aws
diff --git a/‎CHANGELOG.md‎
Lines changed: 18 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 6 additions & 0 deletions b/‎CONTRIBUTING.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎DEPRECATED_APIs.md‎
Lines changed: 0 additions & 11 deletions b/‎DEPRECATED_APIs.md‎
Lines changed: 0 additions & 11 deletions
diff --git a/‎deprecated_apis.txt‎
Lines changed: 0 additions & 11 deletions b/‎deprecated_apis.txt‎
Lines changed: 0 additions & 11 deletions
diff --git a/‎packages/@aws-cdk/assertions/rosetta/default.ts-fixture‎
Lines changed: 3 additions & 1 deletion b/‎packages/@aws-cdk/assertions/rosetta/default.ts-fixture‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎packages/@aws-cdk/aws-apigateway/rosetta/default.ts-fixture‎
Lines changed: 2 additions & 1 deletion b/‎packages/@aws-cdk/aws-apigateway/rosetta/default.ts-fixture‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎packages/@aws-cdk/aws-apigatewayv2/README.md‎
Lines changed: 4 additions & 0 deletions b/‎packages/@aws-cdk/aws-apigatewayv2/README.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-apigatewayv2/lib/common/domain-name.ts‎
Lines changed: 102 additions & 12 deletions b/‎packages/@aws-cdk/aws-apigatewayv2/lib/common/domain-name.ts‎
Lines changed: 102 additions & 12 deletions
@@ -2,6 +2,24 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.134.0](https://github.com/aws/aws-cdk/compare/v1.133.0...v1.134.0) (2021-11-23)
+
+
+### Features
+
+* **apigatewayv2:** domain endpoint type, security policy and endpoint migration ([#17518](https://github.com/aws/aws-cdk/issues/17518)) ([261b331](https://github.com/aws/aws-cdk/commit/261b331e89be01dc996d153c91b4018e7ddfda29))
+* **cfnspec:** cloudformation spec v49.0.0 ([#17621](https://github.com/aws/aws-cdk/issues/17621)) ([ce638b4](https://github.com/aws/aws-cdk/commit/ce638b407ac9efc6a3ee4d5ecd22c68ab68b8e58))
+* **docdb:** add option to set the name of the generated Secret ([#17574](https://github.com/aws/aws-cdk/issues/17574)) ([18c9ef7](https://github.com/aws/aws-cdk/commit/18c9ef713717fcb2f84e687c1e34c887a50264bd)), closes [#17572](https://github.com/aws/aws-cdk/issues/17572)
+* **eks:** ALB Controller ([#17618](https://github.com/aws/aws-cdk/issues/17618)) ([1faf31d](https://github.com/aws/aws-cdk/commit/1faf31d1ec7ffec4c6323a050126b0b054094c63))
+* **msk:** add Kafka version 2.6.2 ([#17497](https://github.com/aws/aws-cdk/issues/17497)) ([5f1f476](https://github.com/aws/aws-cdk/commit/5f1f4762e964345741426fa1242320a5fc117338))
+
+
+### Bug Fixes
+
+* **assets:** add missing SAM asset metadata information ([#17591](https://github.com/aws/aws-cdk/issues/17591)) ([55df760](https://github.com/aws/aws-cdk/commit/55df760fdd9514384de019e5ce338d5250c7df97)), closes [#14593](https://github.com/aws/aws-cdk/issues/14593)
+* **aws-ecs:** check for invalid capacityProviderName ([#17291](https://github.com/aws/aws-cdk/issues/17291)) ([6e2fde4](https://github.com/aws/aws-cdk/commit/6e2fde452de73c51011ddb14ede40ca0471d3663)), closes [#17321](https://github.com/aws/aws-cdk/issues/17321)
+* **opensearch:** correctly validate ebs configuration against instance types  ([#16911](https://github.com/aws/aws-cdk/issues/16911)) ([34af598](https://github.com/aws/aws-cdk/commit/34af5988b7c1ff003d10612150191803f762a79f)), closes [#11898](https://github.com/aws/aws-cdk/issues/11898)
+
 ## [1.133.0](https://github.com/aws/aws-cdk/compare/v1.132.0...v1.133.0) (2021-11-19)
 
 
 
@@ -556,6 +556,12 @@ contain three slashes to achieve the same effect:
 For a practical example of how making sample code compilable works, see the
 `aws-ec2` package.
 
