From 4b387c2558bf7461551a51c771eab7cd4cee0b8b Mon Sep 17 00:00:00 2001 From: AWS CDK Team Date: Thu, 21 Mar 2024 15:37:09 +0000 Subject: [PATCH 1/3] chore(release): 2.134.0 --- CHANGELOG.v2.alpha.md | 12 ++++++++++ CHANGELOG.v2.md | 25 ++++++++++++++++++++ packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md | 3 ++- packages/aws-cdk-lib/cx-api/lib/features.ts | 2 +- version.v2.json | 4 ++-- 5 files changed, 42 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md index cd60394bee4cc..0924dd0370c9e 100644 --- a/CHANGELOG.v2.alpha.md +++ b/CHANGELOG.v2.alpha.md @@ -2,6 +2,18 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.134.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.133.0-alpha.0...v2.134.0-alpha.0) (2024-03-21) + + +### Features + +* **kinesisanalytics-flink:** add support for Flink 1.18 ([#29554](https://github.com/aws/aws-cdk/issues/29554)) ([8fd8ee8](https://github.com/aws/aws-cdk/commit/8fd8ee8e7e5a6e047e5110f084dff61906bde160)), closes [/docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kinesisanalyticsv2-application.html#aws-resource-kinesisanalyticsv2](https://github.com/aws//docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kinesisanalyticsv2-application.html/issues/aws-resource-kinesisanalyticsv2) + + +### Bug Fixes + +* **glue:** s3 path specified in --spark-event-logs-path needs to end with slash ([#29357](https://github.com/aws/aws-cdk/issues/29357)) ([4ff3565](https://github.com/aws/aws-cdk/commit/4ff3565a9d7b0298bf884822fecabdd3cff643aa)), closes [#29356](https://github.com/aws/aws-cdk/issues/29356) + ## [2.133.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.132.1-alpha.0...v2.133.0-alpha.0) (2024-03-14) ## [2.132.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.132.0-alpha.0...v2.132.1-alpha.0) (2024-03-12) 
diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md index 309e6289202d9..363623a79c427 100644 --- a/CHANGELOG.v2.md +++ b/CHANGELOG.v2.md 
@@ -2,6 +2,31 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.134.0](https://github.com/aws/aws-cdk/compare/v2.133.0...v2.134.0) (2024-03-21) + + +### Features + +* update L1 CloudFormation resource definitions ([#29569](https://github.com/aws/aws-cdk/issues/29569)) ([c9fb4f7](https://github.com/aws/aws-cdk/commit/c9fb4f739f3aacf669cdd38b8431695811be5e92)) +* **appsync:** queryDepthLimit and resolverCountLimit props on GraphqlApi ([#29182](https://github.com/aws/aws-cdk/issues/29182)) ([ba6d0b3](https://github.com/aws/aws-cdk/commit/ba6d0b3ec3fba2ac5a704022bcbe6a3ba6f7dff3)) +* **cli:** warn of non-existent stacks in `cdk destroy` ([#27921](https://github.com/aws/aws-cdk/issues/27921)) ([f0d1d67](https://github.com/aws/aws-cdk/commit/f0d1d675c7ca6575f953a446a86185cc20122a91)), closes [#27179](https://github.com/aws/aws-cdk/issues/27179) +* **codepipeline-actions:** show status reason in the pipeline for failed change set executions ([#29534](https://github.com/aws/aws-cdk/issues/29534)) ([6d16337](https://github.com/aws/aws-cdk/commit/6d16337c9faed12716697a3b3af2a2be259b21b0)) +* **elasticloadbalancingv2:** `denyAllIgwTraffic` and `clientRoutingPolicy` for NLB ([#29521](https://github.com/aws/aws-cdk/issues/29521)) ([7fe8ad3](https://github.com/aws/aws-cdk/commit/7fe8ad3741fa5342ba93652ed9eabd1157682faa)), closes [#29520](https://github.com/aws/aws-cdk/issues/29520) +* update L1 CloudFormation resource definitions ([#29530](https://github.com/aws/aws-cdk/issues/29530)) ([1fdac0c](https://github.com/aws/aws-cdk/commit/1fdac0cbb71a84efd3f744ade6a4f49a452968e0)) +* **eks:** trainium instance types ([#29155](https://github.com/aws/aws-cdk/issues/29155)) ([507b709](https://github.com/aws/aws-cdk/commit/507b709bab8679750f1e9cbe25794daf2eb76f00)), closes [#29131](https://github.com/aws/aws-cdk/issues/29131) +* **rds:** eliminating the 
need for explicit `secret.grantRead()` invokes when using DataAPI with Aurora cluster ([#29399](https://github.com/aws/aws-cdk/issues/29399)) ([bc9d0b4](https://github.com/aws/aws-cdk/commit/bc9d0b44ef0717c6bd98fd37ab7883d830094461)), closes [#29362](https://github.com/aws/aws-cdk/issues/29362) [/github.com/aws/aws-cdk/pull/29338#discussion_r1512026791](https://github.com/aws//github.com/aws/aws-cdk/pull/29338/issues/discussion_r1512026791) + + +### Bug Fixes + +* **CLI:** `cdk diff` stack deletion causes a race condition ([#29492](https://github.com/aws/aws-cdk/issues/29492)) ([067539a](https://github.com/aws/aws-cdk/commit/067539a9587794ca65b984d0001efa8d274766ca)), closes [#29265](https://github.com/aws/aws-cdk/issues/29265) +* **cloudformation-diff:** move aws-sdk to dependency for cfn-diff to get CFN types resolved in exports ([#28768](https://github.com/aws/aws-cdk/issues/28768)) ([28c4be3](https://github.com/aws/aws-cdk/commit/28c4be3419e8c18ac84f2b72ae1838f8f424c1c6)), closes [#28680](https://github.com/aws/aws-cdk/issues/28680) [#28679](https://github.com/aws/aws-cdk/issues/28679) +* **cloudwatch:** cloudwatch ec2 alarm action with multiple dimension results in error ([#29364](https://github.com/aws/aws-cdk/issues/29364)) ([cc37778](https://github.com/aws/aws-cdk/commit/cc377785c00a021c9b519bdda945be8e99cb1148)) +* **cloudwatch:** unrecognized statistic warning when using percentileRank statistic in Stats helper ([#29498](https://github.com/aws/aws-cdk/issues/29498)) ([f2ad980](https://github.com/aws/aws-cdk/commit/f2ad98027a896228c554985e746107a4c7089f70)), closes [#29465](https://github.com/aws/aws-cdk/issues/29465) +* **elasticloadbalancingv2:** allow alb slow start duration of 0 seconds ([#29445](https://github.com/aws/aws-cdk/issues/29445)) ([cf2351b](https://github.com/aws/aws-cdk/commit/cf2351bfba986352ba6cbc93e00cb4eb9348265a)), closes [#29437](https://github.com/aws/aws-cdk/issues/29437) +* **kms:** kms key grant methods misidentify region when 
enclosing stack is different region ([#29315](https://github.com/aws/aws-cdk/issues/29315)) ([9076d6e](https://github.com/aws/aws-cdk/commit/9076d6e522002357da307bc09417a5b12bcfb35e)) +* **opensearch:** cannot disable cluster logging ([#29205](https://github.com/aws/aws-cdk/issues/29205)) ([c7fcaf7](https://github.com/aws/aws-cdk/commit/c7fcaf7f8d819fa91b93effe2ad55658e980655b)), closes [#29294](https://github.com/aws/aws-cdk/issues/29294) + ## [2.133.0](https://github.com/aws/aws-cdk/compare/v2.132.1...v2.133.0) (2024-03-14) diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md index a5cb355edb15b..e3688ae4b55ae 100644 --- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md +++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md @@ -66,6 +66,7 @@ Flags come in three types: | [@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction](#aws-cdkaws-cloudwatch-actionschangelambdapermissionlogicalidforlambdaaction) | When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID. | 2.124.0 | (fix) | | [@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse](#aws-cdkaws-codepipelinecrossaccountkeysdefaultvaluetofalse) | Enables Pipeline to set the default value for crossAccountKeys to false. | 2.127.0 | (default) | | [@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2](#aws-cdkaws-codepipelinedefaultpipelinetypetov2) | Enables Pipeline to set the default pipeline type to V2. | 2.133.0 | (default) | +| [@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope](#aws-cdkaws-kmsreducecrossaccountregionpolicyscope) | When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only. | 2.134.0 | (fix) | @@ -1261,7 +1262,7 @@ When this feature flag is enabled and calling KMS key grant method, the created | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | -| V2NEXT | `false` | `true` | +| 2.134.0 | `false` | `true` | 
diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index 2d76033fb0a5f..3787104072ee5 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts @@ -1031,7 +1031,7 @@ export const FLAGS: Record = { When this feature flag is enabled and calling KMS key grant method, the created IAM policy will reduce the resource scope from '*' to this specific granting KMS key. `, - introducedIn: { v2: 'V2NEXT' }, + introducedIn: { v2: '2.134.0' }, recommendedValue: true, }, }; diff --git a/version.v2.json b/version.v2.json index 758e39730523d..5c351d68f5102 100644 --- a/version.v2.json +++ b/version.v2.json @@ -1,4 +1,4 @@ { - "version": "2.133.0", - "alphaVersion": "2.133.0-alpha.0" + "version": "2.134.0", + "alphaVersion": "2.134.0-alpha.0" } \ No newline at end of file From e0279f74a3ff275199930b56e8b9e0b3acb9f95b Mon Sep 17 00:00:00 2001 From: AWS CDK Team Date: Tue, 26 Mar 2024 16:48:54 +0000 Subject: [PATCH 2/3] chore(release): 2.134.0 --- CHANGELOG.v2.alpha.md | 12 +++++++ CHANGELOG.v2.md | 37 ++++++++++++++++++++ packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md | 4 +-- packages/aws-cdk-lib/cx-api/lib/features.ts | 2 +- version.v2.json | 4 +-- 5 files changed, 54 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md index cd60394bee4cc..08567e09ac382 100644 --- a/CHANGELOG.v2.alpha.md +++ b/CHANGELOG.v2.alpha.md 
@@ -2,6 +2,18 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.134.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.133.0-alpha.0...v2.134.0-alpha.0) (2024-03-26) + + +### Features + +* **kinesisanalytics-flink:** add support for Flink 1.18 ([#29554](https://github.com/aws/aws-cdk/issues/29554)) ([8fd8ee8](https://github.com/aws/aws-cdk/commit/8fd8ee8e7e5a6e047e5110f084dff61906bde160)), closes [/docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kinesisanalyticsv2-application.html#aws-resource-kinesisanalyticsv2](https://github.com/aws//docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kinesisanalyticsv2-application.html/issues/aws-resource-kinesisanalyticsv2) + + +### Bug Fixes + +* **glue:** s3 path specified in --spark-event-logs-path needs to end with slash ([#29357](https://github.com/aws/aws-cdk/issues/29357)) ([4ff3565](https://github.com/aws/aws-cdk/commit/4ff3565a9d7b0298bf884822fecabdd3cff643aa)), closes [#29356](https://github.com/aws/aws-cdk/issues/29356) + ## [2.133.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.132.1-alpha.0...v2.133.0-alpha.0) (2024-03-14) ## [2.132.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.132.0-alpha.0...v2.132.1-alpha.0) (2024-03-12) diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md index 309e6289202d9..19ebdc49a12ed 100644 --- a/CHANGELOG.v2.md +++ b/CHANGELOG.v2.md 
@@ -2,6 +2,43 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.134.0](https://github.com/aws/aws-cdk/compare/v2.133.0...v2.134.0) (2024-03-26) + + +### Features + +* update L1 CloudFormation resource definitions ([#29605](https://github.com/aws/aws-cdk/issues/29605)) ([bf34b6c](https://github.com/aws/aws-cdk/commit/bf34b6cea31c452da2f1eda49072331466994af2)) +* update L1 CloudFormation resource definitions ([#29606](https://github.com/aws/aws-cdk/issues/29606)) ([432f97d](https://github.com/aws/aws-cdk/commit/432f97d9de3522e198b5bd7832bce6e26cf18d1f)) +* **apigatewayv2:** add missing `WebSocketIntegration` props ([#29566](https://github.com/aws/aws-cdk/issues/29566)) ([7534dcd](https://github.com/aws/aws-cdk/commit/7534dcd761ac9dc302022d5ef612f4a942a56c4c)), closes [#29562](https://github.com/aws/aws-cdk/issues/29562) +* **appsync:** queryDepthLimit and resolverCountLimit props on GraphqlApi ([#29182](https://github.com/aws/aws-cdk/issues/29182)) ([ba6d0b3](https://github.com/aws/aws-cdk/commit/ba6d0b3ec3fba2ac5a704022bcbe6a3ba6f7dff3)) +* **cli:** warn of non-existent stacks in `cdk destroy` ([#27921](https://github.com/aws/aws-cdk/issues/27921)) ([f0d1d67](https://github.com/aws/aws-cdk/commit/f0d1d675c7ca6575f953a446a86185cc20122a91)), closes [#27179](https://github.com/aws/aws-cdk/issues/27179) +* **codepipeline-actions:** show status reason in the pipeline for failed change set executions ([#29534](https://github.com/aws/aws-cdk/issues/29534)) ([6d16337](https://github.com/aws/aws-cdk/commit/6d16337c9faed12716697a3b3af2a2be259b21b0)) +* **eks:** trainium instance types ([#29155](https://github.com/aws/aws-cdk/issues/29155)) ([507b709](https://github.com/aws/aws-cdk/commit/507b709bab8679750f1e9cbe25794daf2eb76f00)), closes [#29131](https://github.com/aws/aws-cdk/issues/29131) +* **elasticloadbalancingv2:** `denyAllIgwTraffic` 
and `clientRoutingPolicy` for NLB ([#29521](https://github.com/aws/aws-cdk/issues/29521)) ([7fe8ad3](https://github.com/aws/aws-cdk/commit/7fe8ad3741fa5342ba93652ed9eabd1157682faa)), closes [#29520](https://github.com/aws/aws-cdk/issues/29520) +* **elasticloadbalancingv2:** client keepalive for ALB ([#29504](https://github.com/aws/aws-cdk/issues/29504)) ([9b79f94](https://github.com/aws/aws-cdk/commit/9b79f94da2249c199eb26949c40fa4807de55a77)), closes [#29503](https://github.com/aws/aws-cdk/issues/29503) +* **elasticloadbalancingv2:** enforce security group inbound rules prop ([#29522](https://github.com/aws/aws-cdk/issues/29522)) ([8df2823](https://github.com/aws/aws-cdk/commit/8df2823037553d3f4c1ce28720a883c05b68ee85)), closes [#29516](https://github.com/aws/aws-cdk/issues/29516) +* update L1 CloudFormation resource definitions ([#29530](https://github.com/aws/aws-cdk/issues/29530)) ([1fdac0c](https://github.com/aws/aws-cdk/commit/1fdac0cbb71a84efd3f744ade6a4f49a452968e0)) +* update L1 CloudFormation resource definitions ([#29569](https://github.com/aws/aws-cdk/issues/29569)) ([c9fb4f7](https://github.com/aws/aws-cdk/commit/c9fb4f739f3aacf669cdd38b8431695811be5e92)) +* update L1 CloudFormation resource definitions ([#29573](https://github.com/aws/aws-cdk/issues/29573)) ([53d2094](https://github.com/aws/aws-cdk/commit/53d2094ada55373736fe646026d2f508c8206df0)) +* **rds:** eliminating the need for explicit `secret.grantRead()` invokes when using DataAPI with Aurora cluster ([#29399](https://github.com/aws/aws-cdk/issues/29399)) ([bc9d0b4](https://github.com/aws/aws-cdk/commit/bc9d0b44ef0717c6bd98fd37ab7883d830094461)), closes [#29362](https://github.com/aws/aws-cdk/issues/29362) [/github.com/aws/aws-cdk/pull/29338#discussion_r1512026791](https://github.com/aws//github.com/aws/aws-cdk/pull/29338/issues/discussion_r1512026791) + + +### Bug Fixes + +* **CLI:** `cdk diff` stack deletion causes a race condition ([#29492](https://github.com/aws/aws-cdk/issues/29492)) 
([067539a](https://github.com/aws/aws-cdk/commit/067539a9587794ca65b984d0001efa8d274766ca)), closes [#29265](https://github.com/aws/aws-cdk/issues/29265) +* **cloudformation-diff:** move aws-sdk to dependency for cfn-diff to get CFN types resolved in exports ([#28768](https://github.com/aws/aws-cdk/issues/28768)) ([28c4be3](https://github.com/aws/aws-cdk/commit/28c4be3419e8c18ac84f2b72ae1838f8f424c1c6)), closes [#28680](https://github.com/aws/aws-cdk/issues/28680) [#28679](https://github.com/aws/aws-cdk/issues/28679) +* **cloudwatch:** cloudwatch ec2 alarm action with multiple dimension results in error ([#29364](https://github.com/aws/aws-cdk/issues/29364)) ([cc37778](https://github.com/aws/aws-cdk/commit/cc377785c00a021c9b519bdda945be8e99cb1148)) +* **cloudwatch:** unrecognized statistic warning when using percentileRank statistic in Stats helper ([#29498](https://github.com/aws/aws-cdk/issues/29498)) ([f2ad980](https://github.com/aws/aws-cdk/commit/f2ad98027a896228c554985e746107a4c7089f70)), closes [#29465](https://github.com/aws/aws-cdk/issues/29465) +* **ecs-patterns:** integ test unable to create ECS service ([#29490](https://github.com/aws/aws-cdk/issues/29490)) ([6faa60e](https://github.com/aws/aws-cdk/commit/6faa60e6a91e86e8d426b82e480b0c5e684a1c84)), closes [/github.com/aws/aws-cdk/pull/29186#issuecomment-1959231406](https://github.com/aws//github.com/aws/aws-cdk/pull/29186/issues/issuecomment-1959231406) +* **elasticloadbalancingv2:** allow alb slow start duration of 0 seconds ([#29445](https://github.com/aws/aws-cdk/issues/29445)) ([cf2351b](https://github.com/aws/aws-cdk/commit/cf2351bfba986352ba6cbc93e00cb4eb9348265a)), closes [#29437](https://github.com/aws/aws-cdk/issues/29437) +* **kms:** kms key grant methods misidentify region when enclosing stack is different region ([#29315](https://github.com/aws/aws-cdk/issues/29315)) ([9076d6e](https://github.com/aws/aws-cdk/commit/9076d6e522002357da307bc09417a5b12bcfb35e)) +* **opensearch:** cannot disable 
cluster logging ([#29205](https://github.com/aws/aws-cdk/issues/29205)) ([c7fcaf7](https://github.com/aws/aws-cdk/commit/c7fcaf7f8d819fa91b93effe2ad55658e980655b)), closes [#29294](https://github.com/aws/aws-cdk/issues/29294) + + +### Reverts + +* "feat(cli): warn of non-existent stacks in `cdk destroy`" ([#29577](https://github.com/aws/aws-cdk/issues/29577)) ([f60e6e9](https://github.com/aws/aws-cdk/commit/f60e6e9b6f761aa170113399bb288311a142142b)), closes [aws/aws-cdk#27921](https://github.com/aws/aws-cdk/issues/27921) [40aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts#L190](https://github.com/40aws-cdk-testing/cli-integ/tests/cli-integ-tests/cli.integtest.ts/issues/L190) [/github.com/aws/aws-cdk/blob/07ce8ecc42782475d099b89944571375341c28d3/packages/aws-cdk/lib/api/cxapp/cloud-executable.ts#L86](https://github.com/aws//github.com/aws/aws-cdk/blob/07ce8ecc42782475d099b89944571375341c28d3/packages/aws-cdk/lib/api/cxapp/cloud-executable.ts/issues/L86) + ## [2.133.0](https://github.com/aws/aws-cdk/compare/v2.132.1...v2.133.0) (2024-03-14) diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md index 0c39405d31b7e..e3688ae4b55ae 100644 --- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md +++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md 
@@ -66,7 +66,7 @@ Flags come in three types: | [@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction](#aws-cdkaws-cloudwatch-actionschangelambdapermissionlogicalidforlambdaaction) | When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID. | 2.124.0 | (fix) | | [@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse](#aws-cdkaws-codepipelinecrossaccountkeysdefaultvaluetofalse) | Enables Pipeline to set the default value for crossAccountKeys to false. | 2.127.0 | (default) | | [@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2](#aws-cdkaws-codepipelinedefaultpipelinetypetov2) | Enables Pipeline to set the default pipeline type to V2. | 2.133.0 | (default) | -| [@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope](#aws-cdkaws-kmsreducecrossaccountregionpolicyscope) | When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only. | V2NEXT | (fix) | +| [@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope](#aws-cdkaws-kmsreducecrossaccountregionpolicyscope) | When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only. | 2.134.0 | (fix) | @@ -1262,7 +1262,7 @@ When this feature flag is enabled and calling KMS key grant method, the created | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | -| V2NEXT | `false` | `true` | +| 2.134.0 | `false` | `true` | diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index 2d76033fb0a5f..3787104072ee5 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts 
@@ -1031,7 +1031,7 @@ export const FLAGS: Record = { When this feature flag is enabled and calling KMS key grant method, the created IAM policy will reduce the resource scope from '*' to this specific granting KMS key. `, - introducedIn: { v2: 'V2NEXT' }, + introducedIn: { v2: '2.134.0' }, recommendedValue: true, }, }; diff --git a/version.v2.json b/version.v2.json index 758e39730523d..5c351d68f5102 100644 --- a/version.v2.json +++ b/version.v2.json @@ -1,4 +1,4 @@ { - "version": "2.133.0", - "alphaVersion": "2.133.0-alpha.0" + "version": "2.134.0", + "alphaVersion": "2.134.0-alpha.0" } \ No newline at end of file From 2cc24499bf62b6dd48ae9bd265c38a6847f75a3f Mon Sep 17 00:00:00 2001 
From: shikha372 Date: Tue, 26 Mar 2024 21:09:43 -0700 Subject: [PATCH 3/3] fix: add validation for ALB access log bucket when KMS key is provided (#29382) ### Issue # (if applicable) Closes #22031. ### Reason for this change Adds a validation with correct error indicating ALB Access log bucket does not support KMS encryption ### Description of changes Currently access logs bucket encryption with KMS is not supported in case of ALB but while deploying it throws an error indicating the failure with bucket permissions. This validation introduces an upfront check to throw an error if `bucket.encryptionKey `is defined. Documentation: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html ### Description of how you validated changes Added unit tests for validation. ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../aws-elasticloadbalancingv2/README.md | 18 +++++ .../lib/alb/application-load-balancer.ts | 65 ++++++++++++++++++- .../test/alb/load-balancer.test.ts | 41 ++++++++---- .../default.ts-fixture | 1 + 4 files changed, 113 insertions(+), 12 deletions(-) diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md index 7d3494daedbe3..401eb132b4840 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md 
@@ -234,6 +234,24 @@ const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', { For more information, see [Load balancer attributes](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#load-balancer-attributes) +### Setting up Access Log Bucket on Application Load Balancer + +The only server-side encryption option that's supported is Amazon S3-managed keys (SSE-S3). For more information +Documentation: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html + +```ts + +declare const vpc: ec2.Vpc; + +const bucket = new s3.Bucket(this, 'ALBAccessLogsBucket',{ + encryption: s3.BucketEncryption.S3_MANAGED, + }); + +const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', { vpc }); +lb.logAccessLogs(bucket); + +``` + ## Defining a Network Load Balancer Network Load Balancers are defined in a similar way to Application Load diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts index bb6f2cfbefb8d..4d7bbd7c38c4a 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts 
@@ -3,8 +3,11 @@ import { ApplicationListener, BaseApplicationListenerProps } from './application
 import { ListenerAction } from './application-listener-action';
 import * as cloudwatch from '../../../aws-cloudwatch';
 import * as ec2 from '../../../aws-ec2';
+import { PolicyStatement } from '../../../aws-iam/lib/policy-statement';
+import { ServicePrincipal } from '../../../aws-iam/lib/principals';
+import * as s3 from '../../../aws-s3';
 import * as cxschema from '../../../cloud-assembly-schema';
-import { Duration, Lazy, Names, Resource } from '../../../core';
+import { CfnResource, Duration, Lazy, Names, Resource, Stack } from '../../../core';
 import * as cxapi from '../../../cx-api';
 import { ApplicationELBMetrics } from '../elasticloadbalancingv2-canned-metrics.generated';
 import { BaseLoadBalancer, BaseLoadBalancerLookupOptions, BaseLoadBalancerProps, ILoadBalancerV2 } from '../shared/base-load-balancer';
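Review bot: The two new aws-iam imports reach into the package internals (`'../../../aws-iam/lib/policy-statement'`, `'../../../aws-iam/lib/principals'`) while every other cross-package import in this header, including the new `'../../../aws-s3'`, goes through the package root. Deep paths couple this file to aws-iam's internal layout and read differently from the rest of the list; `import * as iam from '../../../aws-iam';` with `iam.PolicyStatement` / `iam.ServicePrincipal` at the call sites in `logAccessLogs` keeps the style uniform. If the deep paths were chosen to avoid a circular import between aws-iam and this package, a one-line comment saying so would stop the next reader from "fixing" it.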
@@ -170,6 +173,66 @@ export class ApplicationLoadBalancer extends BaseLoadBalancer implements IApplic
 });
 }
 
+ /**
+ * Enable access logging for this load balancer.
+ *
+ * A region must be specified on the stack containing the load balancer; you cannot enable logging on
+ * environment-agnostic stacks. See https://docs.aws.amazon.com/cdk/latest/guide/environments.html
+ */
+ public logAccessLogs(bucket: s3.IBucket, prefix?: string) {
+
+ /**
+ * KMS key encryption is not supported on Access Log bucket for ALB, the bucket must use Amazon S3-managed keys (SSE-S3).
+ * See https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#bucket-permissions-troubleshooting
+ */
+
+ if (bucket.encryptionKey) {
+ throw new Error('Encryption key detected. Bucket encryption using KMS keys is unsupported');
+ }
+
+ prefix = prefix || '';
+ this.setAttribute('access_logs.s3.enabled', 'true');
+ this.setAttribute('access_logs.s3.bucket', bucket.bucketName.toString());
+ this.setAttribute('access_logs.s3.prefix', prefix);
+
+ const logsDeliveryServicePrincipal = new ServicePrincipal('delivery.logs.amazonaws.com');
+ bucket.addToResourcePolicy(new PolicyStatement({
+ actions: ['s3:PutObject'],
+ principals: [this.resourcePolicyPrincipal()],
+ resources: [
+ bucket.arnForObjects(`${prefix ? prefix + '/' : ''}AWSLogs/${Stack.of(this).account}/*`),
+ ],
+ }));
+ bucket.addToResourcePolicy(
+ new PolicyStatement({
+ actions: ['s3:PutObject'],
+ principals: [logsDeliveryServicePrincipal],
+ resources: [
+ bucket.arnForObjects(`${prefix ? prefix + '/' : ''}AWSLogs/${this.env.account}/*`),
+ ],
+ conditions: {
+ StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' },
+ },
+ }),
+ );
+ bucket.addToResourcePolicy(
+ new PolicyStatement({
+ actions: ['s3:GetBucketAcl'],
+ principals: [logsDeliveryServicePrincipal],
+ resources: [bucket.bucketArn],
+ }),
+ );
+
+ // make sure the bucket's policy is created before the ALB (see https://github.com/aws/aws-cdk/issues/1633)
+ // at the L1 level to avoid creating a circular dependency (see https://github.com/aws/aws-cdk/issues/27528
+ // and https://github.com/aws/aws-cdk/issues/27928)
+ const lb = this.node.defaultChild;
+ const bucketPolicy = bucket.policy?.node.defaultChild;
+ if (lb && bucketPolicy && CfnResource.isCfnResource(lb) && CfnResource.isCfnResource(bucketPolicy)) {
+ lb.addDependency(bucketPolicy);
+ }
+ }
+
 /**
 * Add a security group to this load balancer
 */
diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts
index 0bc9f98a775c0..b9fd54bd7ce95 100644
--- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts
+++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts
@@ -2,6 +2,7 @@ import { Construct } from 'constructs';
 import { Match, Template } from '../../../assertions';
 import { Metric } from '../../../aws-cloudwatch';
 import * as ec2 from '../../../aws-ec2';
+import { Key } from '../../../aws-kms';
 import * as s3 from '../../../aws-s3';
 import * as cdk from '../../../core';
 import * as elbv2 from '../../lib';
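Review bot: The new guard in `logAccessLogs` only rejects a key the construct knows about — `bucket.encryptionKey` is populated for buckets created in this app or imported with an explicit `encryptionKey`, so an imported SSE-KMS bucket passes the check and still fails when the log delivery service writes, which is the situation the linked troubleshooting page describes. That limitation belongs in the method's TSDoc, e.g. `@throws if bucket.encryptionKey is set; imported buckets without an encryptionKey are not validated and must use SSE-S3`. The explanatory `/** … */` block inside the method body is a JSDoc comment attached to nothing and should be a `//` comment directly above the `if`. The two PutObject statements also derive the account from different places (`Stack.of(this).account` vs `this.env.account`); if that difference is intentional it deserves a comment, otherwise one accessor should be used for both. The enclosing `ApplicationLoadBalancer` class starts outside the hunk; if `BaseLoadBalancer` already declares `logAccessLogs`, the method should also carry `override`.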
@@ -284,11 +285,16 @@ describe('tests', () => {
 }
 }
 
- function loggingSetup(): { stack: cdk.Stack; bucket: s3.Bucket; lb: elbv2.ApplicationLoadBalancer } {
+ function loggingSetup(withEncryption: boolean = false ): { stack: cdk.Stack; bucket: s3.Bucket; lb: elbv2.ApplicationLoadBalancer } {
 const app = new cdk.App();
 const stack = new cdk.Stack(app, undefined, { env: { region: 'us-east-1' } });
 const vpc = new ec2.Vpc(stack, 'Stack');
- const bucket = new s3.Bucket(stack, 'AccessLoggingBucket');
+ let bucketProps = {};
+ if (withEncryption) {
+ const kmsKey = new Key(stack, 'TestKMSKey');
+ bucketProps = { ...bucketProps, encryption: s3.BucketEncryption.KMS, encyptionKey: kmsKey };
+ }
+ const bucket = new s3.Bucket(stack, 'AccessLogBucket', { ...bucketProps });
 const lb = new elbv2.ApplicationLoadBalancer(stack, 'LB', { vpc });
 return { stack, bucket, lb };
 }
@@ -309,7 +315,7 @@ describe('tests', () => {
 },
 {
 Key: 'access_logs.s3.bucket',
- Value: { Ref: 'AccessLoggingBucketA6D88F29' },
+ Value: { Ref: 'AccessLogBucketDA470295' },
 },
 {
 Key: 'access_logs.s3.prefix',
@@ -329,7 +335,7 @@ describe('tests', () => {
 // THEN
 // verify the ALB depends on the bucket policy
 Template.fromStack(stack).hasResource('AWS::ElasticLoadBalancingV2::LoadBalancer', {
- DependsOn: ['AccessLoggingBucketPolicy700D7CC6'],
+ DependsOn: ['AccessLogBucketPolicyF52D2D01'],
 });
 });
 
@@ -351,7 +357,7 @@ describe('tests', () => {
 Effect: 'Allow',
 Principal: { AWS: { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::127311923021:root']] } },
 Resource: {
- 'Fn::Join': ['', [{ 'Fn::GetAtt': ['AccessLoggingBucketA6D88F29', 'Arn'] }, '/AWSLogs/',
+ 'Fn::Join': ['', [{ 'Fn::GetAtt': ['AccessLogBucketDA470295', 'Arn'] }, '/AWSLogs/',
 { Ref: 'AWS::AccountId' }, '/*']],
 },
 },
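Review bot: `encyptionKey: kmsKey` in `loggingSetup` is misspelled, and because `bucketProps` is declared as an untyped `{}` the compiler cannot catch it, so the key is silently dropped from the Bucket props and `TestKMSKey` becomes an orphaned resource in the test stack. The guard under test presumably still fires only because `s3.BucketEncryption.KMS` provisions a key of its own when none is passed, which means the user-supplied-key path this fixture was written for is not actually exercised. Declare the props with their real type and fix the name: `let bucketProps: s3.BucketProps = {};` and `bucketProps = { ...bucketProps, encryption: s3.BucketEncryption.KMS, encryptionKey: kmsKey };`. The `withEncryption: boolean = false ` parameter also carries a redundant annotation and a stray space before `)`; `withEncryption = false` infers `boolean`.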
@@ -360,7 +366,7 @@ describe('tests', () => {
 Effect: 'Allow',
 Principal: { Service: 'delivery.logs.amazonaws.com' },
 Resource: {
- 'Fn::Join': ['', [{ 'Fn::GetAtt': ['AccessLoggingBucketA6D88F29', 'Arn'] }, '/AWSLogs/',
+ 'Fn::Join': ['', [{ 'Fn::GetAtt': ['AccessLogBucketDA470295', 'Arn'] }, '/AWSLogs/',
 { Ref: 'AWS::AccountId' }, '/*']],
 },
 Condition: { StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' } },
@@ -370,7 +376,7 @@ describe('tests', () => {
 Effect: 'Allow',
 Principal: { Service: 'delivery.logs.amazonaws.com' },
 Resource: {
- 'Fn::GetAtt': ['AccessLoggingBucketA6D88F29', 'Arn'],
+ 'Fn::GetAtt': ['AccessLogBucketDA470295', 'Arn'],
 },
 },
 ],
@@ -395,7 +401,7 @@ describe('tests', () => {
 },
 {
 Key: 'access_logs.s3.bucket',
- Value: { Ref: 'AccessLoggingBucketA6D88F29' },
+ Value: { Ref: 'AccessLogBucketDA470295' },
 },
 {
 Key: 'access_logs.s3.prefix',
@@ -414,7 +420,7 @@ describe('tests', () => {
 Effect: 'Allow',
 Principal: { AWS: { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::127311923021:root']] } },
 Resource: {
- 'Fn::Join': ['', [{ 'Fn::GetAtt': ['AccessLoggingBucketA6D88F29', 'Arn'] }, '/prefix-of-access-logs/AWSLogs/',
+ 'Fn::Join': ['', [{ 'Fn::GetAtt': ['AccessLogBucketDA470295', 'Arn'] }, '/prefix-of-access-logs/AWSLogs/',
 { Ref: 'AWS::AccountId' }, '/*']],
 },
 },
@@ -423,7 +429,7 @@ describe('tests', () => {
 Effect: 'Allow',
 Principal: { Service: 'delivery.logs.amazonaws.com' },
 Resource: {
- 'Fn::Join': ['', [{ 'Fn::GetAtt': ['AccessLoggingBucketA6D88F29', 'Arn'] }, '/prefix-of-access-logs/AWSLogs/',
+ 'Fn::Join': ['', [{ 'Fn::GetAtt': ['AccessLogBucketDA470295', 'Arn'] }, '/prefix-of-access-logs/AWSLogs/',
 { Ref: 'AWS::AccountId' }, '/*']],
 },
 Condition: { StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' } },
@@ -433,7 +439,7 @@ describe('tests', () => {
 Effect: 'Allow',
 Principal: { Service: 'delivery.logs.amazonaws.com' },
 Resource: {
- 'Fn::GetAtt': ['AccessLoggingBucketA6D88F29', 'Arn'],
+ 'Fn::GetAtt': ['AccessLogBucketDA470295', 'Arn'],
 },
 },
 ],
@@ -441,6 +447,19 @@ describe('tests', () => {
 });
 });
 
+ test('bucket with KMS throws validation error', () => {
+ //GIVEN
+ const { stack, bucket, lb } = loggingSetup(true);
+
+ // WHEN
+ const logAccessLogFunctionTest = () => lb.logAccessLogs(bucket);
+
+ // THEN
+ // verify failure in case the access log bucket is encrypted with KMS
+ expect(logAccessLogFunctionTest).toThrow('Encryption key detected. Bucket encryption using KMS keys is unsupported');
+
+ });
+
 test('access logging on imported bucket', () => {
 // GIVEN
 const { stack, lb } = loggingSetup();
diff --git a/packages/aws-cdk-lib/rosetta/aws_elasticloadbalancingv2/default.ts-fixture b/packages/aws-cdk-lib/rosetta/aws_elasticloadbalancingv2/default.ts-fixture
index 9f9c0bb37b6be..48fd3869082f0 100644
--- a/packages/aws-cdk-lib/rosetta/aws_elasticloadbalancingv2/default.ts-fixture
+++ b/packages/aws-cdk-lib/rosetta/aws_elasticloadbalancingv2/default.ts-fixture
@@ -5,6 +5,7 @@ import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
 import * as autoscaling from 'aws-cdk-lib/aws-autoscaling';
 import * as cloudwatch from 'aws-cdk-lib/aws-cloudwatch';
+import * as s3 from 'aws-cdk-lib/aws-s3';
 
 class Fixture extends Stack {
 constructor(scope: Construct, id: string) {
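Review bot: The new 'bucket with KMS throws validation error' test destructures `stack` from `loggingSetup(true)` but never uses it, which a no-unused-vars lint rule will likely flag; `const { bucket, lb } = loggingSetup(true);` is all the test needs. The `//GIVEN` comment and the blank line before the closing `});` also depart from the spacing the neighbouring tests use (`// GIVEN`, no trailing blank). Because the fixture's misspelled `encyptionKey` drops the explicit key, this test currently relies on the bucket's auto-created KMS key rather than the user-supplied one named in the PR description; fixing the fixture keeps the assertion meaningful for both cases.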