Merge branch 'master' into feature/rds-vpc-endpoint

Author: rix0rrr

packages/@aws-cdk/aws-ec2/lib/vpc.ts

@@ -1886,6 +1886,7 @@ class LookedUpVpc extends VpcBase {
         availabilityZone: vpcSubnet.availabilityZone,
         subnetId: vpcSubnet.subnetId,
         routeTableId: vpcSubnet.routeTableId,
+        ipv4CidrBlock: vpcSubnet.cidr,
       }));
     }
     return ret;

packages/@aws-cdk/aws-ec2/test/vpc.from-lookup.test.ts

@@ -210,6 +210,47 @@ nodeunitShim({
 
       test.done();
     },
+    'subnets in imported VPC has all expected attributes'(test: Test) {
+      const previous = mockVpcContextProviderWith(test, {
+        vpcId: 'vpc-1234',
+        subnetGroups: [
+          {
+            name: 'Public',
+            type: cxapi.VpcSubnetGroupType.PUBLIC,
+            subnets: [
+              {
+                subnetId: 'pub-sub-in-us-east-1a',
+                availabilityZone: 'us-east-1a',
+                routeTableId: 'rt-123',
+                cidr: '10.100.0.0/24',
+              },
+            ],
+          },
+        ],
+      }, options => {
+        test.deepEqual(options.filter, {
+          isDefault: 'true',
+        });
+
+        test.equal(options.subnetGroupNameTag, undefined);
+      });
+
+      const stack = new Stack();
+      const vpc = Vpc.fromLookup(stack, 'Vpc', {
+        isDefault: true,
+      });
+
+      let subnet = vpc.publicSubnets[0];
+
+      test.equal(subnet.availabilityZone, 'us-east-1a');
+      test.equal(subnet.subnetId, 'pub-sub-in-us-east-1a');
+      test.equal(subnet.routeTable.routeTableId, 'rt-123');
+      test.equal(subnet.ipv4CidrBlock, '10.100.0.0/24');
+
+
+      restoreContextProvider(previous);
+      test.done();
+    },
   },
 });
 

packages/@aws-cdk/aws-kms/lib/key.ts

@@ -156,7 +156,7 @@ abstract class KeyBase extends Resource implements IKey {
       resourceArns: [this.keyArn],
       resourceSelfArns: crossEnvironment ? undefined : ['*'],
     };
-    if (this.trustAccountIdentities) {
+    if (this.trustAccountIdentities && !crossEnvironment) {
       return iam.Grant.addToPrincipalOrResource(grantOptions);
     } else {
       return iam.Grant.addToPrincipalAndResource({

packages/@aws-cdk/aws-kms/test/key.test.ts

@@ -245,6 +245,103 @@ describe('key policies', () => {
     });
   });
 
+  testFutureBehavior('grant for a principal in a different region', flags, cdk.App, (app) => {
+    const principalStack = new cdk.Stack(app, 'PrincipalStack', { env: { region: 'testregion1' } });
+    const principal = new iam.Role(principalStack, 'Role', {
+      assumedBy: new iam.AnyPrincipal(),
+      roleName: 'MyRolePhysicalName',
+    });
+
+    const keyStack = new cdk.Stack(app, 'KeyStack', { env: { region: 'testregion2' } });
+    const key = new kms.Key(keyStack, 'Key');
+
+    key.grantEncrypt(principal);
+
+    expect(keyStack).toHaveResourceLike('AWS::KMS::Key', {
+      KeyPolicy: {
+        Statement: arrayWith(
+          {
+            Action: [
+              'kms:Encrypt',
+              'kms:ReEncrypt*',
+              'kms:GenerateDataKey*',
+            ],
+            Effect: 'Allow',
+            Principal: { AWS: { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, ':role/MyRolePhysicalName']] } },
+            Resource: '*',
+          },
+        ),
+        Version: '2012-10-17',
+      },
+    });
+    expect(principalStack).toHaveResourceLike('AWS::IAM::Policy', {
+      PolicyDocument: {
+        Statement: [
+          {
+            Action: [
+              'kms:Encrypt',
+              'kms:ReEncrypt*',
+              'kms:GenerateDataKey*',
+            ],
+            Effect: 'Allow',
+            Resource: '*',
+          },
+        ],
+        Version: '2012-10-17',
+      },
+    });
+  });
+
+  testFutureBehavior('grant for a principal in a different account', flags, cdk.App, (app) => {
+    const principalStack = new cdk.Stack(app, 'PrincipalStack', { env: { account: '0123456789012' } });
+    const principal = new iam.Role(principalStack, 'Role', {
+      assumedBy: new iam.AnyPrincipal(),
+      roleName: 'MyRolePhysicalName',
+    });
+
+    const keyStack = new cdk.Stack(app, 'KeyStack', { env: { account: '111111111111' } });
+    const key = new kms.Key(keyStack, 'Key');
+
+    key.grantEncrypt(principal);
+
+    expect(keyStack).toHaveResourceLike('AWS::KMS::Key', {
+      KeyPolicy: {
+        Statement: [
+          {
+            // Default policy, unmodified
+          },
+          {
+            Action: [
+              'kms:Encrypt',
+              'kms:ReEncrypt*',
+              'kms:GenerateDataKey*',
+            ],
+            Effect: 'Allow',
+            Principal: { AWS: { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::0123456789012:role/MyRolePhysicalName']] } },
+            Resource: '*',
+          },
+        ],
+        Version: '2012-10-17',
+      },
+    });
+    expect(principalStack).toHaveResourceLike('AWS::IAM::Policy', {
+      PolicyDocument: {
+        Statement: [
+          {
+            Action: [
+              'kms:Encrypt',
+              'kms:ReEncrypt*',
+              'kms:GenerateDataKey*',
+            ],
+            Effect: 'Allow',
+            Resource: '*',
+          },
+        ],
+        Version: '2012-10-17',
+      },
+    });
+  });
+
   testFutureBehavior('additional key admins can be specified (with imported/immutable principal)', flags, cdk.App, (app) => {
     const stack = new cdk.Stack(app);
     const adminRole = iam.Role.fromRoleArn(stack, 'Admin', 'arn:aws:iam::123456789012:role/TrustedAdmin');