+> ⚠️ NOTE: README files often contain code snippets that refer to modules that are consumers
+> of the current module, and hence not present in the current module's dependency closure.
+> Compilation of these snippets will fail if the module referenced has not been built.
+> For the best experience when working on snippets, a full build of the CDK repo is required.
+> However, it may be prudent to "build up" these modules as required.
+
 #### Recommendations
 
 In order to offer a consistent documentation style throughout the AWS CDK
 
@@ -600,20 +600,10 @@
 | @aws-cdk/aws-dynamodb | Table.grantListStreams() | Use {@link #grantTableListStreams} for more granular permission |
 | @aws-cdk/aws-dynamodb | Table.metricSystemErrors() | use `metricSystemErrorsForOperations`. |
 | @aws-cdk/aws-dynamodb | TableOptions.serverSideEncryption | This property is deprecated. In order to obtain the same behavior as enabling this, set the `encryption` property to `TableEncryption.AWS_MANAGED` instead. |
-| @aws-cdk/aws-rds | Credentials.fromUsername() | use `fromGeneratedSecret()` or `fromPassword()` for new Clusters and Instances. Note that switching from `fromUsername()` to `fromGeneratedSecret()` or `fromPassword()` for already deployed Clusters or Instances will result in their replacement! |
 | @aws-cdk/aws-rds | CredentialsFromUsernameOptions | supporting API `fromUsername()` has been deprecated. See deprecation notice of the API. |
 | @aws-cdk/aws-rds | CredentialsFromUsernameOptions.password | supporting API `fromUsername()` has been deprecated. See deprecation notice of the API. |
-| @aws-cdk/aws-rds | DatabaseInstanceEngine.MARIADB | using unversioned engines is an availability risk. We recommend using versioned engines created using the {@link mariaDb()} method |
-| @aws-cdk/aws-rds | DatabaseInstanceEngine.MYSQL | using unversioned engines is an availability risk. We recommend using versioned engines created using the {@link mysql()} method |
-| @aws-cdk/aws-rds | DatabaseInstanceEngine.ORACLE_EE | using unversioned engines is an availability risk. We recommend using versioned engines created using the {@link oracleEe()} method |
 | @aws-cdk/aws-rds | DatabaseInstanceEngine.ORACLE_SE | instances can no longer be created with this engine. See https://forums.aws.amazon.com/ann.jspa?annID=7341 |
 | @aws-cdk/aws-rds | DatabaseInstanceEngine.ORACLE_SE1 | instances can no longer be created with this engine. See https://forums.aws.amazon.com/ann.jspa?annID=7341 |
-| @aws-cdk/aws-rds | DatabaseInstanceEngine.ORACLE_SE2 | using unversioned engines is an availability risk. We recommend using versioned engines created using the {@link oracleSe2()} method |
-| @aws-cdk/aws-rds | DatabaseInstanceEngine.POSTGRES | using unversioned engines is an availability risk. We recommend using versioned engines created using the {@link postgres()} method |
-| @aws-cdk/aws-rds | DatabaseInstanceEngine.SQL_SERVER_EE | using unversioned engines is an availability risk. We recommend using versioned engines created using the {@link sqlServerEe()} method |
-| @aws-cdk/aws-rds | DatabaseInstanceEngine.SQL_SERVER_EX | using unversioned engines is an availability risk. We recommend using versioned engines created using the {@link sqlServerEx()} method |
-| @aws-cdk/aws-rds | DatabaseInstanceEngine.SQL_SERVER_SE | using unversioned engines is an availability risk. We recommend using versioned engines created using the {@link sqlServerSe()} method |
-| @aws-cdk/aws-rds | DatabaseInstanceEngine.SQL_SERVER_WEB | using unversioned engines is an availability risk. We recommend using versioned engines created using the {@link sqlServerWeb()} method |
 | @aws-cdk/aws-rds | DatabaseInstanceEngine.oracleSe() | instances can no longer be created with this engine. See https://forums.aws.amazon.com/ann.jspa?annID=7341 |
 | @aws-cdk/aws-rds | DatabaseInstanceEngine.oracleSe1() | instances can no longer be created with this engine. See https://forums.aws.amazon.com/ann.jspa?annID=7341 |
 | @aws-cdk/aws-rds | DatabaseInstanceNewProps.vpcPlacement | use `vpcSubnets` |
@@ -751,7 +741,6 @@
 | @aws-cdk/aws-ecs | BaseService.configureAwsVpcNetworking() | use configureAwsVpcNetworkingWithSecurityGroups instead. |
 | @aws-cdk/aws-ecs | BaseServiceOptions.propagateTaskTagsFrom | Use `propagateTags` instead. |
 | @aws-cdk/aws-ecs | Cluster.addAutoScalingGroup() | Use {@link Cluster.addAsgCapacityProvider} instead. |
-| @aws-cdk/aws-ecs | Cluster.addCapacity() | Use {@link Cluster.addAsgCapacityProvider} instead. |
 | @aws-cdk/aws-ecs | Cluster.addCapacityProvider() | Use {@link enableFargateCapacityProviders} instead. |
 | @aws-cdk/aws-ecs | ClusterProps.capacityProviders | Use {@link ClusterProps.enableFargateCapacityProviders} instead. |
 | @aws-cdk/aws-ecs | Ec2ServiceProps.securityGroup | use securityGroups instead. |
 
