Merge branch 'main' into fix-ecs-log-resource-policy

.github/workflows/sync-from-upstream.yml

@@ -0,0 +1,59 @@
+name: Sync repository from upstream
+on:
+ workflow_dispatch: {}
+ schedule:
+ - cron: 5 2 * * *
+
+env:
+ BRANCHES: main v2-release
+
+jobs:
+
+ # Check for the presence of a PROJEN_GITHUB_TOKEN secret.
+ #
+ # This is expected to contain a personal access token of someone
+ # who pas permissions to bypass branch protection rules.
+ #
+ # If not present, we will use GitHub Actions Token permissions,
+ # but those are bound by branch protection rules.
+ check-secret:
+ # Don't run on the target repo itself, only forks
+ if: github.repository != 'aws/aws-cdk'
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check for presence of PROJEN_GITHUB_TOKEN
+ id: check-secrets
+ run: |
+ if [ ! -z "${{ secrets.PROJEN_GITHUB_TOKEN }}" ]; then
+ echo "ok=true" >> $GITHUB_OUTPUT
+ else
+ echo "ok=false" >> $GITHUB_OUTPUT
+ fi
+ outputs:
+ ok: ${{ steps.check-secrets.outputs.ok }}
+
+ sync-branch:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ needs: [check-secret]
+ steps:
+ - name: Checkout using User Token
+ if: needs.check-secret.outputs.ok == 'true'
+ uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
+
+ - name: Checkout using GitHub Actions permissions
+ if: needs.check-secret.outputs.ok == 'false'
+ uses: actions/checkout@v4
+
+ - name: Sync from aws/aws-cdk
+ run: |-
+ git remote add upstream https:/aws/aws-cdk.git
+ git fetch upstream
+
+ for branch in $BRANCHES; do
+ git push origin --force refs/remotes/upstream/$branch:refs/heads/$branch
+ done

packages/@aws-cdk-testing/cli-integ/resources/cdk-apps/app/app.js

@@ -492,6 +492,9 @@ switch (stackSet) {
  stage.synth({ validateOnSynthesis: true });
  break;
 
+ case 'stage-with-no-stacks':
+ break;
+
  default:
  throw new Error(`Unrecognized INTEG_STACK_SET: '${stackSet}'`);
 }

packages/@aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts

@@ -780,6 +780,25 @@ integTest('deploy stack without resource', withDefaultFixture(async (fixture) =>
  .rejects.toThrow('conditional-resource does not exist');
 }));
 
+integTest('deploy no stacks with --ignore-no-stacks', withDefaultFixture(async (fixture) => {
+ // empty array for stack names
+ await fixture.cdkDeploy([], {
+ options: ['--ignore-no-stacks'],
+ modEnv: {
+ INTEG_STACK_SET: 'stage-with-no-stacks',
+ },
+ });
+}));
+
+integTest('deploy no stacks error', withDefaultFixture(async (fixture) => {
+ // empty array for stack names
+ await expect(fixture.cdkDeploy([], {
+ modEnv: {
+ INTEG_STACK_SET: 'stage-with-no-stacks',
+ },
+ })).rejects.toThrow('exited with error');
+}));
+
 integTest('IAM diff', withDefaultFixture(async (fixture) => {
  const output = await fixture.cdk(['diff', fixture.fullStackName('iam-test')]);
 

packages/@aws-cdk/cli-lib-alpha/THIRD_PARTY_LICENSES

@@ -479,6 +479,16 @@ This product includes software developed at
 Amazon Web Services, Inc. (http://aws.amazon.com/).
 
