Merge branch 'master' into ecs-ec2-capacity-provider

.mergify.yml

@@ -6,7 +6,7 @@ pull_request_rules:
       label:
         add: [ contribution/core ]
     conditions:
-      - author~=^(eladb|RomainMuller|garnaat|nija-at|skinny85|rix0rrr|NGL321|Jerry-AWS|MrArnoldPalmer|NetaNir|iliapolo|njlynch|ericzbeard|ccfife|fulghum|pkandasamy91|SoManyHs|uttarasridhar|otaviomacedo|BenChaimberg)$
+      - author~=^(eladb|RomainMuller|garnaat|nija-at|skinny85|rix0rrr|NGL321|Jerry-AWS|MrArnoldPalmer|NetaNir|iliapolo|njlynch|ericzbeard|ccfife|fulghum|pkandasamy91|SoManyHs|uttarasridhar|otaviomacedo|BenChaimberg|madeline-k)$
       - -label~="contribution/core"
   - name: automatic merge
     actions:

packages/@aws-cdk-containers/ecs-service-extensions/README.md

@@ -61,19 +61,19 @@ const nameService = new Service(stack, 'name', {
 ## Creating an `Environment`
 
 An `Environment` is a place to deploy your services. You can have multiple environments
-on a single AWS account. For example you could create a `test` environment as well
-as a `production` environment so you have a place to verify that you application
+on a single AWS account. For example, you could create a `test` environment as well
+as a `production` environment so you have a place to verify that your application
 works as intended before you deploy it to a live environment.
 
-Each environment is isolated from other environments. In specific
-by default when you create an environment the construct supplies its own VPC,
+Each environment is isolated from other environments. In other words,
+when you create an environment, by default the construct supplies its own VPC,
 ECS Cluster, and any other required resources for the environment:
 
 ```ts
 const environment = new Environment(stack, 'production');
 ```
 
-However, you can also choose to build an environment out of a pre-existing VPC,
+However, you can also choose to build an environment out of a pre-existing VPC
 or ECS Cluster:
 
 ```ts
@@ -89,7 +89,7 @@ const environment = new Environment(stack, 'production', {
 ## Defining your `ServiceDescription`
 
 The `ServiceDescription` defines what application you want the service to run and
-what optional extensions you want to add to the service. The most basic form of a `ServiceExtension` looks like this:
+what optional extensions you want to add to the service. The most basic form of a `ServiceDescription` looks like this:
 
 ```ts
 const nameDescription = new ServiceDescription();
@@ -105,9 +105,9 @@ nameDescription.add(new Container({
 ```
 
 Every `ServiceDescription` requires at minimum that you add a `Container` extension
-which defines the main application container to run for the service.
+which defines the main application (essential) container to run for the service.
 
-After that you can optionally enable additional features for the service using the `ServiceDescription.add()` method:
+After that, you can optionally enable additional features for the service using the `ServiceDescription.add()` method:
 
 ```ts
 nameDescription.add(new AppMeshExtension({ mesh }));
@@ -238,7 +238,7 @@ frontend.connectTo(backend);
 
 The address that a service will use to talk to another service depends on the
 type of ingress that has been created by the extension that did the connecting.
-For example if an App Mesh extension has been used then the service is accessible
+For example, if an App Mesh extension has been used, then the service is accessible
 at a DNS address of `<service name>.<environment name>`. For example:
 
 ```ts
@@ -280,7 +280,7 @@ const backend = new Service(stack, 'backend', {
 frontend.connectTo(backend);
 ```
 
-The above code uses the well known service discovery name for each
+The above code uses the well-known service discovery name for each
 service, and passes it as an environment variable to the container so
 that the container knows what address to use when communicating to
 the other service.

packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.alb.expected.json

@@ -633,6 +633,7 @@
           "Ref": "HttpProxyPrivateApiA55E154D"
         },
         "RouteKey": "$default",
+        "AuthorizationType": "NONE",
         "Target": {
           "Fn::Join": [
             "",

packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.http-proxy.expected.json