@@ -599,17 +599,8 @@ constructs.Node#uniqueId
 @aws-cdk/aws-rds.Credentials#fromUsername
 @aws-cdk/aws-rds.CredentialsFromUsernameOptions
 @aws-cdk/aws-rds.CredentialsFromUsernameOptions#password
-@aws-cdk/aws-rds.DatabaseInstanceEngine#MARIADB
-@aws-cdk/aws-rds.DatabaseInstanceEngine#MYSQL
-@aws-cdk/aws-rds.DatabaseInstanceEngine#ORACLE_EE
 @aws-cdk/aws-rds.DatabaseInstanceEngine#ORACLE_SE
 @aws-cdk/aws-rds.DatabaseInstanceEngine#ORACLE_SE1
-@aws-cdk/aws-rds.DatabaseInstanceEngine#ORACLE_SE2
-@aws-cdk/aws-rds.DatabaseInstanceEngine#POSTGRES
-@aws-cdk/aws-rds.DatabaseInstanceEngine#SQL_SERVER_EE
-@aws-cdk/aws-rds.DatabaseInstanceEngine#SQL_SERVER_EX
-@aws-cdk/aws-rds.DatabaseInstanceEngine#SQL_SERVER_SE
-@aws-cdk/aws-rds.DatabaseInstanceEngine#SQL_SERVER_WEB
 @aws-cdk/aws-rds.DatabaseInstanceEngine#oracleSe
 @aws-cdk/aws-rds.DatabaseInstanceEngine#oracleSe1
 @aws-cdk/aws-rds.DatabaseInstanceNewProps#vpcPlacement
@@ -721,7 +712,6 @@ constructs.Node#uniqueId
 @aws-cdk/aws-rds.PostgresEngineVersion#VER_9_6_6
 @aws-cdk/aws-rds.PostgresEngineVersion#VER_9_6_8
 @aws-cdk/aws-rds.PostgresEngineVersion#VER_9_6_9
-@aws-cdk/aws-rds.SnapshotCredentials#fromGeneratedPassword
 @aws-cdk/aws-rds.SqlServerEngineVersion#VER_15_00_4043_23_V1
 @aws-cdk/aws-autoscaling.BlockDevice#mappingEnabled
 @aws-cdk/aws-autoscaling.CommonAutoScalingGroupProps#notificationsTopic
@@ -747,7 +737,6 @@ constructs.Node#uniqueId
 @aws-cdk/aws-ecs.BaseService#configureAwsVpcNetworking
 @aws-cdk/aws-ecs.BaseServiceOptions#propagateTaskTagsFrom
 @aws-cdk/aws-ecs.Cluster#addAutoScalingGroup
-@aws-cdk/aws-ecs.Cluster#addCapacity
 @aws-cdk/aws-ecs.Cluster#addCapacityProvider
 @aws-cdk/aws-ecs.ClusterProps#capacityProviders
 @aws-cdk/aws-ecs.Ec2ServiceProps#securityGroup
 
