Merge branch 'main' into app-asg-validation

.github/workflows/repo-metrics.yml

@@ -36,7 +36,7 @@ jobs:
         SEARCH_QUERY: 'repo:aws/aws-cdk is:issue created:${{ env.last_month }} -reason:"not planned"'
 
     - name: Create report for issues
-      uses: peter-evans/create-issue-from-file@v4
+      uses: peter-evans/create-issue-from-file@v5
       with:
         title: Monthly issue metrics report
         token: ${{ secrets.GITHUB_TOKEN }}
@@ -50,7 +50,7 @@ jobs:
         SEARCH_QUERY: 'repo:aws/aws-cdk is:pr created:${{ env.last_month }} -is:draft'
 
     - name: Create report for PRs
-      uses: peter-evans/create-issue-from-file@v4
+      uses: peter-evans/create-issue-from-file@v5
       with:
         title: Monthly PR metrics report
         token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/request-cli-integ-test.yml

@@ -19,7 +19,7 @@ jobs:
           persist-credentials: false
       - name: Find changed cli files
         id: changed-cli-files
-        uses: tj-actions/changed-files@ae82ed4ae04587b665efad2f206578aa6f0e8539
+        uses: tj-actions/changed-files@90a06d6ba9543371ab4df8eeca0be07ca6054959
         with:
           base_sha: ${{ github.event.pull_request.base.sha }}
           files_yaml: |

.gitignore

@@ -51,3 +51,7 @@ RELEASE_NOTES.md
 
 # Produced by integ tests
 read*lock
+
+# VSCode jest plugin
+.test-output
+

packages/@aws-cdk-testing/framework-integ/package.json

@@ -9,7 +9,7 @@
     "lint": "cdk-lint",
     "pkglint": "pkglint -f",
     "test": "cdk-test",
-    "integ": "integ-runner",
+    "integ": "integ-runner --language javascript",
     "package": "cdk-package",
     "build+test": "yarn build && yarn test",
     "build+extract": "yarn build",