@@ -117,6 +117,7 @@
           "Ref": "LambdaProxyApi67594471"
         },
         "RouteKey": "$default",
+        "AuthorizationType": "NONE",
         "Target": {
           "Fn::Join": [
             "",
@@ -185,6 +186,7 @@
           "Ref": "HttpProxyApiD0217C67"
         },
         "RouteKey": "$default",
+        "AuthorizationType": "NONE",
         "Target": {
           "Fn::Join": [
             "",

packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.lambda-proxy.expected.json

@@ -117,6 +117,7 @@
           "Ref": "LambdaProxyApi67594471"
         },
         "RouteKey": "$default",
+        "AuthorizationType": "NONE",
         "Target": {
           "Fn::Join": [
             "",

packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.nlb.expected.json

@@ -598,6 +598,7 @@
           "Ref": "HttpProxyPrivateApiA55E154D"
         },
         "RouteKey": "$default",
+        "AuthorizationType": "NONE",
         "Target": {
           "Fn::Join": [
             "",

packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.service-discovery.expected.json

@@ -602,6 +602,7 @@
           "Ref": "HttpProxyPrivateApiA55E154D"
         },
         "RouteKey": "$default",
+        "AuthorizationType": "NONE",
         "Target": {
           "Fn::Join": [
             "",

packages/@aws-cdk/aws-apigatewayv2/lib/http/route.ts

@@ -156,8 +156,6 @@ export class HttpRoute extends Resource implements IHttpRoute {
       ]));
     }
 
-    const authorizationType = authBindResult?.authorizationType === HttpAuthorizerType.NONE ? undefined : authBindResult?.authorizationType;
-
     if (authorizationScopes?.length === 0) {
       authorizationScopes = undefined;
     }
@@ -167,7 +165,7 @@ export class HttpRoute extends Resource implements IHttpRoute {
       routeKey: props.routeKey.key,
       target: `integrations/${integration.integrationId}`,
       authorizerId: authBindResult?.authorizerId,
-      authorizationType,
+      authorizationType: authBindResult?.authorizationType ?? HttpAuthorizerType.NONE, // must be explicitly NONE (not undefined) for stack updates to work correctly
       authorizationScopes,
     };
 

packages/@aws-cdk/aws-apigatewayv2/test/http/api.test.ts

@@ -429,6 +429,7 @@ describe('HttpApi', () => {
 
       expect(stack).toHaveResource('AWS::ApiGatewayV2::Route', {
         RouteKey: 'GET /chickens',
+        AuthorizationType: 'NONE',
         AuthorizerId: ABSENT,
       });
     });

packages/@aws-cdk/aws-apigatewayv2/test/http/route.test.ts

@@ -30,6 +30,7 @@ describe('HttpRoute', () => {
           ],
         ],
       },
+      AuthorizationType: 'NONE',
     });
 
     expect(stack).toHaveResource('AWS::ApiGatewayV2::Integration', {

packages/@aws-cdk/aws-cloudwatch/lib/graph.ts

@@ -213,6 +213,16 @@ export interface GraphWidgetProps extends MetricWidgetProps {
    * @default TimeSeries
    */
   readonly view?: GraphWidgetView;
+
+  /**
+   * Whether to show the value from the entire time range. Only applicable for Bar and Pie charts.
+   *
+   * If false, values will be from the most recent period of your chosen time range;
+   * if true, shows the value from the entire time range.
+   *
+   * @default false
+   */
+  readonly setPeriodToTimeRange?: boolean;
 }
 
 /**
@@ -276,6 +286,7 @@ export class GraphWidget extends ConcreteWidget {
         },
         legend: this.props.legendPosition !== undefined ? { position: this.props.legendPosition } : undefined,
         liveData: this.props.liveData,
+        setPeriodToTimeRange: this.props.setPeriodToTimeRange,
       },
     }];
   }
@@ -447,4 +458,4 @@ function mapAnnotation(yAxis: string): ((x: HorizontalAnnotation) => any) {
   return (a: HorizontalAnnotation) => {
     return { ...a, yAxis };
   };
-}
+}

packages/@aws-cdk/aws-cloudwatch/test/integ.math-alarm-and-dashboard.expected.json

