Merge branch 'master' into corymhall/core/export-overridelogicalid

Author: mergify[bot]

CHANGELOG.md

@@ -2,6 +2,28 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.158.0](https://github.com/aws/aws-cdk/compare/v1.157.0...v1.158.0) (2022-05-27)
+
+
+### Features
+
+* **apprunner:** VpcConnector construct ([#20471](https://github.com/aws/aws-cdk/issues/20471)) ([5052191](https://github.com/aws/aws-cdk/commit/50521911f22f433323d700db77530e883762138a))
+* **aws-ecr-assets:** support the --platform option when building docker images ([#20439](https://github.com/aws/aws-cdk/issues/20439)) ([adc0368](https://github.com/aws/aws-cdk/commit/adc0368dc1f137aeaa4bd92de77028269e3a48f4)), closes [#12472](https://github.com/aws/aws-cdk/issues/12472) [#16770](https://github.com/aws/aws-cdk/issues/16770) [#16858](https://github.com/aws/aws-cdk/issues/16858)
+* **lambda:** validate function description length ([#20476](https://github.com/aws/aws-cdk/issues/20476)) ([de027e2](https://github.com/aws/aws-cdk/commit/de027e28ce5c95e70fed8874e6531eabba24521c)), closes [#20475](https://github.com/aws/aws-cdk/issues/20475)
+* **s3:** adds objectSizeGreaterThan property for s3 lifecycle rule ([#20425](https://github.com/aws/aws-cdk/issues/20425)) ([23690e4](https://github.com/aws/aws-cdk/commit/23690e40b1604839f99da8b8f96168dda8679c47)), closes [#20372](https://github.com/aws/aws-cdk/issues/20372)
+* **servicecatalog:** ProductStackHistory can retain old ProductStack iterations ([#20244](https://github.com/aws/aws-cdk/issues/20244)) ([1037b8c](https://github.com/aws/aws-cdk/commit/1037b8c7f58ccd162491b49d75954c38d685d67f))
+
+
+### Bug Fixes
+
+* **core:** NestedStack defaultChild is undefined ([#20450](https://github.com/aws/aws-cdk/issues/20450)) ([0a49927](https://github.com/aws/aws-cdk/commit/0a49927e9e5bc250f339f664fa843fae2fab92ec)), closes [#11221](https://github.com/aws/aws-cdk/issues/11221)
+* **iam:** Role policies cannot grow beyond 10k ([#20400](https://github.com/aws/aws-cdk/issues/20400)) ([75bfce7](https://github.com/aws/aws-cdk/commit/75bfce70dbc57fe688c96b3c5cbb67fc4e6fcc56)), closes [#19276](https://github.com/aws/aws-cdk/issues/19276) [#19939](https://github.com/aws/aws-cdk/issues/19939) [#19835](https://github.com/aws/aws-cdk/issues/19835)
+* **integ-runner:** always resynth on deploy ([#20508](https://github.com/aws/aws-cdk/issues/20508)) ([7138057](https://github.com/aws/aws-cdk/commit/71380571b878a50fe4b754c7dac78da075a98242))
+* **integ-tests:** DeployAssert should be private ([#20466](https://github.com/aws/aws-cdk/issues/20466)) ([0f52813](https://github.com/aws/aws-cdk/commit/0f52813bcf6a48c352f697004a899461dd06935d))
+* **lambda:** Fix typo in public subnet warning ([#20470](https://github.com/aws/aws-cdk/issues/20470)) ([85f4e29](https://github.com/aws/aws-cdk/commit/85f4e29e0551d71dd5f2f588584785cbc1ae7b72))
+* **pipelines:** too many CodeBuild steps inflate policy size ([#20396](https://github.com/aws/aws-cdk/issues/20396)) ([f334060](https://github.com/aws/aws-cdk/commit/f334060fca02e928bc4f5fdcfd45244060731d78)), closes [#20189](https://github.com/aws/aws-cdk/issues/20189) [#19276](https://github.com/aws/aws-cdk/issues/19276) [#19939](https://github.com/aws/aws-cdk/issues/19939) [#19835](https://github.com/aws/aws-cdk/issues/19835)
+* **s3-deployment:** default role does not get `PutAcl` permissions on… ([#20492](https://github.com/aws/aws-cdk/issues/20492)) ([3e6ec5c](https://github.com/aws/aws-cdk/commit/3e6ec5c48cff41cec2b32566990046fd704f4ec1))
+
 ## [1.157.0](https://github.com/aws/aws-cdk/compare/v1.156.1...v1.157.0) (2022-05-20)
 
