feat: new resource interfaces shared by both L1s and L2s

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-elastic-beanstalk-deploy.ts

@@ -2,11 +2,13 @@ import * as path from 'path';
 import * as codepipeline from 'aws-cdk-lib/aws-codepipeline';
 import * as elasticbeanstalk from 'aws-cdk-lib/aws-elasticbeanstalk';
 import * as iam from 'aws-cdk-lib/aws-iam';
+import { IManagedPolicy, ManagedPolicyReference } from 'aws-cdk-lib/aws-iam';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import * as deploy from 'aws-cdk-lib/aws-s3-deployment';
-import { App, Fn, RemovalPolicy, Stack } from 'aws-cdk-lib';
+import { App, Fn, RemovalPolicy, Stack, UnscopedValidationError } from 'aws-cdk-lib';
 import * as integ from '@aws-cdk/integ-tests-alpha';
 import * as cpactions from 'aws-cdk-lib/aws-codepipeline-actions';
+import { Node } from 'constructs';
 
 /**
  * To validate that the deployment actually succeeds, perform the following actions:
@@ -43,32 +45,36 @@ const artifact = new deploy.BucketDeployment(stack, 'DeployApp', {
   extract: false,
 });
 
+function makePolicy(arn: string): IManagedPolicy {
+  return {
+    managedPolicyArn: arn,
+    get managedPolicyRef(): ManagedPolicyReference {
+      return {
+        policyArn: this.managedPolicyArn,
+      };
+    },
+    get node(): Node {
+      throw new UnscopedValidationError('The result of fromAwsManagedPolicyName can not be used in this API');
+    },
+  };
+}
+
 const serviceRole = new iam.Role(stack, 'service-role', {
   roleName: 'codepipeline-elasticbeanstalk-action-test-serivce-role',
   assumedBy: new iam.ServicePrincipal('elasticbeanstalk.amazonaws.com'),
   managedPolicies: [
-    {
-      managedPolicyArn: 'arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth',
-    },
-    {
-      managedPolicyArn: 'arn:aws:iam::aws:policy/AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy',
-    },
+    makePolicy('arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth'),
+    makePolicy('arn:aws:iam::aws:policy/AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy'),
   ],
 });
 
 const instanceProfileRole = new iam.Role(stack, 'instance-profile-role', {
   roleName: 'codepipeline-elasticbeanstalk-action-test-instance-profile-role',
   assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
   managedPolicies: [
-    {
-      managedPolicyArn: 'arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier',
-    },
-    {
-      managedPolicyArn: 'arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker',
-    },
-    {
-      managedPolicyArn: 'arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier',
-    },
+    makePolicy('arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier'),
+    makePolicy('arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker'),
+    makePolicy('arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier'),
   ],
 });
 

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/databrew/integ.start-job-run.ts

@@ -1,16 +1,33 @@
 import * as databrew from 'aws-cdk-lib/aws-databrew';
 import * as iam from 'aws-cdk-lib/aws-iam';
+import { IManagedPolicy, ManagedPolicyReference } from 'aws-cdk-lib/aws-iam';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
 import * as cdk from 'aws-cdk-lib';
+import { UnscopedValidationError } from 'aws-cdk-lib';
 import { GlueDataBrewStartJobRun } from 'aws-cdk-lib/aws-stepfunctions-tasks';
+import { Node } from 'constructs';
 
 /*
  * Stack verification steps:
  * * aws stepfunctions start-execution --state-machine-arn <deployed state machine arn> : should return execution arn
  * * aws stepfunctions describe-execution --execution-arn <exection-arn generated before> : should return status as SUCCEEDED
  */
 
+function makePolicy(arn: string): IManagedPolicy {
+  return {
+    managedPolicyArn: arn,
+    get managedPolicyRef(): ManagedPolicyReference {
+      return {
+        policyArn: this.managedPolicyArn,
+      };
+    },
+    get node(): Node {
+      throw new UnscopedValidationError('The result of fromAwsManagedPolicyName can not be used in this API');
+    },
+  };
+}
+
 class GlueDataBrewJobStack extends cdk.Stack {
   constructor(scope: cdk.App, id: string, props: cdk.StackProps = {}) {
     super(scope, id, props);
@@ -22,9 +39,9 @@ class GlueDataBrewJobStack extends cdk.Stack {
     });
 