@@ -116,7 +116,25 @@
                   "QueueName"
                 ]
               },
-              "\",{\"label\":\"NotVisible Messages\",\"period\":30,\"yAxis\":\"right\"}]],\"annotations\":{\"horizontal\":[{\"label\":\"Total Messages >= 100 for 3 datapoints within 3 minutes\",\"value\":100,\"yAxis\":\"left\"}]},\"yAxis\":{}}},{\"type\":\"metric\",\"width\":6,\"height\":3,\"x\":0,\"y\":12,\"properties\":{\"view\":\"singleValue\",\"title\":\"Current total messages in queue\",\"region\":\"",
+              "\",{\"label\":\"NotVisible Messages\",\"period\":30,\"yAxis\":\"right\"}]],\"annotations\":{\"horizontal\":[{\"label\":\"Total Messages >= 100 for 3 datapoints within 3 minutes\",\"value\":100,\"yAxis\":\"left\"}]},\"yAxis\":{}}},{\"type\":\"metric\",\"width\":6,\"height\":6,\"x\":0,\"y\":12,\"properties\":{\"view\":\"pie\",\"title\":\"Percentage of messages in each queue as pie chart\",\"region\":\"",
+              {
+                "Ref": "AWS::Region"
+              },
+              "\",\"metrics\":[[\"AWS/SQS\",\"ApproximateNumberOfMessagesVisible\",\"QueueName\",\"",
+              {
+                "Fn::GetAtt": [
+                  "queue",
+                  "QueueName"
+                ]
+              },
+              "\",{\"label\":\"Visible Messages\",\"period\":10}],[\"AWS/SQS\",\"ApproximateNumberOfMessagesNotVisible\",\"QueueName\",\"",
+              {
+                "Fn::GetAtt": [
+                  "queue",
+                  "QueueName"
+                ]
+              },
+              "\",{\"label\":\"NotVisible Messages\",\"period\":30}]],\"yAxis\":{},\"setPeriodToTimeRange\":true}},{\"type\":\"metric\",\"width\":6,\"height\":3,\"x\":0,\"y\":18,\"properties\":{\"view\":\"singleValue\",\"title\":\"Current total messages in queue\",\"region\":\"",
               {
                 "Ref": "AWS::Region"
               },

packages/@aws-cdk/aws-cloudwatch/test/integ.math-alarm-and-dashboard.ts

@@ -59,6 +59,13 @@ dashboard.addWidgets(new cloudwatch.GraphWidget({
   leftAnnotations: [alarm.toAnnotation()],
 }));
 
+dashboard.addWidgets(new cloudwatch.GraphWidget({
+  title: 'Percentage of messages in each queue as pie chart',
+  left: [metricA, metricB],
+  view: cloudwatch.GraphWidgetView.PIE,
+  setPeriodToTimeRange: true,
+}));
+
 dashboard.addWidgets(new cloudwatch.SingleValueWidget({
   title: 'Current total messages in queue',
   metrics: [sumExpression],

packages/@aws-cdk/aws-cloudwatch/test/test.graphs.ts

@@ -660,4 +660,32 @@ export = {
 
     test.done();
   },
-};
+
+  'add setPeriodToTimeRange to GraphWidget'(test: Test) {
+    // GIVEN
+    const stack = new Stack();
+    const widget = new GraphWidget({
+      left: [new Metric({ namespace: 'CDK', metricName: 'Test' })],
+      view: GraphWidgetView.PIE,
+      setPeriodToTimeRange: true,
+    });
+
+    // THEN
+    test.deepEqual(stack.resolve(widget.toJson()), [{
+      type: 'metric',
+      width: 6,
+      height: 6,
+      properties: {
+        view: 'pie',
+        region: { Ref: 'AWS::Region' },
+        metrics: [
+          ['CDK', 'Test'],
+        ],
+        yAxis: {},
+        setPeriodToTimeRange: true,
+      },
+    }]);
+
+    test.done();
+  },
+};

packages/@aws-cdk/aws-codepipeline-actions/package.json

@@ -69,7 +69,7 @@
     "@types/jest": "^26.0.23",
     "@aws-cdk/aws-cloudtrail": "0.0.0",
     "@aws-cdk/cx-api": "0.0.0",
-    "@types/lodash": "^4.14.168",
+    "@types/lodash": "^4.14.169",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",
     "lodash": "^4.17.21",