 

README.md

@@ -25,7 +25,6 @@ The CDK is available in the following languages:
 * Java ([Java ≥ 8](https://www.oracle.com/technetwork/java/javase/downloads/index.html) and [Maven ≥ 3.5.4](https://maven.apache.org/download.cgi))
 * .NET ([.NET Core ≥ 3.1](https://dotnet.microsoft.com/download))
 * Go ([Go ≥ 1.16.4](https://golang.org/))
-  - Go is currently in developer preview and is not recommended for production use.
 
 \
 Jump To:

packages/@aws-cdk/aws-apprunner/README.md

@@ -134,3 +134,29 @@ ECR image repositories (but not for ECR Public repositories). If not defined, a
 when required.
 
 See [App Runner IAM Roles](https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles) for more details.
+
+## VPC Connector
+
+To associate an App Runner service with a custom VPC, define `vpcConnector` for the service.
+
+```ts
+import * as ec2 from '@aws-cdk/aws-ec2';
+
+const vpc = new ec2.Vpc(this, 'Vpc', {
+  cidr: '10.0.0.0/16',
+});
+
+const vpcConnector = new apprunner.VpcConnector(this, 'VpcConnector', {
+  vpc,
+  vpcSubnets: vpc.selectSubnets({ subnetType: ec2.SubnetType.PUBLIC }),
+  vpcConnectorName: 'MyVpcConnector',
+});
+
+new apprunner.Service(this, 'Service', {
+  source: apprunner.Source.fromEcrPublic({
+    imageConfiguration: { port: 8000 },
+    imageIdentifier: 'public.ecr.aws/aws-containers/hello-app-runner:latest',
+  }),
+  vpcConnector,
+});
+```

packages/@aws-cdk/aws-apprunner/lib/index.ts

@@ -1,3 +1,4 @@
 // AWS::AppRunner CloudFormation Resources:
 export * from './apprunner.generated';
 export * from './service';
+export * from './vpc-connector';

packages/@aws-cdk/aws-apprunner/lib/service.ts

@@ -4,6 +4,7 @@ import * as iam from '@aws-cdk/aws-iam';
 import * as cdk from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnService } from './apprunner.generated';
+import { IVpcConnector } from './vpc-connector';
 
 /**
  * The image repository types
@@ -524,6 +525,13 @@ export interface ServiceProps {
    * @default - auto-generated if undefined.
    */
   readonly serviceName?: string;
+
+  /**
+   * Settings for an App Runner VPC connector to associate with the service.
+   *
+   * @default - no VPC connector, uses the DEFAULT egress type instead
+   */
+  readonly vpcConnector?: IVpcConnector;
 }
 
 /**
@@ -792,6 +800,12 @@ export class Service extends cdk.Resource {
         imageRepository: source.imageRepository ? this.renderImageRepository() : undefined,
         codeRepository: source.codeRepository ? this.renderCodeConfiguration() : undefined,
       },
+      networkConfiguration: {
+        egressConfiguration: {
+          egressType: this.props.vpcConnector ? 'VPC' : 'DEFAULT',
+          vpcConnectorArn: this.props.vpcConnector?.vpcConnectorArn,
+        },
+      },
     });
 
