Merge branch 'master' into huijbers/permissions-boundary

Author: mergify[bot]

CHANGELOG.md

@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.87.1](https://github.com/aws/aws-cdk/compare/v1.87.0...v1.87.1) (2021-01-28)
+
+
+### Bug Fixes
+
+* **apigateway:** stack update fails to replace api key ([38cbe62](https://github.com/aws/aws-cdk/commit/38cbe620859d6efabda95dbdd3185a480ab43894)), closes [#12698](https://github.com/aws/aws-cdk/issues/12698)
+
 ## [1.87.0](https://github.com/aws/aws-cdk/compare/v1.86.0...v1.87.0) (2021-01-27)
 
 

packages/@aws-cdk/assets/lib/fs/options.ts

@@ -10,6 +10,7 @@ export interface CopyOptions {
    * A strategy for how to handle symlinks.
    *
    * @default Never
+   * @deprecated use `followSymlinks` instead
    */
   readonly follow?: FollowMode;
 

packages/@aws-cdk/aws-ecr-assets/lib/image-asset.ts

@@ -2,14 +2,16 @@ import * as fs from 'fs';
 import * as path from 'path';
 import * as assets from '@aws-cdk/assets';
 import * as ecr from '@aws-cdk/aws-ecr';
-import { Annotations, Construct as CoreConstruct, FeatureFlags, IgnoreMode, Stack, Token } from '@aws-cdk/core';
+import {
+  Annotations, AssetStaging, Construct as CoreConstruct, FeatureFlags, FileFingerprintOptions, IgnoreMode, Stack, SymlinkFollowMode, Token,
+} from '@aws-cdk/core';
 import * as cxapi from '@aws-cdk/cx-api';
 import { Construct } from 'constructs';
 
 /**
  * Options for DockerImageAsset
  */
-export interface DockerImageAssetOptions extends assets.FingerprintOptions {
+export interface DockerImageAssetOptions extends assets.FingerprintOptions, FileFingerprintOptions {
   /**
    * ECR repository name
    *
@@ -137,8 +139,9 @@ export class DockerImageAsset extends CoreConstruct implements assets.IAsset {
     // deletion of the ECR repository the app used).
     extraHash.version = '1.21.0';
 
-    const staging = new assets.Staging(this, 'Staging', {
+    const staging = new AssetStaging(this, 'Staging', {
       ...props,
+      follow: props.followSymlinks ?? toSymlinkFollow(props.follow),
       exclude,
       ignoreMode,
       sourcePath: dir,
@@ -181,3 +184,13 @@ function validateBuildArgs(buildArgs?: { [key: string]: string }) {
     }
   }
 }
+
+function toSymlinkFollow(follow?: assets.FollowMode): SymlinkFollowMode | undefined {
+  switch (follow) {
+    case undefined: return undefined;
+    case assets.FollowMode.NEVER: return SymlinkFollowMode.NEVER;
+    case assets.FollowMode.ALWAYS: return SymlinkFollowMode.ALWAYS;
+    case assets.FollowMode.BLOCK_EXTERNAL: return SymlinkFollowMode.BLOCK_EXTERNAL;
+    case assets.FollowMode.EXTERNAL: return SymlinkFollowMode.EXTERNAL;
+  }
+}

packages/@aws-cdk/aws-ecr/README.md

@@ -51,11 +51,29 @@ grants an IAM user access to call this API.
 
 ```ts
 import * as iam from '@aws-cdk/aws-iam';
+import * as ecr from '@aws-cdk/aws-ecr';
 
 const user = new iam.User(this, 'User', { ... });
-iam.AuthorizationToken.grantRead(user);
+ecr.AuthorizationToken.grantRead(user);
 ```
 
+If you access images in the [Public ECR Gallery](https://gallery.ecr.aws/) as well, it is recommended you authenticate to the regsitry to benefit from
+higher rate and bandwidth limits.
+
+> See `Pricing` in https://aws.amazon.com/blogs/aws/amazon-ecr-public-a-new-public-container-registry/ and [Service quotas](https://docs.aws.amazon.com/AmazonECR/latest/public/public-service-quotas.html).
+
+The following code snippet grants an IAM user access to retrieve an authorization token for the public gallery.
+
+```ts
+import * as iam from '@aws-cdk/aws-iam';
+import * as ecr from '@aws-cdk/aws-ecr';
+
+const user = new iam.User(this, 'User', { ... });
+ecr.PublicGalleryAuthorizationToken.grantRead(user);
+```
+
+This user can then proceed to login to the registry using one of the [authentication methods](https://docs.aws.amazon.com/AmazonECR/latest/public/public-registries.html#public-registry-auth).
+
 ## Automatically clean up repositories
 