     const role = new iam.Role(this, 'DataBrew Role', {
-      managedPolicies: [{
-        managedPolicyArn: 'arn:aws:iam::aws:policy/service-role/AWSGlueDataBrewServiceRole',
-      }],
+      managedPolicies: [
+        makePolicy('arn:aws:iam::aws:policy/service-role/AWSGlueDataBrewServiceRole'),
+      ],
       path: '/',
       assumedBy: new iam.ServicePrincipal('databrew.amazonaws.com'),
       inlinePolicies: {

packages/@aws-cdk/aws-ec2-alpha/lib/subnet-v2.ts

@@ -1,11 +1,21 @@
-import { Resource, Names, Lazy, Tags, Token, ValidationError, UnscopedValidationError } from 'aws-cdk-lib';
-import { CfnSubnet, CfnSubnetRouteTableAssociation, INetworkAcl, IRouteTable, ISubnet, NetworkAcl, SubnetNetworkAclAssociation, SubnetType } from 'aws-cdk-lib/aws-ec2';
+import { Lazy, Names, Resource, Tags, Token, UnscopedValidationError, ValidationError } from 'aws-cdk-lib';
+import {
+  CfnSubnet,
+  CfnSubnetRouteTableAssociation,
+  INetworkAcl,
+  IRouteTable,
+  ISubnet,
+  NetworkAcl,
+  SubnetNetworkAclAssociation,
+  SubnetType,
+} from 'aws-cdk-lib/aws-ec2';
 import { Construct, DependencyGroup, IDependable } from 'constructs';
 import { IVpcV2 } from './vpc-v2-base';
 import { CidrBlock, CidrBlockIpv6, defaultSubnetName } from './util';
 import { RouteTable } from './route';
 import { addConstructMetadata, MethodMetadata } from 'aws-cdk-lib/core/lib/metadata-resource';
 import { propertyInjectable } from 'aws-cdk-lib/core/lib/prop-injectable';
+import { SubnetReference } from 'aws-cdk-lib/aws-ec2/lib/ec2.generated';
 
 /**
  * Interface to define subnet CIDR
@@ -194,6 +204,12 @@ export class SubnetV2 extends Resource implements ISubnetV2 {
        */
       public readonly routeTable: IRouteTable = { routeTableId: attrs.routeTableId! };
 
+      public get subnetRef(): SubnetReference {
+        return {
+          subnetId: this.subnetId,
+        };
+      }
+
       /**
        * Associate a Network ACL with this subnet
        * Required here since it is implemented in the ISubnetV2
@@ -245,6 +261,12 @@ export class SubnetV2 extends Resource implements ISubnetV2 {
    */
   public readonly ipv6CidrBlock?: string;
 
+  public get subnetRef(): SubnetReference {
+    return {
+      subnetId: this.subnetId,
+    };
+  }
+
   /**
    * The type of subnet (public or private) that this subnet represents.
    * @attribute SubnetType

packages/@aws-cdk/aws-ec2-alpha/lib/vpc-v2-base.ts

@@ -1,11 +1,45 @@
-import { Aws, Resource, Annotations, ValidationError } from 'aws-cdk-lib';
-import { IVpc, ISubnet, SubnetSelection, SelectedSubnets, EnableVpnGatewayOptions, VpnGateway, VpnConnectionType, CfnVPCGatewayAttachment, CfnVPNGatewayRoutePropagation, VpnConnectionOptions, VpnConnection, ClientVpnEndpointOptions, ClientVpnEndpoint, InterfaceVpcEndpointOptions, InterfaceVpcEndpoint, GatewayVpcEndpointOptions, GatewayVpcEndpoint, FlowLogOptions, FlowLog, FlowLogResourceType, SubnetType, SubnetFilter } from 'aws-cdk-lib/aws-ec2';
+import { Annotations, Aws, Resource, ValidationError } from 'aws-cdk-lib';
+import {
+  CfnVPCGatewayAttachment,
+  CfnVPNGatewayRoutePropagation,
+  ClientVpnEndpoint,
+  ClientVpnEndpointOptions,
+  EnableVpnGatewayOptions,
+  FlowLog,
+  FlowLogOptions,
+  FlowLogResourceType,
+  GatewayVpcEndpoint,
+  GatewayVpcEndpointOptions,
+  InterfaceVpcEndpoint,
+  InterfaceVpcEndpointOptions,
+  ISubnet,
+  IVpc,
+  SelectedSubnets,
+  SubnetFilter,
+  SubnetSelection,
+  SubnetType,
+  VpnConnection,
+  VpnConnectionOptions,
+  VpnConnectionType,
+  VpnGateway,
+} from 'aws-cdk-lib/aws-ec2';
 import { allRouteTableIds, flatten, subnetGroupNameFromConstructId } from './util';
-import { IDependable, Dependable, IConstruct, DependencyGroup } from 'constructs';
-import { EgressOnlyInternetGateway, InternetGateway, NatConnectivityType, NatGateway, NatGatewayOptions, Route, VPCPeeringConnection, VPCPeeringConnectionOptions, VPNGatewayV2 } from './route';
+import { Dependable, DependencyGroup, IConstruct, IDependable } from 'constructs';
+import {
+  EgressOnlyInternetGateway,
+  InternetGateway,
+  NatConnectivityType,
+  NatGateway,
+  NatGatewayOptions,
+  Route,
+  VPCPeeringConnection,
+  VPCPeeringConnectionOptions,
+  VPNGatewayV2,
+} from './route';
 import { ISubnetV2 } from './subnet-v2';
 import { AccountPrincipal, Effect, PolicyStatement, Role } from 'aws-cdk-lib/aws-iam';
 import { IVPCCidrBlock } from './vpc-v2';
+import { VPCReference } from 'aws-cdk-lib/aws-ec2/lib/ec2.generated';
 