@@ -1,4 +1,6 @@
-import { Construct, Stack } from '@aws-cdk/core';
+// Fixture with packages imported, but nothing else
+import { Construct } from 'constructs';
+import { Stack } from '@aws-cdk/core';
 import { Capture, Match, Template } from '@aws-cdk/assertions';
 
 class Fixture extends Stack {
 
@@ -1,5 +1,6 @@
 // Fixture with packages imported, but nothing else
-import { Construct, Stack } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import { Stack } from '@aws-cdk/core';
 import apigateway = require('@aws-cdk/aws-apigateway');
 import cognito = require('@aws-cdk/aws-cognito');
 import lambda = require('@aws-cdk/aws-lambda');
 
@@ -204,6 +204,10 @@ const api = new apigwv2.HttpApi(this, 'HttpProxyProdApi', {
 });
 ```
 
+To migrate a domain endpoint from one type to another, you can add a new endpoint configuration via `addEndpoint()`
+and then configure DNS records to route traffic to the new endpoint. After that, you can remove the previous endpoint configuration. 
+Learn more at [Migrating a custom domain name](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-regional-api-custom-domain-migrate.html)
+
 To associate a specific `Stage` to a custom domain mapping -
 
 ```ts
 
@@ -1,9 +1,34 @@
 import { ICertificate } from '@aws-cdk/aws-certificatemanager';
 import { IBucket } from '@aws-cdk/aws-s3';
-import { IResource, Resource, Token } from '@aws-cdk/core';
+import { IResource, Lazy, Resource, Token } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnDomainName, CfnDomainNameProps } from '../apigatewayv2.generated';
 
+/**
+ * The minimum version of the SSL protocol that you want API Gateway to use for HTTPS connections.
+ */
+export enum SecurityPolicy {
+  /** Cipher suite TLS 1.0 */
+  TLS_1_0 = 'TLS_1_0',
+
+  /** Cipher suite TLS 1.2 */
+  TLS_1_2 = 'TLS_1_2',
+}
+
+/**
+ * Endpoint type for a domain name.
+ */
+export enum EndpointType {
+  /**
+   * For an edge-optimized custom domain name.
+   */
+  EDGE = 'EDGE',
+  /**
+   * For a regional custom domain name.
+   */
+  REGIONAL = 'REGIONAL',
+}
+
 /**
  * Represents an APIGatewayV2 DomainName
  * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-domainname.html
@@ -51,20 +76,54 @@ export interface DomainNameAttributes {
 /**
  * properties used for creating the DomainName
  */
-export interface DomainNameProps {
+export interface DomainNameProps extends EndpointOptions {
   /**
    * The custom domain name
    */
   readonly domainName: string;
+
+  /**
+   * The mutual TLS authentication configuration for a custom domain name.
+   * @default - mTLS is not configured.
+   */
+  readonly mtls?: MTLSConfig;
+}
+
+/**
+ * properties for creating a domain name endpoint
+ */
+export interface EndpointOptions {
   /**
-   * The ACM certificate for this domain name
+   * The ACM certificate for this domain name.
+   * Certificate can be both ACM issued or imported.
    */
   readonly certificate: ICertificate;
+
   /**
-   * The mutual TLS authentication configuration for a custom domain name.
-   * @default - mTLS is not configured.
+   * The user-friendly name of the certificate that will be used by the endpoint for this domain name.
+   * @default - No friendly certificate name
+   */
+  readonly certificateName?: string;
+
+  /**
+   * The type of endpoint for this DomainName.
+   * @default EndpointType.REGIONAL
+   */
+  readonly endpointType?: EndpointType;
+
+  /**
+   * The Transport Layer Security (TLS) version + cipher suite for this domain name.
+   * @default SecurityPolicy.TLS_1_2
+   */
+  readonly securityPolicy?: SecurityPolicy;
+
+  /**
+   * A public certificate issued by ACM to validate that you own a custom domain. This parameter is required
+   * only when you configure mutual TLS authentication and you specify an ACM imported or private CA certificate
+   * for `certificate`. The ownership certificate validates that you have permissions to use the domain name.
+   * @default - only required when configuring mTLS
    */
-  readonly mtls?: MTLSConfig
+  readonly ownershipCertificate?: ICertificate;
 }
 