 
+----------------
+
+** [email protected] - https://www.npmjs.com/package/aws-sdk/v/2.1532.0 | Apache-2.0
+AWS SDK for JavaScript
+Copyright 2012-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+This product includes software developed at
+Amazon Web Services, Inc. (http://aws.amazon.com/).
+
+
 ----------------
 
 ** [email protected] - https://www.npmjs.com/package/balanced-match/v/1.0.2 | MIT
@@ -668,7 +678,7 @@ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI
 
 ----------------
 
-** cdk-from-cfn@0.113.0 - https://www.npmjs.com/package/cdk-from-cfn/v/0.113.0 | MIT OR Apache-2.0
+** cdk-from-cfn@0.116.0 - https://www.npmjs.com/package/cdk-from-cfn/v/0.116.0 | MIT OR Apache-2.0
 
 ----------------
 

packages/aws-cdk-lib/aws-codebuild/lib/compute-type.ts

@@ -5,6 +5,7 @@ export enum ComputeType {
  SMALL = 'BUILD_GENERAL1_SMALL',
  MEDIUM = 'BUILD_GENERAL1_MEDIUM',
  LARGE = 'BUILD_GENERAL1_LARGE',
+ X_LARGE = 'BUILD_GENERAL1_XLARGE',
  X2_LARGE = 'BUILD_GENERAL1_2XLARGE',
  LAMBDA_1GB = 'BUILD_LAMBDA_1GB',
  LAMBDA_2GB = 'BUILD_LAMBDA_2GB',

packages/aws-cdk-lib/aws-codebuild/lib/project.ts

@@ -2117,7 +2117,8 @@ export class WindowsBuildImage implements IBuildImage {
  errors.push('Windows images do not support Lambda compute types');
  }
 
- if (buildEnvironment.computeType === ComputeType.SMALL || buildEnvironment.computeType === ComputeType.X2_LARGE) {
+ const unsupportedComputeTypes = [ComputeType.SMALL, ComputeType.X_LARGE, ComputeType.X2_LARGE];
+ if (buildEnvironment.computeType !== undefined && unsupportedComputeTypes.includes(buildEnvironment.computeType)) {
  errors.push(`Windows images do not support the '${buildEnvironment.computeType}' compute type`);
  }
  return errors;

packages/aws-cdk-lib/aws-codebuild/test/codebuild.test.ts

@@ -1617,6 +1617,24 @@ test('using ComputeType.Small with a Windows image fails validation', () => {
  }).toThrow(/Windows images do not support the 'BUILD_GENERAL1_SMALL' compute type/);
 });
 
+test('using ComputeType.XLarge with a Windows image fails validation', () => {
+ const stack = new cdk.Stack();
+ const invalidEnvironment: codebuild.BuildEnvironment = {
+ buildImage: codebuild.WindowsBuildImage.WIN_SERVER_CORE_2019_BASE,
+ computeType: codebuild.ComputeType.X_LARGE,
+ };
+
+ expect(() => {
+ new codebuild.Project(stack, 'MyProject', {
+ source: codebuild.Source.s3({
+ bucket: new s3.Bucket(stack, 'MyBucket'),
+ path: 'path',
+ }),
+ environment: invalidEnvironment,
+ });
+ }).toThrow(/Windows images do not support the 'BUILD_GENERAL1_XLARGE' compute type/);
+});
+
 test('using ComputeType.X2Large with a Windows image fails validation', () => {
  const stack = new cdk.Stack();
  const invalidEnvironment: codebuild.BuildEnvironment = {

packages/aws-cdk-lib/aws-route53/README.md

@@ -182,7 +182,7 @@ new route53.ARecord(this, 'ARecord', {
 ### Cross Account Zone Delegation
 
 If you want to have your root domain hosted zone in one account and your subdomain hosted
-zone in a diferent one, you can use `CrossAccountZoneDelegationRecord` to set up delegation
+zone in a different one, you can use `CrossAccountZoneDelegationRecord` to set up delegation
 between them.
 