 You can set life cycle rules to automatically clean up old images from your

packages/@aws-cdk/aws-ecr/lib/auth-token.ts

@@ -1,7 +1,9 @@
 import * as iam from '@aws-cdk/aws-iam';
 
 /**
- * Authorization token to access ECR repositories via Docker CLI.
+ * Authorization token to access private ECR repositories in the current environment via Docker CLI.
+ *
+ * @see https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html
  */
 export class AuthorizationToken {
   /**
@@ -18,3 +20,27 @@ export class AuthorizationToken {
   private constructor() {
   }
 }
+
+/**
+ * Authorization token to access the global public ECR Gallery via Docker CLI.
+ *
+ * @see https://docs.aws.amazon.com/AmazonECR/latest/public/public-registries.html#public-registry-auth
+ */
+export class PublicGalleryAuthorizationToken {
+
+  /**
+   * Grant access to retrieve an authorization token.
+   */
+  public static grantRead(grantee: iam.IGrantable) {
+    grantee.grantPrincipal.addToPrincipalPolicy(new iam.PolicyStatement({
+      actions: ['ecr-public:GetAuthorizationToken', 'sts:GetServiceBearerToken'],
+      // GetAuthorizationToken only allows '*'. See https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html#amazonelasticcontainerregistry-actions-as-permissions
+      // GetServiceBearerToken only allows '*'. See https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecuritytokenservice.html#awssecuritytokenservice-actions-as-permissions
+      resources: ['*'],
+    }));
+  }
+
+  private constructor() {
+  }
+
+}

packages/@aws-cdk/aws-ecr/test/test.auth-token.ts

@@ -2,10 +2,10 @@ import { expect, haveResourceLike } from '@aws-cdk/assert';
 import * as iam from '@aws-cdk/aws-iam';
 import { Stack } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
-import { AuthorizationToken } from '../lib';
+import { AuthorizationToken, PublicGalleryAuthorizationToken } from '../lib';
 
 export = {
-  'grant()'(test: Test) {
+  'AuthorizationToken.grantRead()'(test: Test) {
     // GIVEN
     const stack = new Stack();
     const user = new iam.User(stack, 'User');
@@ -28,4 +28,32 @@ export = {
 
     test.done();
   },
+
+  'PublicGalleryAuthorizationToken.grantRead()'(test: Test) {
+    // GIVEN
+    const stack = new Stack();
+    const user = new iam.User(stack, 'User');
+
+    // WHEN
+    PublicGalleryAuthorizationToken.grantRead(user);
+
+    // THEN
+    expect(stack).to(haveResourceLike('AWS::IAM::Policy', {
+      PolicyDocument: {
+        Statement: [
+          {
+            Action: [
+              'ecr-public:GetAuthorizationToken',
+              'sts:GetServiceBearerToken',
+            ],
+            Effect: 'Allow',
+            Resource: '*',
+          },
+        ],
+      },
+    }));
+
+    test.done();
+  },
+
 };