packages/@aws-cdk/aws-finspace/package.json

@@ -75,7 +75,7 @@
   },
   "license": "Apache-2.0",
   "devDependencies": {
-    "@types/jest": "^26.0.22",
+    "@types/jest": "^26.0.23",
     "@aws-cdk/assert-internal": "0.0.0",
     "cdk-build-tools": "0.0.0",
     "cfn2ts": "0.0.0",

packages/@aws-cdk/aws-frauddetector/package.json

@@ -75,7 +75,7 @@
   },
   "license": "Apache-2.0",
   "devDependencies": {
-    "@types/jest": "^26.0.22",
+    "@types/jest": "^26.0.23",
     "@aws-cdk/assert-internal": "0.0.0",
     "cdk-build-tools": "0.0.0",
     "cfn2ts": "0.0.0",

packages/@aws-cdk/aws-lambda-event-sources/lib/stream.ts

@@ -41,7 +41,7 @@ export interface StreamEventSourceProps {
    * * Minimum value of 60 seconds
    * * Maximum value of 7 days
    *
-   * @default Duration.days(7)
+   * @default - the retention period configured on the stream
    */
   readonly maxRecordAge?: Duration;
 
@@ -51,7 +51,7 @@ export interface StreamEventSourceProps {
    * * Minimum value of 0
    * * Maximum value of 10000
    *
-   * @default 10000
+   * @default - retry until the record expires
    */
   readonly retryAttempts?: number;
 

packages/@aws-cdk/aws-lambda/package.json

@@ -77,7 +77,7 @@
   "devDependencies": {
     "@types/jest": "^26.0.23",
     "@types/aws-lambda": "^8.10.76",
-    "@types/lodash": "^4.14.168",
+    "@types/lodash": "^4.14.169",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",
     "cfn2ts": "0.0.0",

packages/@aws-cdk/aws-secretsmanager/README.md

@@ -87,6 +87,8 @@ secret.addRotationSchedule('RotationSchedule', {
 });
 ```
 
+Note: The required permissions for Lambda to call SecretsManager and the other way round are automatically granted based on [AWS Documentation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions.html) as long as the Lambda is not imported.
+
 See [Overview of the Lambda Rotation Function](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-lambda-function-overview.html) on how to implement a Lambda Rotation Function.
 
 ### Using a Hosted Lambda Function

packages/@aws-cdk/aws-secretsmanager/lib/rotation-schedule.ts

@@ -1,4 +1,5 @@
 import * as ec2 from '@aws-cdk/aws-ec2';
+import * as iam from '@aws-cdk/aws-iam';
 import * as lambda from '@aws-cdk/aws-lambda';
 import { Duration, Resource, Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
@@ -70,6 +71,35 @@ export class RotationSchedule extends Resource {
       throw new Error('One of `rotationLambda` or `hostedRotation` must be specified.');
     }
 
+    if (props.rotationLambda?.permissionsNode.defaultChild) {
+      props.rotationLambda.grantInvoke(new iam.ServicePrincipal('secretsmanager.amazonaws.com'));
+
+      props.rotationLambda.addToRolePolicy(
+        new iam.PolicyStatement({
+          actions: [
+            'secretsmanager:DescribeSecret',
+            'secretsmanager:GetSecretValue',
+            'secretsmanager:PutSecretValue',
+            'secretsmanager:UpdateSecretVersionStage',
+          ],
+          resources: [props.secret.secretArn],
+          conditions: {
+            StringEquals: {
+              'secretsmanager:resource/AllowRotationLambdaArn': props.rotationLambda.functionArn,
+            },
+          },
+        }),
+      );
+      props.rotationLambda.addToRolePolicy(
+        new iam.PolicyStatement({
+          actions: [
+            'secretsmanager:GetRandomPassword',
+          ],
+          resources: ['*'],
+        }),
+      );
+    }
+
     new CfnRotationSchedule(this, 'Resource', {
       secretId: props.secret.secretArn,
       rotationLambdaArn: props.rotationLambda?.functionArn,