 In the account containing the parent hosted zone:
@@ -196,6 +196,36 @@ const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
  roleName: 'MyDelegationRole',
  // The other account
  assumedBy: new iam.AccountPrincipal('12345678901'),
+ // You can scope down this role policy to be least privileged.
+ // If you want the other account to be able to manage specific records,
+ // you can scope down by resource and/or normalized record names
+ inlinePolicies: {
+ crossAccountPolicy: new iam.PolicyDocument({
+ statements: [
+ new iam.PolicyStatement({
+ sid: 'ListHostedZonesByName',
+ effect: iam.Effect.ALLOW,
+ actions: ['route53:ListHostedZonesByName'],
+ resources: ['*'],
+ }),
+ new iam.PolicyStatement({
+ sid: 'GetHostedZoneAndChangeResourceRecordSet',
+ effect: iam.Effect.ALLOW,
+ actions: ['route53:GetHostedZone', 'route53:ChangeResourceRecordSet'],
+ // This example assumes the RecordSet subdomain.somexample.com
+ // is contained in the HostedZone
+ resources: ['arn:aws:route53:::hostedzone/HZID00000000000000000'],
+ conditions: {
+ 'ForAllValues:StringLike': {
+ 'route53:ChangeResourceRecordSetsNormalizedRecordNames': [
+ 'subdomain.someexample.com',
+ ],
+ },
+ },
+ }),
+ ],
+ }),
+ },
 });
 parentZone.grantDelegation(crossAccountRole);
 ```

packages/aws-cdk/README.md

@@ -386,6 +386,20 @@ $ cdk deploy --method=prepare-change-set --change-set-name MyChangeSetName
 For more control over when stack changes are deployed, the CDK can generate a
 CloudFormation change set but not execute it.
 
+#### Ignore No Stacks
+
+You may have an app with multiple environments, e.g., dev and prod. When starting
+development, your prod app may not have any resources or the resources are commented
+out. In this scenario, you will receive an error message stating that the app has no
+stacks.
+
+To bypass this error messages, you can pass the `--ignore-no-stacks` flag to the 
+`deploy` command:
+
+```console
+$ cdk deploy --ignore-no-stacks
+```
+
 #### Hotswap deployments for faster development
 
 You can pass the `--hotswap` flag to the `deploy` command:

packages/aws-cdk/THIRD_PARTY_LICENSES

@@ -272,6 +272,16 @@ This product includes software developed at
 Amazon Web Services, Inc. (http://aws.amazon.com/).
 
 
+----------------
+
+** [email protected] - https://www.npmjs.com/package/aws-sdk/v/2.1532.0 | Apache-2.0
+AWS SDK for JavaScript
+Copyright 2012-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+This product includes software developed at
+Amazon Web Services, Inc. (http://aws.amazon.com/).
+
+
 ----------------
 
 ** [email protected] - https://www.npmjs.com/package/balanced-match/v/1.0.2 | MIT
@@ -461,7 +471,7 @@ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI
 
 ----------------
 
-** cdk-from-cfn@0.113.0 - https://www.npmjs.com/package/cdk-from-cfn/v/0.113.0 | MIT OR Apache-2.0
+** cdk-from-cfn@0.116.0 - https://www.npmjs.com/package/cdk-from-cfn/v/0.116.0 | MIT OR Apache-2.0
 
 ----------------
 

packages/aws-cdk/lib/api/cxapp/cloud-assembly.ts

@@ -38,9 +38,16 @@ export interface SelectStacksOptions {
  extend?: ExtendedStackSelection;
 
  /**
- * The behavior if if no selectors are privided.
+ * The behavior if if no selectors are provided.
  */
  defaultBehavior: DefaultSelection;
+
+ /**
+ * Whether to deploy if the app contains no stacks.
+ *
+ * @default false
+ */
+ ignoreNoStacks?: boolean;
 }
 
 /**
@@ -100,6 +107,9 @@ export class CloudAssembly {
  const patterns = sanitizePatterns(selector.patterns);
 
  if (stacks.length === 0) {
+ if (options.ignoreNoStacks) {
+ return new StackCollection(this, []);
+ }
  throw new Error('This app contains no stacks');
  }
 

packages/aws-cdk/lib/api/deployments.ts

@@ -199,6 +199,13 @@ export interface DeployStackOptions {
  * @default true To remain backward compatible.
  */
  readonly assetParallelism?: boolean;
+
+ /**
+ * Whether to deploy if the app contains no stacks.
+ *
+ * @default false
+ */
+ ignoreNoStacks?: boolean;
 }
 
 interface AssetOptions {