 /**
@@ -107,6 +166,7 @@ export class DomainName extends Resource implements IDomainName {
   public readonly name: string;
   public readonly regionalDomainName: string;
   public readonly regionalHostedZoneId: string;
+  private readonly domainNameConfigurations: CfnDomainName.DomainNameConfigurationProperty[] = [];
 
   constructor(scope: Construct, id: string, props: DomainNameProps) {
     super(scope, id);
@@ -115,21 +175,25 @@ export class DomainName extends Resource implements IDomainName {
       throw new Error('empty string for domainName not allowed');
     }
 
+    // validation for ownership certificate
+    if (props.ownershipCertificate && !props.mtls) {
+      throw new Error('ownership certificate can only be used with mtls domains');
+    }
+
     const mtlsConfig = this.configureMTLS(props.mtls);
     const domainNameProps: CfnDomainNameProps = {
       domainName: props.domainName,
-      domainNameConfigurations: [
-        {
-          certificateArn: props.certificate.certificateArn,
-          endpointType: 'REGIONAL',
-        },
-      ],
+      domainNameConfigurations: Lazy.any({ produce: () => this.domainNameConfigurations }),
       mutualTlsAuthentication: mtlsConfig,
     };
     const resource = new CfnDomainName(this, 'Resource', domainNameProps);
     this.name = resource.ref;
     this.regionalDomainName = Token.asString(resource.getAtt('RegionalDomainName'));
     this.regionalHostedZoneId = Token.asString(resource.getAtt('RegionalHostedZoneId'));
+
+    if (props.certificate) {
+      this.addEndpoint(props);
+    }
   }
 
   private configureMTLS(mtlsConfig?: MTLSConfig): CfnDomainName.MutualTlsAuthenticationProperty | undefined {
@@ -139,4 +203,30 @@ export class DomainName extends Resource implements IDomainName {
       truststoreVersion: mtlsConfig.version,
     };
   }
+
+  /**
+   * Adds an endpoint to a domain name.
+   * @param options domain name endpoint properties to be set
+   */
+  public addEndpoint(options: EndpointOptions) : void {
+    const domainNameConfig: CfnDomainName.DomainNameConfigurationProperty = {
+      certificateArn: options.certificate.certificateArn,
+      certificateName: options.certificateName,
+      endpointType: options.endpointType ? options.endpointType?.toString() : 'REGIONAL',
+      ownershipVerificationCertificateArn: options.ownershipCertificate?.certificateArn,
+      securityPolicy: options.securityPolicy?.toString(),
+    };
+
+    this.validateEndpointType(domainNameConfig.endpointType);
+    this.domainNameConfigurations.push(domainNameConfig);
+  }
+
+  // validates that the new domain name configuration has a unique endpoint
+  private validateEndpointType(endpointType: string | undefined) : void {
+    for (let config of this.domainNameConfigurations) {
+      if (endpointType && endpointType == config.endpointType) {
+        throw new Error(`an endpoint with type ${endpointType} already exists`);
+      }
+    }
+  }
 }