 /**
  * Options to define EgressOnlyInternetGateway for VPC
@@ -327,6 +361,12 @@ export abstract class VpcV2Base extends Resource implements IVpcV2 {
     };
   }
 
+  public get vpcRef(): VPCReference {
+    return {
+      vpcId: this.vpcId,
+    };
+  }
+
   /**
    * Adds a VPN Gateway to this VPC
    * @deprecated use enableVpnGatewayV2 for compatibility with VPCV2.Route

packages/aws-cdk-lib/aws-apigateway/lib/api-key.ts

@@ -1,5 +1,5 @@
 import { Construct } from 'constructs';
-import { CfnApiKey } from './apigateway.generated';
+import { ApiKeyReference, CfnApiKey, IApiKeyRef } from './apigateway.generated';
 import { ResourceOptions } from './resource';
 import { IRestApi } from './restapi';
 import { IStage } from './stage';
@@ -14,7 +14,7 @@ import { propertyInjectable } from '../../core/lib/prop-injectable';
  * API keys are alphanumeric string values that you distribute to
  * app developer customers to grant access to your API
  */
-export interface IApiKey extends IResourceBase {
+export interface IApiKey extends IResourceBase, IApiKeyRef {
   /**
    * The API key ID.
    * @attribute
@@ -138,6 +138,12 @@ abstract class ApiKeyBase extends Resource implements IApiKey {
       resourceArns: [this.keyArn],
     });
   }
+
+  public get apiKeyRef(): ApiKeyReference {
+    return {
+      apiKeyId: this.keyId,
+    };
+  }
 }
 
 /**

packages/aws-cdk-lib/aws-apigateway/lib/domain-name.ts

@@ -1,12 +1,12 @@
 import { Construct } from 'constructs';
-import { CfnDomainName } from './apigateway.generated';
+import { CfnDomainName, DomainNameReference, IDomainNameRef } from './apigateway.generated';
 import { BasePathMapping, BasePathMappingOptions } from './base-path-mapping';
 import { EndpointType, IRestApi } from './restapi';
 import { IStage } from './stage';
 import * as apigwv2 from '../../aws-apigatewayv2';
 import * as acm from '../../aws-certificatemanager';
 import { IBucket } from '../../aws-s3';
-import { IResource, Names, Resource, Token } from '../../core';
+import { Arn, IResource, Names, Resource, Stack, Token } from '../../core';
 import { ValidationError } from '../../core/lib/errors';
 import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../core/lib/prop-injectable';
@@ -94,7 +94,7 @@ export interface DomainNameProps extends DomainNameOptions {
   readonly mapping?: IRestApi;
 }
 