packages/@aws-cdk/aws-s3-assets/README.md

@@ -115,6 +115,7 @@ new assets.Asset(this, 'BundledAsset', {
     },
     // Docker bundling fallback
     image: BundlingDockerImage.fromRegistry('alpine'),
+    entrypoint: ['/bin/sh', '-c'],
     command: ['bundle'],
   },
 });

packages/@aws-cdk/core/lib/bundling.ts

@@ -13,6 +13,17 @@ export interface BundlingOptions {
    */
   readonly image: BundlingDockerImage;
 
+  /**
+   * The entrypoint to run in the Docker container.
+   *
+   * @example ['/bin/sh', '-c']
+   *
+   * @see https://docs.docker.com/engine/reference/builder/#entrypoint
+   *
+   * @default - run the entrypoint defined in the image
+   */
+  readonly entrypoint?: string[];
+
   /**
    * The command to run in the Docker container.
    *
@@ -152,7 +163,15 @@ export class BundlingDockerImage {
   public run(options: DockerRunOptions = {}) {
     const volumes = options.volumes || [];
     const environment = options.environment || {};
-    const command = options.command || [];
+    const entrypoint = options.entrypoint?.[0] || null;
+    const command = [
+      ...options.entrypoint?.[1]
+        ? [...options.entrypoint.slice(1)]
+        : [],
+      ...options.command
+        ? [...options.command]
+        : [],
+    ];
 
     const dockerArgs: string[] = [
       'run', '--rm',
@@ -164,6 +183,9 @@ export class BundlingDockerImage {
       ...options.workingDirectory
         ? ['-w', options.workingDirectory]
         : [],
+      ...entrypoint
+        ? ['--entrypoint', entrypoint]
+        : [],
       this.image,
       ...command,
     ];
@@ -238,6 +260,13 @@ export enum DockerVolumeConsistency {
  * Docker run options
  */
 export interface DockerRunOptions {
+  /**
+   * The entrypoint to run in the container.
+   *
+   * @default - run the entrypoint defined in the image
+   */
+  readonly entrypoint?: string[];
+
   /**
    * The command to run in the container.
    *

packages/@aws-cdk/core/test/bundling.test.ts

@@ -171,6 +171,44 @@ nodeunitShim({
     test.done();
   },
 
+  'custom entrypoint is passed through to docker exec'(test: Test) {
+    const spawnSyncStub = sinon.stub(child_process, 'spawnSync').returns({
+      status: 0,
+      stderr: Buffer.from('stderr'),
+      stdout: Buffer.from('stdout'),
+      pid: 123,
+      output: ['stdout', 'stderr'],
+      signal: null,
+    });
+
+    const image = BundlingDockerImage.fromRegistry('alpine');
+    image.run({
+      entrypoint: ['/cool/entrypoint', '--cool-entrypoint-arg'],
+      command: ['cool', 'command'],
+      environment: {
+        VAR1: 'value1',
+        VAR2: 'value2',
+      },
+      volumes: [{ hostPath: '/host-path', containerPath: '/container-path' }],
+      workingDirectory: '/working-directory',
+      user: 'user:group',
+    });
+
+    test.ok(spawnSyncStub.calledWith('docker', [
+      'run', '--rm',
+      '-u', 'user:group',
+      '-v', '/host-path:/container-path:delegated',
+      '--env', 'VAR1=value1',
+      '--env', 'VAR2=value2',
+      '-w', '/working-directory',
+      '--entrypoint', '/cool/entrypoint',
+      'alpine',
+      '--cool-entrypoint-arg',
+      'cool', 'command',
+    ], { stdio: ['ignore', process.stderr, 'inherit'] }));
+    test.done();
+  },
+
   'cp utility copies from an image'(test: Test) {
     // GIVEN
     const containerId = '1234567890abcdef1234567890abcdef';