     // grant required privileges for the role

packages/@aws-cdk/aws-apprunner/lib/vpc-connector.ts

@@ -0,0 +1,154 @@
+import * as ec2 from '@aws-cdk/aws-ec2';
+import { Connections } from '@aws-cdk/aws-ec2';
+import * as cdk from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import { CfnVpcConnector } from './apprunner.generated';
+
+/**
+ * Properties of the AppRunner VPC Connector
+ */
+export interface VpcConnectorProps {
+  /**
+   * The VPC for the VPC Connector.
+   */
+  readonly vpc: ec2.IVpc;
+
+  /**
+   * Where to place the VPC Connector within the VPC.
+   *
+   * @default - Private subnets.
+   */
+  readonly vpcSubnets?: ec2.SubnetSelection;
+
+  /**
+   * A list of IDs of security groups that App Runner should use for access to AWS resources under the specified subnets.
+   *
+   * @default - a new security group will be created in the specified VPC
+   */
+  readonly securityGroups?: ec2.ISecurityGroup[];
+
+  /**
+    * The name for the VpcConnector.
+    *
+    * @default - a name generated by CloudFormation
+    */
+  readonly vpcConnectorName?: string;
+}
+
+/**
+ * Attributes for the App Runner VPC Connector
+ */
+export interface VpcConnectorAttributes {
+  /**
+   * The name of the VPC connector.
+   */
+  readonly vpcConnectorName: string;
+
+  /**
+   * The ARN of the VPC connector.
+   */
+  readonly vpcConnectorArn: string;
+
+  /**
+   * The revision of the VPC connector.
+   */
+  readonly vpcConnectorRevision: number;
+
+  /**
+   * The security groups associated with the VPC connector.
+   */
+  readonly securityGroups: ec2.ISecurityGroup[];
+}
+
+/**
+ * Represents the App Runner VPC Connector.
+ */
+export interface IVpcConnector extends cdk.IResource, ec2.IConnectable {
+  /**
+   * The Name of the VPC connector.
+   * @attribute
+   */
+  readonly vpcConnectorName: string;
+
+  /**
+   * The ARN of the VPC connector.
+   * @attribute
+   */
+  readonly vpcConnectorArn: string;
+
+  /**
+   * The revision of the VPC connector.
+   * @attribute
+   */
+  readonly vpcConnectorRevision: number;
+}
+
+/**
+ * The App Runner VPC Connector
+ *
+ * @resource AWS::AppRunner::VpcConnector
+ */
+export class VpcConnector extends cdk.Resource implements IVpcConnector {
+  /**
+   * Import from VPC connector attributes.
+   */
+  public static fromVpcConnectorAttributes(scope: Construct, id: string, attrs: VpcConnectorAttributes): IVpcConnector {
+    const vpcConnectorArn = attrs.vpcConnectorArn;
+    const vpcConnectorName = attrs.vpcConnectorName;
+    const vpcConnectorRevision = attrs.vpcConnectorRevision;
+    const securityGroups = attrs.securityGroups;
+
+    class Import extends cdk.Resource {
+      public readonly vpcConnectorArn = vpcConnectorArn
+      public readonly vpcConnectorName = vpcConnectorName
+      public readonly vpcConnectorRevision = vpcConnectorRevision
+      public readonly connections = new Connections({ securityGroups });
+    }
+
+    return new Import(scope, id);
+  }
+
+  /**
+    * The ARN of the VPC connector.
+    * @attribute
+    */
+  readonly vpcConnectorArn: string;
+
+  /**
+   * The revision of the VPC connector.
+   * @attribute
+   */
+  readonly vpcConnectorRevision: number;
+
+  /**
+    * The name of the VPC connector.
+    * @attribute
+    */
+  readonly vpcConnectorName: string;
+
+  /**
+   * Allows specifying security group connections for the VPC connector.
+   */
+  public readonly connections: Connections
+
+  public constructor(scope: Construct, id: string, props: VpcConnectorProps) {
+    super(scope, id, {
+      physicalName: props.vpcConnectorName,
+    });
+
+    const securityGroups = props.securityGroups?.length ?
+      props.securityGroups
+      : [new ec2.SecurityGroup(this, 'SecurityGroup', { vpc: props.vpc })];
+
+    const resource = new CfnVpcConnector(this, 'Resource', {
+      subnets: props.vpc.selectSubnets(props.vpcSubnets).subnetIds,
+      securityGroups: cdk.Lazy.list({ produce: () => this.connections.securityGroups.map(sg => sg.securityGroupId) }),
+      vpcConnectorName: this.physicalName,
+    });
+
+    this.vpcConnectorArn = resource.attrVpcConnectorArn;
+    this.vpcConnectorRevision = resource.attrVpcConnectorRevision;
+    this.vpcConnectorName = resource.ref;
+    this.connections = new Connections({ securityGroups });
+  }
+}