-export interface IDomainName extends IResource {
+export interface IDomainName extends IResource, IDomainNameRef {
   /**
    * The domain name (e.g. `example.com`)
    *
@@ -132,12 +132,22 @@ export class DomainName extends Resource implements IDomainName {
       public readonly domainName = attrs.domainName;
       public readonly domainNameAliasDomainName = attrs.domainNameAliasTarget;
       public readonly domainNameAliasHostedZoneId = attrs.domainNameAliasHostedZoneId;
+
+      public readonly domainNameRef = {
+        domainName: this.domainName,
+        domainNameArn: Arn.format({
+          service: 'apigateway',
+          resource: 'domainnames',
+          resourceName: attrs.domainName,
+        }, Stack.of(scope)),
+      };
     }
 
     return new Import(scope, id);
   }
 
   public readonly domainName: string;
+  public readonly domainNameRef: DomainNameReference;
   public readonly domainNameAliasDomainName: string;
   public readonly domainNameAliasHostedZoneId: string;
   private readonly basePaths = new Set<string | undefined>();
@@ -168,6 +178,7 @@ export class DomainName extends Resource implements IDomainName {
     });
 
     this.domainName = resource.ref;
+    this.domainNameRef = resource.domainNameRef;
 
     this.domainNameAliasDomainName = edge
       ? resource.attrDistributionDomainName

packages/aws-cdk-lib/aws-apigateway/lib/gateway-response.ts

@@ -1,5 +1,10 @@
 import { Construct } from 'constructs';
-import { CfnGatewayResponse, CfnGatewayResponseProps } from './apigateway.generated';
+import {
+  CfnGatewayResponse,
+  CfnGatewayResponseProps,
+  GatewayResponseReference,
+  IGatewayResponseRef,
+} from './apigateway.generated';
 import { IRestApi } from './restapi';
 import { IResource, Resource } from '../../core';
 import { addConstructMetadata } from '../../core/lib/metadata-resource';
@@ -8,7 +13,7 @@ import { propertyInjectable } from '../../core/lib/prop-injectable';
 /**
  * Represents gateway response resource.
  */
-export interface IGatewayResponse extends IResource {
+export interface IGatewayResponse extends IResource, IGatewayResponseRef {
 }
 
 /**
@@ -61,6 +66,20 @@ export class GatewayResponse extends Resource implements IGatewayResponse {
   /** Uniquely identifies this class. */
   public static readonly PROPERTY_INJECTION_ID: string = 'aws-cdk-lib.aws-apigateway.GatewayResponse';
 
+  /**
+   * Reference an existing GatewayResponse given a gateway response ID.
+   */
+  public static fromGatewayResponseId(scope: Construct, id: string, gatewayResponseId: string): IGatewayResponse {
+    class Import extends Resource implements IGatewayResponse {
+      public readonly gatewayResponseRef = {
+        gatewayResponseId: gatewayResponseId,
+      };
+    }
+    return new Import(scope, id);
+  }
+
+  public readonly gatewayResponseRef: GatewayResponseReference;
+
   constructor(scope: Construct, id: string, props: GatewayResponseProps) {
     super(scope, id);
     // Enhanced CDK Analytics Telemetry
@@ -86,6 +105,7 @@ export class GatewayResponse extends Resource implements IGatewayResponse {
       });
     }
 
+    this.gatewayResponseRef = resource.gatewayResponseRef;
     this.node.defaultChild = resource;
   }
 

packages/aws-cdk-lib/aws-apigateway/lib/resource.ts

@@ -1,16 +1,16 @@
 import { Construct } from 'constructs';
-import { CfnResource, CfnResourceProps } from './apigateway.generated';
+import { CfnResource, CfnResourceProps, IResourceRef, ResourceReference } from './apigateway.generated';
 import { Cors, CorsOptions } from './cors';
 import { Integration } from './integration';
 import { MockIntegration } from './integrations';
-import { Method, MethodOptions, AuthorizationType } from './method';
+import { AuthorizationType, Method, MethodOptions } from './method';
 import { IRestApi, RestApi } from './restapi';
 import { IResource as IResourceBase, Resource as ResourceConstruct } from '../../core';
 import { ValidationError } from '../../core/lib/errors';
 import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../core/lib/prop-injectable';
 
-export interface IResource extends IResourceBase {
+export interface IResource extends IResourceBase, IResourceRef {
   /**
    * The parent of this resource or undefined for the root resource.
    */
@@ -383,6 +383,13 @@ export abstract class ResourceBase extends ResourceConstruct implements IResourc
   public get url(): string {
     return this.restApi.urlForPath(this.path);
   }
+
+  public get resourceRef(): ResourceReference {
+    return {
+      resourceId: this.resourceId,
+      restApiId: this.api.restApiId,
+    };
+  }
 }
 
 /**