Merge branch 'master' into pr/cloudfront-response

Author: mergify[bot]

packages/@aws-cdk/aws-ec2/lib/instance-types.ts

@@ -118,6 +118,16 @@ export enum InstanceClass {
    */
   R5 = 'r5',
 
+  /**
+   * Memory optimized instances, 6th generation with Intel Xeon Scalable processors (3rd generation processors code named Ice Lake)
+   */
+  MEMORY6_INTEL = 'r6i',
+
+  /**
+   * Memory optimized instances, 6th generation with Intel Xeon Scalable processors (3rd generation processors code named Ice Lake)
+   */
+  R6I = 'r6i',
+
   /**
    * Memory optimized instances for high performance computing, 5th generation
    */

packages/@aws-cdk/aws-ec2/test/instance.test.ts

@@ -138,7 +138,7 @@ describe('instance', () => {
   });
   test('instance architecture is correctly discerned for x86-64 instance', () => {
     // GIVEN
-    const sampleInstanceClasses = ['c5', 'm5ad', 'r5n', 'm6', 't3a']; // A sample of x86-64 instance classes
+    const sampleInstanceClasses = ['c5', 'm5ad', 'r5n', 'm6', 't3a', 'r6i']; // A sample of x86-64 instance classes
 
     for (const instanceClass of sampleInstanceClasses) {
       // WHEN

packages/@aws-cdk/aws-iam/README.md

@@ -329,7 +329,7 @@ Identity Pools Developer Guide].
 
 The following examples defines an OpenID Connect provider. Two client IDs
 (audiences) are will be able to send authentication requests to
-https://openid/connect.
+<https://openid/connect>.
 
 ```ts
 const provider = new iam.OpenIdConnectProvider(this, 'MyProvider', {
@@ -439,6 +439,26 @@ const user = iam.User.fromUserAttributes(this, 'MyImportedUserByAttributes', {
 });
 ```
 
+## Groups
+
+An IAM user group is a collection of IAM users. User groups let you specify permissions for multiple users.
+
+```ts
+const group = new iam.Group(this, 'MyGroup');
+```
+
+To import an existing group by ARN:
+
+```ts
+const group = iam.Group.fromGroupArn(this, 'MyImportedGroupByArn', 'arn:aws:iam::account-id:group/group-name');
+```
+
+To import an existing group by name [with path](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names):
+
+```ts
+const group = iam.Group.fromGroupName(this, 'MyImportedGroupByName', 'group-name');
+```
+
 To add a user to a group (both for a new and imported user/group):
 
 ```ts
@@ -450,12 +470,11 @@ user.addToGroup(group);
 group.addUser(user);
 ```
 
-
 ## Features
 
-  * Policy name uniqueness is enforced. If two policies by the same name are attached to the same
+* Policy name uniqueness is enforced. If two policies by the same name are attached to the same
     principal, the attachment will fail.
-  * Policy names are not required - the CDK logical ID will be used and ensured to be unique.
-  * Policies are validated during synthesis to ensure that they have actions, and that policies
+* Policy names are not required - the CDK logical ID will be used and ensured to be unique.
+* Policies are validated during synthesis to ensure that they have actions, and that policies
     attached to IAM principals specify relevant resources, while policies attached to resources
     specify which IAM principals they apply to.

packages/@aws-cdk/aws-iam/lib/group.ts

@@ -156,6 +156,24 @@ export class Group extends GroupBase {
     return new Import(scope, id);
   }
 
+  /**
+   * Import an existing group by given name (with path).
+   * This method has same caveats of `fromGroupArn`
+   *
+   * @param scope construct scope
+   * @param id construct id
+   * @param groupName the groupName (path included) of the existing group to import
+   */
+  static fromGroupName(scope: Construct, id: string, groupName: string) {
+    const groupArn = Stack.of(scope).formatArn({
+      service: 'iam',
+      region: '',
+      resource: 'group',
+      resourceName: groupName,
+    });
+    return Group.fromGroupArn(scope, id, groupArn);
+  }
+
   public readonly groupName: string;
   public readonly groupArn: string;
 