packages/@aws-cdk/aws-apprunner/package.json

@@ -83,6 +83,7 @@
   },
   "license": "Apache-2.0",
   "devDependencies": {
+    "@aws-cdk/aws-ec2": "0.0.0",
     "@aws-cdk/assertions": "0.0.0",
     "@aws-cdk/cdk-build-tools": "0.0.0",
     "@aws-cdk/integ-runner": "0.0.0",
@@ -91,13 +92,15 @@
     "@types/jest": "^27.5.0"
   },
   "dependencies": {
+    "@aws-cdk/aws-ec2": "0.0.0",
     "@aws-cdk/aws-ecr": "0.0.0",
     "@aws-cdk/aws-ecr-assets": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "constructs": "^3.3.69"
   },
   "peerDependencies": {
+    "@aws-cdk/aws-ec2": "0.0.0",
     "@aws-cdk/aws-ecr": "0.0.0",
     "@aws-cdk/aws-ecr-assets": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",

packages/@aws-cdk/aws-apprunner/test/integ.service-vpc-connector.ts

@@ -0,0 +1,51 @@
+import * as ec2 from '@aws-cdk/aws-ec2';
+import * as cdk from '@aws-cdk/core';
+import { Service, Source, VpcConnector } from '../lib';
+
+
+const app = new cdk.App();
+
+const stack = new cdk.Stack(app, 'integ-apprunner');
+
+// Scenario 6: Create the service from ECR public with a VPC Connector
+const vpc = new ec2.Vpc(stack, 'Vpc', {
+  cidr: '10.0.0.0/16',
+});
+
+const securityGroup = new ec2.SecurityGroup(stack, 'SecurityGroup', { vpc });
+
+const vpcConnector = new VpcConnector(stack, 'VpcConnector', {
+  vpc,
+  vpcSubnets: vpc.selectSubnets({ subnetType: ec2.SubnetType.PUBLIC }),
+  securityGroups: [securityGroup],
+  vpcConnectorName: 'MyVpcConnector',
+});
+
+const service6 = new Service(stack, 'Service6', {
+  source: Source.fromEcrPublic({
+    imageConfiguration: {
+      port: 8000,
+    },
+    imageIdentifier: 'public.ecr.aws/aws-containers/hello-app-runner:latest',
+  }),
+  vpcConnector,
+});
+new cdk.CfnOutput(stack, 'URL6', { value: `https://${service6.serviceUrl}` });
+
+// Scenario 7: Create the service from ECR public and associate it with an existing VPC Connector
+
+const service7 = new Service(stack, 'Service7', {
+  source: Source.fromEcrPublic({
+    imageConfiguration: {
+      port: 8000,
+    },
+    imageIdentifier: 'public.ecr.aws/aws-containers/hello-app-runner:latest',
+  }),
+  vpcConnector: VpcConnector.fromVpcConnectorAttributes(stack, 'ImportedVpcConnector', {
+    vpcConnectorArn: vpcConnector.vpcConnectorArn,
+    vpcConnectorName: vpcConnector.vpcConnectorName,
+    vpcConnectorRevision: vpcConnector.vpcConnectorRevision,
+    securityGroups: [securityGroup],
+  }),
+});
+new cdk.CfnOutput(stack, 'URL7', { value: `https://${service7.serviceUrl}` });

packages/@aws-cdk/aws-apprunner/test/service-ecr-public.integ.snapshot/cdk.out

@@ -1 +1 @@
-{"version":"17.0.0"}
+{"version":"19.0.0"}

packages/@aws-cdk/aws-apprunner/test/service-ecr-public.integ.snapshot/integ-apprunner-ecr-public.template.json

@@ -13,7 +13,12 @@
       "ImageRepositoryType": "ECR_PUBLIC"
      }
     },
-    "InstanceConfiguration": {}
+    "InstanceConfiguration": {},
+    "NetworkConfiguration": {
+     "EgressConfiguration": {
+      "EgressType": "DEFAULT"
+     }
+    }
    }
   }
  },