packages/@aws-cdk/aws-ecs-patterns/README.md

@@ -427,3 +427,17 @@ const loadBalancedFargateService = new ApplicationLoadBalancedFargateService(sta
   },
 });
 ```
+
+### Set PlatformVersion for ScheduledFargateTask
+
+```ts
+const scheduledFargateTask = new ScheduledFargateTask(stack, 'ScheduledFargateTask', {
+  cluster,
+  scheduledFargateTaskImageOptions: {
+    image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
+    memoryLimitMiB: 512,
+  },
+  schedule: events.Schedule.expression('rate(1 minute)'),
+  platformVersion: ecs.FargatePlatformVersion.VERSION1_4,
+});
+```

packages/@aws-cdk/aws-ecs-patterns/lib/base/scheduled-task-base.ts

@@ -165,11 +165,20 @@ export abstract class ScheduledTaskBase extends CoreConstruct {
       subnetSelection: this.subnetSelection,
     });
 
-    this.eventRule.addTarget(eventRuleTarget);
+    this.addTaskAsTarget(eventRuleTarget);
 
     return eventRuleTarget;
   }
 
+  /**
+   * Adds task as a target of the scheduled event rule.
+   *
+   * @param ecsTaskTarget the EcsTask to add to the event rule
+   */
+  protected addTaskAsTarget(ecsTaskTarget: EcsTask) {
+    this.eventRule.addTarget(ecsTaskTarget);
+  }
+
   /**
    * Returns the default cluster.
    */

packages/@aws-cdk/aws-ecs-patterns/lib/fargate/scheduled-fargate-task.ts

@@ -1,4 +1,5 @@
-import { FargateTaskDefinition } from '@aws-cdk/aws-ecs';
+import { FargateTaskDefinition, FargatePlatformVersion } from '@aws-cdk/aws-ecs';
+import { EcsTask } from '@aws-cdk/aws-events-targets';
 import { Construct } from 'constructs';
 import { ScheduledTaskBase, ScheduledTaskBaseProps, ScheduledTaskImageProps } from '../base/scheduled-task-base';
 
@@ -21,6 +22,17 @@ export interface ScheduledFargateTaskProps extends ScheduledTaskBaseProps {
    * @default none
    */
   readonly scheduledFargateTaskImageOptions?: ScheduledFargateTaskImageOptions;
+
+  /**
+   * The platform version on which to run your service.
+   *
+   * If one is not specified, the LATEST platform version is used by default. For more information, see
+   * [AWS Fargate Platform Versions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform_versions.html)
+   * in the Amazon Elastic Container Service Developer Guide.
+   *
+   * @default Latest
+   */
+  readonly platformVersion?: FargatePlatformVersion;
 }
 
 /**
@@ -109,6 +121,15 @@ export class ScheduledFargateTask extends ScheduledTaskBase {
       throw new Error('You must specify one of: taskDefinition or image');
     }
 
-    this.addTaskDefinitionToEventTarget(this.taskDefinition);
+    // Use the EcsTask as the target of the EventRule
+    const eventRuleTarget = new EcsTask( {
+      cluster: this.cluster,
+      taskDefinition: this.taskDefinition,
+      taskCount: this.desiredTaskCount,
+      subnetSelection: this.subnetSelection,
+      platformVersion: props.platformVersion,
+    });
+
+    this.addTaskAsTarget(eventRuleTarget);
   }
 }

packages/@aws-cdk/aws-ecs-patterns/test/fargate/test.scheduled-fargate-task.ts

@@ -294,6 +294,60 @@ export = {
       ],
     }));
 
+    test.done();
+  },
+  'Scheduled Fargate Task - with platformVersion defined'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'Vpc', { maxAzs: 1 });
+    const cluster = new ecs.Cluster(stack, 'EcsCluster', { vpc });
+
+    new ScheduledFargateTask(stack, 'ScheduledFargateTask', {
+      cluster,
+      scheduledFargateTaskImageOptions: {
+        image: ecs.ContainerImage.fromRegistry('henk'),
+        memoryLimitMiB: 512,
+      },
+      schedule: events.Schedule.expression('rate(1 minute)'),
+      platformVersion: ecs.FargatePlatformVersion.VERSION1_4,
+    });
+
+    // THEN
+    expect(stack).to(haveResource('AWS::Events::Rule', {
+      Targets: [
+        {
+          Arn: { 'Fn::GetAtt': ['EcsCluster97242B84', 'Arn'] },
+          EcsParameters: {
+            LaunchType: 'FARGATE',
+            NetworkConfiguration: {
+              AwsVpcConfiguration: {
+                AssignPublicIp: 'DISABLED',
+                SecurityGroups: [
+                  {
+                    'Fn::GetAtt': [
+                      'ScheduledFargateTaskScheduledTaskDefSecurityGroupE075BC19',
+                      'GroupId',
+                    ],
+                  },
+                ],
+                Subnets: [
+                  {
+                    Ref: 'VpcPrivateSubnet1Subnet536B997A',
+                  },
+                ],
+              },
+            },
+            PlatformVersion: '1.4.0',
+            TaskCount: 1,
+            TaskDefinitionArn: { Ref: 'ScheduledFargateTaskScheduledTaskDef521FA675' },
+          },
+          Id: 'Target0',
+          Input: '{}',
+          RoleArn: { 'Fn::GetAtt': ['ScheduledFargateTaskScheduledTaskDefEventsRole6CE19522', 'Arn'] },
+        },
+      ],
+    }));
+
     test.done();
   },
 };