packages/@aws-cdk/app-staging-synthesizer-alpha/README.md

@@ -265,6 +265,22 @@ const app = new App({
 });
 ```
 
+### Staging Bucket Encryption
+
+By default, the staging resources will be stored in an S3 Bucket with KMS encryption. To use
+SSE-S3, set `stagingBucketEncryption` to `BucketEncryption.S3_MANAGED`.
+
+```ts
+import { BucketEncryption } from 'aws-cdk-lib/aws-s3';
+
+const app = new App({
+  defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({
+    appId: 'my-app-id',
+    stagingBucketEncryption: BucketEncryption.S3_MANAGED,
+  }),
+});
+```
+
 ## Using a Custom Staging Stack per Environment
 
 If you want to customize some behavior that is not configurable via properties,

packages/@aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts

@@ -61,6 +61,13 @@ export interface DefaultStagingStackOptions {
    */
   readonly stagingBucketName?: string;
 
+  /**
+   * Encryption type for staging bucket
+   *
+   * @default - s3.BucketEncryption.KMS
+   */
+  readonly stagingBucketEncryption?: s3.BucketEncryption;
+
   /**
    * Pass in an existing role to be used as the file publishing role.
    *
@@ -219,6 +226,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources {
 
   private readonly appId: string;
   private readonly stagingBucketName?: string;
+  private stagingBucketEncryption?: s3.BucketEncryption;
 
   /**
    * File publish role ARN in asset manifest format
@@ -259,6 +267,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources {
 
     this.deployRoleArn = props.deployRoleArn;
     this.stagingBucketName = props.stagingBucketName;
+    this.stagingBucketEncryption = props.stagingBucketEncryption;
     const specializer = new StringSpecializer(this, props.qualifier);
 
     this.providedFileRole = props.fileAssetPublishingRole?._specialize(specializer);
@@ -358,7 +367,15 @@ export class DefaultStagingStack extends Stack implements IStagingResources {
     }
 
     this.ensureFileRole();
-    const key = this.createBucketKey();
+
+    let key = undefined;
+    if (this.stagingBucketEncryption === s3.BucketEncryption.KMS || this.stagingBucketEncryption === undefined) {
+      if (this.stagingBucketEncryption === undefined) {
+        // default is KMS as an AWS best practice, and for backwards compatibility
+        this.stagingBucketEncryption = s3.BucketEncryption.KMS;
+      }
+      key = this.createBucketKey();
+    }
 
     // Create the bucket once the dependencies have been created
     const bucket = new s3.Bucket(this, bucketId, {
@@ -369,7 +386,7 @@ export class DefaultStagingStack extends Stack implements IStagingResources {
       } : {
         removalPolicy: RemovalPolicy.RETAIN,
       }),
-      encryption: s3.BucketEncryption.KMS,
+      encryption: this.stagingBucketEncryption,
       encryptionKey: key,
 
       // Many AWS account safety checkers will complain when buckets aren't versioned

packages/@aws-cdk/app-staging-synthesizer-alpha/package.json

@@ -48,7 +48,7 @@
     "watch": "cdk-watch",
     "lint": "cdk-lint",
     "test": "cdk-test",
-    "integ": "integ-runner",
+    "integ": "integ-runner --language javascript",
     "pkglint": "pkglint -f",
     "package": "cdk-package",
     "awslint": "cdk-awslint",

packages/@aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts

@@ -3,6 +3,7 @@ import * as path from 'path';
 import { App, Stack, CfnResource, FileAssetPackaging, Token, Lazy, Duration } from 'aws-cdk-lib';
 import { Match, Template } from 'aws-cdk-lib/assertions';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
+import { BucketEncryption } from 'aws-cdk-lib/aws-s3';
 import * as cxschema from 'aws-cdk-lib/cloud-assembly-schema';
 import { CloudAssembly } from 'aws-cdk-lib/cx-api';
 import { evaluateCFN } from './evaluate-cfn';
@@ -257,7 +258,7 @@ describe(AppStagingSynthesizer, () => {
       stack = new Stack(app, 'Stack', {
         env: {
           account: '000000000000',
-          region: 'us-west-2',
+          region: 'us-east-1',
         },
       });
       new CfnResource(stack, 'Resource', {
@@ -268,16 +269,60 @@ describe(AppStagingSynthesizer, () => {
       const asm = app.synth();
 
       // THEN
-      const stagingStackArtifact = asm.getStackArtifact(`StagingStack-${APP_ID}-000000000000-us-west-2`);
-
-      Template.fromJSON(stagingStackArtifact.template).hasResourceProperties('AWS::S3::Bucket', {
+      Template.fromJSON(getStagingResourceStack(asm).template).hasResourceProperties('AWS::S3::Bucket', {
         LifecycleConfiguration: {
           Rules: Match.arrayWith([{
             ExpirationInDays: 1,
             Prefix: DEPLOY_TIME_PREFIX,
             Status: 'Enabled',
           }]),
         },
+        // When stagingBucketEncryption is not specified, it should be KMS for backwards compatibility
+        BucketEncryption: {
+          ServerSideEncryptionConfiguration: [
+            {
+              ServerSideEncryptionByDefault: {
+                SSEAlgorithm: 'aws:kms',
+              },
+            },
+          ],
+        },
+      });
+    });
+
+    test('staging bucket with SSE-S3 encryption', () => {
+      // GIVEN
+      app = new App({
+        defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({
+          appId: APP_ID,
+          deployTimeFileAssetLifetime: Duration.days(1),
+          stagingBucketEncryption: BucketEncryption.S3_MANAGED,
+        }),
+      });
+      stack = new Stack(app, 'Stack', {
+        env: {
+          account: '000000000000',
+          region: 'us-east-1',
+        },
+      });
+      new CfnResource(stack, 'Resource', {
+        type: 'Some::Resource',
+      });
+
+      // WHEN
+      const asm = app.synth();
+
+      // THEN
+      Template.fromJSON(getStagingResourceStack(asm).template).hasResourceProperties('AWS::S3::Bucket', {
+        BucketEncryption: {
+          ServerSideEncryptionConfiguration: [
+            {
+              ServerSideEncryptionByDefault: {
+                SSEAlgorithm: 'AES256',
+              },
+            },
+          ],
+        },
       });
     });
   });