packages/@aws-cdk/aws-iam/test/group.test.ts

@@ -27,15 +27,15 @@ describe('IAM groups', () => {
       {
         MyGroupCBA54B1B: { Type: 'AWS::IAM::Group' },
         User1E278A736:
-         {
-           Type: 'AWS::IAM::User',
-           Properties: { Groups: [{ Ref: 'MyGroupCBA54B1B' }] },
-         },
+        {
+          Type: 'AWS::IAM::User',
+          Properties: { Groups: [{ Ref: 'MyGroupCBA54B1B' }] },
+        },
         User21F1486D1:
-         {
-           Type: 'AWS::IAM::User',
-           Properties: { Groups: [{ Ref: 'MyGroupCBA54B1B' }] },
-         },
+        {
+          Type: 'AWS::IAM::User',
+          Properties: { Groups: [{ Ref: 'MyGroupCBA54B1B' }] },
+        },
       },
     });
   });
@@ -56,4 +56,21 @@ describe('IAM groups', () => {
       ],
     });
   });
+
+  test('groups imported by group name have valid arn', () => {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    const group1 = Group.fromGroupName(stack, 'imported-group1', 'MyGroupName1');
+    const group2 = Group.fromGroupName(stack, 'imported-group2', 'division/MyGroupName2');
+
+    // THEN
+    expect(stack.resolve(group1.groupArn)).toStrictEqual({
+      'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, ':group/MyGroupName1']],
+    });
+    expect(stack.resolve(group2.groupArn)).toStrictEqual({
+      'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, ':group/division/MyGroupName2']],
+    });
+  });
 });

packages/@aws-cdk/core/lib/asset-staging.ts

@@ -189,7 +189,8 @@ export class AssetStaging extends CoreConstruct {
     if (props.bundling) {
       // Check if we actually have to bundle for this stack
       const bundlingStacks: string[] = this.node.tryGetContext(cxapi.BUNDLING_STACKS) ?? ['*'];
-      skip = !bundlingStacks.find(pattern => minimatch(Stack.of(this).stackName, pattern));
+      // bundlingStacks is of the form `Stage/Stack`, convert it to `Stage-Stack` before comparing to stack name
+      skip = !bundlingStacks.find(pattern => minimatch(Stack.of(this).stackName, pattern.replace('/', '-')));
       const bundling = props.bundling;
       stageThisAsset = () => this.stageByBundling(bundling, skip);
     } else {

packages/@aws-cdk/core/test/staging.test.ts

@@ -859,8 +859,42 @@ describe('staging', () => {
     expect(asset.stagedPath).toEqual(directory);
     expect(asset.relativeStagedPath(stack)).toEqual(directory);
     expect(asset.assetHash).toEqual('f66d7421aa2d044a6c1f60ddfc76dc78571fcd8bd228eb48eb394e2dbad94a5c');
+  });
+
+  test('correctly skips bundling with stack under stage', () => {
+    // GIVEN
+    const app = new App();
+
+    const stage = new Stage(app, 'Stage');
+    stage.node.setContext(cxapi.BUNDLING_STACKS, ['Stage/Stack1']);
+
+    const stack1 = new Stack(stage, 'Stack1');
+    const stack2 = new Stack(stage, 'Stack2');
+    const directory = path.join(__dirname, 'fs', 'fixtures', 'test1');
 
+    new AssetStaging(stack1, 'Asset', {
+      sourcePath: directory,
+      assetHashType: AssetHashType.OUTPUT,
+      bundling: {
+        image: DockerImage.fromRegistry('alpine'),
+        command: [DockerStubCommand.SUCCESS],
+      },
+    });
+
+    new AssetStaging(stack2, 'Asset', {
+      sourcePath: directory,
+      assetHashType: AssetHashType.OUTPUT,
+      bundling: {
+        image: DockerImage.fromRegistry('alpine'),
+        command: [DockerStubCommand.MULTIPLE_FILES],
+      },
+    });
 
