 -0500 Subject: [PATCH 08/17] chore(cli): rename `_` to `command` in `UserInput` (#32822) This does not change CLI functionality because `UserInput` is not in use yet. Since we have full control over `UserInput`, i.e. we control the input functions from the CLI or `cdk.json`, we can rename properties however we like. `_` is a relic of `yargs`, we do not need to maintain that convention. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/aws-cdk/lib/convert-to-user-input.ts | 2 +- packages/aws-cdk/lib/user-input.ts | 2 +- packages/aws-cdk/test/cli-arguments.test.ts | 6 +++--- .../user-input-gen/lib/convert-to-user-input-gen.ts | 2 +- tools/@aws-cdk/user-input-gen/lib/user-input-gen.ts | 2 +- .../user-input-gen/test/convert-to-user-input-gen.test.ts | 2 +- tools/@aws-cdk/user-input-gen/test/user-input-gen.test.ts | 6 +++--- 7 files changed, 11 insertions(+), 11 deletions(-) diff --git a/packages/aws-cdk/lib/convert-to-user-input.ts b/packages/aws-cdk/lib/convert-to-user-input.ts index f3ffcd4eee611..4b400aa844424 100644 
--- a/packages/aws-cdk/lib/convert-to-user-input.ts +++ b/packages/aws-cdk/lib/convert-to-user-input.ts @@ -251,7 +251,7 @@ export function convertYargsToUserInput(args: any): UserInput { break; } const userInput: UserInput = { - _: args._[0], + command: args._[0], globalOptions, [args._[0]]: commandOptions, }; diff --git a/packages/aws-cdk/lib/user-input.ts b/packages/aws-cdk/lib/user-input.ts index 992202dfaec72..369a7fe325515 100644 --- a/packages/aws-cdk/lib/user-input.ts +++ b/packages/aws-cdk/lib/user-input.ts @@ -14,7 +14,7 @@ export interface UserInput { /** * The CLI command name */ - readonly _?: Command; + readonly command?: Command; /** * Global options available to all CLI commands diff --git a/packages/aws-cdk/test/cli-arguments.test.ts b/packages/aws-cdk/test/cli-arguments.test.ts index ad0bfecd0cf74..4158e6569fa80 100644 --- a/packages/aws-cdk/test/cli-arguments.test.ts +++ b/packages/aws-cdk/test/cli-arguments.test.ts @@ -8,7 +8,7 @@ describe('yargs', () => { const result = convertYargsToUserInput(input); expect(result).toEqual({ - _: 'deploy', + command: 'deploy', globalOptions: { app: undefined, assetMetadata: undefined, @@ -73,7 +73,7 @@ describe('yargs', () => { const result = convertYargsToUserInput(input); expect(result).toEqual({ - _: 'deploy', + command: 'deploy', deploy: expect.objectContaining({ STACKS: ['stack1', 'stack2'], }), @@ -87,7 +87,7 @@ describe('yargs', () => { const result = convertYargsToUserInput(input); expect(result).toEqual({ - _: 'acknowledge', + command: 'acknowledge', acknowledge: expect.objectContaining({ ID: 'id1', }), diff --git a/tools/@aws-cdk/user-input-gen/lib/convert-to-user-input-gen.ts b/tools/@aws-cdk/user-input-gen/lib/convert-to-user-input-gen.ts index 1ea751e15afeb..b348059eff33e 100644 --- a/tools/@aws-cdk/user-input-gen/lib/convert-to-user-input-gen.ts +++ b/tools/@aws-cdk/user-input-gen/lib/convert-to-user-input-gen.ts 
@@ -142,7 +142,7 @@ function buildPositionalArguments(arg: { name: string; variadic: boolean }, argN function buildUserInput(argName: string): string { return [ 'const userInput: UserInput = {', - `_: ${argName}._[0],`, + `command: ${argName}._[0],`, 'globalOptions,', `[${argName}._[0]]: commandOptions`, '}', diff --git a/tools/@aws-cdk/user-input-gen/lib/user-input-gen.ts b/tools/@aws-cdk/user-input-gen/lib/user-input-gen.ts index 1d39585fb0692..e6f97f90e8865 100644 --- a/tools/@aws-cdk/user-input-gen/lib/user-input-gen.ts +++ b/tools/@aws-cdk/user-input-gen/lib/user-input-gen.ts @@ -25,7 +25,7 @@ export async function renderUserInputType(config: CliConfig): Promise { const commandEnum = Type.fromName(scope, 'Command'); userInputType.addProperty({ - name: '_', + name: 'command', type: commandEnum, docs: { summary: 'The CLI command name', diff --git a/tools/@aws-cdk/user-input-gen/test/convert-to-user-input-gen.test.ts b/tools/@aws-cdk/user-input-gen/test/convert-to-user-input-gen.test.ts index 427213e09f37d..6afc40e224592 100644 --- a/tools/@aws-cdk/user-input-gen/test/convert-to-user-input-gen.test.ts +++ b/tools/@aws-cdk/user-input-gen/test/convert-to-user-input-gen.test.ts @@ -71,7 +71,7 @@ describe('render', () => { break; } const userInput: UserInput = { - _: args._[0], + command: args._[0], globalOptions, [args._[0]]: commandOptions, }; diff --git a/tools/@aws-cdk/user-input-gen/test/user-input-gen.test.ts b/tools/@aws-cdk/user-input-gen/test/user-input-gen.test.ts index 0fa06bc261492..f88360f34f1d7 100644 --- a/tools/@aws-cdk/user-input-gen/test/user-input-gen.test.ts +++ b/tools/@aws-cdk/user-input-gen/test/user-input-gen.test.ts @@ -60,7 +60,7 @@ describe('render', () => { /** * The CLI command name */ - readonly _?: Command; + readonly command?: Command; /** * Global options available to all CLI commands 
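Review bot: In `buildUserInput` (lib/convert-to-user-input-gen.ts), the new `command: ${argName}._[0]` line and the computed key `[${argName}._[0]]: commandOptions` both take the command word straight from the parsed arguments, and the generated switch accepts aliases (`case 'synth': case 'synthesize':`), so an alias presumably becomes the property name as typed. `UserInput` declares only the canonical property (`synth` after the rename), and because `convertYargsToUserInput` receives `args: any` the compiler cannot flag options landing under a key the interface does not know. Consider having each generated case group record the canonical command name and using that for both fields, or at least document the behaviour on `buildUserInput` with `// NOTE: args._[0] is the command as typed and may be an alias`. The body of `buildUserInput` continues past the end of this hunk.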
@@ -169,7 +169,7 @@ describe('render', () => { /** * The CLI command name */ - readonly _?: Command; + readonly command?: Command; /** * Global options available to all CLI commands @@ -251,7 +251,7 @@ describe('render', () => { /** * The CLI command name */ - readonly _?: Command; + readonly command?: Command; /** * Global options available to all CLI commands From c3ff8211f8d753925323bda5aca2cb7576967216 Mon Sep 17 00:00:00 2001 From: Ian Hou <45278651+iankhou@users.noreply.github.com> Date: Fri, 10 Jan 2025 10:20:54 -0500 Subject: [PATCH 09/17] chore(lambda): fix snapstart warning grammar issue (#32829) ### Issue #32210 Closes #32210 ### Reason for this change Incorrect grammar in a SnapStart warning that appears during cdk deployment. ### Description of changes Corrected the line: `SnapStart only support published Lambda versions. Ignore if function already have published versions` to: `SnapStart only supports published Lambda versions. Ignore if function already has published versions.` ### Describe any new or updated permissions being added No permissions changes. ### Description of how you validated changes No testing needed, only changed text in a warning. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/aws-cdk-lib/aws-lambda/lib/function.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-lambda/lib/function.ts b/packages/aws-cdk-lib/aws-lambda/lib/function.ts index ad239483b50ef..68dc147ac5d3b 100644 --- a/packages/aws-cdk-lib/aws-lambda/lib/function.ts +++ b/packages/aws-cdk-lib/aws-lambda/lib/function.ts 
@@ -1620,7 +1620,7 @@ Environment variables can be marked for removal when used in Lambda@Edge by sett // so it can't be checked at function set up time // SnapStart supports the Java 11 and Java 17 (java11 and java17) managed runtimes. // See https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html - Annotations.of(this).addWarningV2('@aws-cdk/aws-lambda:snapStartRequirePublish', 'SnapStart only support published Lambda versions. Ignore if function already have published versions'); + Annotations.of(this).addWarningV2('@aws-cdk/aws-lambda:snapStartRequirePublish', 'SnapStart only supports published Lambda versions. Ignore if function already has published versions.'); if (!props.runtime.supportsSnapStart) { throw new ValidationError(`SnapStart currently not supported by runtime ${props.runtime.name}`, this); From c997022bf587e3aca96e07b87d5cad120e71e09b Mon Sep 17 00:00:00 2001 
From: yuanhaoz Date: Thu, 9 Jan 2025 13:58:45 -0800 Subject: [PATCH 10/17] feat(core): enable additional metadata collection --- ...efaultTestDeployAssert3F14AD57.assets.json | 19 + ...aultTestDeployAssert3F14AD57.template.json | 311 +++++++++++++++ .../EnableTelemtryStack.assets.json | 19 + .../EnableTelemtryStack.template.json | 369 ++++++++++++++++++ .../cdk.out | 1 + .../integ.json | 12 + .../manifest.json | 190 +++++++++ .../tree.json | 313 +++++++++++++++ .../test/integ.enable-additional-metadata.ts | 37 ++ .../aws-cdk-lib/core/lib/metadata-resource.ts | 22 ++ .../core/lib/private/metadata-resource.ts | 24 +- .../core/lib/private/runtime-info.ts | 87 ++++- .../core/test/metadata-resource.test.ts | 41 +- .../core/test/private/runtime-info.test.ts | 93 +++++ packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md | 4 +- packages/aws-cdk-lib/cx-api/README.md | 18 + packages/aws-cdk-lib/cx-api/lib/features.ts | 15 + packages/aws-cdk-lib/package.json | 1 + .../recommended-feature-flags.json | 3 +- 19 files changed, 1563 insertions(+), 16 deletions(-) create mode 100644 packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/cdk.out create mode 100644 
packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/integ.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/tree.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.ts create mode 100644 packages/aws-cdk-lib/core/lib/metadata-resource.ts create mode 100644 packages/aws-cdk-lib/core/test/private/runtime-info.test.ts diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets.json new file mode 100644 index 0000000000000..f9c69df08d490 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets.json @@ -0,0 +1,19 @@ +{ + "version": "39.0.0", + "files": { + "d1a201f6686b51e0991e72889d4bd4a576adc2c45fed86dbb7418437b2cb3251": { + "source": { + "path": "EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "d1a201f6686b51e0991e72889d4bd4a576adc2c45fed86dbb7418437b2cb3251.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.template.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.template.json new file mode 100644 index 0000000000000..4db2325abb27a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.template.json 
@@ -0,0 +1,311 @@ +{ + "Resources": { + "CDKMetadata": { + "Type": "AWS::CDK::Metadata", + "Properties": { + "Analytics": "v2:deflate64:H4sIAAAAAAAA/zPQM9AzUEwsL9ZNTsnWzclM0gsuSUzO1snLT0nVyyrWLzMy0DM00jNSzCrOzNQtKs0rycxN1QuC0ADFzrfTPQAAAA==" + }, + "Condition": "CDKMetadataAvailable" + } + }, + "Conditions": { + "CDKMetadataAvailable": { + "Fn::Or": [ + { + "Fn::Or": [ + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "af-south-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-east-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-northeast-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-northeast-2" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-northeast-3" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-south-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-south-2" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-southeast-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-southeast-2" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-southeast-3" + ] + } + ] + }, + { + "Fn::Or": [ + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-southeast-4" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ca-central-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ca-west-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "cn-north-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "cn-northwest-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-central-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-central-2" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-north-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-south-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-south-2" + ] + } + ] + 
}, + { + "Fn::Or": [ + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-west-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-west-2" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-west-3" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "il-central-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "me-central-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "me-south-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "sa-east-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "us-east-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "us-east-2" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "us-west-1" + ] + } + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "us-west-2" + ] + } + ] + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.assets.json new file mode 100644 index 0000000000000..a3cdf26389b7a --- /dev/null 
+++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.assets.json @@ -0,0 +1,19 @@ +{ + "version": "39.0.0", + "files": { + "9febe67ad809636564602131bb0c8b1291904d92789bd3e6803a3cb2409d768b": { + "source": { + "path": "EnableTelemtryStack.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "9febe67ad809636564602131bb0c8b1291904d92789bd3e6803a3cb2409d768b.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.template.json new file mode 100644 index 0000000000000..4ddaba9ac1273 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.template.json 
@@ -0,0 +1,369 @@ +{ + "Resources": { + "01234test13C610BE": { + "Type": "AWS::SQS::Queue", + "Properties": { + "VisibilityTimeout": 300 + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "MyFunctionServiceRole3C357FF2": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "MyFunction3BAA72D1": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "def handler(event, context):\n\tprint('The function has been invoked.')" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyFunctionServiceRole3C357FF2", + "Arn" + ] + }, + "Runtime": "python3.8" + }, + "DependsOn": [ + "MyFunctionServiceRole3C357FF2" + ] + }, + "CDKMetadata": { + "Type": "AWS::CDK::Metadata", + "Properties": { + "Analytics": "v2:deflate64:H4sIAAAAAAAA/5WQTU/DMAyGfws5oiyMHXsF8SGBBBviMiHkpt4wS50RJ0xTlf+OmrbAEU7+iP3meT03czM/gYPMbLObOapNt4pgdxoO8trJh5juMWHCdaficY+qUnCQyja7ChjcMZKVynqWGJKNSqsGIqiqU58kVJOjeHyiFn2KfRNanziqSp0qrRJTaTqo0Y09En/3u+R7co6klDnn/KIvNlx4snbQ1g2Y7iqxjeT5v4QhcaQW+5Shj+VLSfu9D1Fu2RHjhW9QVTEk1GoDLbnjN+gzBILaoao24AS1qhM3jnh76e0Ow20L26JNQ1K2XktxA/I2OPpZ+uP4RNdzXaeQHoLfUL8/QU4DK4b9KkKII17W6g24cRhGbVucdWMcPQ2mB63p2tN5syZoTbf0Dtfloc9y1ksUn4LF9UvW7Bs073L2uZib84VZnLwL0Ww8tFkO8Qsy2kO1cgIAAA==" + }, + "Condition": "CDKMetadataAvailable" + } + }, + "Conditions": { + "CDKMetadataAvailable": { + "Fn::Or": [ + { + "Fn::Or": [ + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "af-south-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-east-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-northeast-1" + ] + 
}, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-northeast-2" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-northeast-3" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-south-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-south-2" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-southeast-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-southeast-2" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-southeast-3" + ] + } + ] + }, + { + "Fn::Or": [ + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-southeast-4" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ca-central-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ca-west-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "cn-north-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "cn-northwest-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-central-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-central-2" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-north-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-south-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-south-2" + ] + } + ] + }, + { + "Fn::Or": [ + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-west-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-west-2" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-west-3" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "il-central-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "me-central-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "me-south-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "sa-east-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": 
"AWS::Region" + }, + "us-east-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "us-east-2" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "us-west-1" + ] + } + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "us-west-2" + ] + } + ] + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/cdk.out new file mode 100644 index 0000000000000..91e1a8b9901d5 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"39.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/integ.json new file mode 100644 index 0000000000000..6d5977883c3cb --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/integ.json 
@@ -0,0 +1,12 @@ +{ + "version": "39.0.0", + "testCases": { + "Enable Additional Metadata/DefaultTest": { + "stacks": [ + "EnableTelemtryStack" + ], + "assertionStack": "Enable Additional Metadata/DefaultTest/DeployAssert", + "assertionStackName": "EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/manifest.json new file mode 100644 index 0000000000000..d78fe74894290 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/manifest.json 
@@ -0,0 +1,190 @@ +{ + "version": "39.0.0", + "artifacts": { + "EnableTelemtryStack.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "EnableTelemtryStack.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "EnableTelemtryStack": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "EnableTelemtryStack.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/9febe67ad809636564602131bb0c8b1291904d92789bd3e6803a3cb2409d768b.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "EnableTelemtryStack.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "EnableTelemtryStack.assets" + ], + "metadata": { + "/EnableTelemtryStack/01234test": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "visibilityTimeout": { + "amount": 300, + "unit": { + "label": "seconds", + "isoLabel": "S", + "inMillis": 1000 + } + } + } + } + ], + "/EnableTelemtryStack/01234test/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "01234test13C610BE" + } + ], + "/EnableTelemtryStack/MyFunction": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "runtime": { + "name": 
"python3.8", + "supportsInlineCode": true, + "family": 2, + "isVariable": false, + "bundlingDockerImage": { + "image": "public.ecr.aws/sam/build-python3.8" + }, + "bundlingImage": { + "image": "public.ecr.aws/sam/build-python3.8" + }, + "supportsCodeGuruProfiling": true, + "supportsSnapStart": false + }, + "handler": "index.handler", + "code": { + "code": "def handler(event, context):\n\tprint('The function has been invoked.')", + "isInline": true + } + } + } + ], + "/EnableTelemtryStack/MyFunction/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyFunctionServiceRole3C357FF2" + } + ], + "/EnableTelemtryStack/MyFunction/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyFunction3BAA72D1" + } + ], + "/EnableTelemtryStack/CDKMetadata/Default": [ + { + "type": "aws:cdk:logicalId", + "data": "CDKMetadata" + } + ], + "/EnableTelemtryStack/CDKMetadata/Condition": [ + { + "type": "aws:cdk:logicalId", + "data": "CDKMetadataAvailable" + } + ], + "/EnableTelemtryStack/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/EnableTelemtryStack/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "EnableTelemtryStack" + }, + "EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": 
"arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d1a201f6686b51e0991e72889d4bd4a576adc2c45fed86dbb7418437b2cb3251.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets" + ], + "metadata": { + "/Enable Additional Metadata/DefaultTest/DeployAssert/CDKMetadata/Default": [ + { + "type": "aws:cdk:logicalId", + "data": "CDKMetadata" + } + ], + "/Enable Additional Metadata/DefaultTest/DeployAssert/CDKMetadata/Condition": [ + { + "type": "aws:cdk:logicalId", + "data": "CDKMetadataAvailable" + } + ], + "/Enable Additional Metadata/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/Enable Additional Metadata/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "Enable Additional Metadata/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/tree.json new file mode 100644 index 0000000000000..6aa4f30c3198e --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/tree.json 
@@ -0,0 +1,313 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "EnableTelemtryStack": { + "id": "EnableTelemtryStack", + "path": "EnableTelemtryStack", + "children": { + "01234test": { + "id": "01234test", + "path": "EnableTelemtryStack/01234test", + "children": { + "Resource": { + "id": "Resource", + "path": "EnableTelemtryStack/01234test/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::SQS::Queue", + "aws:cdk:cloudformation:props": { + "visibilityTimeout": 300 + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_sqs.CfnQueue", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_sqs.Queue", + "version": "0.0.0", + "metadata": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "visibilityTimeout": { + "amount": "*", + "unit": { + "label": "*", + "isoLabel": "*", + "inMillis": "*" + } + } + } + } + ] + } + }, + "MyFunction": { + "id": "MyFunction", + "path": "EnableTelemtryStack/MyFunction", + "children": { + "ServiceRole": { + "id": "ServiceRole", + "path": "EnableTelemtryStack/MyFunction/ServiceRole", + "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "EnableTelemtryStack/MyFunction/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0", + "metadata": [] + } + }, + "Resource": { + "id": "Resource", + "path": "EnableTelemtryStack/MyFunction/ServiceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": 
"aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0", + "metadata": [] + } + }, + "Resource": { + "id": "Resource", + "path": "EnableTelemtryStack/MyFunction/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Function", + "aws:cdk:cloudformation:props": { + "code": { + "zipFile": "def handler(event, context):\n\tprint('The function has been invoked.')" + }, + "handler": "index.handler", + "role": { + "Fn::GetAtt": [ + "MyFunctionServiceRole3C357FF2", + "Arn" + ] + }, + "runtime": "python3.8" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnFunction", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.Function", + "version": "0.0.0", + "metadata": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "runtime": { + "name": "*", + "supportsInlineCode": true, + "family": "*", + "isVariable": false, + "bundlingDockerImage": { + "image": "*", + "_imageHash": "*" + }, + "bundlingImage": { + "image": "*", + "_imageHash": "*" + }, + "supportsCodeGuruProfiling": true, + "supportsSnapStart": false + }, + "handler": "*", + "code": { + "code": "*", + "isInline": true + } + } + } + ] + } + }, + "CDKMetadata": { + "id": "CDKMetadata", + "path": "EnableTelemtryStack/CDKMetadata", + "children": { + "Default": { + "id": "Default", + "path": "EnableTelemtryStack/CDKMetadata/Default", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnResource", + "version": "0.0.0" + } + }, + "Condition": { + "id": "Condition", + "path": "EnableTelemtryStack/CDKMetadata/Condition", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnCondition", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.4.2" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "EnableTelemtryStack/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": 
"0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "EnableTelemtryStack/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "Enable Additional Metadata": { + "id": "Enable Additional Metadata", + "path": "Enable Additional Metadata", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "Enable Additional Metadata/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "Enable Additional Metadata/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.4.2" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "Enable Additional Metadata/DefaultTest/DeployAssert", + "children": { + "CDKMetadata": { + "id": "CDKMetadata", + "path": "Enable Additional Metadata/DefaultTest/DeployAssert/CDKMetadata", + "children": { + "Default": { + "id": "Default", + "path": "Enable Additional Metadata/DefaultTest/DeployAssert/CDKMetadata/Default", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnResource", + "version": "0.0.0" + } + }, + "Condition": { + "id": "Condition", + "path": "Enable Additional Metadata/DefaultTest/DeployAssert/CDKMetadata/Condition", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnCondition", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.4.2" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "Enable Additional Metadata/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "Enable Additional Metadata/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + 
"version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.4.2" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.ts b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.ts new file mode 100644 index 0000000000000..06d822f3e9764 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.ts 
@@ -0,0 +1,37 @@ +import * as cdk from 'aws-cdk-lib/core'; +import * as integ from '@aws-cdk/integ-tests-alpha'; +import * as lambda from 'aws-cdk-lib/aws-lambda'; +import * as sqs from 'aws-cdk-lib/aws-sqs'; +import { ENABLE_ADDITIONAL_METADATA_COLLECTION } from 'aws-cdk-lib/cx-api'; +import { MetadataType } from 'aws-cdk-lib/core/lib/metadata-resource'; + +/** + * This test creates resources using alphanumeric logical IDs. + */ + +const app = new cdk.App({ + analyticsReporting: true, + postCliContext: { + [ENABLE_ADDITIONAL_METADATA_COLLECTION]: true, + }, +}); + +const stack = new cdk.Stack(app, 'EnableTelemtryStack'); + +const queueProp = { + visibilityTimeout: cdk.Duration.seconds(300), +}; +const queue = new sqs.Queue(stack, '01234test', queueProp); +queue.node.addMetadata(MetadataType.CONSTRUCT, queueProp); + +const funcProp = { + runtime: lambda.Runtime.PYTHON_3_8, + handler: 'index.handler', + code: lambda.Code.fromInline('def handler(event, context):\n\tprint(\'The function has been invoked.\')'), +}; +const func = new lambda.Function(stack, 'MyFunction', funcProp); +func.node.addMetadata(MetadataType.CONSTRUCT, funcProp); + +new integ.IntegTest(app, 'Enable Additional Metadata', { + testCases: [stack], +}); diff --git a/packages/aws-cdk-lib/core/lib/metadata-resource.ts b/packages/aws-cdk-lib/core/lib/metadata-resource.ts new file mode 100644 index 0000000000000..0fccef20f3334 --- /dev/null +++ b/packages/aws-cdk-lib/core/lib/metadata-resource.ts 
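Review bot: Both `node.addMetadata(MetadataType.CONSTRUCT, …)` calls pass the raw props object, and the manifest.json snapshot added by this same commit records those values verbatim (the inline handler source and the expanded `Runtime` object), while only the copy in tree.json is masked with `*`. For props that can hold sensitive values, this means the unmasked data is written into the cloud assembly regardless of what is later sent as analytics; the masking code is outside this view, so where it runs is inferred from the two snapshots. I would state this in the test, e.g. `// addMetadata stores props verbatim in manifest.json; only the analytics/tree copy is masked`, and add a check that the masked form is what reaches the `Analytics` property. The header comment `This test creates resources using alphanumeric logical IDs.` also does not describe what this test covers.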
@@ -0,0 +1,22 @@ +/** + * Enumeration of metadata types used for tracking analytics in AWS CDK. + */ +export enum MetadataType { + /** + * Metadata type for construct properties. + * This is used to represent properties of CDK constructs. + */ + CONSTRUCT = 'aws:cdk:analytics:construct', + + /** + * Metadata type for method properties. + * This is used to track parameters and details of CDK method calls. + */ + METHOD = 'aws:cdk:analytics:method', + + /** + * Metadata type for feature flags. + * This is used to track analytics related to feature flags in the CDK. + */ + FEATURE_FLAGS = 'aws:cdk:analytics:featureflag', +} diff --git a/packages/aws-cdk-lib/core/lib/private/metadata-resource.ts b/packages/aws-cdk-lib/core/lib/private/metadata-resource.ts index 494fd33bf7790..6c808bdc28872 100644 --- a/packages/aws-cdk-lib/core/lib/private/metadata-resource.ts +++ b/packages/aws-cdk-lib/core/lib/private/metadata-resource.ts @@ -1,11 +1,13 @@ import * as zlib from 'zlib'; import { Construct } from 'constructs'; import { ConstructInfo, constructInfoFromStack } from './runtime-info'; +import * as cxapi from '../../../cx-api'; import { RegionInfo } from '../../../region-info'; import { CfnCondition } from '../cfn-condition'; import { Fn } from '../cfn-fn'; import { Aws } from '../cfn-pseudo'; import { CfnResource } from '../cfn-resource'; +import { FeatureFlags } from '../feature-flags'; import { Lazy } from '../lazy'; import { Stack } from '../stack'; import { Token } from '../token'; 
@@ -17,11 +19,13 @@ export class MetadataResource extends Construct { constructor(scope: Stack, id: string) { super(scope, id); const metadataServiceExists = Token.isUnresolved(scope.region) || RegionInfo.get(scope.region).cdkMetadataResourceAvailable; + const enableAdditionalTelemtry = FeatureFlags.of(scope).isEnabled(cxapi.ENABLE_ADDITIONAL_METADATA_COLLECTION) ?? false; if (metadataServiceExists) { + const constructInfo = constructInfoFromStack(scope); const resource = new CfnResource(this, 'Default', { type: 'AWS::CDK::Metadata', properties: { - Analytics: Lazy.string({ produce: () => formatAnalytics(constructInfoFromStack(scope)) }), + Analytics: Lazy.string({ produce: () => formatAnalytics(constructInfo, enableAdditionalTelemtry) }), }, }); @@ -76,9 +80,16 @@ class Trie extends Map { } * * Exported/visible for ease of testing. */ -export function formatAnalytics(infos: ConstructInfo[]) { +export function formatAnalytics(infos: ConstructInfo[], enableAdditionalTelemtry: boolean = false) { const trie = new Trie(); - infos.forEach(info => insertFqnInTrie(`${info.version}!${info.fqn}`, trie)); + + // only append additional telemetry information to prefix encoding and gzip compress + // if feature flag is enabled; otherwise keep the old behaviour. + if (enableAdditionalTelemtry) { + infos.forEach(info => insertFqnInTrie(`${info.version}!${info.fqn}`, trie, info.metadata)); + } else { + infos.forEach(info => insertFqnInTrie(`${info.version}!${info.fqn}`, trie)); + } const plaintextEncodedConstructs = prefixEncodeTrie(trie); const compressedConstructsBuffer = zlib.gzipSync(Buffer.from(plaintextEncodedConstructs)); 
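Review bot: `const constructInfo = constructInfoFromStack(scope);` now runs in the constructor, whereas the removed line called it inside the `Lazy.string` producer. The construct list is therefore fixed when `MetadataResource` is created, and any construct added to the stack afterwards would be missing from Analytics. If that is not intended, keep the call lazy and pass only the flag through: `produce: () => formatAnalytics(constructInfoFromStack(scope), enableAdditionalTelemtry)`. The constructor continues past the end of this hunk, so whether later code depends on the eager value cannot be seen here.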
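Review bot: The parameter name `enableAdditionalTelemtry` is misspelled (it should read `Telemetry`) in an exported signature. The same spelling is used in the `MetadataResource` constructor hunk and in the new unit tests, so renaming it now is cheaper than later. The two `forEach` branches differ only in the third argument and can be a single call that passes `enableAdditionalTelemtry ? info.metadata : undefined`, which keeps the opt-in decision in one visible expression.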
@@ -103,12 +114,17 @@ export function formatAnalytics(infos: ConstructInfo[]) { * Splits after non-alphanumeric characters (e.g., '.', '/') in the FQN * and insert each piece of the FQN in nested map (i.e., simple trie). */ -function insertFqnInTrie(fqn: string, trie: Trie) { +function insertFqnInTrie(fqn: string, trie: Trie, metadata?: Record[]) { for (const fqnPart of fqn.replace(/[^a-z0-9]/gi, '$& ').split(' ')) { const nextLevelTreeRef = trie.get(fqnPart) ?? new Trie(); trie.set(fqnPart, nextLevelTreeRef); trie = nextLevelTreeRef; } + + // if 'metadata' is defined, add it to end of Trie + if (metadata) { + trie.set(JSON.stringify(metadata), new Trie()); + } return trie; } diff --git a/packages/aws-cdk-lib/core/lib/private/runtime-info.ts b/packages/aws-cdk-lib/core/lib/private/runtime-info.ts index 6371b6bc84138..1323f8da0ffd8 100644 --- a/packages/aws-cdk-lib/core/lib/private/runtime-info.ts +++ b/packages/aws-cdk-lib/core/lib/private/runtime-info.ts @@ -1,5 +1,7 @@ -import { IConstruct } from 'constructs'; +import { IConstruct, MetadataEntry } from 'constructs'; import { App } from '../app'; +import { MetadataType } from '../metadata-resource'; +import { Resource } from '../resource'; import { Stack } from '../stack'; import { Stage } from '../stage'; import { IPolicyValidationPluginBeta1 } from '../validation'; @@ -24,6 +26,7 @@ const JSII_RUNTIME_SYMBOL = Symbol.for('jsii.rtti'); export interface ConstructInfo { readonly fqn: string; readonly version: string; + readonly metadata?: Record[]; } export function constructInfoFromConstruct(construct: IConstruct): ConstructInfo | undefined { 
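Review bot: `if (metadata)` is also true for an empty array, and `redactTelemetryData` returns `[]` for a resource with no analytics entries, so with the flag on every such resource would get a literal `[]` child in the trie; `if (metadata?.length) {` avoids that. The JSON text is stored as a trie key, and the expected strings in the tests show the prefix encoding already uses `{`, `,` and `}` as grouping characters. A consumer therefore needs JSON-aware parsing to find where the metadata ends, and a comment here stating how the suffix is delimited would help. `prefixEncodeTrie` is not in this hunk, so how it emits the extra key is inferred from the test output.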
@@ -32,7 +35,11 @@ export function constructInfoFromConstruct(construct: IConstruct): ConstructInfo && jsiiRuntimeInfo !== null && typeof jsiiRuntimeInfo.fqn === 'string' && typeof jsiiRuntimeInfo.version === 'string') { - return { fqn: jsiiRuntimeInfo.fqn, version: jsiiRuntimeInfo.version }; + return { + fqn: jsiiRuntimeInfo.fqn, + version: jsiiRuntimeInfo.version, + metadata: isResource(construct) ? redactTelemetryData(construct.node.metadata) : undefined, + }; } else if (jsiiRuntimeInfo) { // There is something defined, but doesn't match our expectations. Fail fast and hard. throw new Error(`malformed jsii runtime info for construct: '${construct.node.path}'`); 
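Review bot: `redactTelemetryData(construct.node.metadata)` runs for every resource regardless of `ENABLE_ADDITIONAL_METADATA_COLLECTION`. The flag is consulted only later in `formatAnalytics`, so `ConstructInfo.metadata` is populated even when the user has not opted in. Collecting nothing when the flag is off is the safer shape, because no other reader of `ConstructInfo` can then pick the data up by accident. One option is a new boolean parameter (name is a suggestion only): `metadata: collectMetadata && isResource(construct) ? redactTelemetryData(construct.node.metadata) : undefined,`. The function starts above this hunk, so its signature is not visible here.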
@@ -40,6 +47,56 @@ export function constructInfoFromConstruct(construct: IConstruct): ConstructInfo return undefined; } +/** + * Filter for Construct, Method, and Feature flag metadata. Redact values from it. + * + * @param metadata a list of metadata entries + */ +export function redactTelemetryData(metadata: MetadataEntry[]): Record[] { + const validTypes = new Set([ + MetadataType.CONSTRUCT, + MetadataType.METHOD, + MetadataType.FEATURE_FLAGS, + ]); + + return metadata + .filter((entry) => validTypes.has(entry.type as MetadataType)) + .map((entry) => ({ + type: entry.type, + data: redactTelemetryDataHelper(entry.data), + })); +} + +/** + * Redact values from dictionary values other than Boolean and ENUM-type values. + * @TODO complete the ENUM-type values redaction in a follow-up change. + */ +function redactTelemetryDataHelper(data: any): any { + if (typeof data === 'boolean') { + return data; // Return booleans as-is + } + + if (Array.isArray(data)) { + // Handle arrays by recursively redacting each element + return data.map((item) => redactTelemetryDataHelper(item)); + } + + if (data && typeof data === 'object') { + // Handle objects by iterating over their key-value pairs + if (isResource(data)) { + return '*'; + } + + const result: Record = {}; + for (const [key, value] of Object.entries(data)) { + result[key] = redactTelemetryDataHelper(value); + } + return result; + } + + return '*'; +} + /** * Add analytics data for any validation plugins that are used. * Since validation plugins are not constructs we have to handle them 
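Review bot: `redactTelemetryDataHelper` replaces values with `'*'` but copies every object key unchanged (`result[key] = ...`), so for free-form maps the key is itself user-supplied text. If props such as environment variables or tags are recorded, their key names would reach the Analytics string as written. The docstring on `redactTelemetryData` should state this, for example `Keys are emitted as-is, including keys of free-form maps; only values are redacted.`, or the helper should redact keys of properties known to be maps. The object branch also stops only at `isResource(data)`, so a construct that is not a `Resource`, or a props object containing a reference cycle, is walked without bound. A guard such as `if (Construct.isConstruct(data) || seen.has(data)) { return '*'; }`, with a `WeakSet` threaded through the recursion, would bound the walk.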
@@ -106,14 +163,26 @@ export function constructInfoFromStack(stack: Stack): ConstructInfo[] { addValidationPluginInfo(stack, allConstructInfos); - // Filter out duplicate values - const uniqKeys = new Set(); - return allConstructInfos.filter(construct => { - const constructKey = `${construct.fqn}@${construct.version}`; - const isDuplicate = uniqKeys.has(constructKey); - uniqKeys.add(constructKey); - return !isDuplicate; + // Filter out duplicate values and append the metadata information to the array + const uniqueMap = new Map(); + allConstructInfos.forEach(info => { + const key = `${info.fqn}@${info.version}`; + if (uniqueMap.has(key)) { + const existingInfo = uniqueMap.get(key); + if (existingInfo && existingInfo.metadata && info.metadata) { + existingInfo.metadata.push(...info.metadata); + } + } else { + uniqueMap.set(key, info); + } }); + + return Array.from(uniqueMap.values()); +} + +function isResource(construct: IConstruct): construct is Resource { + const RESOURCE_SYMBOL = Symbol.for('@aws-cdk/core.Resource'); + return construct !== null && typeof(construct) === 'object' && RESOURCE_SYMBOL in construct; } /** diff --git a/packages/aws-cdk-lib/core/test/metadata-resource.test.ts b/packages/aws-cdk-lib/core/test/metadata-resource.test.ts index fa05b0d501f16..fb842d739241e 100644 --- a/packages/aws-cdk-lib/core/test/metadata-resource.test.ts +++ b/packages/aws-cdk-lib/core/test/metadata-resource.test.ts 
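Review bot: The merged `metadata` array now grows with the number of instances of a type (`existingInfo.metadata.push(...info.metadata)`), while the removed filter kept one entry per `fqn@version`. The Analytics property is embedded in the template, so its size is now tied to stack size rather than to the number of distinct construct types. A cap, or de-duplication of identical redacted entries, would keep it bounded. `isResource` also rebuilds `Symbol.for('@aws-cdk/core.Resource')` on every call and repeats a key that presumably lives in `resource.ts`; hoisting it to a module constant with a comment naming the source would keep the two from drifting apart.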
@@ -1,6 +1,9 @@ import * as zlib from 'zlib'; import { Construct } from 'constructs'; -import { App, Stack, IPolicyValidationPluginBeta1, IPolicyValidationContextBeta1, Stage, PolicyValidationPluginReportBeta1 } from '../lib'; +import { Code, Function, Runtime } from '../../aws-lambda'; +import { ENABLE_ADDITIONAL_METADATA_COLLECTION } from '../../cx-api'; +import { App, Stack, IPolicyValidationPluginBeta1, IPolicyValidationContextBeta1, Stage, PolicyValidationPluginReportBeta1, FeatureFlags } from '../lib'; +import { MetadataType } from '../lib/metadata-resource'; import { formatAnalytics } from '../lib/private/metadata-resource'; import { ConstructInfo } from '../lib/private/runtime-info'; 
@@ -49,6 +52,30 @@ describe('MetadataResource', () => { expect(stackTemplate.Resources?.CDKMetadata?.Condition).toBeDefined(); }); + it.each( + [ + [true, { Condition: 'CDKMetadataAvailable', Properties: { Analytics: 'v2:deflate64:H4sIAAAAAAAA/8vLT0nVyyrWLzMy0DM00jNSzCrOzNQtKs0rycxN1QuC0ACoQHZIJQAAAA==' }, Type: 'AWS::CDK::Metadata' }], + [false, { Condition: 'CDKMetadataAvailable', Properties: { Analytics: 'v2:deflate64:H4sIAAAAAAAA/8vLT0nVyyrWLzMy0DM00jNSzCrOzNQtKs0rycxN1QuC0ACoQHZIJQAAAA==' }, Type: 'AWS::CDK::Metadata' }], + [undefined, { Condition: 'CDKMetadataAvailable', Properties: { Analytics: 'v2:deflate64:H4sIAAAAAAAA/8vLT0nVyyrWLzMy0DM00jNSzCrOzNQtKs0rycxN1QuC0ACoQHZIJQAAAA==' }, Type: 'AWS::CDK::Metadata' }], + ], + )('when no metadata is added by default, CDKMetadata should be the same', (enableAdditionalTelemtry, cdkMetadata) => { + const myApp = new App({ + analyticsReporting: true, + }); + myApp.node.setContext(ENABLE_ADDITIONAL_METADATA_COLLECTION, enableAdditionalTelemtry); + const myStack = new Stack(myApp, 'MyStack'); + new Function(myStack, 'MyFunction', { + runtime: Runtime.PYTHON_3_9, + handler: 'index.handler', + code: Code.fromInline( + "def handler(event, context):\n\tprint('The function has been invoked.')", + ), + }); + + const stackTemplate = myApp.synth().getStackByName('MyStack').template; + expect(stackTemplate.Resources?.CDKMetadata).toEqual(cdkMetadata); + }); + test('includes the formatted Analytics property', () => { // A very simple check that the jsii runtime psuedo-construct is present. // This check works whether we're running locally or on CodeBuild, on v1 or v2. 
@@ -162,6 +189,18 @@ describe('formatAnalytics', () => { expectAnalytics(constructInfo, '1.2.3!aws-cdk-lib.{Construct,CfnResource,Stack},0.1.2!aws-cdk-lib.{CoolResource,OtherResource}'); }); + it.each([ + [true, '1.2.3!aws-cdk-lib.Construct[{\"custom\":{\"foo\":\"bar\"}}]'], + [false, '1.2.3!aws-cdk-lib.Construct'], + [undefined, '1.2.3!aws-cdk-lib.Construct'], + ])('format analytics with metadata and enabled additional telemetry', (enableAdditionalTelemtry, output) => { + const constructInfo = [ + { fqn: 'aws-cdk-lib.Construct', version: '1.2.3', metadata: [{ custom: { foo: 'bar' } }] }, + ]; + + expect(plaintextConstructsFromAnalytics(formatAnalytics(constructInfo, enableAdditionalTelemtry))).toMatch(output); + }); + test('ensure gzip is encoded with "unknown" operating system to maintain consistent output across systems', () => { const constructInfo = [{ fqn: 'aws-cdk-lib.Construct', version: '1.2.3' }]; const analytics = formatAnalytics(constructInfo); diff --git a/packages/aws-cdk-lib/core/test/private/runtime-info.test.ts b/packages/aws-cdk-lib/core/test/private/runtime-info.test.ts new file mode 100644 index 0000000000000..ac1d506d4f05d --- /dev/null +++ b/packages/aws-cdk-lib/core/test/private/runtime-info.test.ts 
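Review bot: `toMatch(output)` with a string argument is a substring check, so the `false` and `undefined` rows, which expect `'1.2.3!aws-cdk-lib.Construct'`, would still pass if the metadata suffix were emitted with the flag off. Since this test guards the opt-in, it should compare exactly: `expect(plaintextConstructsFromAnalytics(formatAnalytics(constructInfo, enableAdditionalTelemtry))).toEqual(output);`. `plaintextConstructsFromAnalytics` is defined outside this hunk, so this assumes it returns the decoded string unchanged.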
@@ -0,0 +1,93 @@ +import { MetadataEntry } from 'constructs'; +import { Code, Function, Runtime } from '../../../aws-lambda'; +import { Stack } from '../../lib'; +import { MetadataType } from '../../lib/metadata-resource'; +import { + constructInfoFromConstruct, + redactTelemetryData, +} from '../../lib/private/runtime-info'; + +test('test constructInfoFromConstruct can correctly get metadata information', () => { + const stack = new Stack(); + const myFunction = new Function(stack, 'MyFunction', { + runtime: Runtime.PYTHON_3_9, + handler: 'index.handler', + code: Code.fromInline( + "def handler(event, context):\n\tprint('The function has been invoked.')", + ), + }); + myFunction.node.addMetadata('hello', 'foo'); + myFunction.node.addMetadata(MetadataType.CONSTRUCT, { foo: 'bar' }); + + const constructInfo = constructInfoFromConstruct(myFunction); + expect(constructInfo?.metadata).toEqual([ + { type: MetadataType.CONSTRUCT, data: { foo: '*' } }, + ]); +}); + +test('test metadata is redacted correctly', () => { + const stack = new Stack(); + const myFunction = new Function(stack, 'MyFunction', { + runtime: Runtime.PYTHON_3_9, + handler: 'index.handler', + code: Code.fromInline( + "def handler(event, context):\n\tprint('The function has been invoked.')", + ), + }); + + const metadata: MetadataEntry[] = [ + { type: 'foo', data: { hello: 'world' } }, + { + type: MetadataType.CONSTRUCT, + data: { + bool: true, + nested: { foo: 'bar' }, + arr: [1, 2, 3], + str: 'foo', + arrOfObjects: [{ foo: { hello: 'world' } }, { myFunc: myFunction }], + }, + }, + { + type: MetadataType.METHOD, + data: { bool: true, nested: { foo: 'bar' }, arr: [1, 2, 3], str: 'foo' }, + }, + { + type: MetadataType.FEATURE_FLAGS, + data: 'foobar', + }, + { + type: 'aws:cdk:analytics:construct', + data: 'foo', + }, + ]; + + expect(redactTelemetryData(metadata)).toEqual([ + { + type: MetadataType.CONSTRUCT, + data: { + bool: true, + nested: { foo: '*' }, + arr: ['*', '*', '*'], + str: '*', + 
arrOfObjects: [{ foo: { hello: '*' } }, { myFunc: '*' }], + }, + }, + { + type: MetadataType.METHOD, + data: { + bool: true, + nested: { foo: '*' }, + arr: ['*', '*', '*'], + str: '*', + }, + }, + { + type: MetadataType.FEATURE_FLAGS, + data: '*', + }, + { + type: 'aws:cdk:analytics:construct', + data: '*', + }, + ]); +}); diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md index 12075ff16f731..9f6fe9017ee75 100644 --- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md +++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md @@ -87,6 +87,7 @@ Flags come in three types: | [@aws-cdk/aws-ecs:disableEcsImdsBlocking](#aws-cdkaws-ecsdisableecsimdsblocking) | When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)** | V2NEXT | (temporary) | | [@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature](#aws-cdkaws-ecsenableimdsblockingdeprecatedfeature) | When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)** | V2NEXT | (temporary) | | [@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault](#aws-cdkaws-elasticloadbalancingv2albdualstackwithoutpublicipv4securitygrouprulesdefault) | When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere | V2NEXT | (fix) | +| [@aws-cdk/core:enableAdditionalMetadataCollection](#aws-cdkcoreenableadditionalmetadatacollection) | When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues. | V2NEXT | (config) | 
@@ -161,7 +162,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": true, "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true, "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true, - "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true, + "@aws-cdk/core:enableAdditionalMetadataCollection": true } } ``` diff --git a/packages/aws-cdk-lib/cx-api/README.md b/packages/aws-cdk-lib/cx-api/README.md index 46da524a70ede..bb03f06fa7a24 100644 --- a/packages/aws-cdk-lib/cx-api/README.md +++ b/packages/aws-cdk-lib/cx-api/README.md @@ -576,3 +576,21 @@ _cdk.json_ } } ``` + +* `@aws-cdk/core:enableAdditionalMetadataCollection` + +When this feature flag is enabled, CDK expands the scope of usage data collection to include the: + +* L2 construct property keys - Collect which property keys you use from the L2 constructs in your app. This includes property keys nested in dictionary objects. +* L2 construct property values of BOOL and ENUM types - Collect property key values of only BOOL and ENUM types. All other types, such as string values or construct references will be redacted. +* L2 construct method usage - Collection method name, parameter keys and parameter values of BOOL and ENUM type. + +_cdk.json_ + +```json +{ + "context": { + "@aws-cdk/core:enableAdditionalMetadataCollection": true + } +} +``` diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index b50c93df54da0..9d20a24930233 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts 
@@ -121,6 +121,7 @@ export const USER_POOL_DOMAIN_NAME_METHOD_WITHOUT_CUSTOM_RESOURCE = '@aws-cdk/aw export const Enable_IMDS_Blocking_Deprecated_Feature = '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature'; export const Disable_ECS_IMDS_Blocking = '@aws-cdk/aws-ecs:disableEcsImdsBlocking'; export const ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT = '@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault'; +export const ENABLE_ADDITIONAL_METADATA_COLLECTION = '@aws-cdk/core:enableAdditionalMetadataCollection'; export const FLAGS: Record = { ////////////////////////////////////////////////////////////////////// @@ -1355,6 +1356,20 @@ export const FLAGS: Record = { recommendedValue: true, compatibilityWithOldBehaviorMd: 'Disable the feature flag to only allow IPv4 ingress in the default security group rules.', }, + + ////////////////////////////////////////////////////////////////////// + [ENABLE_ADDITIONAL_METADATA_COLLECTION]: { + type: FlagType.VisibleContext, + summary: 'When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues.', + detailsMd: ` + When this feature flag is enabled, CDK expands the scope of usage data collection to include the following: + * L2 construct property keys - Collect which property keys you use from the L2 constructs in your app. This includes property keys nested in dictionary objects. + * L2 construct property values of BOOL and ENUM types - Collect property key values of only BOOL and ENUM types. All other types, such as string values or construct references will be redacted. + * L2 construct method usage - Collection method name, parameter keys and parameter values of BOOL and ENUM type. + `, + introducedIn: { v2: 'V2NEXT' }, + recommendedValue: true, + }, }; const CURRENT_MV = 'v2'; 
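Review bot: The new `FLAGS` entry sets `recommendedValue: true` for a flag that widens data collection, and `detailsMd` does not say how to turn it off. Projects that take the recommended flags are therefore opted in, with no opt-out text in the generated docs. I would add a closing line to `detailsMd` such as `Set this flag to false in the context of cdk.json to keep the previous usage data only.` The text also says ENUM values are collected, while `redactTelemetryDataHelper` in this patch passes only booleans through and its docstring marks enums as a follow-up. The third bullet should read `Collect method name` rather than `Collection method name`.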
diff --git a/packages/aws-cdk-lib/package.json b/packages/aws-cdk-lib/package.json index 724c217e5f760..1829fa06c524e 100644 --- a/packages/aws-cdk-lib/package.json +++ b/packages/aws-cdk-lib/package.json @@ -496,6 +496,7 @@ "./cloud-assembly-schema": "./cloud-assembly-schema/index.js", "./cloudformation-include": "./cloudformation-include/index.js", "./core": "./core/index.js", + "./core/lib/metadata-resource": "./core/lib/metadata-resource.js", "./core/lib/helpers-internal": "./core/lib/helpers-internal/index.js", "./custom-resources": "./custom-resources/index.js", "./custom-resources/lib/helpers-internal": "./custom-resources/lib/helpers-internal/index.js", diff --git a/packages/aws-cdk-lib/recommended-feature-flags.json b/packages/aws-cdk-lib/recommended-feature-flags.json index 71285e804b547..74b67518cee72 100644 --- a/packages/aws-cdk-lib/recommended-feature-flags.json +++ b/packages/aws-cdk-lib/recommended-feature-flags.json @@ -61,5 +61,6 @@ "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": true, "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": true, "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true, - "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true, + "@aws-cdk/core:enableAdditionalMetadataCollection": true } \ No newline at end of file From 9f27e6fdfd8a37db9639d0d5b9a388401b15cf92 Mon Sep 17 00:00:00 2001 From: yuanhaoz Date: Thu, 9 Jan 2025 17:01:19 -0800 Subject: [PATCH 11/17] update enum name --- packages/aws-cdk-lib/core/lib/metadata-resource.ts | 2 +- packages/aws-cdk-lib/core/lib/private/runtime-info.ts | 2 +- packages/aws-cdk-lib/core/test/private/runtime-info.test.ts | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/packages/aws-cdk-lib/core/lib/metadata-resource.ts b/packages/aws-cdk-lib/core/lib/metadata-resource.ts index 0fccef20f3334..3d18f592b3054 100644 
--- a/packages/aws-cdk-lib/core/lib/metadata-resource.ts +++ b/packages/aws-cdk-lib/core/lib/metadata-resource.ts @@ -18,5 +18,5 @@ export enum MetadataType { * Metadata type for feature flags. * This is used to track analytics related to feature flags in the CDK. */ - FEATURE_FLAGS = 'aws:cdk:analytics:featureflag', + FEATURE_FLAG = 'aws:cdk:analytics:featureflag', } diff --git a/packages/aws-cdk-lib/core/lib/private/runtime-info.ts b/packages/aws-cdk-lib/core/lib/private/runtime-info.ts index 1323f8da0ffd8..65d398689d7e2 100644 --- a/packages/aws-cdk-lib/core/lib/private/runtime-info.ts +++ b/packages/aws-cdk-lib/core/lib/private/runtime-info.ts @@ -56,7 +56,7 @@ export function redactTelemetryData(metadata: MetadataEntry[]): Record { data: { bool: true, nested: { foo: 'bar' }, arr: [1, 2, 3], str: 'foo' }, }, { - type: MetadataType.FEATURE_FLAGS, + type: MetadataType.FEATURE_FLAG, data: 'foobar', }, { @@ -82,7 +82,7 @@ test('test metadata is redacted correctly', () => { }, }, { - type: MetadataType.FEATURE_FLAGS, + type: MetadataType.FEATURE_FLAG, data: '*', }, { From d15c0f2bf89b34033cbdead3c591ea9d2cef2aa3 Mon Sep 17 00:00:00 2001 From: yuanhaoz Date: Thu, 9 Jan 2025 17:27:03 -0800 Subject: [PATCH 12/17] update unit test --- .../core/test/metadata-resource.test.ts | 58 ++++++++++++------- 1 file changed, 37 insertions(+), 21 deletions(-) diff --git a/packages/aws-cdk-lib/core/test/metadata-resource.test.ts b/packages/aws-cdk-lib/core/test/metadata-resource.test.ts index fb842d739241e..4e137e93058e9 100644 --- a/packages/aws-cdk-lib/core/test/metadata-resource.test.ts +++ b/packages/aws-cdk-lib/core/test/metadata-resource.test.ts 
@@ -52,28 +52,44 @@ describe('MetadataResource', () => { expect(stackTemplate.Resources?.CDKMetadata?.Condition).toBeDefined(); }); - it.each( - [ - [true, { Condition: 'CDKMetadataAvailable', Properties: { Analytics: 'v2:deflate64:H4sIAAAAAAAA/8vLT0nVyyrWLzMy0DM00jNSzCrOzNQtKs0rycxN1QuC0ACoQHZIJQAAAA==' }, Type: 'AWS::CDK::Metadata' }], - [false, { Condition: 'CDKMetadataAvailable', Properties: { Analytics: 'v2:deflate64:H4sIAAAAAAAA/8vLT0nVyyrWLzMy0DM00jNSzCrOzNQtKs0rycxN1QuC0ACoQHZIJQAAAA==' }, Type: 'AWS::CDK::Metadata' }], - [undefined, { Condition: 'CDKMetadataAvailable', Properties: { Analytics: 'v2:deflate64:H4sIAAAAAAAA/8vLT0nVyyrWLzMy0DM00jNSzCrOzNQtKs0rycxN1QuC0ACoQHZIJQAAAA==' }, Type: 'AWS::CDK::Metadata' }], - ], - )('when no metadata is added by default, CDKMetadata should be the same', (enableAdditionalTelemtry, cdkMetadata) => { - const myApp = new App({ - analyticsReporting: true, - }); - myApp.node.setContext(ENABLE_ADDITIONAL_METADATA_COLLECTION, enableAdditionalTelemtry); - const myStack = new Stack(myApp, 'MyStack'); - new Function(myStack, 'MyFunction', { - runtime: Runtime.PYTHON_3_9, - handler: 'index.handler', - code: Code.fromInline( - "def handler(event, context):\n\tprint('The function has been invoked.')", - ), - }); + test('when no metadata is added by default, CDKMetadata should be the same', () => { + const myApps = [ + new App({ + analyticsReporting: true, + postCliContext: { + [ENABLE_ADDITIONAL_METADATA_COLLECTION]: true, + }, + }), + new App({ + analyticsReporting: true, + postCliContext: { + [ENABLE_ADDITIONAL_METADATA_COLLECTION]: false, + }, + }), + new App({ + analyticsReporting: true, + postCliContext: { + [ENABLE_ADDITIONAL_METADATA_COLLECTION]: undefined, + }, + }), + ]; + + for (const myApp of myApps) { + const myStack = new Stack(myApp, 'MyStack'); + new Function(myStack, 'MyFunction', { + runtime: Runtime.PYTHON_3_9, + handler: 'index.handler', + code: Code.fromInline( + "def handler(event, context):\n\tprint('The 
function has been invoked.')", + ), + }); + } - const stackTemplate = myApp.synth().getStackByName('MyStack').template; - expect(stackTemplate.Resources?.CDKMetadata).toEqual(cdkMetadata); + const stackTemplate1 = myApps[0].synth().getStackByName('MyStack').template; + const stackTemplate2 = myApps[1].synth().getStackByName('MyStack').template; + const stackTemplate3 = myApps[2].synth().getStackByName('MyStack').template; + expect(stackTemplate1.Resources?.CDKMetadata).toEqual(stackTemplate2.Resources?.CDKMetadata); + expect(stackTemplate1.Resources?.CDKMetadata).toEqual(stackTemplate3.Resources?.CDKMetadata); }); test('includes the formatted Analytics property', () => { From f9f14d45a4d41d4cd5cc813836dcb96841cc9b2a Mon Sep 17 00:00:00 2001 From: yuanhaoz Date: Fri, 10 Jan 2025 09:30:43 -0800 Subject: [PATCH 13/17] update integ test --- ...efaultTestDeployAssert3F14AD57.assets.json | 4 +- ...aultTestDeployAssert3F14AD57.template.json | 275 ------------------ .../EnableTelemtryStack.assets.json | 4 +- .../EnableTelemtryStack.template.json | 273 ----------------- .../manifest.json | 38 +-- .../tree.json | 52 ---- .../test/integ.enable-additional-metadata.ts | 1 - packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md | 220 ++++++++++++-- packages/aws-cdk-lib/package.json | 2 +- .../recommended-feature-flags.json | 1 + 10 files changed, 211 insertions(+), 659 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets.json index f9c69df08d490..9e44dfaca42dd 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets.json 
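Review bot: The rewritten test only compares the three templates with each other through `stackTemplate1.Resources?.CDKMetadata`, so it passes when `CDKMetadata` is absent from all of them, since `undefined` equals `undefined`. It also no longer pins the Analytics value that the replaced `it.each` table asserted. Add `expect(stackTemplate1.Resources?.CDKMetadata).toBeDefined();` before the two comparisons so the test fails if the resource disappears. The enclosing `describe` block starts outside this hunk.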
+++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets.json @@ -1,7 +1,7 @@ { "version": "39.0.0", "files": { - "d1a201f6686b51e0991e72889d4bd4a576adc2c45fed86dbb7418437b2cb3251": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { "path": "EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "d1a201f6686b51e0991e72889d4bd4a576adc2c45fed86dbb7418437b2cb3251.json", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.template.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.template.json index 4db2325abb27a..ad9d0fb73d1dd 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.template.json 
@@ -1,279 +1,4 @@ { - "Resources": { - "CDKMetadata": { - "Type": "AWS::CDK::Metadata", - "Properties": { - "Analytics": "v2:deflate64:H4sIAAAAAAAA/zPQM9AzUEwsL9ZNTsnWzclM0gsuSUzO1snLT0nVyyrWLzMy0DM00jNSzCrOzNQtKs0rycxN1QuC0ADFzrfTPQAAAA==" - }, - "Condition": "CDKMetadataAvailable" - } - }, - "Conditions": { - "CDKMetadataAvailable": { - "Fn::Or": [ - { - "Fn::Or": [ - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "af-south-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-east-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-northeast-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-northeast-2" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-northeast-3" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-south-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-south-2" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-southeast-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-southeast-2" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-southeast-3" - ] - } - ] - }, - { - "Fn::Or": [ - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-southeast-4" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ca-central-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ca-west-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "cn-north-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "cn-northwest-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-central-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-central-2" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-north-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-south-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-south-2" - ] - } - ] - 
}, - { - "Fn::Or": [ - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-west-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-west-2" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-west-3" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "il-central-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "me-central-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "me-south-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "sa-east-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "us-east-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "us-east-2" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "us-west-1" - ] - } - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "us-west-2" - ] - } - ] - } - }, "Parameters": { "BootstrapVersion": { "Type": "AWS::SSM::Parameter::Value", diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.assets.json index a3cdf26389b7a..728de54bd3051 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.assets.json @@ -1,7 +1,7 @@ { "version": "39.0.0", "files": { - "9febe67ad809636564602131bb0c8b1291904d92789bd3e6803a3cb2409d768b": { + "b6503dca5951e510ce013d2525009c961587cc7267ceff8ecacb15d7fb7db461": { "source": { "path": "EnableTelemtryStack.template.json", "packaging": "file" 
@@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "9febe67ad809636564602131bb0c8b1291904d92789bd3e6803a3cb2409d768b.json", + "objectKey": "b6503dca5951e510ce013d2525009c961587cc7267ceff8ecacb15d7fb7db461.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.template.json index 4ddaba9ac1273..40382f0cbd21a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.template.json 
@@ -57,279 +57,6 @@ "DependsOn": [ "MyFunctionServiceRole3C357FF2" ] - }, - "CDKMetadata": { - "Type": "AWS::CDK::Metadata", - "Properties": { - "Analytics": "v2:deflate64:H4sIAAAAAAAA/5WQTU/DMAyGfws5oiyMHXsF8SGBBBviMiHkpt4wS50RJ0xTlf+OmrbAEU7+iP3meT03czM/gYPMbLObOapNt4pgdxoO8trJh5juMWHCdaficY+qUnCQyja7ChjcMZKVynqWGJKNSqsGIqiqU58kVJOjeHyiFn2KfRNanziqSp0qrRJTaTqo0Y09En/3u+R7co6klDnn/KIvNlx4snbQ1g2Y7iqxjeT5v4QhcaQW+5Shj+VLSfu9D1Fu2RHjhW9QVTEk1GoDLbnjN+gzBILaoao24AS1qhM3jnh76e0Ow20L26JNQ1K2XktxA/I2OPpZ+uP4RNdzXaeQHoLfUL8/QU4DK4b9KkKII17W6g24cRhGbVucdWMcPQ2mB63p2tN5syZoTbf0Dtfloc9y1ksUn4LF9UvW7Bs073L2uZib84VZnLwL0Ww8tFkO8Qsy2kO1cgIAAA==" - }, - "Condition": "CDKMetadataAvailable" - } - }, - "Conditions": { - "CDKMetadataAvailable": { - "Fn::Or": [ - { - "Fn::Or": [ - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "af-south-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-east-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-northeast-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-northeast-2" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-northeast-3" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-south-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-south-2" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-southeast-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-southeast-2" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-southeast-3" - ] - } - ] - }, - { - "Fn::Or": [ - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-southeast-4" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ca-central-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ca-west-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "cn-north-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "cn-northwest-1" - ] - }, 
- { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-central-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-central-2" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-north-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-south-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-south-2" - ] - } - ] - }, - { - "Fn::Or": [ - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-west-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-west-2" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-west-3" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "il-central-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "me-central-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "me-south-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "sa-east-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "us-east-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "us-east-2" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "us-west-1" - ] - } - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "us-west-2" - ] - } - ] } }, "Parameters": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/manifest.json index d78fe74894290..1ff542acc1419 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/manifest.json 
@@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/9febe67ad809636564602131bb0c8b1291904d92789bd3e6803a3cb2409d768b.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/b6503dca5951e510ce013d2525009c961587cc7267ceff8ecacb15d7fb7db461.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -93,28 +93,34 @@ "data": "MyFunction3BAA72D1" } ], - "/EnableTelemtryStack/CDKMetadata/Default": [ + "/EnableTelemtryStack/BootstrapVersion": [ { "type": "aws:cdk:logicalId", - "data": "CDKMetadata" + "data": "BootstrapVersion" } ], - "/EnableTelemtryStack/CDKMetadata/Condition": [ + "/EnableTelemtryStack/CheckBootstrapVersion": [ { "type": "aws:cdk:logicalId", - "data": "CDKMetadataAvailable" + "data": "CheckBootstrapVersion" } ], - "/EnableTelemtryStack/BootstrapVersion": [ + "MyBucketF68F3FF0": [ { "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" + "data": "MyBucketF68F3FF0", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] } ], - "/EnableTelemtryStack/CheckBootstrapVersion": [ + "CDKMetadata": [ { "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" + "data": "CDKMetadata", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] } ] }, 
@@ -137,7 +143,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d1a201f6686b51e0991e72889d4bd4a576adc2c45fed86dbb7418437b2cb3251.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -153,18 +159,6 @@ "EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets" ], "metadata": { - "/Enable Additional Metadata/DefaultTest/DeployAssert/CDKMetadata/Default": [ - { - "type": "aws:cdk:logicalId", - "data": "CDKMetadata" - } - ], - "/Enable Additional Metadata/DefaultTest/DeployAssert/CDKMetadata/Condition": [ - { - "type": "aws:cdk:logicalId", - "data": "CDKMetadataAvailable" - } - ], "/Enable Additional Metadata/DefaultTest/DeployAssert/BootstrapVersion": [ { "type": "aws:cdk:logicalId", diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/tree.json index 6aa4f30c3198e..03bb61260684c 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/tree.json 
@@ -168,32 +168,6 @@ ] } }, - "CDKMetadata": { - "id": "CDKMetadata", - "path": "EnableTelemtryStack/CDKMetadata", - "children": { - "Default": { - "id": "Default", - "path": "EnableTelemtryStack/CDKMetadata/Default", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - }, - "Condition": { - "id": "Condition", - "path": "EnableTelemtryStack/CDKMetadata/Condition", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnCondition", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.4.2" - } - }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "EnableTelemtryStack/BootstrapVersion", @@ -236,32 +210,6 @@ "id": "DeployAssert", "path": "Enable Additional Metadata/DefaultTest/DeployAssert", "children": { - "CDKMetadata": { - "id": "CDKMetadata", - "path": "Enable Additional Metadata/DefaultTest/DeployAssert/CDKMetadata", - "children": { - "Default": { - "id": "Default", - "path": "Enable Additional Metadata/DefaultTest/DeployAssert/CDKMetadata/Default", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - }, - "Condition": { - "id": "Condition", - "path": "Enable Additional Metadata/DefaultTest/DeployAssert/CDKMetadata/Condition", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnCondition", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.4.2" - } - }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "Enable Additional Metadata/DefaultTest/DeployAssert/BootstrapVersion", diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.ts b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.ts index 06d822f3e9764..6199f6e3c0dcc 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.ts 
+++ b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.ts @@ -10,7 +10,6 @@ import { MetadataType } from 'aws-cdk-lib/core/lib/metadata-resource'; */ const app = new cdk.App({ - analyticsReporting: true, postCliContext: { [ENABLE_ADDITIONAL_METADATA_COLLECTION]: true, }, diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md index 9f6fe9017ee75..e1b63611acfe2 100644 --- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md +++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md 
@@ -84,8 +84,8 @@ Flags come in three types: | [@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault](#aws-cdkaws-ec2bastionhostuseamazonlinux2023bydefault) | When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2. | 2.172.0 | (default) | | [@aws-cdk/core:aspectStabilization](#aws-cdkcoreaspectstabilization) | When enabled, a stabilization loop will be run when invoking Aspects during synthesis. | 2.172.0 | (config) | | [@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource](#aws-cdkaws-route53-targetsuserpooldomainnamemethodwithoutcustomresource) | When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource. | 2.174.0 | (fix) | -| [@aws-cdk/aws-ecs:disableEcsImdsBlocking](#aws-cdkaws-ecsdisableecsimdsblocking) | When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)** | V2NEXT | (temporary) | -| [@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature](#aws-cdkaws-ecsenableimdsblockingdeprecatedfeature) | When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)** | V2NEXT | (temporary) | +| [@aws-cdk/aws-ecs:disableEcsImdsBlocking](#aws-cdkaws-ecsdisableecsimdsblocking) | When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)** | 2.175.0 | (temporary) | +| [@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature](#aws-cdkaws-ecsenableimdsblockingdeprecatedfeature) | When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. 
**Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)** | 2.175.0 | (temporary) | | [@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault](#aws-cdkaws-elasticloadbalancingv2albdualstackwithoutpublicipv4securitygrouprulesdefault) | When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere | V2NEXT | (fix) | | [@aws-cdk/core:enableAdditionalMetadataCollection](#aws-cdkcoreenableadditionalmetadatacollection) | When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues. | V2NEXT | (config) | @@ -242,6 +242,7 @@ different environments). This means that the name of the synthesized template file will be based on the construct path and not on the defined `stackName` of the stack. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.16.0 | `false` | `true` | @@ -249,6 +250,7 @@ of the stack. **Compatibility with old behavior:** Pass stack identifiers to the CLI instead of stack names. + ### aws-cdk:enableDiffNoFail *Make `cdk diff` not fail when there are differences* (default) @@ -256,13 +258,14 @@ of the stack. Determines what status code `cdk diff` should return when the specified stack differs from the deployed stack or the local CloudFormation template: -- `aws-cdk:enableDiffNoFail=true` => status code == 0 -- `aws-cdk:enableDiffNoFail=false` => status code == 1 +* `aws-cdk:enableDiffNoFail=true` => status code == 0 +* `aws-cdk:enableDiffNoFail=false` => status code == 1 You can override this behavior with the --fail flag: -- `--fail` => status code == 1 -- `--no-fail` => status code == 0 +* `--fail` => status code == 1 +* `--no-fail` => status code == 0 + | Since | Default | Recommended | | ----- | ----- | ----- | 
@@ -271,6 +274,7 @@ You can override this behavior with the --fail flag: **Compatibility with old behavior:** Specify `--fail` to the CLI. + ### @aws-cdk/aws-ecr-assets:dockerIgnoreSupport *DockerImageAsset properly supports `.dockerignore` files by default* (default) @@ -282,6 +286,7 @@ is standard Docker ignore semantics. This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.73.0 | `false` | `true` | @@ -289,6 +294,7 @@ users may have come to depend on it. **Compatibility with old behavior:** Update your `.dockerignore` file to match standard Docker ignore rules, if necessary. + ### @aws-cdk/aws-secretsmanager:parseOwnedSecretName *Fix the referencing of SecretsManager names from ARNs* (default) @@ -299,6 +305,7 @@ rather than the default full resource name, which includes the SecretsManager su If this flag is not set, Secret.secretName will include the SecretsManager suffix, which cannot be directly used by SecretsManager.DescribeSecret, and must be parsed by the user first (e.g., Fn:Join, Fn:Select, Fn:Split). + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.77.0 | `false` | `true` | @@ -306,6 +313,7 @@ used by SecretsManager.DescribeSecret, and must be parsed by the user first (e.g **Compatibility with old behavior:** Use `parseArn(secret.secretName).resourceName` to emulate the incorrect old parsing. + ### @aws-cdk/aws-kms:defaultKeyPolicies *Tighten default KMS key policies* (default) @@ -322,6 +330,7 @@ true, the policy matches what happens when this feature flag is set. Additionally, if this flag is not set and the user supplies a custom key policy, this will be appended to the key's default policy (rather than replacing it). + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.78.0 | `false` | `true` | 
@@ -329,6 +338,7 @@ to the key's default policy (rather than replacing it). **Compatibility with old behavior:** Pass `trustAccountIdentities: false` to `Key` construct to restore the old behavior. + ### @aws-cdk/aws-s3:grantWriteWithoutAcl *Remove `PutObjectAcl` from Bucket.grantWrite* (default) @@ -339,6 +349,7 @@ which could be used to grant read/write object access to IAM principals in other Use a feature flag to make sure existing customers who might be relying on the overly-broad permissions are not broken. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.85.0 | `false` | `true` | @@ -346,6 +357,7 @@ on the overly-broad permissions are not broken. **Compatibility with old behavior:** Call `bucket.grantPutAcl()` in addition to `bucket.grantWrite()` to grant ACL permissions. + ### @aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount *Do not specify a default DesiredCount for ECS services* (default) @@ -360,6 +372,7 @@ If this flag is not set, the default behaviour for CfnService.desiredCount is to desiredCount of 1, if one is not provided. If true, a default will not be defined for CfnService.desiredCount and as such desiredCount will be undefined, if one is not provided. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.92.0 | `false` | `true` | @@ -367,12 +380,14 @@ CfnService.desiredCount and as such desiredCount will be undefined, if one is no **Compatibility with old behavior:** You can pass `desiredCount: 1` explicitly, but you should never need this. + ### @aws-cdk/aws-efs:defaultEncryptionAtRest *Enable this feature flag to have elastic file systems encrypted at rest by default.* (default) Encryption can also be configured explicitly using the `encrypted` property. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.98.0 | `false` | `true` | 
@@ -380,6 +395,7 @@ Encryption can also be configured explicitly using the `encrypted` property. **Compatibility with old behavior:** Pass the `encrypted: false` property to the `FileSystem` construct to disable encryption. + ### @aws-cdk/core:newStyleStackSynthesis *Switch to new stack synthesis method which enables CI/CD* (fix) @@ -387,11 +403,13 @@ Encryption can also be configured explicitly using the `encrypted` property. If this flag is specified, all `Stack`s will use the `DefaultStackSynthesizer` by default. If it is not set, they will use the `LegacyStackSynthesizer`. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.39.0 | `false` | `true` | | 2.0.0 | `true` | `true` | + ### @aws-cdk/core:stackRelativeExports *Name exports based on the construct paths relative to the stack, rather than the global construct path* (fix) @@ -401,11 +419,13 @@ ensure uniqueness, and makes the export names robust against refactoring the location of the stack in the construct tree (specifically, moving the Stack into a Stage). + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.58.0 | `false` | `true` | | 2.0.0 | `true` | `true` | + ### @aws-cdk/aws-rds:lowercaseDbIdentifier *Force lowercasing of RDS Cluster names in CDK* (fix) @@ -420,11 +440,13 @@ Must be behind a permanent flag because changing a name from mixed case to lower would lead CloudFormation to think the name was changed and would trigger a cluster replacement (losing data!). + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.97.0 | `false` | `true` | | 2.0.0 | `true` | `true` | + ### @aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId *Allow adding/removing multiple UsagePlanKeys independently* (fix) 
@@ -442,11 +464,13 @@ which again is disallowed. In effect, there is no way to get out of this mess in a backwards compatible way, while supporting existing stacks. This flag changes the logical id layout of UsagePlanKey to not be sensitive to order. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.98.0 | `false` | `true` | | 2.0.0 | `true` | `true` | + ### @aws-cdk/aws-lambda:recognizeVersionProps *Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.* (fix) @@ -456,22 +480,26 @@ not constitute creating a new Version. See 'currentVersion' section in the aws-lambda module's README for more details. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.106.0 | `false` | `true` | | 2.0.0 | `true` | `true` | + ### @aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021 *Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.* (fix) The security policy can also be configured explicitly using the `minimumProtocolVersion` property. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.117.0 | `false` | `true` | | 2.0.0 | `true` | `true` | + ### @aws-cdk/core:target-partitions *What regions to include in lookup tables of environment agnostic stacks* (config) @@ -481,11 +509,13 @@ of unnecessary regions included in stacks without a known region. The type of this value should be a list of strings. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.137.0 | `false` | `["aws","aws-cn"]` | | 2.4.0 | `false` | `["aws","aws-cn"]` | + ### @aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver *ECS extensions will automatically add an `awslogs` driver if no logging is specified* (default) 
@@ -495,6 +525,7 @@ Enable this feature flag to configure default logging behavior for the ECS Servi This is a feature flag as the new behavior provides a better default experience for the users. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.140.0 | `false` | `true` | @@ -502,6 +533,7 @@ This is a feature flag as the new behavior provides a better default experience **Compatibility with old behavior:** Specify a log driver explicitly. + ### @aws-cdk/aws-ec2:uniqueImdsv2TemplateName *Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names.* (fix) @@ -512,11 +544,13 @@ account and region, the deployments would always fail as the generated Launch Te The new implementation addresses this issue by generating the Launch Template name with the `Names.uniqueId` method. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.140.0 | `false` | `true` | | 2.8.0 | `false` | `true` | + ### @aws-cdk/aws-iam:minimizePolicies *Minimize IAM policies by combining Statements* (config) @@ -525,11 +559,13 @@ Minimize IAM policies by combining Principals, Actions and Resources of two Statements in the policies, as long as it doesn't change the meaning of the policy. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.150.0 | `false` | `true` | | 2.18.0 | `false` | `true` | + ### @aws-cdk/core:checkSecretUsage *Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations* (config) 
@@ -538,11 +574,13 @@ With this flag enabled, `SecretValue` instances can only be passed to constructs that accept `SecretValue`s; otherwise, `unsafeUnwrap()` must be called to use it as a regular string. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.153.0 | `false` | `true` | | 2.21.0 | `false` | `true` | + ### @aws-cdk/aws-lambda:recognizeLayerVersion *Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.* (fix) @@ -551,11 +589,13 @@ This flag correct incorporates Lambda Layer properties into the Lambda Function See 'currentVersion' section in the aws-lambda module's README for more details. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.159.0 | `false` | `true` | | 2.27.0 | `false` | `true` | + ### @aws-cdk/core:validateSnapshotRemovalPolicy *Error on snapshot removal policies on resources that do not support it.* (default) @@ -565,6 +605,7 @@ If supplied on an unsupported resource, CloudFormation ignores the policy altoge This flag will reduce confusion and unexpected loss of data when erroneously supplying the snapshot removal policy. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -572,6 +613,7 @@ the snapshot removal policy. **Compatibility with old behavior:** The old behavior was incorrect. Update your source to not specify SNAPSHOT policies on resources that do not support it. + ### @aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName *Generate key aliases that include the stack name* (fix) 
@@ -583,11 +625,13 @@ the KMS key alias name created for these pipelines may be the same due to how th This new implementation creates a stack safe resource name for the alias using the stack name instead of the stack ID. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.29.0 | `false` | `true` | + ### @aws-cdk/aws-s3:createDefaultLoggingPolicy *Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist.* (fix) @@ -601,13 +645,15 @@ and error indicating that a bucket policy already exists. In cases where we know what the required policy is we can go ahead and create the policy so we can remain in control of it. -@see +@see https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3 + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.31.0 | `false` | `true` | + ### @aws-cdk/aws-sns-subscriptions:restrictSqsDescryption *Restrict KMS key policy for encrypted Queues a bit more* (fix) @@ -619,11 +665,13 @@ Previously the decryption was only restricted to the SNS service principal. To m secure, it is a good practice to restrict the decryption further and only allow the connected SNS topic to decryption the subscribed queue. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.32.0 | `false` | `true` | + ### @aws-cdk/aws-ecs:arnFormatIncludesClusterName *ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID.* (fix) 
@@ -633,31 +681,35 @@ If this flag is set, the new ARN format (with cluster name) for ECS is used. This is a feature flag as the old format is still valid for existing ECS clusters. -See +See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#ecs-resource-ids + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.35.0 | `false` | `true` | + ### @aws-cdk/aws-apigateway:disableCloudWatchRole *Make default CloudWatch Role behavior safe for multiple API Gateways in one environment* (fix) Enable this feature flag to change the default behavior for aws-apigateway.RestApi and aws-apigateway.SpecRestApi -to *not* create a CloudWatch role and Account. There is only a single ApiGateway account per AWS +to _not_ create a CloudWatch role and Account. There is only a single ApiGateway account per AWS environment which means that each time you create a RestApi in your account the ApiGateway account is overwritten. If at some point the newest RestApi is deleted, the ApiGateway Account and CloudWatch role will also be deleted, breaking any existing ApiGateways that were depending on them. When this flag is enabled you should either create the ApiGateway account and CloudWatch role -separately *or* only enable the cloudWatchRole on a single RestApi. +separately _or_ only enable the cloudWatchRole on a single RestApi. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.38.0 | `false` | `true` | + ### @aws-cdk/core:enablePartitionLiterals *Make ARNs concrete if AWS partition is known* (fix) 
@@ -686,11 +738,13 @@ Principal: The intrinsic function will still be used in Stacks where no region is defined or the region's partition is unknown. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.38.0 | `false` | `true` | + ### @aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker *Avoid setting the "ECS" deployment controller when adding a circuit breaker* (fix) @@ -701,11 +755,13 @@ This does not change any behaviour as the default deployment controller when it This is a feature flag as the new behavior provides a better default experience for the users. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.51.0 | `false` | `true` | + ### @aws-cdk/aws-events:eventsTargetQueueSameAccount *Event Rules may only push to encrypted SQS queues in the same account* (fix) @@ -714,11 +770,13 @@ This flag applies to SQS Queues that are used as the target of event Rules. When from the same account as the Rule can send messages. If a queue is unencrypted, this restriction will always apply, regardless of the value of this flag. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.51.0 | `false` | `true` | + ### @aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName *Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in.* (fix) @@ -729,11 +787,13 @@ of a role using the same default policy name. This new implementation creates default policy names based on the constructs node path in their stack. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.60.0 | `false` | `true` | + ### @aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy *Use S3 Bucket Policy instead of ACLs for Server Access Logging* (fix) 
@@ -745,13 +805,15 @@ enabled on the bucket. This flag uses a Bucket Policy statement to allow Server Access Log delivery, following best practices for S3. -@see +@see https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.60.0 | `false` | `true` | + ### @aws-cdk/customresources:installLatestAwsSdkDefault *Whether to install the latest SDK by default in AwsCustomResource* (default) @@ -763,6 +825,7 @@ do not have internet access, or in environments where 'npmjs.com' is not availab The recommended setting is to disable the default installation behavior, and pass the flag on a resource-by-resource basis to enable it if necessary. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -770,6 +833,7 @@ flag on a resource-by-resource basis to enable it if necessary. **Compatibility with old behavior:** Set installLatestAwsSdk: true on all resources that need it. + ### @aws-cdk/aws-route53-patters:useCertificate *Use the official `Certificate` resource instead of `DnsValidatedCertificate`* (default) @@ -779,6 +843,7 @@ of the deprecated `DnsValidatedCertificate` construct. If this flag is enabled a the stack in a region other than us-east-1 then you must also set `crossRegionReferences=true` on the stack. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -786,6 +851,7 @@ stack. **Compatibility with old behavior:** Define a `DnsValidatedCertificate` explicitly and pass in the `certificate` property + ### @aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup *Remove CloudWatch alarms from deployment group* (fix) 
@@ -794,11 +860,13 @@ Enable this flag to be able to remove all CloudWatch alarms from a deployment gr the alarms from the construct. If this flag is not set, removing all alarms from the construct will still leave the alarms configured for the deployment group. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.65.0 | `false` | `true` | + ### @aws-cdk/aws-rds:databaseProxyUniqueResourceName *Use unique resource name for Database Proxy* (fix) @@ -811,11 +879,13 @@ If this flag is set, the default behavior is to use unique resource names for ea This is a feature flag as the old behavior was technically incorrect, but users may have come to depend on it. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.65.0 | `false` | `true` | + ### @aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId *Include authorizer configuration in the calculation of the API deployment logical ID.* (fix) @@ -825,11 +895,13 @@ the API configuration, including methods, and resources, etc. Enable this featur to also include the configuration of any authorizer attached to the API in the calculation, so any changes made to an authorizer will create a new deployment. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.66.0 | `false` | `true` | + ### @aws-cdk/aws-ec2:launchTemplateDefaultUserData *Define user data for a launch template by default when a machine image is provided.* (fix) @@ -838,11 +910,13 @@ The ec2.LaunchTemplate construct did not define user data when a machine image i provided despite the document. If this is set, a user data is automatically defined according to the OS of the machine image. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.67.0 | `false` | `true` | + ### @aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments *SecretTargetAttachments uses the ResourcePolicy of the attached Secret.* (fix) 
@@ -858,11 +932,13 @@ This won't be possible without intervention due to limitation outlined above. First remove all permissions granted to the Secret and deploy without the ResourcePolicies. Then you can re-add the permissions and deploy again. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.67.0 | `false` | `true` | + ### @aws-cdk/aws-redshift:columnId *Whether to use an ID to track Redshift column changes* (fix) @@ -879,11 +955,13 @@ than their `name`. This will prevent data loss when columns are renamed. initial deployment, the columns will be dropped and recreated, causing data loss. After the initial deployment of the `id`s, the `name`s of the columns can be changed without data loss. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.68.0 | `false` | `true` | + ### @aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2 *Enable AmazonEMRServicePolicy_v2 managed policies* (fix) @@ -897,11 +975,13 @@ managed policies. This is a feature flag as the old behavior will be deprecated, but some resources may require manual intervention since they might not have the appropriate tags propagated automatically. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.72.0 | `false` | `true` | + ### @aws-cdk/aws-apigateway:requestValidatorUniqueId *Generate a unique id for each RequestValidator added to a method* (fix) @@ -912,11 +992,13 @@ providing the `RequestValidatorOptions` in the `addMethod()` method. If the flag is not set then only a single RequestValidator can be added in this way. Any additional RequestValidators have to be created directly with `new RequestValidator`. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.78.0 | `false` | `true` | + ### @aws-cdk/aws-ec2:restrictDefaultSecurityGroup *Restrict access to the VPC default security group* (default) 
@@ -926,17 +1008,20 @@ VPC default security group. When a VPC is created, a default security group is created as well and this cannot be deleted. The default security group is created with ingress/egress rules that allow -*all* traffic. [AWS Security best practices recommend](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2) +_all_ traffic. [AWS Security best practices recommend](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2) removing these ingress/egress rules in order to restrict access to the default security group. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.78.0 | `false` | `true` | -**Compatibility with old behavior:** +**Compatibility with old behavior:** To allow all ingress/egress traffic to the VPC default security group you can set the `restrictDefaultSecurityGroup: false`. + + ### @aws-cdk/aws-kms:aliasNameRef @@ -948,11 +1033,13 @@ when referencing key.aliasName or key.keyArn. If the flag is not set then a raw string is passed as the Alias name and no implicit dependencies will be set. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.83.0 | `false` | `true` | + ### @aws-cdk/core:includePrefixInUniqueNameGeneration *Include the stack prefix in the stack name generation process* (fix) @@ -966,11 +1053,13 @@ If the flag is not set, then the prefix of the stack is prepended to the generat feature flag can lead to a change in stacks' name. Changing a stack name mean recreating the whole stack, which is not viable in some productive setups. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.84.0 | `false` | `true` | + ### @aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig *Generate a launch template when creating an AutoScalingGroup* (fix) 
@@ -983,14 +1072,17 @@ will now create an equivalent 'launchTemplate'. Alternatively, users can provide attempt to set user data according to the OS of the machine image if explicit user data is not provided. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.88.0 | `false` | `true` | -**Compatibility with old behavior:** +**Compatibility with old behavior:** If backwards compatibility needs to be maintained due to an existing autoscaling group using a launch config, set this flag to false. + + ### @aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby @@ -999,6 +1091,7 @@ provided. If this is set, an opensearch domain will automatically be created with multi-az with standby enabled. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1006,6 +1099,7 @@ multi-az with standby enabled. **Compatibility with old behavior:** Pass `capacity.multiAzWithStandbyEnabled: false` to `Domain` construct to restore the old behavior. + ### @aws-cdk/aws-efs:denyAnonymousAccess *EFS denies anonymous clients accesses* (default) @@ -1016,6 +1110,7 @@ access to `efs.FileSystem`. If this flag is not set, `efs.FileSystem` will allow all anonymous clients that can access over the network. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1023,6 +1118,7 @@ that can access over the network. **Compatibility with old behavior:** You can pass `allowAnonymousAccess: true` so allow anonymous clients access. + ### @aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId *When enabled, mount targets will have a stable logicalId that is linked to the associated subnet.* (fix) 
@@ -1034,11 +1130,13 @@ subnets changes. Set this flag to false for existing mount targets. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.93.0 | `false` | `true` | + ### @aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion *Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default* (default) @@ -1048,6 +1146,7 @@ functions will us the latest version of the runtime provided by the Lambda service. Do not use this if you your lambda function is reliant on dependencies shipped as part of the runtime environment. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1055,6 +1154,7 @@ shipped as part of the runtime environment. **Compatibility with old behavior:** Pass `runtime: lambda.Runtime.NODEJS_16_X` to `Function` construct to restore the previous behavior. + ### @aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier *When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id.* (fix) @@ -1063,11 +1163,13 @@ When this feature flag is enabled, we use the IGraphqlApi ARN rather than ID whe the GraphqlApi construct. Using the ARN allows the association to support an association with a source api or merged api in another account. Note that for existing source api associations created with this flag disabled, enabling the flag will lead to a resource replacement. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.97.0 | `false` | `true` | + ### @aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters *When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change.* (fix) 
@@ -1079,11 +1181,13 @@ from AuroraCluster. If the flag is set to false then it can only make one `AuroraClusterInstance` with each `InstanceParameterGroup` in the AuroraCluster. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.97.0 | `false` | `true` | + ### @aws-cdk/aws-rds:preventRenderingDeprecatedCredentials *When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials.* (fix) @@ -1101,11 +1205,13 @@ Set this flag to prevent rendering deprecated `credentials` and creating an extra database secret when only using `snapshotCredentials` to create an RDS database cluster from a snapshot. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.98.0 | `false` | `true` | + ### @aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource *When enabled, the CodeCommit source action is using the default branch name 'main'.* (fix) @@ -1114,11 +1220,13 @@ When setting up a CodeCommit source action for the source stage of a pipeline, p default branch is 'master'. However, with the activation of this feature flag, the default branch is updated to 'main'. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.103.1 | `false` | `true` | + ### @aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction *When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID.* (fix) @@ -1130,11 +1238,13 @@ can be created with `LambdaAction`. If the flag is set to false then it can only make one alarm for the Lambda with `LambdaAction`. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.124.0 | `false` | `true` | + ### @aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse *Enables Pipeline to set the default value for crossAccountKeys to false.* (default) 
@@ -1142,6 +1252,7 @@ If the flag is set to false then it can only make one alarm for the Lambda with When this feature flag is enabled, and the `crossAccountKeys` property is not provided in a `Pipeline` construct, the construct automatically defaults the value of this property to false. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1149,6 +1260,7 @@ construct, the construct automatically defaults the value of this property to fa **Compatibility with old behavior:** Pass `crossAccountKeys: true` to `Pipeline` construct to restore the previous behavior. + ### @aws-cdk/aws-codepipeline:defaultPipelineTypeToV2 *Enables Pipeline to set the default pipeline type to V2.* (default) @@ -1156,6 +1268,7 @@ construct, the construct automatically defaults the value of this property to fa When this feature flag is enabled, and the `pipelineType` property is not provided in a `Pipeline` construct, the construct automatically defaults the value of this property to `PipelineType.V2`. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1163,6 +1276,7 @@ construct, the construct automatically defaults the value of this property to `P **Compatibility with old behavior:** Pass `pipelineType: PipelineType.V1` to `Pipeline` construct to restore the previous behavior. + ### @aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope *When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only.* (fix) 
@@ -1170,11 +1284,13 @@ construct, the construct automatically defaults the value of this property to `P When this feature flag is enabled and calling KMS key grant method, the created IAM policy will reduce the resource scope from '*' to this specific granting KMS key. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.134.0 | `false` | `true` | + ### @aws-cdk/aws-eks:nodegroupNameAttribute *When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix.* (fix) @@ -1182,17 +1298,20 @@ When this feature flag is enabled and calling KMS key grant method, the created When this feature flag is enabled, the nodegroupName attribute will be exactly the name of the nodegroup without any prefix. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.139.0 | `false` | `true` | + ### @aws-cdk/aws-ec2:ebsDefaultGp3Volume *When enabled, the default volume type of the EBS volume will be GP3* (default) When this featuer flag is enabled, the default volume type of the EBS volume will be `EbsDeviceVolumeType.GENERAL_PURPOSE_SSD_GP3`. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1200,6 +1319,7 @@ When this featuer flag is enabled, the default volume type of the EBS volume wil **Compatibility with old behavior:** Pass `volumeType: EbsDeviceVolumeType.GENERAL_PURPOSE_SSD` to `Volume` construct to restore the previous behavior. + ### @aws-cdk/pipelines:reduceAssetRoleTrustScope *Remove the root account principal from PipelineAssetsFileRole trust policy* (default) 
@@ -1207,6 +1327,7 @@ When this featuer flag is enabled, the default volume type of the EBS volume wil When this feature flag is enabled, the root account principal will not be added to the trust policy of asset role. When this feature flag is disabled, it will keep the root account principal in the trust policy. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1214,12 +1335,14 @@ When this feature flag is disabled, it will keep the root account principal in t **Compatibility with old behavior:** Disable the feature flag to add the root account principal back + ### @aws-cdk/aws-ecs:removeDefaultDeploymentAlarm *When enabled, remove default deployment alarm settings* (default) When this featuer flag is enabled, remove the default deployment alarm settings when creating a AWS ECS service. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1227,6 +1350,7 @@ When this featuer flag is enabled, remove the default deployment alarm settings **Compatibility with old behavior:** Set AWS::ECS::Service 'DeploymentAlarms' manually to restore the previous behavior. + ### @aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault *When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default* (fix) 
@@ -1234,17 +1358,19 @@ When this featuer flag is enabled, remove the default deployment alarm settings This results in 'logApiResponseData' being passed as true to the custom resource provider. This will cause the custom resource handler to receive an 'Update' event. If you don't have an SDK call configured for the 'Update' event and you're dependent on specific SDK call response data, you will see this error from CFN: -CustomResource attribute error: Vendor response doesn't contain attribute in object. See ) for more details. +CustomResource attribute error: Vendor response doesn't contain attribute in object. See https://github.com/aws/aws-cdk/issues/29949) for more details. Unlike most feature flags, we don't recommend setting this feature flag to true. However, if you're using the 'AwsCustomResource' construct with 'logApiResponseData' as true in the event object, then setting this feature flag will keep this behavior. Otherwise, setting this feature flag to false will trigger an 'Update' event by removing the 'logApiResponseData' property from the event object. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.145.0 | `false` | `false` | + ### @aws-cdk/aws-s3:keepNotificationInImportedBucket *When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack.* (fix) 
@@ -1254,11 +1380,13 @@ Currently, adding notifications to a bucket where it was created by ourselves wi When this feature flag is enabled, adding notifications to a bucket in the current stack will only update notification defined in this stack. Other notifications that are not managed by this stack will be kept. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.155.0 | `false` | `false` | + ### @aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask *When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.* (fix) @@ -1269,6 +1397,7 @@ of State Machine Task definition. When this feature flag is enabled, specify newly introduced props 's3InputUri' and 's3OutputUri' to populate S3 uri under input and output fields in state machine task definition for Bedrock invoke model. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1276,6 +1405,7 @@ When this feature flag is enabled, specify newly introduced props 's3InputUri' a **Compatibility with old behavior:** Disable the feature flag to use input and output path fields for s3 URI + ### @aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions *When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration* (fix) @@ -1285,6 +1415,7 @@ specified as logConfiguration and it will grant 'Resources': ['*'] to the task r When this feature flag is enabled, we will only grant the necessary permissions when users specify cloudwatch log group. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | 
@@ -1292,6 +1423,7 @@ When this feature flag is enabled, we will only grant the necessary permissions **Compatibility with old behavior:** Disable the feature flag to continue grant permissions to log group when no log group is specified + ### @aws-cdk/aws-ec2:ec2SumTImeoutEnabled *When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together.* (fix) @@ -1301,11 +1433,13 @@ only the value from 'resourceSignalTimeout' will be used. When this feature flag is enabled, if both initOptions.timeout and resourceSignalTimeout are specified, the values will to be summed together. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.160.0 | `false` | `true` | + ### @aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission *When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn.* (fix) @@ -1317,11 +1451,13 @@ it allows invocations from any source. When this feature flag is enabled, the AWS::Lambda::Permission will be properly scoped with the SourceArn corresponding to the specific AppSync GraphQL API. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.161.0 | `false` | `true` | + ### @aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages *When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications.* (fix) 
@@ -1332,11 +1468,13 @@ However, this can cause version mismatches between the '@aws-sdk/*' and '@smithy When this feature flag is enabled, both '@aws-sdk/*' and '@smithy/*' packages will be excluded during the bundling process. This ensures that no mismatches occur between these tightly coupled dependencies when using the AWS SDK v3 in Lambda functions. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.161.0 | `false` | `true` | + ### @aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId *When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`* (fix) @@ -1345,6 +1483,7 @@ Currently, the value of the property 'instanceResourceId' in construct 'Database When this feature flag is enabled, the value of that property will be as expected set to 'DbiResourceId' attribute, and that will fix the grantConnect method. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1352,6 +1491,7 @@ When this feature flag is enabled, the value of that property will be as expecte **Compatibility with old behavior:** Disable the feature flag to use `DbInstanceArn` as value for property `instanceResourceId` + ### @aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics *When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values.* (fix) 
@@ -1360,11 +1500,13 @@ Without enabling this feature flag, `cfn-include` will silently drop resource up Enabling this feature flag will make `cfn-include` throw on these templates, unless you specify the logical ID of the resource in the 'unhydratedResources' property. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.161.0 | `false` | `true` | + ### @aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy *When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN.* (fix) @@ -1374,11 +1516,13 @@ The revision number at the end will be replaced with a wildcard which it shouldn When this feature flag is enabled, if the task definition is created in the stack, the 'Resource' section will 'Ref' the taskDefinition. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.163.0 | `false` | `true` | + ### @aws-cdk/aws-dynamodb:resourcePolicyPerReplica *When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas* (fix) @@ -1390,11 +1534,13 @@ This will prevent you from creating a new table which has an additional replica This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.164.0 | `false` | `true` | + ### @aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault *When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2.* (default) @@ -1406,6 +1552,7 @@ and secure option. When this feature flag is enabled, if you do not pass the machineImage property to the BastionHost construct, the latest Amazon Linux 2023 version will be used instead of Amazon Linux 2. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | 
@@ -1413,6 +1560,7 @@ the latest Amazon Linux 2023 version will be used instead of Amazon Linux 2. **Compatibility with old behavior:** Disable the feature flag or explicitly pass an Amazon Linux 2 machine image to the BastionHost construct. + ### @aws-cdk/core:aspectStabilization *When enabled, a stabilization loop will be run when invoking Aspects during synthesis.* (config) @@ -1422,24 +1570,12 @@ This means that the Aspects that create other Aspects are not run and Aspects th When this feature flag is enabled, a stabilization loop is run to recurse the construct tree multiple times when invoking Aspects. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.172.0 | `true` | `true` | -### @aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource - -*When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource.* (fix) - -When this feature flag is enabled, a new method will be used to get the DNS Name of the user pool domain target. The old method -creates a custom resource internally, but the new method doesn't need a custom resource. - -If the flag is set to false then a custom resource will be created when using `UserPoolDomainTarget`. - -| Since | Default | Recommended | -| ----- | ----- | ----- | -| (not in v1) | | | -| 2.174.0 | `false` | `true` | ### @aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource 
@@ -1463,11 +1599,12 @@ If the flag is set to false then a custom resource will be created when using `U In an ECS Cluster with `MachineImageType.AMAZON_LINUX_2`, the canContainersAccessInstanceRole=false option attempts to add commands to block containers from accessing IMDS. CDK cannot guarantee the correct execution of the feature in all platforms. Setting this feature flag -to true will ensure CDK does not attempt to implement IMDS blocking. By **end of 2025**, CDK will remove the +to true will ensure CDK does not attempt to implement IMDS blocking. By **end of 2025**, CDK will remove the IMDS blocking feature. See [Github discussion](https://github.com/aws/aws-cdk/discussions/32609) for more information. It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | 
@@ -1475,16 +1612,18 @@ It is recommended to follow ECS documentation to block IMDS for your specific pl **Compatibility with old behavior:** It is strongly recommended to set this flag to true. However, if necessary, set this flag to false to continue using the old implementation. + ### @aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature *When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)*** (temporary) In an ECS Cluster with `MachineImageType.AMAZON_LINUX_2`, the canContainersAccessInstanceRole=false option attempts to add commands to block containers from -accessing IMDS. Set this flag to true in order to use new and updated commands. Please note that this -feature alone with this feature flag will be deprecated by **end of 2025** as CDK cannot +accessing IMDS. Set this flag to true in order to use new and updated commands. Please note that this +feature alone with this feature flag will be deprecated by **end of 2025** as CDK cannot guarantee the correct execution of the feature in all platforms. See [Github discussion](https://github.com/aws/aws-cdk/discussions/32609) for more information. It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1492,6 +1631,7 @@ It is recommended to follow ECS documentation to block IMDS for your specific pl **Compatibility with old behavior:** Set this flag to false in order to continue using old and outdated commands. However, it is **not** recommended. + ### @aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault *When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere* (fix) 
@@ -1502,6 +1642,7 @@ will allow IPv6 ingress from anywhere (::/0). Previously, the default security g Using a feature flag to make sure existing customers who might be relying on the overly restrictive permissions are not broken. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1509,4 +1650,21 @@ on the overly restrictive permissions are not broken. **Compatibility with old behavior:** Disable the feature flag to only allow IPv4 ingress in the default security group rules. + +### @aws-cdk/core:enableAdditionalMetadataCollection + +*When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues.* (config) + +When this feature flag is enabled, CDK expands the scope of usage data collection to include the following: + * L2 construct property keys - Collect which property keys you use from the L2 constructs in your app. This includes property keys nested in dictionary objects. + * L2 construct property values of BOOL and ENUM types - Collect property key values of only BOOL and ENUM types. All other types, such as string values or construct references will be redacted. + * L2 construct method usage - Collection method name, parameter keys and parameter values of BOOL and ENUM type. + + +| Since | Default | Recommended | +| ----- | ----- | ----- | +| (not in v1) | | | +| V2NEXT | `false` | `true` | + + diff --git a/packages/aws-cdk-lib/package.json b/packages/aws-cdk-lib/package.json index 1829fa06c524e..aec2e60db7757 100644 --- a/packages/aws-cdk-lib/package.json +++ b/packages/aws-cdk-lib/package.json 
@@ -496,8 +496,8 @@
 "./cloud-assembly-schema": "./cloud-assembly-schema/index.js",
 "./cloudformation-include": "./cloudformation-include/index.js",
 "./core": "./core/index.js",
- "./core/lib/metadata-resource": "./core/lib/metadata-resource.js",
 "./core/lib/helpers-internal": "./core/lib/helpers-internal/index.js",
+ "./core/lib/metadata-resource": "./core/lib/metadata-resource.js",
 "./custom-resources": "./custom-resources/index.js",
 "./custom-resources/lib/helpers-internal": "./custom-resources/lib/helpers-internal/index.js",
 "./cx-api": "./cx-api/index.js",
diff --git a/packages/aws-cdk-lib/recommended-feature-flags.json b/packages/aws-cdk-lib/recommended-feature-flags.json
index 74b67518cee72..84da0b493278f 100644
--- a/packages/aws-cdk-lib/recommended-feature-flags.json
+++ b/packages/aws-cdk-lib/recommended-feature-flags.json
@@ -62,5 +62,6 @@
 "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": true,
 "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true,
 "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true,
+ "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true,
 "@aws-cdk/core:enableAdditionalMetadataCollection": true
 }
\ No newline at end of file
From 0e2bb88980d795fa6b7583fe8e85b0a42f04829 Mon Sep 17 00:00:00 2001
From: yuanhaoz
Date: Fri, 10 Jan 2025 09:43:17 -0800
Subject: [PATCH 14/17] fix spacing
---
 packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md | 194 ++----------------
 1 file changed, 18 insertions(+), 176 deletions(-)
diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
index e1b63611acfe2..1ad9b50f6be19 100644
--- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
+++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
@@ -84,8 +84,8 @@ Flags come in three types: | [@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault](#aws-cdkaws-ec2bastionhostuseamazonlinux2023bydefault) | When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2. | 2.172.0 | (default) | | [@aws-cdk/core:aspectStabilization](#aws-cdkcoreaspectstabilization) | When enabled, a stabilization loop will be run when invoking Aspects during synthesis. | 2.172.0 | (config) | | [@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource](#aws-cdkaws-route53-targetsuserpooldomainnamemethodwithoutcustomresource) | When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource. | 2.174.0 | (fix) | -| [@aws-cdk/aws-ecs:disableEcsImdsBlocking](#aws-cdkaws-ecsdisableecsimdsblocking) | When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)** | 2.175.0 | (temporary) | -| [@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature](#aws-cdkaws-ecsenableimdsblockingdeprecatedfeature) | When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)** | 2.175.0 | (temporary) | +| [@aws-cdk/aws-ecs:disableEcsImdsBlocking](#aws-cdkaws-ecsdisableecsimdsblocking) | When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)** | V2NEXT | (temporary) | +| [@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature](#aws-cdkaws-ecsenableimdsblockingdeprecatedfeature) | When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. 
**Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)** | V2NEXT | (temporary) | | [@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault](#aws-cdkaws-elasticloadbalancingv2albdualstackwithoutpublicipv4securitygrouprulesdefault) | When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere | V2NEXT | (fix) | | [@aws-cdk/core:enableAdditionalMetadataCollection](#aws-cdkcoreenableadditionalmetadatacollection) | When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues. | V2NEXT | (config) | @@ -242,7 +242,6 @@ different environments). This means that the name of the synthesized template file will be based on the construct path and not on the defined `stackName` of the stack. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.16.0 | `false` | `true` | @@ -250,7 +249,6 @@ of the stack. **Compatibility with old behavior:** Pass stack identifiers to the CLI instead of stack names. - ### aws-cdk:enableDiffNoFail *Make `cdk diff` not fail when there are differences* (default) @@ -258,14 +256,13 @@ of the stack. Determines what status code `cdk diff` should return when the specified stack differs from the deployed stack or the local CloudFormation template: -* `aws-cdk:enableDiffNoFail=true` => status code == 0 -* `aws-cdk:enableDiffNoFail=false` => status code == 1 +- `aws-cdk:enableDiffNoFail=true` => status code == 0 +- `aws-cdk:enableDiffNoFail=false` => status code == 1 You can override this behavior with the --fail flag: -* `--fail` => status code == 1 -* `--no-fail` => status code == 0 - +- `--fail` => status code == 1 +- `--no-fail` => status code == 0 | Since | Default | Recommended | | ----- | ----- | ----- | 
@@ -274,7 +271,6 @@ You can override this behavior with the --fail flag: **Compatibility with old behavior:** Specify `--fail` to the CLI. - ### @aws-cdk/aws-ecr-assets:dockerIgnoreSupport *DockerImageAsset properly supports `.dockerignore` files by default* (default) @@ -286,7 +282,6 @@ is standard Docker ignore semantics. This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.73.0 | `false` | `true` | @@ -294,7 +289,6 @@ users may have come to depend on it. **Compatibility with old behavior:** Update your `.dockerignore` file to match standard Docker ignore rules, if necessary. - ### @aws-cdk/aws-secretsmanager:parseOwnedSecretName *Fix the referencing of SecretsManager names from ARNs* (default) @@ -305,7 +299,6 @@ rather than the default full resource name, which includes the SecretsManager su If this flag is not set, Secret.secretName will include the SecretsManager suffix, which cannot be directly used by SecretsManager.DescribeSecret, and must be parsed by the user first (e.g., Fn:Join, Fn:Select, Fn:Split). - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.77.0 | `false` | `true` | @@ -313,7 +306,6 @@ used by SecretsManager.DescribeSecret, and must be parsed by the user first (e.g **Compatibility with old behavior:** Use `parseArn(secret.secretName).resourceName` to emulate the incorrect old parsing. - ### @aws-cdk/aws-kms:defaultKeyPolicies *Tighten default KMS key policies* (default) @@ -330,7 +322,6 @@ true, the policy matches what happens when this feature flag is set. Additionally, if this flag is not set and the user supplies a custom key policy, this will be appended to the key's default policy (rather than replacing it). - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.78.0 | `false` | `true` | 
@@ -338,7 +329,6 @@ to the key's default policy (rather than replacing it). **Compatibility with old behavior:** Pass `trustAccountIdentities: false` to `Key` construct to restore the old behavior. - ### @aws-cdk/aws-s3:grantWriteWithoutAcl *Remove `PutObjectAcl` from Bucket.grantWrite* (default) @@ -349,7 +339,6 @@ which could be used to grant read/write object access to IAM principals in other Use a feature flag to make sure existing customers who might be relying on the overly-broad permissions are not broken. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.85.0 | `false` | `true` | @@ -357,7 +346,6 @@ on the overly-broad permissions are not broken. **Compatibility with old behavior:** Call `bucket.grantPutAcl()` in addition to `bucket.grantWrite()` to grant ACL permissions. - ### @aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount *Do not specify a default DesiredCount for ECS services* (default) @@ -372,7 +360,6 @@ If this flag is not set, the default behaviour for CfnService.desiredCount is to desiredCount of 1, if one is not provided. If true, a default will not be defined for CfnService.desiredCount and as such desiredCount will be undefined, if one is not provided. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.92.0 | `false` | `true` | @@ -380,14 +367,12 @@ CfnService.desiredCount and as such desiredCount will be undefined, if one is no **Compatibility with old behavior:** You can pass `desiredCount: 1` explicitly, but you should never need this. - ### @aws-cdk/aws-efs:defaultEncryptionAtRest *Enable this feature flag to have elastic file systems encrypted at rest by default.* (default) Encryption can also be configured explicitly using the `encrypted` property. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.98.0 | `false` | `true` | 
@@ -395,7 +380,6 @@ Encryption can also be configured explicitly using the `encrypted` property. **Compatibility with old behavior:** Pass the `encrypted: false` property to the `FileSystem` construct to disable encryption. - ### @aws-cdk/core:newStyleStackSynthesis *Switch to new stack synthesis method which enables CI/CD* (fix) @@ -403,13 +387,11 @@ Encryption can also be configured explicitly using the `encrypted` property. If this flag is specified, all `Stack`s will use the `DefaultStackSynthesizer` by default. If it is not set, they will use the `LegacyStackSynthesizer`. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.39.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/core:stackRelativeExports *Name exports based on the construct paths relative to the stack, rather than the global construct path* (fix) @@ -419,13 +401,11 @@ ensure uniqueness, and makes the export names robust against refactoring the location of the stack in the construct tree (specifically, moving the Stack into a Stage). - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.58.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/aws-rds:lowercaseDbIdentifier *Force lowercasing of RDS Cluster names in CDK* (fix) @@ -440,13 +420,11 @@ Must be behind a permanent flag because changing a name from mixed case to lower would lead CloudFormation to think the name was changed and would trigger a cluster replacement (losing data!). - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.97.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId *Allow adding/removing multiple UsagePlanKeys independently* (fix) 
@@ -464,13 +442,11 @@ which again is disallowed. In effect, there is no way to get out of this mess in a backwards compatible way, while supporting existing stacks. This flag changes the logical id layout of UsagePlanKey to not be sensitive to order. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.98.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/aws-lambda:recognizeVersionProps *Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.* (fix) @@ -480,26 +456,22 @@ not constitute creating a new Version. See 'currentVersion' section in the aws-lambda module's README for more details. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.106.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021 *Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.* (fix) The security policy can also be configured explicitly using the `minimumProtocolVersion` property. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.117.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/core:target-partitions *What regions to include in lookup tables of environment agnostic stacks* (config) @@ -509,13 +481,11 @@ of unnecessary regions included in stacks without a known region. The type of this value should be a list of strings. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.137.0 | `false` | `["aws","aws-cn"]` | | 2.4.0 | `false` | `["aws","aws-cn"]` | - ### @aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver *ECS extensions will automatically add an `awslogs` driver if no logging is specified* (default) 
@@ -525,7 +495,6 @@ Enable this feature flag to configure default logging behavior for the ECS Servi This is a feature flag as the new behavior provides a better default experience for the users. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.140.0 | `false` | `true` | @@ -533,7 +502,6 @@ This is a feature flag as the new behavior provides a better default experience **Compatibility with old behavior:** Specify a log driver explicitly. - ### @aws-cdk/aws-ec2:uniqueImdsv2TemplateName *Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names.* (fix) @@ -544,13 +512,11 @@ account and region, the deployments would always fail as the generated Launch Te The new implementation addresses this issue by generating the Launch Template name with the `Names.uniqueId` method. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.140.0 | `false` | `true` | | 2.8.0 | `false` | `true` | - ### @aws-cdk/aws-iam:minimizePolicies *Minimize IAM policies by combining Statements* (config) @@ -559,13 +525,11 @@ Minimize IAM policies by combining Principals, Actions and Resources of two Statements in the policies, as long as it doesn't change the meaning of the policy. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.150.0 | `false` | `true` | | 2.18.0 | `false` | `true` | - ### @aws-cdk/core:checkSecretUsage *Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations* (config) 
@@ -574,13 +538,11 @@ With this flag enabled, `SecretValue` instances can only be passed to constructs that accept `SecretValue`s; otherwise, `unsafeUnwrap()` must be called to use it as a regular string. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.153.0 | `false` | `true` | | 2.21.0 | `false` | `true` | - ### @aws-cdk/aws-lambda:recognizeLayerVersion *Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.* (fix) @@ -589,13 +551,11 @@ This flag correct incorporates Lambda Layer properties into the Lambda Function See 'currentVersion' section in the aws-lambda module's README for more details. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.159.0 | `false` | `true` | | 2.27.0 | `false` | `true` | - ### @aws-cdk/core:validateSnapshotRemovalPolicy *Error on snapshot removal policies on resources that do not support it.* (default) @@ -605,7 +565,6 @@ If supplied on an unsupported resource, CloudFormation ignores the policy altoge This flag will reduce confusion and unexpected loss of data when erroneously supplying the snapshot removal policy. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -613,7 +572,6 @@ the snapshot removal policy. **Compatibility with old behavior:** The old behavior was incorrect. Update your source to not specify SNAPSHOT policies on resources that do not support it. - ### @aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName *Generate key aliases that include the stack name* (fix) 
@@ -625,13 +583,11 @@ the KMS key alias name created for these pipelines may be the same due to how th This new implementation creates a stack safe resource name for the alias using the stack name instead of the stack ID. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.29.0 | `false` | `true` | - ### @aws-cdk/aws-s3:createDefaultLoggingPolicy *Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist.* (fix) @@ -645,15 +601,13 @@ and error indicating that a bucket policy already exists. In cases where we know what the required policy is we can go ahead and create the policy so we can remain in control of it. -@see https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3 - +@see | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.31.0 | `false` | `true` | - ### @aws-cdk/aws-sns-subscriptions:restrictSqsDescryption *Restrict KMS key policy for encrypted Queues a bit more* (fix) @@ -665,13 +619,11 @@ Previously the decryption was only restricted to the SNS service principal. To m secure, it is a good practice to restrict the decryption further and only allow the connected SNS topic to decryption the subscribed queue. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.32.0 | `false` | `true` | - ### @aws-cdk/aws-ecs:arnFormatIncludesClusterName *ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID.* (fix) 
@@ -681,35 +633,31 @@ If this flag is set, the new ARN format (with cluster name) for ECS is used. This is a feature flag as the old format is still valid for existing ECS clusters. -See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#ecs-resource-ids - +See | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.35.0 | `false` | `true` | - ### @aws-cdk/aws-apigateway:disableCloudWatchRole *Make default CloudWatch Role behavior safe for multiple API Gateways in one environment* (fix) Enable this feature flag to change the default behavior for aws-apigateway.RestApi and aws-apigateway.SpecRestApi -to _not_ create a CloudWatch role and Account. There is only a single ApiGateway account per AWS +to *not* create a CloudWatch role and Account. There is only a single ApiGateway account per AWS environment which means that each time you create a RestApi in your account the ApiGateway account is overwritten. If at some point the newest RestApi is deleted, the ApiGateway Account and CloudWatch role will also be deleted, breaking any existing ApiGateways that were depending on them. When this flag is enabled you should either create the ApiGateway account and CloudWatch role -separately _or_ only enable the cloudWatchRole on a single RestApi. - +separately *or* only enable the cloudWatchRole on a single RestApi. | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.38.0 | `false` | `true` | - ### @aws-cdk/core:enablePartitionLiterals *Make ARNs concrete if AWS partition is known* (fix) 
@@ -738,13 +686,11 @@ Principal: The intrinsic function will still be used in Stacks where no region is defined or the region's partition is unknown. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.38.0 | `false` | `true` | - ### @aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker *Avoid setting the "ECS" deployment controller when adding a circuit breaker* (fix) @@ -755,13 +701,11 @@ This does not change any behaviour as the default deployment controller when it This is a feature flag as the new behavior provides a better default experience for the users. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.51.0 | `false` | `true` | - ### @aws-cdk/aws-events:eventsTargetQueueSameAccount *Event Rules may only push to encrypted SQS queues in the same account* (fix) @@ -770,13 +714,11 @@ This flag applies to SQS Queues that are used as the target of event Rules. When from the same account as the Rule can send messages. If a queue is unencrypted, this restriction will always apply, regardless of the value of this flag. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.51.0 | `false` | `true` | - ### @aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName *Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in.* (fix) @@ -787,13 +729,11 @@ of a role using the same default policy name. This new implementation creates default policy names based on the constructs node path in their stack. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.60.0 | `false` | `true` | - ### @aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy *Use S3 Bucket Policy instead of ACLs for Server Access Logging* (fix) 
@@ -805,15 +745,13 @@ enabled on the bucket. This flag uses a Bucket Policy statement to allow Server Access Log delivery, following best practices for S3. -@see https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html - +@see | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.60.0 | `false` | `true` | - ### @aws-cdk/customresources:installLatestAwsSdkDefault *Whether to install the latest SDK by default in AwsCustomResource* (default) @@ -825,7 +763,6 @@ do not have internet access, or in environments where 'npmjs.com' is not availab The recommended setting is to disable the default installation behavior, and pass the flag on a resource-by-resource basis to enable it if necessary. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -833,7 +770,6 @@ flag on a resource-by-resource basis to enable it if necessary. **Compatibility with old behavior:** Set installLatestAwsSdk: true on all resources that need it. - ### @aws-cdk/aws-route53-patters:useCertificate *Use the official `Certificate` resource instead of `DnsValidatedCertificate`* (default) @@ -843,7 +779,6 @@ of the deprecated `DnsValidatedCertificate` construct. If this flag is enabled a the stack in a region other than us-east-1 then you must also set `crossRegionReferences=true` on the stack. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -851,7 +786,6 @@ stack. **Compatibility with old behavior:** Define a `DnsValidatedCertificate` explicitly and pass in the `certificate` property - ### @aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup *Remove CloudWatch alarms from deployment group* (fix) 
@@ -860,13 +794,11 @@ Enable this flag to be able to remove all CloudWatch alarms from a deployment gr the alarms from the construct. If this flag is not set, removing all alarms from the construct will still leave the alarms configured for the deployment group. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.65.0 | `false` | `true` | - ### @aws-cdk/aws-rds:databaseProxyUniqueResourceName *Use unique resource name for Database Proxy* (fix) @@ -879,13 +811,11 @@ If this flag is set, the default behavior is to use unique resource names for ea This is a feature flag as the old behavior was technically incorrect, but users may have come to depend on it. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.65.0 | `false` | `true` | - ### @aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId *Include authorizer configuration in the calculation of the API deployment logical ID.* (fix) @@ -895,13 +825,11 @@ the API configuration, including methods, and resources, etc. Enable this featur to also include the configuration of any authorizer attached to the API in the calculation, so any changes made to an authorizer will create a new deployment. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.66.0 | `false` | `true` | - ### @aws-cdk/aws-ec2:launchTemplateDefaultUserData *Define user data for a launch template by default when a machine image is provided.* (fix) @@ -910,13 +838,11 @@ The ec2.LaunchTemplate construct did not define user data when a machine image i provided despite the document. If this is set, a user data is automatically defined according to the OS of the machine image. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.67.0 | `false` | `true` | - ### @aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments *SecretTargetAttachments uses the ResourcePolicy of the attached Secret.* (fix) 
@@ -932,13 +858,11 @@ This won't be possible without intervention due to limitation outlined above. First remove all permissions granted to the Secret and deploy without the ResourcePolicies. Then you can re-add the permissions and deploy again. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.67.0 | `false` | `true` | - ### @aws-cdk/aws-redshift:columnId *Whether to use an ID to track Redshift column changes* (fix) @@ -955,13 +879,11 @@ than their `name`. This will prevent data loss when columns are renamed. initial deployment, the columns will be dropped and recreated, causing data loss. After the initial deployment of the `id`s, the `name`s of the columns can be changed without data loss. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.68.0 | `false` | `true` | - ### @aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2 *Enable AmazonEMRServicePolicy_v2 managed policies* (fix) @@ -975,13 +897,11 @@ managed policies. This is a feature flag as the old behavior will be deprecated, but some resources may require manual intervention since they might not have the appropriate tags propagated automatically. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.72.0 | `false` | `true` | - ### @aws-cdk/aws-apigateway:requestValidatorUniqueId *Generate a unique id for each RequestValidator added to a method* (fix) @@ -992,13 +912,11 @@ providing the `RequestValidatorOptions` in the `addMethod()` method. If the flag is not set then only a single RequestValidator can be added in this way. Any additional RequestValidators have to be created directly with `new RequestValidator`. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.78.0 | `false` | `true` | - ### @aws-cdk/aws-ec2:restrictDefaultSecurityGroup *Restrict access to the VPC default security group* (default) 
@@ -1008,20 +926,17 @@ VPC default security group. When a VPC is created, a default security group is created as well and this cannot be deleted. The default security group is created with ingress/egress rules that allow -_all_ traffic. [AWS Security best practices recommend](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2) +*all* traffic. [AWS Security best practices recommend](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2) removing these ingress/egress rules in order to restrict access to the default security group. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.78.0 | `false` | `true` | -**Compatibility with old behavior:** +**Compatibility with old behavior:** To allow all ingress/egress traffic to the VPC default security group you can set the `restrictDefaultSecurityGroup: false`. - - ### @aws-cdk/aws-kms:aliasNameRef @@ -1033,13 +948,11 @@ when referencing key.aliasName or key.keyArn. If the flag is not set then a raw string is passed as the Alias name and no implicit dependencies will be set. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.83.0 | `false` | `true` | - ### @aws-cdk/core:includePrefixInUniqueNameGeneration *Include the stack prefix in the stack name generation process* (fix) @@ -1053,13 +966,11 @@ If the flag is not set, then the prefix of the stack is prepended to the generat feature flag can lead to a change in stacks' name. Changing a stack name mean recreating the whole stack, which is not viable in some productive setups. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.84.0 | `false` | `true` | - ### @aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig *Generate a launch template when creating an AutoScalingGroup* (fix) 
@@ -1072,17 +983,14 @@ will now create an equivalent 'launchTemplate'. Alternatively, users can provide attempt to set user data according to the OS of the machine image if explicit user data is not provided. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.88.0 | `false` | `true` | -**Compatibility with old behavior:** +**Compatibility with old behavior:** If backwards compatibility needs to be maintained due to an existing autoscaling group using a launch config, set this flag to false. - - ### @aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby @@ -1091,7 +999,6 @@ provided. If this is set, an opensearch domain will automatically be created with multi-az with standby enabled. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1099,7 +1006,6 @@ multi-az with standby enabled. **Compatibility with old behavior:** Pass `capacity.multiAzWithStandbyEnabled: false` to `Domain` construct to restore the old behavior. - ### @aws-cdk/aws-efs:denyAnonymousAccess *EFS denies anonymous clients accesses* (default) @@ -1110,7 +1016,6 @@ access to `efs.FileSystem`. If this flag is not set, `efs.FileSystem` will allow all anonymous clients that can access over the network. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1118,7 +1023,6 @@ that can access over the network. **Compatibility with old behavior:** You can pass `allowAnonymousAccess: true` so allow anonymous clients access. - ### @aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId *When enabled, mount targets will have a stable logicalId that is linked to the associated subnet.* (fix) 
@@ -1130,13 +1034,11 @@ subnets changes. Set this flag to false for existing mount targets. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.93.0 | `false` | `true` | - ### @aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion *Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default* (default) @@ -1146,7 +1048,6 @@ functions will us the latest version of the runtime provided by the Lambda service. Do not use this if you your lambda function is reliant on dependencies shipped as part of the runtime environment. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1154,7 +1055,6 @@ shipped as part of the runtime environment. **Compatibility with old behavior:** Pass `runtime: lambda.Runtime.NODEJS_16_X` to `Function` construct to restore the previous behavior. - ### @aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier *When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id.* (fix) @@ -1163,13 +1063,11 @@ When this feature flag is enabled, we use the IGraphqlApi ARN rather than ID whe the GraphqlApi construct. Using the ARN allows the association to support an association with a source api or merged api in another account. Note that for existing source api associations created with this flag disabled, enabling the flag will lead to a resource replacement. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.97.0 | `false` | `true` | - ### @aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters *When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change.* (fix) 
@@ -1181,13 +1079,11 @@ from AuroraCluster. If the flag is set to false then it can only make one `AuroraClusterInstance` with each `InstanceParameterGroup` in the AuroraCluster. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.97.0 | `false` | `true` | - ### @aws-cdk/aws-rds:preventRenderingDeprecatedCredentials *When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials.* (fix) @@ -1205,13 +1101,11 @@ Set this flag to prevent rendering deprecated `credentials` and creating an extra database secret when only using `snapshotCredentials` to create an RDS database cluster from a snapshot. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.98.0 | `false` | `true` | - ### @aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource *When enabled, the CodeCommit source action is using the default branch name 'main'.* (fix) @@ -1220,13 +1114,11 @@ When setting up a CodeCommit source action for the source stage of a pipeline, p default branch is 'master'. However, with the activation of this feature flag, the default branch is updated to 'main'. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.103.1 | `false` | `true` | - ### @aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction *When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID.* (fix) @@ -1238,13 +1130,11 @@ can be created with `LambdaAction`. If the flag is set to false then it can only make one alarm for the Lambda with `LambdaAction`. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.124.0 | `false` | `true` | - ### @aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse *Enables Pipeline to set the default value for crossAccountKeys to false.* (default) 
@@ -1252,7 +1142,6 @@ If the flag is set to false then it can only make one alarm for the Lambda with When this feature flag is enabled, and the `crossAccountKeys` property is not provided in a `Pipeline` construct, the construct automatically defaults the value of this property to false. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1260,7 +1149,6 @@ construct, the construct automatically defaults the value of this property to fa **Compatibility with old behavior:** Pass `crossAccountKeys: true` to `Pipeline` construct to restore the previous behavior. - ### @aws-cdk/aws-codepipeline:defaultPipelineTypeToV2 *Enables Pipeline to set the default pipeline type to V2.* (default) @@ -1268,7 +1156,6 @@ construct, the construct automatically defaults the value of this property to fa When this feature flag is enabled, and the `pipelineType` property is not provided in a `Pipeline` construct, the construct automatically defaults the value of this property to `PipelineType.V2`. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1276,7 +1163,6 @@ construct, the construct automatically defaults the value of this property to `P **Compatibility with old behavior:** Pass `pipelineType: PipelineType.V1` to `Pipeline` construct to restore the previous behavior. - ### @aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope *When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only.* (fix) 
@@ -1284,13 +1170,11 @@ construct, the construct automatically defaults the value of this property to `P When this feature flag is enabled and calling KMS key grant method, the created IAM policy will reduce the resource scope from '*' to this specific granting KMS key. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.134.0 | `false` | `true` | - ### @aws-cdk/aws-eks:nodegroupNameAttribute *When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix.* (fix) @@ -1298,20 +1182,17 @@ When this feature flag is enabled and calling KMS key grant method, the created When this feature flag is enabled, the nodegroupName attribute will be exactly the name of the nodegroup without any prefix. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.139.0 | `false` | `true` | - ### @aws-cdk/aws-ec2:ebsDefaultGp3Volume *When enabled, the default volume type of the EBS volume will be GP3* (default) When this featuer flag is enabled, the default volume type of the EBS volume will be `EbsDeviceVolumeType.GENERAL_PURPOSE_SSD_GP3`. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1319,7 +1200,6 @@ When this featuer flag is enabled, the default volume type of the EBS volume wil **Compatibility with old behavior:** Pass `volumeType: EbsDeviceVolumeType.GENERAL_PURPOSE_SSD` to `Volume` construct to restore the previous behavior. - ### @aws-cdk/pipelines:reduceAssetRoleTrustScope *Remove the root account principal from PipelineAssetsFileRole trust policy* (default) 
@@ -1327,7 +1207,6 @@ When this featuer flag is enabled, the default volume type of the EBS volume wil When this feature flag is enabled, the root account principal will not be added to the trust policy of asset role. When this feature flag is disabled, it will keep the root account principal in the trust policy. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1335,14 +1214,12 @@ When this feature flag is disabled, it will keep the root account principal in t **Compatibility with old behavior:** Disable the feature flag to add the root account principal back - ### @aws-cdk/aws-ecs:removeDefaultDeploymentAlarm *When enabled, remove default deployment alarm settings* (default) When this featuer flag is enabled, remove the default deployment alarm settings when creating a AWS ECS service. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1350,7 +1227,6 @@ When this featuer flag is enabled, remove the default deployment alarm settings **Compatibility with old behavior:** Set AWS::ECS::Service 'DeploymentAlarms' manually to restore the previous behavior. - ### @aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault *When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default* (fix) 
@@ -1358,19 +1234,17 @@ When this featuer flag is enabled, remove the default deployment alarm settings This results in 'logApiResponseData' being passed as true to the custom resource provider. This will cause the custom resource handler to receive an 'Update' event. If you don't have an SDK call configured for the 'Update' event and you're dependent on specific SDK call response data, you will see this error from CFN: -CustomResource attribute error: Vendor response doesn't contain attribute in object. See https://github.com/aws/aws-cdk/issues/29949) for more details. +CustomResource attribute error: Vendor response doesn't contain attribute in object. See ) for more details. Unlike most feature flags, we don't recommend setting this feature flag to true. However, if you're using the 'AwsCustomResource' construct with 'logApiResponseData' as true in the event object, then setting this feature flag will keep this behavior. Otherwise, setting this feature flag to false will trigger an 'Update' event by removing the 'logApiResponseData' property from the event object. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.145.0 | `false` | `false` | - ### @aws-cdk/aws-s3:keepNotificationInImportedBucket *When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack.* (fix) 
@@ -1380,13 +1254,11 @@ Currently, adding notifications to a bucket where it was created by ourselves wi When this feature flag is enabled, adding notifications to a bucket in the current stack will only update notification defined in this stack. Other notifications that are not managed by this stack will be kept. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.155.0 | `false` | `false` | - ### @aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask *When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.* (fix) @@ -1397,7 +1269,6 @@ of State Machine Task definition. When this feature flag is enabled, specify newly introduced props 's3InputUri' and 's3OutputUri' to populate S3 uri under input and output fields in state machine task definition for Bedrock invoke model. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1405,7 +1276,6 @@ When this feature flag is enabled, specify newly introduced props 's3InputUri' a **Compatibility with old behavior:** Disable the feature flag to use input and output path fields for s3 URI - ### @aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions *When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration* (fix) @@ -1415,7 +1285,6 @@ specified as logConfiguration and it will grant 'Resources': ['*'] to the task r When this feature flag is enabled, we will only grant the necessary permissions when users specify cloudwatch log group. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | 
@@ -1423,7 +1292,6 @@ When this feature flag is enabled, we will only grant the necessary permissions **Compatibility with old behavior:** Disable the feature flag to continue grant permissions to log group when no log group is specified - ### @aws-cdk/aws-ec2:ec2SumTImeoutEnabled *When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together.* (fix) @@ -1433,13 +1301,11 @@ only the value from 'resourceSignalTimeout' will be used. When this feature flag is enabled, if both initOptions.timeout and resourceSignalTimeout are specified, the values will to be summed together. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.160.0 | `false` | `true` | - ### @aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission *When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn.* (fix) @@ -1451,13 +1317,11 @@ it allows invocations from any source. When this feature flag is enabled, the AWS::Lambda::Permission will be properly scoped with the SourceArn corresponding to the specific AppSync GraphQL API. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.161.0 | `false` | `true` | - ### @aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages *When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications.* (fix) 
@@ -1468,13 +1332,11 @@ However, this can cause version mismatches between the '@aws-sdk/*' and '@smithy When this feature flag is enabled, both '@aws-sdk/*' and '@smithy/*' packages will be excluded during the bundling process. This ensures that no mismatches occur between these tightly coupled dependencies when using the AWS SDK v3 in Lambda functions. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.161.0 | `false` | `true` | - ### @aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId *When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`* (fix) @@ -1483,7 +1345,6 @@ Currently, the value of the property 'instanceResourceId' in construct 'Database When this feature flag is enabled, the value of that property will be as expected set to 'DbiResourceId' attribute, and that will fix the grantConnect method. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1491,7 +1352,6 @@ When this feature flag is enabled, the value of that property will be as expecte **Compatibility with old behavior:** Disable the feature flag to use `DbInstanceArn` as value for property `instanceResourceId` - ### @aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics *When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values.* (fix) 
@@ -1500,13 +1360,11 @@ Without enabling this feature flag, `cfn-include` will silently drop resource up Enabling this feature flag will make `cfn-include` throw on these templates, unless you specify the logical ID of the resource in the 'unhydratedResources' property. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.161.0 | `false` | `true` | - ### @aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy *When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN.* (fix) @@ -1516,13 +1374,11 @@ The revision number at the end will be replaced with a wildcard which it shouldn When this feature flag is enabled, if the task definition is created in the stack, the 'Resource' section will 'Ref' the taskDefinition. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.163.0 | `false` | `true` | - ### @aws-cdk/aws-dynamodb:resourcePolicyPerReplica *When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas* (fix) @@ -1534,13 +1390,11 @@ This will prevent you from creating a new table which has an additional replica This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.164.0 | `false` | `true` | - ### @aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault *When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2.* (default) @@ -1552,7 +1406,6 @@ and secure option. When this feature flag is enabled, if you do not pass the machineImage property to the BastionHost construct, the latest Amazon Linux 2023 version will be used instead of Amazon Linux 2. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | 
@@ -1560,7 +1413,6 @@ the latest Amazon Linux 2023 version will be used instead of Amazon Linux 2. **Compatibility with old behavior:** Disable the feature flag or explicitly pass an Amazon Linux 2 machine image to the BastionHost construct. - ### @aws-cdk/core:aspectStabilization *When enabled, a stabilization loop will be run when invoking Aspects during synthesis.* (config) @@ -1570,13 +1422,11 @@ This means that the Aspects that create other Aspects are not run and Aspects th When this feature flag is enabled, a stabilization loop is run to recurse the construct tree multiple times when invoking Aspects. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.172.0 | `true` | `true` | - ### @aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource *When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource.* (fix) 
@@ -1586,25 +1436,22 @@ creates a custom resource internally, but the new method doesn't need a custom r If the flag is set to false then a custom resource will be created when using `UserPoolDomainTarget`. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.174.0 | `false` | `true` | - ### @aws-cdk/aws-ecs:disableEcsImdsBlocking *When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)*** (temporary) In an ECS Cluster with `MachineImageType.AMAZON_LINUX_2`, the canContainersAccessInstanceRole=false option attempts to add commands to block containers from accessing IMDS. CDK cannot guarantee the correct execution of the feature in all platforms. Setting this feature flag -to true will ensure CDK does not attempt to implement IMDS blocking. By **end of 2025**, CDK will remove the +to true will ensure CDK does not attempt to implement IMDS blocking. By **end of 2025**, CDK will remove the IMDS blocking feature. See [Github discussion](https://github.com/aws/aws-cdk/discussions/32609) for more information. It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | 
@@ -1612,18 +1459,16 @@ It is recommended to follow ECS documentation to block IMDS for your specific pl **Compatibility with old behavior:** It is strongly recommended to set this flag to true. However, if necessary, set this flag to false to continue using the old implementation. - ### @aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature *When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)*** (temporary) In an ECS Cluster with `MachineImageType.AMAZON_LINUX_2`, the canContainersAccessInstanceRole=false option attempts to add commands to block containers from -accessing IMDS. Set this flag to true in order to use new and updated commands. Please note that this -feature alone with this feature flag will be deprecated by **end of 2025** as CDK cannot +accessing IMDS. Set this flag to true in order to use new and updated commands. Please note that this +feature alone with this feature flag will be deprecated by **end of 2025** as CDK cannot guarantee the correct execution of the feature in all platforms. See [Github discussion](https://github.com/aws/aws-cdk/discussions/32609) for more information. It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1631,7 +1476,6 @@ It is recommended to follow ECS documentation to block IMDS for your specific pl **Compatibility with old behavior:** Set this flag to false in order to continue using old and outdated commands. However, it is **not** recommended. - ### @aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault *When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere* (fix) 
@@ -1642,7 +1486,6 @@ will allow IPv6 ingress from anywhere (::/0). Previously, the default security g Using a feature flag to make sure existing customers who might be relying on the overly restrictive permissions are not broken. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1650,7 +1493,6 @@ on the overly restrictive permissions are not broken. **Compatibility with old behavior:** Disable the feature flag to only allow IPv4 ingress in the default security group rules. - ### @aws-cdk/core:enableAdditionalMetadataCollection *When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues.* (config) From d5af4c521824405192ebe9e98616fb71781507b3 Mon Sep 17 00:00:00 2001 From: yuanhaoz Date: Fri, 10 Jan 2025 13:52:24 -0800 Subject: [PATCH 15/17] chore: add todo and missing docstring --- .../aws-cdk-lib/core/lib/private/runtime-info.ts | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/core/lib/private/runtime-info.ts b/packages/aws-cdk-lib/core/lib/private/runtime-info.ts index 65d398689d7e2..ef282c55fb5b5 100644 --- a/packages/aws-cdk-lib/core/lib/private/runtime-info.ts +++ b/packages/aws-cdk-lib/core/lib/private/runtime-info.ts @@ -69,7 +69,8 @@ export function redactTelemetryData(metadata: MetadataEntry[]): Record = {}; for (const [key, value] of Object.entries(data)) { result[key] = redactTelemetryDataHelper(value); 
@@ -180,6 +186,11 @@ export function constructInfoFromStack(stack: Stack): ConstructInfo[] { return Array.from(uniqueMap.values()); } +/** + * Check whether the given construct is a Resource. Note that this is + * duplicated function from 'core/lib/resource.ts' to avoid circular + * dependencies in imports. + */ function isResource(construct: IConstruct): construct is Resource { const RESOURCE_SYMBOL = Symbol.for('@aws-cdk/core.Resource'); return construct !== null && typeof(construct) === 'object' && RESOURCE_SYMBOL in construct; From eac2bdd89cf1468a56d8393212bfacffc7420cd2 Mon Sep 17 00:00:00 2001 From: yuanhaoz Date: Fri, 10 Jan 2025 14:41:12 -0800 Subject: [PATCH 16/17] chore: add todo to tests --- packages/aws-cdk-lib/core/test/private/runtime-info.test.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packages/aws-cdk-lib/core/test/private/runtime-info.test.ts b/packages/aws-cdk-lib/core/test/private/runtime-info.test.ts index 8fb5ed0d379c7..52bd8c33b143a 100644 --- a/packages/aws-cdk-lib/core/test/private/runtime-info.test.ts +++ b/packages/aws-cdk-lib/core/test/private/runtime-info.test.ts @@ -61,6 +61,8 @@ test('test metadata is redacted correctly', () => { }, ]; + // TODO: change this test case to verify that we only collect objects + // that's part of CDK and redact any customer provided object. expect(redactTelemetryData(metadata)).toEqual([ { type: MetadataType.CONSTRUCT, From 263b50b69cd77aa0a56b8b73ae46ed2944c7a740 Mon Sep 17 00:00:00 2001 
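Review bot: The new docstring on `isResource` says the function is duplicated from 'core/lib/resource.ts' but does not name the part that has to stay identical, which is the `Symbol.for('@aws-cdk/core.Resource')` key on the line below it. If that key ever changed in the original, this copy would presumably start returning false without any error. I would reword the comment to say so: `* Duplicate of the check in 'core/lib/resource.ts', kept here to avoid a circular import; the Symbol.for key must match the one used there.` The closing brace of `isResource` and its callers are outside the hunk, so how a false result is handled cannot be judged from here.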
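Review bot: The TODO added above `expect(redactTelemetryData(metadata))` admits that this test does not yet verify that customer-provided objects are redacted, which is the privacy-relevant half of the contract, and it carries no owner or issue reference. Until that case exists, 'test metadata is redacted correctly' can presumably keep passing while a caller-supplied value is collected verbatim. I would add the case now: a metadata entry whose `data` holds a caller-defined object, with the expectation that none of its values survive redaction. Failing that, tie the comment to a tracked item, e.g. `// TODO(<owner>): verify customer-provided objects are redacted (<issue link>)`. The test body starts and ends outside the hunk, so the existing fixtures are only partly visible.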
From: yuanhaoz Date: Fri, 10 Jan 2025 14:50:01 -0800 Subject: [PATCH 17/17] remove integration tests --- ...efaultTestDeployAssert3F14AD57.assets.json | 19 -- ...aultTestDeployAssert3F14AD57.template.json | 36 --- .../EnableTelemtryStack.assets.json | 19 -- .../EnableTelemtryStack.template.json | 96 ------- .../cdk.out | 1 - .../integ.json | 12 - .../manifest.json | 184 ------------ .../tree.json | 261 ------------------ .../test/integ.enable-additional-metadata.ts | 36 --- .../core/test/metadata-resource.test.ts | 31 ++- 10 files changed, 30 insertions(+), 665 deletions(-) delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/integ.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/tree.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.ts 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets.json deleted file mode 100644 index 9e44dfaca42dd..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "39.0.0", - "files": { - "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { - "source": { - "path": "EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.template.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.template.json deleted file mode 100644 index ad9d0fb73d1dd..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.template.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.assets.json deleted file mode 100644 index 728de54bd3051..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "39.0.0", - "files": { - "b6503dca5951e510ce013d2525009c961587cc7267ceff8ecacb15d7fb7db461": { - "source": { - "path": "EnableTelemtryStack.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "b6503dca5951e510ce013d2525009c961587cc7267ceff8ecacb15d7fb7db461.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.template.json deleted file mode 100644 index 40382f0cbd21a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/EnableTelemtryStack.template.json +++ /dev/null 
@@ -1,96 +0,0 @@ -{ - "Resources": { - "01234test13C610BE": { - "Type": "AWS::SQS::Queue", - "Properties": { - "VisibilityTimeout": 300 - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "MyFunctionServiceRole3C357FF2": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - }, - "ManagedPolicyArns": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ] - ] - } - ] - } - }, - "MyFunction3BAA72D1": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "ZipFile": "def handler(event, context):\n\tprint('The function has been invoked.')" - }, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "MyFunctionServiceRole3C357FF2", - "Arn" - ] - }, - "Runtime": "python3.8" - }, - "DependsOn": [ - "MyFunctionServiceRole3C357FF2" - ] - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/cdk.out deleted file mode 100644 index 91e1a8b9901d5..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"39.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/integ.json deleted file mode 100644 index 6d5977883c3cb..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/integ.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "version": "39.0.0", - "testCases": { - "Enable Additional Metadata/DefaultTest": { - "stacks": [ - "EnableTelemtryStack" - ], - "assertionStack": "Enable Additional Metadata/DefaultTest/DeployAssert", - "assertionStackName": "EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/manifest.json deleted file mode 100644 index 1ff542acc1419..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/manifest.json +++ /dev/null 
@@ -1,184 +0,0 @@ -{ - "version": "39.0.0", - "artifacts": { - "EnableTelemtryStack.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "EnableTelemtryStack.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "EnableTelemtryStack": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "EnableTelemtryStack.template.json", - "terminationProtection": false, - "validateOnSynth": false, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/b6503dca5951e510ce013d2525009c961587cc7267ceff8ecacb15d7fb7db461.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "EnableTelemtryStack.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "EnableTelemtryStack.assets" - ], - "metadata": { - "/EnableTelemtryStack/01234test": [ - { - "type": "aws:cdk:analytics:construct", - "data": { - "visibilityTimeout": { - "amount": 300, - "unit": { - "label": "seconds", - "isoLabel": "S", - "inMillis": 1000 - } - } - } - } - ], - "/EnableTelemtryStack/01234test/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "01234test13C610BE" - } - ], - "/EnableTelemtryStack/MyFunction": [ - { - "type": "aws:cdk:analytics:construct", - "data": { - "runtime": { - "name": 
"python3.8", - "supportsInlineCode": true, - "family": 2, - "isVariable": false, - "bundlingDockerImage": { - "image": "public.ecr.aws/sam/build-python3.8" - }, - "bundlingImage": { - "image": "public.ecr.aws/sam/build-python3.8" - }, - "supportsCodeGuruProfiling": true, - "supportsSnapStart": false - }, - "handler": "index.handler", - "code": { - "code": "def handler(event, context):\n\tprint('The function has been invoked.')", - "isInline": true - } - } - } - ], - "/EnableTelemtryStack/MyFunction/ServiceRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "MyFunctionServiceRole3C357FF2" - } - ], - "/EnableTelemtryStack/MyFunction/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "MyFunction3BAA72D1" - } - ], - "/EnableTelemtryStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/EnableTelemtryStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ], - "MyBucketF68F3FF0": [ - { - "type": "aws:cdk:logicalId", - "data": "MyBucketF68F3FF0", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } - ], - "CDKMetadata": [ - { - "type": "aws:cdk:logicalId", - "data": "CDKMetadata", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } - ] - }, - "displayName": "EnableTelemtryStack" - }, - "EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.template.json", - "terminationProtection": false, - "validateOnSynth": false, - 
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "EnableAdditionalMetadataDefaultTestDeployAssert3F14AD57.assets" - ], - "metadata": { - "/Enable Additional Metadata/DefaultTest/DeployAssert/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/Enable Additional Metadata/DefaultTest/DeployAssert/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "Enable Additional Metadata/DefaultTest/DeployAssert" - }, - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/tree.json deleted file mode 100644 index 03bb61260684c..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.js.snapshot/tree.json +++ /dev/null 
@@ -1,261 +0,0 @@ -{ - "version": "tree-0.1", - "tree": { - "id": "App", - "path": "", - "children": { - "EnableTelemtryStack": { - "id": "EnableTelemtryStack", - "path": "EnableTelemtryStack", - "children": { - "01234test": { - "id": "01234test", - "path": "EnableTelemtryStack/01234test", - "children": { - "Resource": { - "id": "Resource", - "path": "EnableTelemtryStack/01234test/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::SQS::Queue", - "aws:cdk:cloudformation:props": { - "visibilityTimeout": 300 - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_sqs.CfnQueue", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_sqs.Queue", - "version": "0.0.0", - "metadata": [ - { - "type": "aws:cdk:analytics:construct", - "data": { - "visibilityTimeout": { - "amount": "*", - "unit": { - "label": "*", - "isoLabel": "*", - "inMillis": "*" - } - } - } - } - ] - } - }, - "MyFunction": { - "id": "MyFunction", - "path": "EnableTelemtryStack/MyFunction", - "children": { - "ServiceRole": { - "id": "ServiceRole", - "path": "EnableTelemtryStack/MyFunction/ServiceRole", - "children": { - "ImportServiceRole": { - "id": "ImportServiceRole", - "path": "EnableTelemtryStack/MyFunction/ServiceRole/ImportServiceRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0", - "metadata": [] - } - }, - "Resource": { - "id": "Resource", - "path": "EnableTelemtryStack/MyFunction/ServiceRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - }, - "managedPolicyArns": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ] - ] - } - ] - } - }, - "constructInfo": { - "fqn": 
"aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0", - "metadata": [] - } - }, - "Resource": { - "id": "Resource", - "path": "EnableTelemtryStack/MyFunction/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::Lambda::Function", - "aws:cdk:cloudformation:props": { - "code": { - "zipFile": "def handler(event, context):\n\tprint('The function has been invoked.')" - }, - "handler": "index.handler", - "role": { - "Fn::GetAtt": [ - "MyFunctionServiceRole3C357FF2", - "Arn" - ] - }, - "runtime": "python3.8" - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.CfnFunction", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.Function", - "version": "0.0.0", - "metadata": [ - { - "type": "aws:cdk:analytics:construct", - "data": { - "runtime": { - "name": "*", - "supportsInlineCode": true, - "family": "*", - "isVariable": false, - "bundlingDockerImage": { - "image": "*", - "_imageHash": "*" - }, - "bundlingImage": { - "image": "*", - "_imageHash": "*" - }, - "supportsCodeGuruProfiling": true, - "supportsSnapStart": false - }, - "handler": "*", - "code": { - "code": "*", - "isInline": true - } - } - } - ] - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "EnableTelemtryStack/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "EnableTelemtryStack/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - }, - "Enable Additional Metadata": { - "id": "Enable Additional Metadata", - "path": "Enable Additional Metadata", - "children": { - "DefaultTest": { - "id": "DefaultTest", - "path": "Enable Additional Metadata/DefaultTest", - "children": { - "Default": 
{ - "id": "Default", - "path": "Enable Additional Metadata/DefaultTest/Default", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.4.2" - } - }, - "DeployAssert": { - "id": "DeployAssert", - "path": "Enable Additional Metadata/DefaultTest/DeployAssert", - "children": { - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "Enable Additional Metadata/DefaultTest/DeployAssert/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "Enable Additional Metadata/DefaultTest/DeployAssert/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", - "version": "0.0.0" - } - }, - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.4.2" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.ts b/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.ts deleted file mode 100644 index 6199f6e3c0dcc..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/core/test/integ.enable-additional-metadata.ts +++ /dev/null 
@@ -1,36 +0,0 @@
-import * as cdk from 'aws-cdk-lib/core';
-import * as integ from '@aws-cdk/integ-tests-alpha';
-import * as lambda from 'aws-cdk-lib/aws-lambda';
-import * as sqs from 'aws-cdk-lib/aws-sqs';
-import { ENABLE_ADDITIONAL_METADATA_COLLECTION } from 'aws-cdk-lib/cx-api';
-import { MetadataType } from 'aws-cdk-lib/core/lib/metadata-resource';
-
-/**
- * This test creates resources using alphanumeric logical IDs.
- */
-
-const app = new cdk.App({
- postCliContext: {
- [ENABLE_ADDITIONAL_METADATA_COLLECTION]: true,
- },
-});
-
-const stack = new cdk.Stack(app, 'EnableTelemtryStack');
-
-const queueProp = {
- visibilityTimeout: cdk.Duration.seconds(300),
-};
-const queue = new sqs.Queue(stack, '01234test', queueProp);
-queue.node.addMetadata(MetadataType.CONSTRUCT, queueProp);
-
-const funcProp = {
- runtime: lambda.Runtime.PYTHON_3_8,
- handler: 'index.handler',
- code: lambda.Code.fromInline('def handler(event, context):\n\tprint(\'The function has been invoked.\')'),
-};
-const func = new lambda.Function(stack, 'MyFunction', funcProp);
-func.node.addMetadata(MetadataType.CONSTRUCT, funcProp);
-
-new integ.IntegTest(app, 'Enable Additional Metadata', {
- testCases: [stack],
-});
diff --git a/packages/aws-cdk-lib/core/test/metadata-resource.test.ts b/packages/aws-cdk-lib/core/test/metadata-resource.test.ts
index 4e137e93058e9..265a6cf22ff76 100644
--- a/packages/aws-cdk-lib/core/test/metadata-resource.test.ts
+++ b/packages/aws-cdk-lib/core/test/metadata-resource.test.ts
@@ -1,8 +1,9 @@
 import * as zlib from 'zlib';
 import { Construct } from 'constructs';
 import { Code, Function, Runtime } from '../../aws-lambda';
+import { Queue } from '../../aws-sqs';
 import { ENABLE_ADDITIONAL_METADATA_COLLECTION } from '../../cx-api';
-import { App, Stack, IPolicyValidationPluginBeta1, IPolicyValidationContextBeta1, Stage, PolicyValidationPluginReportBeta1, FeatureFlags } from '../lib';
+import { App, Stack, IPolicyValidationPluginBeta1, IPolicyValidationContextBeta1, Stage, PolicyValidationPluginReportBeta1, FeatureFlags, Duration } from '../lib';
 import { MetadataType } from '../lib/metadata-resource';
 import { formatAnalytics } from '../lib/private/metadata-resource';
 import { ConstructInfo } from '../lib/private/runtime-info';
@@ -92,6 +93,34 @@ describe('MetadataResource', () => {
 expect(stackTemplate1.Resources?.CDKMetadata).toEqual(stackTemplate3.Resources?.CDKMetadata);
 });
+ test('enable additional metadata with metadata', () => {
+ const myApp = new App({
+ analyticsReporting: true,
+ postCliContext: {
+ [ENABLE_ADDITIONAL_METADATA_COLLECTION]: true,
+ },
+ });
+
+ const myStack = new Stack(myApp, 'EnableTelemtryStack');
+ const queueProp = {
+ visibilityTimeout: Duration.seconds(300),
+ };
+ const queue = new Queue(myStack, '01234test', queueProp);
+ queue.node.addMetadata(MetadataType.CONSTRUCT, queueProp);
+
+ const funcProp = {
+ runtime: Runtime.PYTHON_3_9,
+ handler: 'index.handler',
+ code: Code.fromInline('def handler(event, context):\n\tprint(\'The function has been invoked.\')'),
+ };
+ const func = new Function(myStack, 'MyFunction', funcProp);
+ func.node.addMetadata(MetadataType.CONSTRUCT, funcProp);
+
+ const template = myApp.synth().getStackByName('EnableTelemtryStack').template;
+ expect(template.Resources?.CDKMetadata).toBeDefined();
+ expect(template.Resources?.CDKMetadata?.Properties?.Analytics).toEqual('v2:deflate64:H4sIAAAAAAAA/8vLT0nVyyrWLzO00DMy0DNQzCrOzNQtKs0rycxN1QuC0ADZIqxKJQAAAA==');
+ });
+
 test('includes the formatted Analytics property', () => {
 // A very simple check that the jsii runtime psuedo-construct is present.
 // This check works whether we're running locally or on CodeBuild, on v1 or v2.
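Review bot: The new test's only check on the collected metadata is equality with an opaque `v2:deflate64:` blob, so a failure will not show what changed, and nothing verifies that the props passed to `addMetadata` (the inline handler source, `index.handler`) stay out of the Analytics payload. The deleted integ snapshot `tree.json` recorded those values redacted to `"*"`, and nothing visible in this patch replaces that coverage. The file already imports `zlib` and the payload looks gzip-encoded (`H4sI` prefix), so with `analytics` holding the `Properties.Analytics` value the test could add `const decoded = zlib.gunzipSync(Buffer.from(analytics.split(':')[2], 'base64')).toString();` followed by `expect(decoded).not.toContain('The function has been invoked');`. The enclosing `describe` block starts and ends outside the hunk, so if it already has a decode helper, prefer that.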