diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml index 6f6a7d438f446..adf1edcbfe7f1 100644 --- a/.github/workflows/pr-build.yml +++ b/.github/workflows/pr-build.yml @@ -65,7 +65,7 @@ jobs: sudo sysctl -w vm.max_map_count=2251954 - name: Build - run: /bin/bash ./build.sh --ci + run: /bin/bash ./build.sh --ci --concurrency=10 - name: Run Rosetta run: /bin/bash ./scripts/run-rosetta.sh diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-elastic-beanstalk-deploy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-elastic-beanstalk-deploy.ts index 57610933c508b..7d1db6d9af6fb 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-elastic-beanstalk-deploy.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-elastic-beanstalk-deploy.ts @@ -5,7 +5,7 @@ import * as iam from 'aws-cdk-lib/aws-iam'; import { IManagedPolicy, ManagedPolicyReference } from 'aws-cdk-lib/aws-iam'; import * as s3 from 'aws-cdk-lib/aws-s3'; import * as deploy from 'aws-cdk-lib/aws-s3-deployment'; -import { App, Fn, RemovalPolicy, Stack, UnscopedValidationError } from 'aws-cdk-lib'; +import { App, Fn, RemovalPolicy, ResourceEnvironment, Stack, UnscopedValidationError } from 'aws-cdk-lib'; import * as integ from '@aws-cdk/integ-tests-alpha'; import * as cpactions from 'aws-cdk-lib/aws-codepipeline-actions'; import { Node } from 'constructs'; @@ -56,6 +56,9 @@ function makePolicy(arn: string): IManagedPolicy { get node(): Node { throw new UnscopedValidationError('The result of fromAwsManagedPolicyName can not be used in this API'); }, + get env(): ResourceEnvironment { + throw new UnscopedValidationError('The result of fromAwsManagedPolicyName can not be used in this API'); + }, }; } 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/databrew/integ.start-job-run.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/databrew/integ.start-job-run.ts index 3bba2d26fae1e..6995b5339d141 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/databrew/integ.start-job-run.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/databrew/integ.start-job-run.ts @@ -25,6 +25,9 @@ function makePolicy(arn: string): IManagedPolicy { get node(): Node { throw new UnscopedValidationError('The result of fromAwsManagedPolicyName can not be used in this API'); }, + get env(): cdk.ResourceEnvironment { + throw new UnscopedValidationError('The result of fromAwsManagedPolicyName can not be used in this API'); + }, }; } diff --git a/packages/@aws-cdk/aws-bedrock-alpha/bedrock/agents/agent-alias.ts b/packages/@aws-cdk/aws-bedrock-alpha/bedrock/agents/agent-alias.ts index 9f512d55fda78..f9c556998ce47 100644 --- a/packages/@aws-cdk/aws-bedrock-alpha/bedrock/agents/agent-alias.ts +++ b/packages/@aws-cdk/aws-bedrock-alpha/bedrock/agents/agent-alias.ts @@ -77,7 +77,6 @@ export abstract class AgentAliasBase extends Resource implements IAgentAlias { grantee, actions, resourceArns: [this.aliasArn], - scope: this, }); } diff --git a/packages/@aws-cdk/aws-bedrock-alpha/bedrock/guardrails/guardrails.ts b/packages/@aws-cdk/aws-bedrock-alpha/bedrock/guardrails/guardrails.ts index 49c04ffeb45c8..74b6c47131dac 100644 --- a/packages/@aws-cdk/aws-bedrock-alpha/bedrock/guardrails/guardrails.ts +++ b/packages/@aws-cdk/aws-bedrock-alpha/bedrock/guardrails/guardrails.ts @@ -199,7 +199,6 @@ export abstract class GuardrailBase extends Resource implements IGuardrail { grantee, actions, resourceArns: [this.guardrailArn], - scope: this, }); } 
diff --git a/packages/@aws-cdk/aws-bedrock-alpha/bedrock/inference-profiles/application-inference-profile.ts b/packages/@aws-cdk/aws-bedrock-alpha/bedrock/inference-profiles/application-inference-profile.ts index b2047ee5fc9e1..c194db77bef98 100644 --- a/packages/@aws-cdk/aws-bedrock-alpha/bedrock/inference-profiles/application-inference-profile.ts +++ b/packages/@aws-cdk/aws-bedrock-alpha/bedrock/inference-profiles/application-inference-profile.ts @@ -123,7 +123,6 @@ export class ApplicationInferenceProfile extends InferenceProfileBase implements grantee: grantee, actions: ['bedrock:GetInferenceProfile', 'bedrock:InvokeModel'], resourceArns: [this.inferenceProfileArn], - scope: this, }); } } @@ -157,7 +156,6 @@ export class ApplicationInferenceProfile extends InferenceProfileBase implements grantee: grantee, actions: ['bedrock:GetInferenceProfile', 'bedrock:InvokeModel'], resourceArns: [this.inferenceProfileArn], - scope: this, }); } })(cfnApplicationInferenceProfile, id); @@ -357,7 +355,6 @@ export class ApplicationInferenceProfile extends InferenceProfileBase implements grantee: grantee, actions: ['bedrock:GetInferenceProfile', 'bedrock:InvokeModel'], resourceArns: [this.inferenceProfileArn], - scope: this, }); } } diff --git a/packages/@aws-cdk/aws-bedrock-alpha/bedrock/prompts/prompt.ts b/packages/@aws-cdk/aws-bedrock-alpha/bedrock/prompts/prompt.ts index 15b3536158a2e..7d05e9d175788 100644 --- a/packages/@aws-cdk/aws-bedrock-alpha/bedrock/prompts/prompt.ts +++ b/packages/@aws-cdk/aws-bedrock-alpha/bedrock/prompts/prompt.ts @@ -78,7 +78,6 @@ export abstract class PromptBase extends Resource implements IPrompt { grantee, resourceArns: [this.promptArn], actions: ['bedrock:GetPrompt'], - scope: this, }); } } diff --git a/packages/aws-cdk-lib/aws-appsync/lib/data-source-common.ts b/packages/aws-cdk-lib/aws-appsync/lib/data-source-common.ts index 9b36111bce35d..a0192f874d4cd 100644 --- a/packages/aws-cdk-lib/aws-appsync/lib/data-source-common.ts 
+++ b/packages/aws-cdk-lib/aws-appsync/lib/data-source-common.ts @@ -470,7 +470,6 @@ export class AppSyncRdsDataSource extends AppSyncBackedDataSource { 'rds-data:UpdateItems', ], resourceArns: [clusterArn, `${clusterArn}:*`], - scope: this, }); } } diff --git a/packages/aws-cdk-lib/aws-appsync/lib/data-source.ts b/packages/aws-cdk-lib/aws-appsync/lib/data-source.ts index 00db3bc2deaf7..94a4e8106e12c 100644 --- a/packages/aws-cdk-lib/aws-appsync/lib/data-source.ts +++ b/packages/aws-cdk-lib/aws-appsync/lib/data-source.ts @@ -455,7 +455,6 @@ export class RdsDataSource extends BackedDataSource { 'rds-data:UpdateItems', ], resourceArns: [clusterArn, `${clusterArn}:*`], - scope: this, }); } } diff --git a/packages/aws-cdk-lib/aws-appsync/lib/eventapi.ts b/packages/aws-cdk-lib/aws-appsync/lib/eventapi.ts index e1b973734ec38..bbe0bb05a18df 100644 --- a/packages/aws-cdk-lib/aws-appsync/lib/eventapi.ts +++ b/packages/aws-cdk-lib/aws-appsync/lib/eventapi.ts @@ -402,7 +402,6 @@ export abstract class EventApiBase extends ApiBase implements IEventApi { grantee, actions, resourceArns: resources.resourceArns(this), - scope: this, }); } diff --git a/packages/aws-cdk-lib/aws-appsync/lib/graphqlapi-base.ts b/packages/aws-cdk-lib/aws-appsync/lib/graphqlapi-base.ts index cc64a5e51a88e..bee46be04dd73 100644 --- a/packages/aws-cdk-lib/aws-appsync/lib/graphqlapi-base.ts +++ b/packages/aws-cdk-lib/aws-appsync/lib/graphqlapi-base.ts @@ -560,7 +560,6 @@ export abstract class GraphqlApiBase extends Resource implements IGraphqlApi { grantee, actions, resourceArns: resources.resourceArns(this), - scope: this, }); } diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/cache-policy.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/cache-policy.ts index c9f58b7969788..5ac829dbf98d6 100644 --- a/packages/aws-cdk-lib/aws-cloudfront/lib/cache-policy.ts +++ b/packages/aws-cdk-lib/aws-cloudfront/lib/cache-policy.ts 
@@ -4,6 +4,7 @@ import { Duration, Names, Resource, + ResourceEnvironment, Stack, Token, UnscopedValidationError, @@ -152,6 +153,10 @@ export class CachePolicy extends Resource implements ICachePolicy { throw new UnscopedValidationError('The result of fromManagedCachePolicy can not be used in this API'); } + public get env(): ResourceEnvironment { + throw new UnscopedValidationError('The result of fromManagedCachePolicy can not be used in this API'); + } + public readonly cachePolicyId = managedCachePolicyId; public readonly cachePolicyRef = { cachePolicyId: managedCachePolicyId, diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/origin-request-policy.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/origin-request-policy.ts index dade440dc6db1..0c7e8bd276b4d 100644 --- a/packages/aws-cdk-lib/aws-cloudfront/lib/origin-request-policy.ts +++ b/packages/aws-cdk-lib/aws-cloudfront/lib/origin-request-policy.ts @@ -1,6 +1,6 @@ import { Construct, Node } from 'constructs'; import { CfnOriginRequestPolicy, IOriginRequestPolicyRef, OriginRequestPolicyReference } from './cloudfront.generated'; -import { Names, Resource, Token, UnscopedValidationError, ValidationError } from '../../core'; +import { Names, Resource, ResourceEnvironment, Token, UnscopedValidationError, ValidationError } from '../../core'; import { addConstructMetadata } from '../../core/lib/metadata-resource'; import { propertyInjectable } from '../../core/lib/prop-injectable'; @@ -92,6 +92,10 @@ export class OriginRequestPolicy extends Resource implements IOriginRequestPolic throw new UnscopedValidationError('The result of fromManagedOriginRequestPolicy can not be used in this API'); } + public get env(): ResourceEnvironment { + throw new UnscopedValidationError('The result of fromManagedOriginRequestPolicy can not be used in this API'); + } + public readonly originRequestPolicyId = managedOriginRequestPolicyId; public readonly originRequestPolicyRef = { originRequestPolicyId: managedOriginRequestPolicyId, 
diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts index 9617057d1c3ed..404bb0d6c1a29 100644 --- a/packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts +++ b/packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts @@ -4,7 +4,7 @@ import { IResponseHeadersPolicyRef, ResponseHeadersPolicyReference, } from './cloudfront.generated'; -import { Duration, Names, Resource, Token, UnscopedValidationError, ValidationError, withResolved } from '../../core'; +import { Duration, Names, Resource, ResourceEnvironment, Token, UnscopedValidationError, ValidationError, withResolved } from '../../core'; import { addConstructMetadata } from '../../core/lib/metadata-resource'; import { propertyInjectable } from '../../core/lib/prop-injectable'; @@ -114,6 +114,10 @@ export class ResponseHeadersPolicy extends Resource implements IResponseHeadersP throw new UnscopedValidationError('The result of fromManagedResponseHeadersPolicy can not be used in this API'); } + public get env(): ResourceEnvironment { + throw new UnscopedValidationError('The result of fromManagedResponseHeadersPolicy can not be used in this API'); + } + public readonly responseHeadersPolicyId = managedResponseHeadersPolicyId; public readonly responseHeadersPolicyRef = { responseHeadersPolicyId: managedResponseHeadersPolicyId, diff --git a/packages/aws-cdk-lib/aws-codepipeline-actions/lib/elastic-beanstalk/deploy-action.ts b/packages/aws-cdk-lib/aws-codepipeline-actions/lib/elastic-beanstalk/deploy-action.ts index 84a1b6e7d80eb..952ef5a8dd68a 100644 --- a/packages/aws-cdk-lib/aws-codepipeline-actions/lib/elastic-beanstalk/deploy-action.ts +++ b/packages/aws-cdk-lib/aws-codepipeline-actions/lib/elastic-beanstalk/deploy-action.ts 
@@ -1,6 +1,6 @@ import { Construct, Node } from 'constructs'; import * as codepipeline from '../../../aws-codepipeline'; -import { Aws, UnscopedValidationError } from '../../../core'; +import { Aws, ResourceEnvironment, UnscopedValidationError } from '../../../core'; import { Action } from '../action'; import { deployArtifactBounds } from '../common'; @@ -57,6 +57,9 @@ export class ElasticBeanstalkDeployAction extends Action { get node(): Node { throw new UnscopedValidationError('This object can not be used in this API'); }, + get env(): ResourceEnvironment { + throw new UnscopedValidationError('This object can not be used in this API'); + }, managedPolicyArn: policyArn, managedPolicyRef: { policyArn }, }); diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts index 20b7bfca96c93..b0dfdae762dc9 100644 --- a/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts +++ b/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts @@ -1049,7 +1049,6 @@ abstract class UserPoolBase extends Resource implements IUserPool { grantee, actions, resourceArns: [this.userPoolArn], - scope: this, }); } } diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts index 134afe2c8be95..90ffb588797f2 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts @@ -448,7 +448,6 @@ export abstract class TableBaseV2 extends Resource implements ITableV2, IResourc grantee, actions: options.streamActions, resourceArns: [this.tableStreamArn], - scope: this, }); } diff --git a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts index 4a8c65e324932..8ffa5b61b11fc 100644 --- a/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts +++ b/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts 
@@ -696,7 +696,6 @@ export abstract class TableBase extends Resource implements ITable, iam.IResourc grantee, actions, resourceArns: [this.tableStreamArn], - scope: this, }); } diff --git a/packages/aws-cdk-lib/aws-ecr/lib/repository.ts b/packages/aws-cdk-lib/aws-ecr/lib/repository.ts index 07d13f66c30bc..9a8c70477eee6 100644 --- a/packages/aws-cdk-lib/aws-ecr/lib/repository.ts +++ b/packages/aws-cdk-lib/aws-ecr/lib/repository.ts @@ -382,7 +382,6 @@ export abstract class RepositoryBase extends Resource implements IRepository { grantee, actions, resourceArns: [this.repositoryArn], - scope: this, }); } else { return iam.Grant.addToPrincipalOrResource({ @@ -415,7 +414,6 @@ export abstract class RepositoryBase extends Resource implements IRepository { grantee, actions: ['ecr:GetAuthorizationToken'], resourceArns: ['*'], - scope: this, }); return ret; @@ -430,7 +428,6 @@ export abstract class RepositoryBase extends Resource implements IRepository { grantee, actions: ['ecr:GetAuthorizationToken'], resourceArns: ['*'], - scope: this, }); return ret; @@ -448,7 +445,6 @@ export abstract class RepositoryBase extends Resource implements IRepository { grantee, actions: ['ecr:GetAuthorizationToken'], resourceArns: ['*'], - scope: this, }); return ret; diff --git a/packages/aws-cdk-lib/aws-efs/lib/efs-file-system.ts b/packages/aws-cdk-lib/aws-efs/lib/efs-file-system.ts index 87d5045d58d74..01fb52085de4b 100644 --- a/packages/aws-cdk-lib/aws-efs/lib/efs-file-system.ts +++ b/packages/aws-cdk-lib/aws-efs/lib/efs-file-system.ts 
@@ -4,7 +4,7 @@ import { CfnFileSystem, CfnMountTarget } from './efs.generated'; import * as ec2 from '../../aws-ec2'; import * as iam from '../../aws-iam'; import * as kms from '../../aws-kms'; -import { ArnFormat, FeatureFlags, Lazy, Names, RemovalPolicy, Resource, Size, Stack, Tags, Token, ValidationError } from '../../core'; +import { ArnFormat, FeatureFlags, IResource, Lazy, Names, RemovalPolicy, Resource, Size, Stack, Tags, Token, ValidationError } from '../../core'; import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource'; import { propertyInjectable } from '../../core/lib/prop-injectable'; import * as cxapi from '../../cx-api'; @@ -141,7 +141,7 @@ export enum ReplicationOverwriteProtection { /** * Represents an Amazon EFS file system */ -export interface IFileSystem extends ec2.IConnectable, iam.IResourceWithPolicy { +export interface IFileSystem extends ec2.IConnectable, IResource, iam.IResourceWithPolicy { /** * The ID of the file system, assigned by Amazon EFS. * diff --git a/packages/aws-cdk-lib/aws-elasticsearch/lib/domain.ts b/packages/aws-cdk-lib/aws-elasticsearch/lib/domain.ts index 48eb034cd32b6..5f2fdfe57e83f 100644 --- a/packages/aws-cdk-lib/aws-elasticsearch/lib/domain.ts +++ b/packages/aws-cdk-lib/aws-elasticsearch/lib/domain.ts @@ -1320,7 +1320,6 @@ abstract class DomainBase extends cdk.Resource implements IDomain { grantee, actions: domainActions, resourceArns, - scope: this, }); return grant; diff --git a/packages/aws-cdk-lib/aws-iam/lib/grant.ts b/packages/aws-cdk-lib/aws-iam/lib/grant.ts index 2da45bca14fd0..4a36a84cfb512 100644 --- a/packages/aws-cdk-lib/aws-iam/lib/grant.ts +++ b/packages/aws-cdk-lib/aws-iam/lib/grant.ts 
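Review bot: `IFileSystem` now lists `IResource` explicitly but still extends `iam.IResourceWithPolicy`, which this same commit marks `@deprecated` in aws-iam/lib/grant.ts and which still extends `cdk.IResource` there. As written the extra `IResource` is redundant, so it presumably prepares for a later swap to `IResourceWithPolicyV2`. A short comment above the interface would make that intent clear, for example `// IResource is listed explicitly so IResourceWithPolicy can later be replaced by IResourceWithPolicyV2`. The same applies to `ILogGroup` in aws-logs/lib/log-group.ts. The interface body continues outside the hunk.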
@@ -44,7 +44,7 @@ export interface GrantWithResourceOptions extends CommonGrantOptions { * The statement will be added to the resource policy if it couldn't be * added to the principal policy. */ - readonly resource: IResourceWithPolicy; + readonly resource: IResourceWithPolicyV2; /** * When referring to the resource in a resource policy, use this as ARN. @@ -68,7 +68,7 @@ export interface GrantPolicyWithResourceOptions extends GrantWithResourceOptions * The policy statement to add to the resource's policy * * This statement will be passed to the resource's addToResourcePolicy method. - * The actual handling of the statement depends on the specific IResourceWithPolicy + * The actual handling of the statement depends on the specific IResourceWithPolicyV2 * implementation. */ readonly statement: PolicyStatement; @@ -83,6 +83,7 @@ export interface GrantOnPrincipalOptions extends CommonGrantOptions { * Construct to report warnings on in case grant could not be registered * * @default - the construct in which this construct is defined + * @deprecated The scope argument is currently unused. */ readonly scope?: IConstruct; } @@ -97,7 +98,7 @@ export interface GrantOnPrincipalAndResourceOptions extends CommonGrantOptions { * * The statement will always be added to the resource policy. */ - readonly resource: IResourceWithPolicy; + readonly resource: IResourceWithPolicyV2; /** * When referring to the resource in a resource policy, use this as ARN. @@ -138,10 +139,7 @@ export class Grant implements IDependable { * resource construct. */ public static addToPrincipalOrResource(options: GrantWithResourceOptions): Grant { - const result = Grant.addToPrincipal({ - ...options, - scope: options.resource, - }); + const result = Grant.addToPrincipal(options); const resourceAndPrincipalAccountComparison = options.grantee.grantPrincipal.principalAccount ? cdk.Token.compareStrings(options.resource.env.account, options.grantee.grantPrincipal.principalAccount) 
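Review bot: The doc comment on `GrantOnPrincipalOptions.scope` (hunk at -83) now contradicts itself: the summary and `@default - the construct in which this construct is defined` still describe a working fallback, while the added `@deprecated` line says the argument is unused. I would change the default to `@default - ignored` and reword the summary to `Previously the construct to report warnings on; no longer used.`. If a grant that cannot be registered used to produce a warning on this construct, the comment should also say where that warning goes now, since nothing visible in this diff shows it.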
@@ -267,10 +265,7 @@ export class Grant implements IDependable { * Statement will be the resource statement. */ public static addToPrincipalAndResource(options: GrantOnPrincipalAndResourceOptions): Grant { - const result = Grant.addToPrincipal({ - ...options, - scope: options.resource, - }); + const result = Grant.addToPrincipal(options); const statement = new PolicyStatement({ actions: options.actions, @@ -426,13 +421,24 @@ interface GrantProps { /** * A resource with a resource policy that can be added to */ -export interface IResourceWithPolicy extends cdk.IResource { +export interface IResourceWithPolicyV2 extends cdk.IEnvironmentAware { /** * Add a statement to the resource's resource policy */ addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult; } +/** + * A resource with a resource policy that can be added to + * + * This interface is maintained for backwards compatibility, but should + * not be used in new code. Prefer `IResourceWithPolicyV2` instead. + * + * @deprecated Implement `IResourceWithPolicyV2` instead. + */ +export interface IResourceWithPolicy extends IResourceWithPolicyV2, cdk.IResource { +} + /** * Result of calling addToResourcePolicy */ diff --git a/packages/aws-cdk-lib/aws-iam/lib/managed-policy.ts b/packages/aws-cdk-lib/aws-iam/lib/managed-policy.ts index 869f1f78f0ac1..2bae724f8222a 100644 --- a/packages/aws-cdk-lib/aws-iam/lib/managed-policy.ts +++ b/packages/aws-cdk-lib/aws-iam/lib/managed-policy.ts 
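Review bot: The doc comment on `IResourceWithPolicyV2` (hunk at -426) does not say what `env` is used for, and its summary is word for word the same as that of the deprecated `IResourceWithPolicy` added below it. `Grant.addToPrincipalOrResource` (hunk at -138 in this file) compares `options.resource.env.account` with the principal's account, apparently to choose between the principal policy and the resource policy, so an implementation that reports the wrong account changes which policy receives the statement. I would add a sentence to the interface comment such as `The env of the implementing object must be the account and region that own the resource; it is used to decide whether a grant is cross-account.` The call sites in aws-kinesis/lib/stream.ts and aws-lambda/lib/function-base.ts now build this object by hand with `env: this.env`, which is where the contract matters most.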
@@ -13,7 +13,7 @@ import { AddToPrincipalPolicyResult, IGrantable, IPrincipal, PrincipalPolicyFrag import { undefinedIfEmpty } from './private/util'; import { IRole } from './role'; import { IUser } from './user'; -import { Arn, ArnFormat, Aws, Resource, Stack, UnscopedValidationError } from '../../core'; +import { Arn, ArnFormat, Aws, Resource, ResourceEnvironment, Stack, UnscopedValidationError } from '../../core'; import { getCustomizeRolesConfig, PolicySynthesizer } from '../../core/lib/helpers-internal'; import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource'; import { propertyInjectable } from '../../core/lib/prop-injectable'; @@ -196,6 +196,9 @@ export class ManagedPolicy extends Resource implements IManagedPolicy, IGrantabl public get node(): Node { throw new UnscopedValidationError('The result of fromAwsManagedPolicyName can not be used in this API'); } + public get env(): ResourceEnvironment { + throw new UnscopedValidationError('The result of fromAwsManagedPolicyName can not be used in this API'); + } } return new AwsManagedPolicy(); } diff --git a/packages/aws-cdk-lib/aws-iam/lib/private/imported-role.ts b/packages/aws-cdk-lib/aws-iam/lib/private/imported-role.ts index a55b0e0f96729..e7e970ac1cc18 100644 --- a/packages/aws-cdk-lib/aws-iam/lib/private/imported-role.ts +++ b/packages/aws-cdk-lib/aws-iam/lib/private/imported-role.ts @@ -132,7 +132,6 @@ export class ImportedRole extends Resource implements IRole, IComparablePrincipa grantee, actions, resourceArns: [this.roleArn], - scope: this, }); } diff --git a/packages/aws-cdk-lib/aws-iam/lib/role.ts b/packages/aws-cdk-lib/aws-iam/lib/role.ts index 50a60aba63b98..c4f7e615e7454 100644 --- a/packages/aws-cdk-lib/aws-iam/lib/role.ts +++ b/packages/aws-cdk-lib/aws-iam/lib/role.ts @@ -679,7 +679,6 @@ export class Role extends Resource implements IRole { grantee, actions, resourceArns: [this.roleArn], - scope: this, }); } 
diff --git a/packages/aws-cdk-lib/aws-kinesis/lib/stream.ts b/packages/aws-cdk-lib/aws-kinesis/lib/stream.ts index 583e322aa6b11..f76937c39522a 100644 --- a/packages/aws-cdk-lib/aws-kinesis/lib/stream.ts +++ b/packages/aws-cdk-lib/aws-kinesis/lib/stream.ts @@ -493,10 +493,7 @@ abstract class StreamBase extends Resource implements IStream { } return { statementAdded: false }; }, - node: this.node, - stack: this.stack, env: this.env, - applyRemovalPolicy: x => this.applyRemovalPolicy(x), }, }); } diff --git a/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts b/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts index 6feccafb942c3..ff4110cb10d12 100644 --- a/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts +++ b/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts @@ -680,10 +680,7 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC } return { statementAdded: true, policyDependable: permissionNode }; }, - node: this.node, - stack: this.stack, env: this.env, - applyRemovalPolicy: x => this.applyRemovalPolicy(x), }, }); diff --git a/packages/aws-cdk-lib/aws-logs/lib/log-group.ts b/packages/aws-cdk-lib/aws-logs/lib/log-group.ts index a626f21b46b67..270a43f6e29c0 100644 --- a/packages/aws-cdk-lib/aws-logs/lib/log-group.ts +++ b/packages/aws-cdk-lib/aws-logs/lib/log-group.ts 
@@ -11,11 +11,11 @@ import { IProcessor, Transformer } from './transformer'; import * as cloudwatch from '../../aws-cloudwatch'; import * as iam from '../../aws-iam'; import * as kms from '../../aws-kms'; -import { Arn, ArnFormat, RemovalPolicy, Resource, Stack, Token, ValidationError } from '../../core'; +import { Arn, ArnFormat, IResource, RemovalPolicy, Resource, Stack, Token, ValidationError } from '../../core'; import { addConstructMetadata } from '../../core/lib/metadata-resource'; import { propertyInjectable } from '../../core/lib/prop-injectable'; -export interface ILogGroup extends iam.IResourceWithPolicy { +export interface ILogGroup extends IResource, iam.IResourceWithPolicy { /** * The ARN of this log group, with ':*' appended * diff --git a/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts b/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts index 9f8ef7c872270..a296c16785303 100644 --- a/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts +++ b/packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts @@ -1328,7 +1328,6 @@ abstract class DomainBase extends cdk.Resource implements IDomain { grantee, actions: domainActions, resourceArns, - scope: this, }); return grant; diff --git a/packages/aws-cdk-lib/aws-rds/lib/cluster.ts b/packages/aws-cdk-lib/aws-rds/lib/cluster.ts index 699a5b89aaeb6..c355654c6bb60 100644 --- a/packages/aws-cdk-lib/aws-rds/lib/cluster.ts +++ b/packages/aws-cdk-lib/aws-rds/lib/cluster.ts @@ -699,7 +699,6 @@ export abstract class DatabaseClusterBase extends Resource implements IDatabaseC grantee, actions: DATA_API_ACTIONS, resourceArns: [this.clusterArn], - scope: this, }); this.secret?.grantRead(grantee); return ret; diff --git a/packages/aws-cdk-lib/aws-rds/lib/serverless-cluster.ts b/packages/aws-cdk-lib/aws-rds/lib/serverless-cluster.ts index bcbb6eb4f319b..e1d1dc3da3ff2 100644 --- a/packages/aws-cdk-lib/aws-rds/lib/serverless-cluster.ts +++ b/packages/aws-cdk-lib/aws-rds/lib/serverless-cluster.ts 
@@ -372,7 +372,6 @@ abstract class ServerlessClusterBase extends Resource implements IServerlessClus grantee, actions: DATA_API_ACTIONS, resourceArns: ['*'], - scope: this, }); this.secret?.grantRead(grantee); return ret; diff --git a/packages/aws-cdk-lib/aws-scheduler/lib/schedule-group.ts b/packages/aws-cdk-lib/aws-scheduler/lib/schedule-group.ts index a1b07ff75124b..9f479529a5ea8 100644 --- a/packages/aws-cdk-lib/aws-scheduler/lib/schedule-group.ts +++ b/packages/aws-cdk-lib/aws-scheduler/lib/schedule-group.ts @@ -244,7 +244,6 @@ abstract class ScheduleGroupBase extends Resource implements IScheduleGroup { grantee, actions, resourceArns: [this.scheduleGroupArn], - scope: this, }); } @@ -267,7 +266,6 @@ abstract class ScheduleGroupBase extends Resource implements IScheduleGroup { grantee: identity, actions: ['scheduler:GetSchedule', 'scheduler:ListSchedules'], resourceArns: [this.arnForScheduleInGroup('*')], - scope: this, }); } @@ -279,7 +277,6 @@ abstract class ScheduleGroupBase extends Resource implements IScheduleGroup { grantee: identity, actions: ['scheduler:CreateSchedule', 'scheduler:UpdateSchedule'], resourceArns: [this.arnForScheduleInGroup('*')], - scope: this, }); } @@ -291,7 +288,6 @@ abstract class ScheduleGroupBase extends Resource implements IScheduleGroup { grantee: identity, actions: ['scheduler:DeleteSchedule'], resourceArns: [this.arnForScheduleInGroup('*')], - scope: this, }); } } diff --git a/packages/aws-cdk-lib/aws-ses/lib/email-identity.ts b/packages/aws-cdk-lib/aws-ses/lib/email-identity.ts index 7aba579baef86..40c7c91f7bd06 100644 --- a/packages/aws-cdk-lib/aws-ses/lib/email-identity.ts +++ b/packages/aws-cdk-lib/aws-ses/lib/email-identity.ts @@ -365,7 +365,6 @@ abstract class EmailIdentityBase extends Resource implements IEmailIdentity { grantee, actions, resourceArns, - scope: this, }); } diff --git a/packages/aws-cdk-lib/core/lib/cfn-resource.ts b/packages/aws-cdk-lib/core/lib/cfn-resource.ts index b19381a9df8de..3a498039a9b19 100644 
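Review bot: The Data API grant in `ServerlessClusterBase` keeps `resourceArns: ['*']`, so the grantee receives `DATA_API_ACTIONS` on any resource rather than on this cluster. The matching hunk in aws-rds/lib/cluster.ts scopes the same actions to `[this.clusterArn]`. Since the commit already edits this call, consider narrowing it to `resourceArns: [this.clusterArn],` if the class exposes the cluster ARN (not visible here), or add a comment stating why the wildcard is needed. The method starts outside the hunk, so a constraint that is not shown may apply.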
--- a/packages/aws-cdk-lib/core/lib/cfn-resource.ts +++ b/packages/aws-cdk-lib/core/lib/cfn-resource.ts @@ -15,6 +15,7 @@ import { FeatureFlags } from './feature-flags'; import { ResolutionTypeHint } from './type-hints'; import * as cxapi from '../../cx-api'; import { AssumptionError, ValidationError } from './errors'; +import { ResourceEnvironment } from './environment'; export interface CfnResourceProps { /** @@ -101,6 +102,13 @@ export class CfnResource extends CfnRefElement { } } + public get env(): ResourceEnvironment { + return { + account: this.stack.account, + region: this.stack.region, + }; + } + /** * Sets the deletion policy of the resource based on the removal policy specified. * diff --git a/packages/aws-cdk-lib/core/lib/environment.ts b/packages/aws-cdk-lib/core/lib/environment.ts index 794aeeaaad200..1403212f192e1 100644 --- a/packages/aws-cdk-lib/core/lib/environment.ts +++ b/packages/aws-cdk-lib/core/lib/environment.ts 
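Review bot: The new public getter `CfnResource.env` (hunk at -101) has no doc comment, while the neighbouring members in the hunk are documented. Because the value feeds account comparisons for grants elsewhere in this commit, the comment should state that it is derived from the stack and can therefore be a Token, for example `/** The environment of this resource: always the account and region of its stack. Values may be Tokens; compare with Token.compareStrings(). */`.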
@@ -30,3 +30,47 @@ export interface Environment { */ readonly region?: string; } + +/** + * Represents the environment a given resource lives in. + * + * Used as the return value for the `IEnvironmentAware.env` property. + */ +export interface ResourceEnvironment { + /** + * The AWS Account ID that this resource belongs to. + * + * Since this can be a Token (for example, when the account is + * CloudFormation's `AWS::AccountId` intrinsic), make sure to use + * `Token.compareStrings()` instead of comparing the values with direct + * string equality. + */ + readonly account: string; + + /** + * The AWS Region that this resource belongs to. + * + * Since this can be a Token (for example, when the region is CloudFormation's + * `AWS::Region` intrinsic), make sure to use `Token.compareStrings()` instead + * of comparing the values with direct string equality. + */ + readonly region: string; +} + +/** + * Used to indicate that a particular construct has an resource environment + */ +export interface IEnvironmentAware { + /** + * The environment this resource belongs to. + * + * For resources that are created and managed in a Stack (those created by + * creating new class instances like `new Role()`, `new Bucket()`, etc.), this + * is always the same as the environment of the stack they belong to. + * + * For referenced resources (those obtained from referencing methods like + * `Role.fromRoleArn()`, `Bucket.fromBucketName()`, etc.), they might be + * different than the stack they were imported into. + */ + readonly env: ResourceEnvironment; +} diff --git a/packages/aws-cdk-lib/core/lib/resource.ts b/packages/aws-cdk-lib/core/lib/resource.ts index 49c5d454f5941..678ad7456d68e 100644 --- a/packages/aws-cdk-lib/core/lib/resource.ts +++ b/packages/aws-cdk-lib/core/lib/resource.ts 
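Review bot: The summary of `IEnvironmentAware` has a typo, `has an resource environment`, which should read `has a resource environment`. In the `env` comment the last paragraph switches from singular to plural; `they might be different than the stack they were imported into` reads more clearly as `the environment might differ from that of the stack they were imported into`. These comments are published API documentation, so the wording is worth fixing before release.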
@@ -1,6 +1,7 @@ import { ArnComponents, ArnFormat } from './arn'; import { CfnResource } from './cfn-resource'; import { RESOURCE_SYMBOL } from './constants'; +import { IEnvironmentAware, ResourceEnvironment } from './environment'; import { ValidationError } from './errors'; import { IStringProducer, Lazy } from './lazy'; import { generatePhysicalName, isGeneratedWhenNeededMarker } from './private/physical-name-generator'; 
@@ -15,49 +16,14 @@ import { Token, Tokenization } from './token'; import { Construct, IConstruct } from 'constructs'; /** - * Represents the environment a given resource lives in. - * Used as the return value for the `IResource.env` property. + * Interface for L2 Resource constructs. */ -export interface ResourceEnvironment { - /** - * The AWS account ID that this resource belongs to. - * Since this can be a Token - * (for example, when the account is CloudFormation's AWS::AccountId intrinsic), - * make sure to use Token.compareStrings() - * instead of just comparing the values for equality. - */ - readonly account: string; - - /** - * The AWS region that this resource belongs to. - * Since this can be a Token - * (for example, when the region is CloudFormation's AWS::Region intrinsic), - * make sure to use Token.compareStrings() - * instead of just comparing the values for equality. - */ - readonly region: string; -} - -/** - * Interface for the Resource construct. - */ -export interface IResource extends IConstruct { +export interface IResource extends IConstruct, IEnvironmentAware { /** * The stack in which this resource is defined. */ readonly stack: Stack; - /** - * The environment this resource belongs to. - * For resources that are created and managed by the CDK - * (generally, those created by creating new class instances like Role, Bucket, etc.), - * this is always the same as the environment of the stack they belong to; - * however, for imported resources - * (those obtained from static methods like fromRoleArn, fromBucketName, etc.), - * that might be different than the stack they were imported into. - */ - readonly env: ResourceEnvironment; - /** * Apply the given removal policy to this resource * @@ -117,7 +83,7 @@ export interface ResourceProps { } /** - * A construct which represents an AWS resource. + * An L2 construct which represents an AWS resource. */ export abstract class Resource extends Construct implements IResource { /** 
diff --git a/tools/@aws-cdk/spec2cdk/lib/cdk/cdk.ts b/tools/@aws-cdk/spec2cdk/lib/cdk/cdk.ts
index 60074230f0cdc..6fc5365d5a2f8 100644
--- a/tools/@aws-cdk/spec2cdk/lib/cdk/cdk.ts
+++ b/tools/@aws-cdk/spec2cdk/lib/cdk/cdk.ts
@@ -39,6 +39,7 @@ export class CdkCore extends ExternalModule {
 public readonly TagType = $T(Type.fromName(this, 'TagType'));
 public readonly Fn = $T(Type.fromName(this, 'Fn'));
 public readonly ITaggable = Type.fromName(this, 'ITaggable');
+ public readonly IEnvironmentAware = Type.fromName(this, 'IEnvironmentAware');
 public readonly ITaggableV2 = Type.fromName(this, 'ITaggableV2');
 public readonly IResolvable = Type.fromName(this, 'IResolvable');
 public readonly Stack = Type.fromName(this, 'Stack');
diff --git a/tools/@aws-cdk/spec2cdk/lib/cdk/resource-class.ts b/tools/@aws-cdk/spec2cdk/lib/cdk/resource-class.ts
index 3e08ed49323df..60dbc1222683f 100644
--- a/tools/@aws-cdk/spec2cdk/lib/cdk/resource-class.ts
+++ b/tools/@aws-cdk/spec2cdk/lib/cdk/resource-class.ts
@@ -73,7 +73,7 @@ export class ResourceClass extends ClassType {
 refInterface = new InterfaceType(scope, {
 export: true,
 name: `I${resource.name}${props.suffix ?? ''}Ref`,
- extends: [CONSTRUCTS.IConstruct],
+ extends: [CONSTRUCTS.IConstruct, CDK_CORE.IEnvironmentAware],
 docs: {
 summary: `Indicates that this resource can be referenced as a ${resource.name}.`,
 stability: Stability.Experimental,
diff --git a/tools/@aws-cdk/spec2cdk/test/__snapshots__/fake-services.test.ts.snap b/tools/@aws-cdk/spec2cdk/test/__snapshots__/fake-services.test.ts.snap
index 2716323cc24b6..3bde93d3affd3 100644
--- a/tools/@aws-cdk/spec2cdk/test/__snapshots__/fake-services.test.ts.snap
+++ b/tools/@aws-cdk/spec2cdk/test/__snapshots__/fake-services.test.ts.snap
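Review bot: In the `resource-class.ts` hunk, the changed `extends` line gives every generated `I<Name>Ref` interface a required `env` member, while the `docs` block just below it still only says the resource "can be referenced". Anything that implements a ref interface by hand now has to supply `env`, and callers may begin to rely on it for account and region decisions, so the contract is worth stating where the interface is emitted. I would add a comment above the changed line: `// I<Name>Ref now carries env (account/region); implementers must return the environment the resource actually lives in.` The `InterfaceType` call continues past the end of the hunk, so whether the docs cover this further down is not visible here.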
@@ -13,7 +13,7 @@ import * as cdk_errors from "aws-cdk-lib/core/lib/errors";
 * @deprecated in favour of something else
 * @stability deprecated
 */
-export interface IResourceRef extends constructs.IConstruct {
+export interface IResourceRef extends constructs.IConstruct, cdk.IEnvironmentAware {
 /**
 * A reference to a Resource resource.
 */
diff --git a/tools/@aws-cdk/spec2cdk/test/__snapshots__/resources.test.ts.snap b/tools/@aws-cdk/spec2cdk/test/__snapshots__/resources.test.ts.snap
index a7e0b9781aef8..b8977bc5316bc 100644
--- a/tools/@aws-cdk/spec2cdk/test/__snapshots__/resources.test.ts.snap
+++ b/tools/@aws-cdk/spec2cdk/test/__snapshots__/resources.test.ts.snap
@@ -12,7 +12,7 @@ import * as cdk_errors from "aws-cdk-lib/core/lib/errors";
 *
 * @stability experimental
 */
-export interface IResourceRef extends constructs.IConstruct {
+export interface IResourceRef extends constructs.IConstruct, cdk.IEnvironmentAware {
 /**
 * A reference to a Resource resource.
 */
@@ -184,7 +184,7 @@ import * as cdk_errors from "aws-cdk-lib/core/lib/errors";
 *
 * @stability experimental
 */
-export interface IResourceRef extends constructs.IConstruct {
+export interface IResourceRef extends constructs.IConstruct, cdk.IEnvironmentAware {
 /**
 * A reference to a Resource resource.
 */
@@ -347,7 +347,7 @@ import * as cdk_errors from "aws-cdk-lib/core/lib/errors";
 *
 * @stability experimental
 */
-export interface ISomethingRef extends constructs.IConstruct {
+export interface ISomethingRef extends constructs.IConstruct, cdk.IEnvironmentAware {
 /**
 * A reference to a Something resource.
 */
@@ -524,7 +524,7 @@ import * as cdk_errors from "aws-cdk-lib/core/lib/errors";
 *
 * @stability experimental
 */
-export interface IResourceRef extends constructs.IConstruct {
+export interface IResourceRef extends constructs.IConstruct, cdk.IEnvironmentAware {
 /**
 * A reference to a Resource resource.
 */
@@ -701,7 +701,7 @@ import * as cdk_errors from "aws-cdk-lib/core/lib/errors";
 *
 * @stability experimental
 */
-export interface IResourceRef extends constructs.IConstruct {
+export interface IResourceRef extends constructs.IConstruct, cdk.IEnvironmentAware {
 /**
 * A reference to a Resource resource.
 */
@@ -881,7 +881,7 @@ import * as cdk_errors from "aws-cdk-lib/core/lib/errors";
 *
 * @stability experimental
 */
-export interface IResourceRef extends constructs.IConstruct {
+export interface IResourceRef extends constructs.IConstruct, cdk.IEnvironmentAware {
 /**
 * A reference to a Resource resource.
 */
@@ -1044,7 +1044,7 @@ import * as cdk_errors from "aws-cdk-lib/core/lib/errors";
 *
 * @stability experimental
 */
-export interface IResourceRef extends constructs.IConstruct {
+export interface IResourceRef extends constructs.IConstruct, cdk.IEnvironmentAware {
 /**
 * A reference to a Resource resource.
 */
@@ -1221,7 +1221,7 @@ import * as cdk_errors from "aws-cdk-lib/core/lib/errors";
 *
 * @stability experimental
 */
-export interface IResourceRef extends constructs.IConstruct {
+export interface IResourceRef extends constructs.IConstruct, cdk.IEnvironmentAware {
 /**
 * A reference to a Resource resource.
 */
@@ -1415,7 +1415,7 @@ import * as cdk_errors from "aws-cdk-lib/core/lib/errors";
 *
 * @stability experimental
 */
-export interface IResourceRef extends constructs.IConstruct {
+export interface IResourceRef extends constructs.IConstruct, cdk.IEnvironmentAware {
 /**
 * A reference to a Resource resource.
 */
@@ -1610,7 +1610,7 @@ import * as cdk_errors from "aws-cdk-lib/core/lib/errors";
 *
 * @stability experimental
 */
-export interface IResourceRef extends constructs.IConstruct {
+export interface IResourceRef extends constructs.IConstruct, cdk.IEnvironmentAware {
 /**
 * A reference to a Resource resource.
 */