+    const dockerStubInput = readDockerStubInputConcat();
+    // Docker ran for the asset in Stack1
+    expect(dockerStubInput).toMatch(DockerStubCommand.SUCCESS);
+    // DOcker did not run for the asset in Stack2
+    expect(dockerStubInput).not.toMatch(DockerStubCommand.MULTIPLE_FILES);
   });
 
   test('bundling still occurs with partial wildcard', () => {

packages/@aws-cdk/custom-resources/README.md

@@ -347,6 +347,25 @@ This sample demonstrates the following concepts:
 * Non-intrinsic physical IDs
 * Implemented in Python
 
+
+### Customizing Provider Function name
+
+In multi-account environments or when the custom resource may be re-utilized across several 
+stacks it may be useful to manually set a name for the Provider Function Lambda and therefore
+have a predefined service token ARN.
+
+```ts
+
+const myProvider = new cr.Provider(this, 'MyProvider', {
+  onEventHandler: onEvent,
+  isCompleteHandler: isComplete,
+  logRetention: logs.RetentionDays.ONE_DAY,
+  role: myRole,
+  providerFunctionName: 'the-lambda-name',   // Optional
+});
+
+```
+
 ## Custom Resources for AWS APIs
 
 Sometimes a single API call can fill the gap in the CloudFormation coverage. In

packages/@aws-cdk/custom-resources/lib/provider-framework/provider.ts

@@ -115,6 +115,15 @@ export interface ProviderProps {
    * @default - A default role will be created.
    */
   readonly role?: iam.IRole;
+
+  /**
+   * Provider Lambda name.
+   *
+   * The provider lambda function name.
+   *
+   * @default -  CloudFormation default name from unique physical ID
+   */
+  readonly providerFunctionName?: string;
 }
 
 /**
@@ -165,7 +174,7 @@ export class Provider extends CoreConstruct implements ICustomResourceProvider {
 
     this.role = props.role;
 
-    const onEventFunction = this.createFunction(consts.FRAMEWORK_ON_EVENT_HANDLER_NAME);
+    const onEventFunction = this.createFunction(consts.FRAMEWORK_ON_EVENT_HANDLER_NAME, props.providerFunctionName);
 
     if (this.isCompleteHandler) {
       const isCompleteFunction = this.createFunction(consts.FRAMEWORK_IS_COMPLETE_HANDLER_NAME);
@@ -198,7 +207,7 @@ export class Provider extends CoreConstruct implements ICustomResourceProvider {
     };
   }
 
-  private createFunction(entrypoint: string) {
+  private createFunction(entrypoint: string, name?: string) {
     const fn = new lambda.Function(this, `framework-${entrypoint}`, {
       code: lambda.Code.fromAsset(RUNTIME_HANDLER_PATH),
       description: `AWS CDK resource provider framework - ${entrypoint} (${this.node.path})`.slice(0, 256),
@@ -210,6 +219,7 @@ export class Provider extends CoreConstruct implements ICustomResourceProvider {
       vpcSubnets: this.vpcSubnets,
       securityGroups: this.securityGroups,
       role: this.role,
+      functionName: name,
     });
 
     fn.addEnvironment(consts.USER_ON_EVENT_FUNCTION_ARN_ENV, this.onEventHandler.functionArn);

packages/@aws-cdk/custom-resources/test/provider-framework/provider.test.ts

@@ -397,3 +397,27 @@ describe('role', () => {
     });
   });
 });
+
+describe('name', () => {
+  it('uses custom name when present', () => {
+    // GIVEN
+    const stack = new Stack();
+    const providerFunctionName = 'test-name';
+
+    // WHEN
+    new cr.Provider(stack, 'MyProvider', {
+      onEventHandler: new lambda.Function(stack, 'MyHandler', {
+        code: lambda.Code.fromAsset(path.join(__dirname, './integration-test-fixtures/s3-file-handler')),
+        handler: 'index.onEvent',
+        runtime: lambda.Runtime.NODEJS_10_X,
+      }),
+      providerFunctionName,
+    });
+
+    // THEN
+    expect(stack).toHaveResourceLike('AWS::Lambda::Function', {
+      FunctionName: providerFunctionName,
+    });
+  });
+});
+