From 4ef45ee62e1a4cc93b7a399d450563a60eb28c5f Mon Sep 17 00:00:00 2001 From: Kendra Neil <53584728+TheRealAmazonKendra@users.noreply.github.com> Date: Thu, 11 Jul 2024 15:10:39 -0700 Subject: [PATCH 1/8] chore: remove use of deprecated ServicePrincipal Mapping They have now been standardized for a few years. We did not initially remove the old mappings out of caution and because we were unsure that the changes has made it to all regions yet. It is long past that happening at this point. --- .../__snapshots__/stepfunctions.test.ts.snap | 10 +- .../__snapshots__/stepfunctions.test.ts.snap | 20 +- packages/@aws-cdk/cx-api/FEATURE_FLAGS.md | 22 +- .../test/ecs/deployment-group.test.ts | 10 +- .../test/lambda/deployment-group.test.ts | 10 +- .../aws-ec2/lib/vpc-endpoint-service.ts | 13 +- .../aws-cdk-lib/aws-iam/lib/principals.ts | 26 +- .../aws-iam/test/policy-document.test.ts | 17 +- .../aws-iam/test/principals.test.ts | 24 +- .../test/kinesis.test.ts | 18 +- .../waiter-state-machine.test.ts | 11 +- packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md | 18 - packages/aws-cdk-lib/cx-api/lib/features.ts | 15 - packages/aws-cdk-lib/region-info/README.md | 16 +- .../build-tools/generate-static-data.ts | 6 - .../region-info/lib/aws-entities.ts | 20 - .../aws-cdk-lib/region-info/lib/default.ts | 7 +- packages/aws-cdk-lib/region-info/lib/fact.ts | 4 +- .../region-info/lib/region-info.ts | 4 +- .../__snapshots__/region-info.test.ts.snap | 560 ------------------ .../region-info/test/region-info.test.ts | 6 +- 21 files changed, 45 insertions(+), 792 deletions(-) diff --git a/packages/@aws-cdk/aws-pipes-enrichments-alpha/test/__snapshots__/stepfunctions.test.ts.snap b/packages/@aws-cdk/aws-pipes-enrichments-alpha/test/__snapshots__/stepfunctions.test.ts.snap index 641c4506ff287..826d1b8ca419c 100644 --- a/packages/@aws-cdk/aws-pipes-enrichments-alpha/test/__snapshots__/stepfunctions.test.ts.snap 
+++ b/packages/@aws-cdk/aws-pipes-enrichments-alpha/test/__snapshots__/stepfunctions.test.ts.snap @@ -10,15 +10,7 @@ exports[`stepfunctions should grant pipe role invoke access 1`] = ` "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { - "Service": { - "Fn::FindInMap": [ - "ServiceprincipalMap", - { - "Ref": "AWS::Region", - }, - "states", - ], - }, + "Service": "states.amazonaws.com", }, }, ], diff --git a/packages/@aws-cdk/aws-pipes-targets-alpha/test/__snapshots__/stepfunctions.test.ts.snap b/packages/@aws-cdk/aws-pipes-targets-alpha/test/__snapshots__/stepfunctions.test.ts.snap index c58ce2f47f055..e0137db91ad21 100644 --- a/packages/@aws-cdk/aws-pipes-targets-alpha/test/__snapshots__/stepfunctions.test.ts.snap +++ b/packages/@aws-cdk/aws-pipes-targets-alpha/test/__snapshots__/stepfunctions.test.ts.snap @@ -74,15 +74,7 @@ exports[`step-function should grant pipe role push access (StartAsyncExecution) "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { - "Service": { - "Fn::FindInMap": [ - "ServiceprincipalMap", - { - "Ref": "AWS::Region", - }, - "states", - ], - }, + "Service": "states.amazonaws.com", }, }, ], @@ -121,15 +113,7 @@ exports[`step-function should grant pipe role push access (StartSyncExecution) w "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { - "Service": { - "Fn::FindInMap": [ - "ServiceprincipalMap", - { - "Ref": "AWS::Region", - }, - "states", - ], - }, + "Service": "states.amazonaws.com", }, }, ], diff --git a/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md b/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md index ced7faaa3adef..be8cfb6c4d69c 100644 --- a/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md +++ b/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md 
@@ -38,7 +38,6 @@ Flags come in three types: | [@aws-cdk/core:enablePartitionLiterals](#aws-cdkcoreenablepartitionliterals) | Make ARNs concrete if AWS partition is known | 2.38.0 | (fix) | | [@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker](#aws-cdkaws-ecsdisableexplicitdeploymentcontrollerforcircuitbreaker) | Avoid setting the "ECS" deployment controller when adding a circuit breaker | 2.51.0 | (fix) | | [@aws-cdk/aws-events:eventsTargetQueueSameAccount](#aws-cdkaws-eventseventstargetqueuesameaccount) | Event Rules may only push to encrypted SQS queues in the same account | 2.51.0 | (fix) | -| [@aws-cdk/aws-iam:standardizedServicePrincipals](#aws-cdkaws-iamstandardizedserviceprincipals) | Use standardized (global) service principals everywhere | 2.51.0 | (fix) | | [@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName](#aws-cdkaws-iamimportedrolestacksafedefaultpolicyname) | Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in. | 2.60.0 | (fix) | | [@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy](#aws-cdkaws-s3serveraccesslogsusebucketpolicy) | Use S3 Bucket Policy instead of ACLs for Server Access Logging | 2.60.0 | (fix) | | [@aws-cdk/customresources:installLatestAwsSdkDefault](#aws-cdkcustomresourcesinstalllatestawssdkdefault) | Whether to install the latest SDK by default in AwsCustomResource | 2.60.0 | (default) | 
@@ -72,7 +71,7 @@ Flags come in three types: | [@aws-cdk/pipelines:reduceAssetRoleTrustScope](#aws-cdkpipelinesreduceassetroletrustscope) | Remove the root account principal from PipelineAssetsFileRole trust policy | 2.141.0 | (default) | | [@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm](#aws-cdkaws-ecsremovedefaultdeploymentalarm) | When enabled, remove default deployment alarm settings | 2.143.0 | (default) | | [@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault](#aws-cdkcustom-resourceslogapiresponsedatapropertytruedefault) | When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default | 2.145.0 | (fix) | -| [@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions](#aws-cdkaws-stepfunctions-tasksecsreduceruntaskpermissions) | When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN. | V2NEXT | (fix) | +| [@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions](#aws-cdkaws-stepfunctions-tasksecsreduceruntaskpermissions) | When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN. | 2.148.0 | (fix) | @@ -101,7 +100,6 @@ The following json shows the current recommended set of flags, as `cdk init` wou "@aws-cdk/aws-apigateway:disableCloudWatchRole": true, "@aws-cdk/core:enablePartitionLiterals": true, "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true, - "@aws-cdk/aws-iam:standardizedServicePrincipals": true, "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true, "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true, "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true, 
@@ -748,22 +746,6 @@ always apply, regardless of the value of this flag. | 2.51.0 | `false` | `true` | -### @aws-cdk/aws-iam:standardizedServicePrincipals - -*Use standardized (global) service principals everywhere* (fix) - -We used to maintain a database of exceptions to Service Principal names in various regions. This database -is no longer necessary: all service principals names have been standardized to their global form (`SERVICE.amazonaws.com`). - -This flag disables use of that exceptions database and always uses the global service principal. - - -| Since | Default | Recommended | -| ----- | ----- | ----- | -| (not in v1) | | | -| 2.51.0 | `false` | `true` | - - ### @aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName *Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in.* (fix) @@ -1370,7 +1352,7 @@ for more details. | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | -| V2NEXT | `false` | `true` | +| 2.148.0 | `false` | `true` | diff --git a/packages/aws-cdk-lib/aws-codedeploy/test/ecs/deployment-group.test.ts b/packages/aws-cdk-lib/aws-codedeploy/test/ecs/deployment-group.test.ts index ff244b80f66fc..68ff197fdb09d 100644 --- a/packages/aws-cdk-lib/aws-codedeploy/test/ecs/deployment-group.test.ts +++ b/packages/aws-cdk-lib/aws-codedeploy/test/ecs/deployment-group.test.ts @@ -140,15 +140,7 @@ describe('CodeDeploy ECS DeploymentGroup', () => { Action: 'sts:AssumeRole', Effect: 'Allow', Principal: { - Service: { - 'Fn::FindInMap': [ - 'ServiceprincipalMap', - { - Ref: 'AWS::Region', - }, - 'codedeploy', - ], - }, + Service: 'codedeploy.amazonaws.com', }, }], Version: '2012-10-17', diff --git a/packages/aws-cdk-lib/aws-codedeploy/test/lambda/deployment-group.test.ts b/packages/aws-cdk-lib/aws-codedeploy/test/lambda/deployment-group.test.ts index c3a7c5110fa00..ed88b27c178e9 100644 --- a/packages/aws-cdk-lib/aws-codedeploy/test/lambda/deployment-group.test.ts 
+++ b/packages/aws-cdk-lib/aws-codedeploy/test/lambda/deployment-group.test.ts @@ -94,15 +94,7 @@ describe('CodeDeploy Lambda DeploymentGroup', () => { Action: 'sts:AssumeRole', Effect: 'Allow', Principal: { - Service: { - 'Fn::FindInMap': [ - 'ServiceprincipalMap', - { - Ref: 'AWS::Region', - }, - 'codedeploy', - ], - }, + Service: 'codedeploy.amazonaws.com', }, }], Version: '2012-10-17', diff --git a/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint-service.ts b/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint-service.ts index d609f417cd227..0e611adc996cc 100644 --- a/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint-service.ts +++ b/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint-service.ts @@ -2,7 +2,7 @@ import { Construct } from 'constructs'; import { CfnVPCEndpointService, CfnVPCEndpointServicePermissions } from './ec2.generated'; import { ArnPrincipal } from '../../aws-iam'; import { Aws, Fn, IResource, Resource, Stack, Token } from '../../core'; -import { Default, RegionInfo } from '../../region-info'; +import { RegionInfo } from '../../region-info'; /** * A load balancer that can host a VPC Endpoint Service @@ -46,6 +46,13 @@ export interface IVpcEndpointService extends IResource { */ export class VpcEndpointService extends Resource implements IVpcEndpointService { + /** + * The default value for a VPC Endpoint Service name prefix, useful if you do + * not have a synthesize-time region literal available (all you have is + * `{ "Ref": "AWS::Region" }`) + */ + public static readonly DEFAULT_PREFIX = 'com.amazonaws.vpce'; + /** * One or more network load balancers to host the service. * @attribute 
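Review bot: The doc comment on the new `DEFAULT_PREFIX` does not say that the value is only right for the commercial partition, and it is used precisely when the region is a token and `RegionInfo` cannot be consulted (the `Token.isUnresolved(region)` branch in the next hunk). The generator hunk later in this patch builds the real prefix from the reversed domain suffix, so for a suffix other than `amazonaws.com` this fallback would yield a wrong endpoint service name, which only the caller can avoid by giving the stack a concrete region. I would extend the comment with ` * Only correct for the commercial partition; set an explicit stack region if you deploy elsewhere.` The `VpcEndpointService` class body continues outside the hunk.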
@@ -119,8 +126,8 @@ export class VpcEndpointService extends Resource implements IVpcEndpointService const { region } = Stack.of(this); const serviceNamePrefix = !Token.isUnresolved(region) ? - (RegionInfo.get(region).vpcEndpointServiceNamePrefix ?? Default.VPC_ENDPOINT_SERVICE_NAME_PREFIX) : - Default.VPC_ENDPOINT_SERVICE_NAME_PREFIX; + (RegionInfo.get(region).vpcEndpointServiceNamePrefix ?? VpcEndpointService.DEFAULT_PREFIX) : + VpcEndpointService.DEFAULT_PREFIX; this.vpcEndpointServiceName = Fn.join('.', [serviceNamePrefix, Aws.REGION, this.vpcEndpointServiceId]); if (this.allowedPrincipals.length > 0) { diff --git a/packages/aws-cdk-lib/aws-iam/lib/principals.ts b/packages/aws-cdk-lib/aws-iam/lib/principals.ts index 6833334fcbf3d..35c27ebb2f0d7 100644 --- a/packages/aws-cdk-lib/aws-iam/lib/principals.ts +++ b/packages/aws-cdk-lib/aws-iam/lib/principals.ts @@ -6,8 +6,7 @@ import { defaultAddPrincipalToAssumeRole } from './private/assume-role-policy'; import { LITERAL_STRING_KEY, mergePrincipal } from './private/util'; import { ISamlProvider } from './saml-provider'; import * as cdk from '../../core'; -import * as cxapi from '../../cx-api'; -import { Default, FactName, RegionInfo } from '../../region-info'; +import { RegionInfo } from '../../region-info'; /** * Any object that has an associated principal that a permission can be granted to @@ -942,11 +941,7 @@ class ServicePrincipalToken implements cdk.IResolvable { } public resolve(ctx: cdk.IResolveContext) { - return cdk.FeatureFlags.of(ctx.scope).isEnabled(cxapi.IAM_STANDARDIZED_SERVICE_PRINCIPALS) - ? this.newStandardizedBehavior(ctx) - : this.legacyBehavior(ctx); - - // The correct behavior is to always use the global service principal + return this.newStandardizedBehavior(ctx); } /** 
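Review bot: `resolve()` now ignores the deprecated `opts.region` option without any signal: the removed `legacyBehavior` was the only path that read it, and the surviving path appears to return `this.service` unchanged (see the context at the top of the next hunk). A caller still passing `region`, or a stack that had the flag explicitly set to `false`, will have its roles' `AssumeRolePolicyDocument` principals rewritten on the next deploy with nothing in the synth output explaining why. That is the intended outcome, but the one comment that said so was deleted; I would keep it on the method as `// Always the global SERVICE.amazonaws.com form; the deprecated opts.region is ignored.` and, if `opts.region` is set, emit a synth-time warning via `cdk.Annotations.of(ctx.scope).addWarningV2(...)` so the change is visible. `newStandardizedBehavior` is defined outside this hunk.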
@@ -965,23 +960,6 @@ class ServicePrincipalToken implements cdk.IResolvable { return this.service; } - /** - * Do a single lookup - */ - private legacyBehavior(ctx: cdk.IResolveContext) { - if (this.opts.region) { - // Special case, handle it separately to not break legacy behavior. - return RegionInfo.get(this.opts.region).servicePrincipal(this.service) ?? - Default.servicePrincipal(this.service, this.opts.region, cdk.Aws.URL_SUFFIX); - } - - const stack = cdk.Stack.of(ctx.scope); - return stack.regionalFact( - FactName.servicePrincipal(this.service), - Default.servicePrincipal(this.service, stack.region, cdk.Aws.URL_SUFFIX), - ); - } - public toString() { return cdk.Token.asString(this, { displayHint: this.service, diff --git a/packages/aws-cdk-lib/aws-iam/test/policy-document.test.ts b/packages/aws-cdk-lib/aws-iam/test/policy-document.test.ts index 09af35f469636..2cf20950bab70 100644 --- a/packages/aws-cdk-lib/aws-iam/test/policy-document.test.ts +++ b/packages/aws-cdk-lib/aws-iam/test/policy-document.test.ts @@ -1,4 +1,3 @@ -import { testDeprecated } from '@aws-cdk/cdk-build-tools'; import { Template } from '../../assertions'; import { Lazy, Stack, Token } from '../../core'; import { 
@@ -464,21 +463,7 @@ describe('IAM policy document', () => { expect(stack.resolve(s.toStatementJson())).toEqual({ Effect: 'Allow', Action: 'test:Action', - Principal: { Service: 'codedeploy.cn-north-1.amazonaws.com.cn' }, - }); - }); - - // Deprecated: 'region' parameter to ServicePrincipal shouldn't be used. - testDeprecated('regional service principals resolve appropriately (with user-set region)', () => { - const stack = new Stack(undefined, undefined, { env: { region: 'cn-northeast-1' } }); - const s = new PolicyStatement(); - s.addActions('test:Action'); - s.addServicePrincipal('codedeploy.amazonaws.com', { region: 'cn-north-1' }); - - expect(stack.resolve(s.toStatementJson())).toEqual({ - Effect: 'Allow', - Action: 'test:Action', - Principal: { Service: 'codedeploy.cn-north-1.amazonaws.com.cn' }, + Principal: { Service: 'codedeploy.amazonaws.com' }, }); }); diff --git a/packages/aws-cdk-lib/aws-iam/test/principals.test.ts b/packages/aws-cdk-lib/aws-iam/test/principals.test.ts index 67cdb361ee257..43fb71da6005a 100644 --- a/packages/aws-cdk-lib/aws-iam/test/principals.test.ts +++ b/packages/aws-cdk-lib/aws-iam/test/principals.test.ts 
@@ -364,29 +364,13 @@ describe('deprecated ServicePrincipal behavior', () => { const afSouthStack = new Stack(undefined, undefined, { env: { region: 'af-south-1' } }); const principalName = iam.ServicePrincipal.servicePrincipalName('states.amazonaws.com'); - expect(usEastStack.resolve(principalName)).toEqual('states.us-east-1.amazonaws.com'); - expect(afSouthStack.resolve(principalName)).toEqual('states.af-south-1.amazonaws.com'); + expect(usEastStack.resolve(principalName)).toEqual('states.amazonaws.com'); + expect(afSouthStack.resolve(principalName)).toEqual('states.amazonaws.com'); }); test('Passing non-string as accountId parameter in AccountPrincipal constructor should throw error', () => { expect(() => new iam.AccountPrincipal(1234)).toThrowError('accountId should be of type string'); }); - - test('ServicePrincipal in agnostic stack generates lookup table', () => { - // GIVEN - const stack = new Stack(); - - // WHEN - new iam.Role(stack, 'Role', { - assumedBy: new iam.ServicePrincipal('states.amazonaws.com'), - }); - - // THEN - const template = Template.fromStack(stack); - const mappings = template.findMappings('ServiceprincipalMap'); - expect(mappings.ServiceprincipalMap['af-south-1']?.states).toEqual('states.af-south-1.amazonaws.com'); - expect(mappings.ServiceprincipalMap['us-east-1']?.states).toEqual('states.us-east-1.amazonaws.com'); - }); }); describe('standardized Service Principal behavior', () => { @@ -396,9 +380,7 @@ describe('standardized Service Principal behavior', () => { let app: App; beforeEach(() => { - app = new App({ - postCliContext: { [cxapi.IAM_STANDARDIZED_SERVICE_PRINCIPALS]: true }, - }); + app = new App(); }); test('no more regional service principals by default', () => { diff --git a/packages/aws-cdk-lib/aws-logs-destinations/test/kinesis.test.ts b/packages/aws-cdk-lib/aws-logs-destinations/test/kinesis.test.ts index 2062168fa3ee8..cd773f9d8d3da 100644 --- a/packages/aws-cdk-lib/aws-logs-destinations/test/kinesis.test.ts 
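Review bot: The test that survives at the top of this hunk now asserts `states.amazonaws.com` for both stacks, which is exactly what `'no more regional service principals by default'` in the following `describe` checks, yet it still sits under `describe('deprecated ServicePrincipal behavior')` (that block's header is outside the hunk). Either move it into the standardized block or rename the enclosing describe; a block named "deprecated" that asserts the current behaviour will mislead the next person adding a regression test here. With the `postCliContext` line removed, `cxapi` may no longer be referenced anywhere in this file — worth checking the imports, since lint would fail on an unused one.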
+++ b/packages/aws-cdk-lib/aws-logs-destinations/test/kinesis.test.ts @@ -32,14 +32,7 @@ test('stream can be subscription destination', () => { Action: 'sts:AssumeRole', Effect: 'Allow', Principal: { - Service: { - 'Fn::Join': ['', [ - 'logs.', - { Ref: 'AWS::Region' }, - '.', - { Ref: 'AWS::URLSuffix' }, - ]], - }, + Service: 'logs.amazonaws.com', }, }], }, @@ -102,14 +95,7 @@ test('stream can be subscription destination twice, without duplicating permissi Action: 'sts:AssumeRole', Effect: 'Allow', Principal: { - Service: { - 'Fn::Join': ['', [ - 'logs.', - { Ref: 'AWS::Region' }, - '.', - { Ref: 'AWS::URLSuffix' }, - ]], - }, + Service: 'logs.amazonaws.com', }, }], }, diff --git a/packages/aws-cdk-lib/custom-resources/test/provider-framework/waiter-state-machine.test.ts b/packages/aws-cdk-lib/custom-resources/test/provider-framework/waiter-state-machine.test.ts index d77ebdc94fa60..907a18e5d24f5 100644 --- a/packages/aws-cdk-lib/custom-resources/test/provider-framework/waiter-state-machine.test.ts +++ b/packages/aws-cdk-lib/custom-resources/test/provider-framework/waiter-state-machine.test.ts @@ -88,16 +88,7 @@ describe('state machine', () => { Action: 'sts:AssumeRole', Effect: 'Allow', Principal: { - Service: { - 'Fn::Join': [ - '', - [ - 'states.', - stack.resolve(stack.region), - '.amazonaws.com', - ], - ], - }, + Service: 'states.amazonaws.com', }, }, ], diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md index 77e2f43760b24..be8cfb6c4d69c 100644 --- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md +++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md 
@@ -38,7 +38,6 @@ Flags come in three types: | [@aws-cdk/core:enablePartitionLiterals](#aws-cdkcoreenablepartitionliterals) | Make ARNs concrete if AWS partition is known | 2.38.0 | (fix) | | [@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker](#aws-cdkaws-ecsdisableexplicitdeploymentcontrollerforcircuitbreaker) | Avoid setting the "ECS" deployment controller when adding a circuit breaker | 2.51.0 | (fix) | | [@aws-cdk/aws-events:eventsTargetQueueSameAccount](#aws-cdkaws-eventseventstargetqueuesameaccount) | Event Rules may only push to encrypted SQS queues in the same account | 2.51.0 | (fix) | -| [@aws-cdk/aws-iam:standardizedServicePrincipals](#aws-cdkaws-iamstandardizedserviceprincipals) | Use standardized (global) service principals everywhere | 2.51.0 | (fix) | | [@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName](#aws-cdkaws-iamimportedrolestacksafedefaultpolicyname) | Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in. | 2.60.0 | (fix) | | [@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy](#aws-cdkaws-s3serveraccesslogsusebucketpolicy) | Use S3 Bucket Policy instead of ACLs for Server Access Logging | 2.60.0 | (fix) | | [@aws-cdk/customresources:installLatestAwsSdkDefault](#aws-cdkcustomresourcesinstalllatestawssdkdefault) | Whether to install the latest SDK by default in AwsCustomResource | 2.60.0 | (default) | @@ -101,7 +100,6 @@ The following json shows the current recommended set of flags, as `cdk init` wou "@aws-cdk/aws-apigateway:disableCloudWatchRole": true, "@aws-cdk/core:enablePartitionLiterals": true, "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true, - "@aws-cdk/aws-iam:standardizedServicePrincipals": true, "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true, "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true, "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true, 
@@ -748,22 +746,6 @@ always apply, regardless of the value of this flag. | 2.51.0 | `false` | `true` | -### @aws-cdk/aws-iam:standardizedServicePrincipals - -*Use standardized (global) service principals everywhere* (fix) - -We used to maintain a database of exceptions to Service Principal names in various regions. This database -is no longer necessary: all service principals names have been standardized to their global form (`SERVICE.amazonaws.com`). - -This flag disables use of that exceptions database and always uses the global service principal. - - -| Since | Default | Recommended | -| ----- | ----- | ----- | -| (not in v1) | | | -| 2.51.0 | `false` | `true` | - - ### @aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName *Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in.* (fix) diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index e7fef1bdf9e82..ba01e8b9a0e6f 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts @@ -72,7 +72,6 @@ export const SNS_SUBSCRIPTIONS_SQS_DECRYPTION_POLICY = '@aws-cdk/aws-sns-subscri export const APIGATEWAY_DISABLE_CLOUDWATCH_ROLE = '@aws-cdk/aws-apigateway:disableCloudWatchRole'; export const ENABLE_PARTITION_LITERALS = '@aws-cdk/core:enablePartitionLiterals'; export const EVENTS_TARGET_QUEUE_SAME_ACCOUNT = '@aws-cdk/aws-events:eventsTargetQueueSameAccount'; -export const IAM_STANDARDIZED_SERVICE_PRINCIPALS = '@aws-cdk/aws-iam:standardizedServicePrincipals'; export const ECS_DISABLE_EXPLICIT_DEPLOYMENT_CONTROLLER_FOR_CIRCUIT_BREAKER = '@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker'; export const S3_SERVER_ACCESS_LOGS_USE_BUCKET_POLICY = '@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy'; export const ROUTE53_PATTERNS_USE_CERTIFICATE = '@aws-cdk/aws-route53-patters:useCertificate'; 
@@ -564,20 +563,6 @@ export const FLAGS: Record = { recommendedValue: true, }, - ////////////////////////////////////////////////////////////////////// - [IAM_STANDARDIZED_SERVICE_PRINCIPALS]: { - type: FlagType.BugFix, - summary: 'Use standardized (global) service principals everywhere', - detailsMd: ` - We used to maintain a database of exceptions to Service Principal names in various regions. This database - is no longer necessary: all service principals names have been standardized to their global form (\`SERVICE.amazonaws.com\`). - - This flag disables use of that exceptions database and always uses the global service principal. - `, - introducedIn: { v2: '2.51.0' }, - recommendedValue: true, - }, - ////////////////////////////////////////////////////////////////////// [ECS_DISABLE_EXPLICIT_DEPLOYMENT_CONTROLLER_FOR_CIRCUIT_BREAKER]: { type: FlagType.BugFix, diff --git a/packages/aws-cdk-lib/region-info/README.md b/packages/aws-cdk-lib/region-info/README.md index fcbbeeeceda26..c173e62bf2761 100644 --- a/packages/aws-cdk-lib/region-info/README.md +++ b/packages/aws-cdk-lib/region-info/README.md @@ -1,6 +1,5 @@ # AWS Region-Specific Information Directory - ## Usage Some information used in CDK Applications differs from one AWS region to @@ -19,7 +18,6 @@ const region = regionInfo.RegionInfo.get('eu-west-1'); // Access attributes: region.s3StaticWebsiteEndpoint; // s3-website-eu-west-1.amazonaws.com -region.servicePrincipal('logs.amazonaws.com'); // logs.eu-west-1.amazonaws.com ``` The `RegionInfo` layer is built on top of the Low-Level API, which is described 
@@ -34,10 +32,10 @@ a list of known fact names, which can then be used with the `RegionInfo` to retrieve a particular value: ```ts -const codeDeployPrincipal = regionInfo.Fact.find('us-east-1', regionInfo.FactName.servicePrincipal('codedeploy.amazonaws.com')); -// => codedeploy.us-east-1.amazonaws.com - -const staticWebsite = regionInfo.Fact.find('ap-northeast-1', regionInfo.FactName.S3_STATIC_WEBSITE_ENDPOINT); +const staticWebsite = regionInfo.Fact.find( + 'ap-northeast-1', + regionInfo.FactName.S3_STATIC_WEBSITE_ENDPOINT +); // => s3-website-ap-northeast-1.amazonaws.com ``` @@ -50,7 +48,7 @@ to inject FactName into the database: ```ts class MyFact implements regionInfo.IFact { public readonly region = 'bermuda-triangle-1'; - public readonly name = regionInfo.FactName.servicePrincipal('s3.amazonaws.com'); + public readonly name = regionInfo.FactName.S3_STATIC_WEBSITE_ENDPOINT; public readonly value = 's3-website.bermuda-triangle-1.nowhere.com'; } @@ -66,8 +64,8 @@ adding an extra boolean argument: ```ts class MyFact implements regionInfo.IFact { public readonly region = 'us-east-1'; - public readonly name = regionInfo.FactName.servicePrincipal('service.amazonaws.com'); - public readonly value = 'the-correct-principal.amazonaws.com'; + public readonly name = regionInfo.FactName.S3_STATIC_WEBSITE_ENDPOINT; + public readonly value = 'the-correct-endpoint.amazonaws.com'; } regionInfo.Fact.register(new MyFact(), true /* Allow overriding information */); diff --git a/packages/aws-cdk-lib/region-info/build-tools/generate-static-data.ts b/packages/aws-cdk-lib/region-info/build-tools/generate-static-data.ts index 7e6e9c6eeceda..041108dd6390b 100644 --- a/packages/aws-cdk-lib/region-info/build-tools/generate-static-data.ts +++ b/packages/aws-cdk-lib/region-info/build-tools/generate-static-data.ts 
@@ -18,12 +18,10 @@ import { import { AWS_CDK_METADATA } from './metadata'; import { AWS_REGIONS, - AWS_SERVICES, before, RULE_S3_WEBSITE_REGIONAL_SUBDOMAIN, RULE_CLASSIC_PARTITION_BECOMES_OPT_IN, } from '../lib/aws-entities'; -import { Default } from '../lib/default'; export async function main(): Promise { checkRegions(APPMESH_ECR_ACCOUNTS); @@ -98,10 +96,6 @@ export async function main(): Promise { const vpcEndpointServiceNamePrefix = `${domainSuffix.split('.').reverse().join('.')}.vpce`; registerFact(region, 'VPC_ENDPOINT_SERVICE_NAME_PREFIX', vpcEndpointServiceNamePrefix); - for (const service of AWS_SERVICES) { - registerFact(region, ['servicePrincipal', service], Default.servicePrincipal(service, region, domainSuffix)); - } - for (const version in CLOUDWATCH_LAMBDA_INSIGHTS_ARNS) { for (const arch in CLOUDWATCH_LAMBDA_INSIGHTS_ARNS[version]) { registerFact(region, ['cloudwatchLambdaInsightsVersion', version, arch], CLOUDWATCH_LAMBDA_INSIGHTS_ARNS[version][arch][region]); diff --git a/packages/aws-cdk-lib/region-info/lib/aws-entities.ts b/packages/aws-cdk-lib/region-info/lib/aws-entities.ts index d291d46bc1d41..f6e2d8125f24d 100644 --- a/packages/aws-cdk-lib/region-info/lib/aws-entities.ts +++ b/packages/aws-cdk-lib/region-info/lib/aws-entities.ts @@ -78,26 +78,6 @@ export const AWS_REGIONS = AWS_REGIONS_AND_RULES .filter((x) => typeof x === 'string') .sort() as readonly string[]; -/** - * Possibly non-exhaustive list of all service names, used to locate service principals. - * - * Not in the list ==> default service principal mappings. - */ -export const AWS_SERVICES: readonly string[] = [ - 'application-autoscaling', - 'autoscaling', - 'codedeploy', - 'ec2', - 'events', - 'lambda', - 'logs', - 's3', - 'ssm', - 'sns', - 'sqs', - 'states', -].sort(); - /** * Whether or not a region predates a given rule (or region). * 
diff --git a/packages/aws-cdk-lib/region-info/lib/default.ts b/packages/aws-cdk-lib/region-info/lib/default.ts index ded4f1d36551b..a8f6e494918db 100644 --- a/packages/aws-cdk-lib/region-info/lib/default.ts +++ b/packages/aws-cdk-lib/region-info/lib/default.ts @@ -1,5 +1,6 @@ /** * Provides default values for certain regional information points. + * @deprecated - Service principals are now globally `.amazonaws.com` */ export class Default { @@ -7,6 +8,8 @@ export class Default { * The default value for a VPC Endpoint Service name prefix, useful if you do * not have a synthesize-time region literal available (all you have is * `{ "Ref": "AWS::Region" }`) + * + * @deprecated - Use VpceEndpointService.VPC_ENDPOINT_SERVICE_NAME_PREFIX instead */ public static readonly VPC_ENDPOINT_SERVICE_NAME_PREFIX = 'com.amazonaws.vpce'; @@ -19,6 +22,8 @@ export class Default { * @param serviceFqn the name of the service (s3, s3.amazonaws.com, ...) * @param region the region in which the service principal is needed. * @param urlSuffix deprecated and ignored. + * + * @deprecated - Service principals are now globally `.amazonaws.com` */ public static servicePrincipal(serviceFqn: string, region: string, urlSuffix: string): string { // NOTE: this whole method is deprecated, and should not be used or updated anymore. The global service @@ -26,8 +31,6 @@ export class Default { // (As a note, regional principals (`..amazonaws.com`) are required in // case of a cross-region reference to an opt-in region, but that's the only case, and that is not // controlled here). - // - // (It cannot be actually @deprecated since many of our tests use it :D) const serviceName = extractSimpleName(serviceFqn); if (!serviceName) { diff --git a/packages/aws-cdk-lib/region-info/lib/fact.ts b/packages/aws-cdk-lib/region-info/lib/fact.ts index 1657743343c87..2f98b31b7f149 100644 --- a/packages/aws-cdk-lib/region-info/lib/fact.ts +++ b/packages/aws-cdk-lib/region-info/lib/fact.ts 
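Review bot: The deprecation pointer `Use VpceEndpointService.VPC_ENDPOINT_SERVICE_NAME_PREFIX instead` names a symbol that does not exist: the replacement added in `vpc-endpoint-service.ts` in this same patch is `VpcEndpointService.DEFAULT_PREFIX` (the class name has a stray `e` and the member name is different). Anyone following the note from the API reference will hit a dead end, so change it to ` * @deprecated Use `VpcEndpointService.DEFAULT_PREFIX` from `aws-ec2` instead`. The class-level `@deprecated` added in the previous hunk gives "Service principals are now globally `.amazonaws.com`" as the reason, which does not explain why this constant is deprecated; a one-line reason such as "the `Default` class is retired; see the replacement named on each member" would read better.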
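Review bot: The new `@deprecated` text on `Default.servicePrincipal` says principals are now globally `.amazonaws.com`, but this method looks like the one remaining code path that still builds the legacy regional form (the old expectations removed elsewhere in this patch, such as `codedeploy.cn-north-1.amazonaws.com.cn`, came through it), so a reader may assume it now returns the same thing as `ServicePrincipal` when it does not. Say that explicitly: ` * @deprecated Still returns the legacy regional form (SERVICE.REGION.SUFFIX); use iam.ServicePrincipal.servicePrincipalName() for the global form that ServicePrincipal now emits.` The method body continues outside the hunk, so what it returns is inferred from the removed test expectations rather than from its code.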
@@ -226,9 +226,11 @@ export class FactName { * @param service the service name, either simple (e.g: `s3`, `codedeploy`) or qualified (e.g: `s3.amazonaws.com`). * The `.amazonaws.com` and `.amazonaws.com.cn` domains are stripped from service names, so they are * canonicalized in that respect. + * + * @deprecated - Use `iam.ServicePrincipal.servicePrincipalName()` instead. */ public static servicePrincipal(service: string): string { - return `service-principal:${service.replace(/\.amazonaws\.com(\.cn)?$/, '')}`; + return `${service.replace(/\.amazonaws\.com(\.cn)?$/, '')}.amazonaws.com`; } /** diff --git a/packages/aws-cdk-lib/region-info/lib/region-info.ts b/packages/aws-cdk-lib/region-info/lib/region-info.ts index 5f360f206bd0a..9b932c0c22f3b 100644 --- a/packages/aws-cdk-lib/region-info/lib/region-info.ts +++ b/packages/aws-cdk-lib/region-info/lib/region-info.ts @@ -124,9 +124,11 @@ export class RegionInfo { /** * The name of the service principal for a given service in this region. * @param service the service name (e.g: s3.amazonaws.com) + * + * @deprecated - Use `iam.ServicePrincipal.servicePrincipalName()` instead. */ public servicePrincipal(service: string): string | undefined { - return Fact.find(this.name, FactName.servicePrincipal(service)); + return `${service.replace(/\.amazonaws\.com(\.cn)?$/, '')}.amazonaws.com`; } /** diff --git a/packages/aws-cdk-lib/region-info/test/__snapshots__/region-info.test.ts.snap b/packages/aws-cdk-lib/region-info/test/__snapshots__/region-info.test.ts.snap index 72c4a87d888e9..43c20a5f9364d 100644 --- a/packages/aws-cdk-lib/region-info/test/__snapshots__/region-info.test.ts.snap +++ b/packages/aws-cdk-lib/region-info/test/__snapshots__/region-info.test.ts.snap 
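Review bot: `FactName.servicePrincipal` now returns a principal value (`states.amazonaws.com`) rather than a fact name (`service-principal:states`) while still living on `FactName`, so `Fact.find(region, FactName.servicePrincipal('states'))` looks up a fact keyed `states.amazonaws.com` and yields `undefined`, and a `Fact.register` with this name (the pattern the README showed until this patch) registers a key nothing reads. Since the per-region `servicePrincipal` facts are no longer generated (the `AWS_SERVICES` loop is dropped from `generate-static-data.ts`), returning the old key form would make the lookup fail just as clearly without changing the method's contract; if the value form is intended, the doc must say so. I would add ` * Returns the global service principal itself, not a fact key; the regional lookup table no longer exists.` above the `@deprecated` line, and note there that `iam.ServicePrincipal.servicePrincipalName()` returns a resolvable token rather than a plain string (it is resolved through a stack in `principals.test.ts`). The method's doc comment starts outside the hunk.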
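Review bot: `RegionInfo.servicePrincipal` now duplicates the exact regex from `FactName.servicePrincipal` in the same package and no longer consults `Fact`, so a principal override registered through `Fact.register` — the mechanism the README documented until this patch — is silently ignored, and the region this object represents plays no part in the answer. Delegating keeps one copy of the rule: `return FactName.servicePrincipal(service);` (`FactName` is already imported here, as the removed line shows). The doc line above, `The name of the service principal for a given service in this region`, is now wrong and should read `The global service principal for the given service; identical in every region since principals were standardized.`; the `string | undefined` return type could also be narrowed to `string`, which is backward-compatible for callers, if the API-compatibility check permits it.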
@@ -45,20 +45,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.af-south-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.af-south-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.af-south-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.af-south-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "ap-east-1": { @@ -104,20 +90,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.ap-east-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.ap-east-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.ap-east-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.ap-east-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "ap-northeast-1": { 
@@ -163,20 +135,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website-ap-northeast-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.ap-northeast-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.ap-northeast-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.ap-northeast-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "ap-northeast-2": { @@ -222,20 +180,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.ap-northeast-2.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.ap-northeast-2.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.ap-northeast-2.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.ap-northeast-2.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "ap-northeast-3": { 
@@ -281,20 +225,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.ap-northeast-3.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.ap-northeast-3.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.ap-northeast-3.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.ap-northeast-3.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "ap-south-1": { @@ -340,20 +270,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.ap-south-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.ap-south-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.ap-south-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.ap-south-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "ap-south-2": { 
@@ -399,20 +315,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.ap-south-2.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.ap-south-2.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.ap-south-2.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.ap-south-2.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "ap-southeast-1": { @@ -458,20 +360,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website-ap-southeast-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.ap-southeast-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.ap-southeast-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.ap-southeast-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "ap-southeast-2": { 
@@ -517,20 +405,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website-ap-southeast-2.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.ap-southeast-2.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.ap-southeast-2.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.ap-southeast-2.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "ap-southeast-3": { @@ -576,20 +450,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.ap-southeast-3.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.ap-southeast-3.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.ap-southeast-3.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.ap-southeast-3.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "ap-southeast-4": { 
@@ -635,20 +495,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.ap-southeast-4.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.ap-southeast-4.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.ap-southeast-4.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.ap-southeast-4.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "ap-southeast-5": { @@ -694,20 +540,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.ap-southeast-5.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.ap-southeast-5.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.ap-southeast-5.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.ap-southeast-5.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "ap-southeast-7": { 
@@ -753,20 +585,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.ap-southeast-7.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.ap-southeast-7.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.ap-southeast-7.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.ap-southeast-7.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "ca-central-1": { @@ -812,20 +630,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.ca-central-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.ca-central-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.ca-central-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.ca-central-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "ca-west-1": { 
@@ -871,20 +675,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.ca-west-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.ca-west-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.ca-west-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.ca-west-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "cn-north-1": { @@ -930,20 +720,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws-cn", "s3StaticWebsiteEndpoint": "s3-website.cn-north-1.amazonaws.com.cn", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.cn-north-1.amazonaws.com.cn", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.cn-north-1.amazonaws.com.cn", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.cn-north-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "cn.com.amazonaws.vpce", }, "cn-northwest-1": { 
@@ -989,20 +765,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws-cn", "s3StaticWebsiteEndpoint": "s3-website.cn-northwest-1.amazonaws.com.cn", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.cn-northwest-1.amazonaws.com.cn", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.cn-northwest-1.amazonaws.com.cn", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.cn-northwest-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "cn.com.amazonaws.vpce", }, "eu-central-1": { @@ -1048,20 +810,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.eu-central-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.eu-central-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.eu-central-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.eu-central-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "eu-central-2": { 
@@ -1107,20 +855,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.eu-central-2.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.eu-central-2.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.eu-central-2.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.eu-central-2.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "eu-isoe-west-1": { @@ -1166,20 +900,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws-iso-e", "s3StaticWebsiteEndpoint": "s3-website.eu-isoe-west-1.cloud.adc-e.uk", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.eu-isoe-west-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.eu-isoe-west-1.cloud.adc-e.uk", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.eu-isoe-west-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "uk.adc-e.cloud.vpce", }, "eu-north-1": { 
@@ -1225,20 +945,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.eu-north-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.eu-north-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.eu-north-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.eu-north-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "eu-south-1": { @@ -1284,20 +990,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.eu-south-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.eu-south-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.eu-south-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.eu-south-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "eu-south-2": { 
@@ -1343,20 +1035,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.eu-south-2.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.eu-south-2.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.eu-south-2.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.eu-south-2.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "eu-west-1": { @@ -1402,20 +1080,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website-eu-west-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.eu-west-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.eu-west-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.eu-west-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "eu-west-2": { 
@@ -1461,20 +1125,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.eu-west-2.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.eu-west-2.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.eu-west-2.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.eu-west-2.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "eu-west-3": { @@ -1520,20 +1170,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.eu-west-3.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.eu-west-3.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.eu-west-3.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.eu-west-3.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "il-central-1": { 
@@ -1579,20 +1215,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.il-central-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.il-central-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.il-central-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.il-central-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "me-central-1": { @@ -1638,20 +1260,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.me-central-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.me-central-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.me-central-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.me-central-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "me-south-1": { 
@@ -1697,20 +1305,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.me-south-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.me-south-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.me-south-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.me-south-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "mx-central-1": { @@ -1756,20 +1350,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.mx-central-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.mx-central-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.mx-central-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.mx-central-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "sa-east-1": { 
@@ -1815,20 +1395,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website-sa-east-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.sa-east-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.sa-east-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.sa-east-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "us-east-1": { @@ -1874,20 +1440,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website-us-east-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.us-east-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.us-east-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.us-east-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "us-east-2": { 
@@ -1933,20 +1485,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website.us-east-2.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.us-east-2.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.us-east-2.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.us-east-2.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "us-gov-east-1": { @@ -1992,20 +1530,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws-us-gov", "s3StaticWebsiteEndpoint": "s3-website.us-gov-east-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.us-gov-east-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.us-gov-east-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.us-gov-east-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "us-gov-west-1": { 
@@ -2051,20 +1575,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws-us-gov", "s3StaticWebsiteEndpoint": "s3-website-us-gov-west-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.us-gov-west-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.us-gov-west-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.us-gov-west-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "us-iso-east-1": { @@ -2110,20 +1620,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws-iso", "s3StaticWebsiteEndpoint": "s3-website.us-iso-east-1.c2s.ic.gov", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.us-iso-east-1.c2s.ic.gov", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "gov.ic.c2s.vpce", }, "us-iso-west-1": { 
@@ -2169,20 +1665,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws-iso", "s3StaticWebsiteEndpoint": "s3-website.us-iso-west-1.c2s.ic.gov", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.us-iso-west-1.c2s.ic.gov", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "gov.ic.c2s.vpce", }, "us-isob-east-1": { @@ -2228,20 +1710,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws-iso-b", "s3StaticWebsiteEndpoint": "s3-website.us-isob-east-1.sc2s.sgov.gov", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.us-isob-east-1.sc2s.sgov.gov", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "gov.sgov.sc2s.vpce", }, "us-west-1": { 
@@ -2287,20 +1755,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website-us-west-1.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.us-west-1.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.us-west-1.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.us-west-1.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, "us-west-2": { @@ -2346,20 +1800,6 @@ exports[`built-in data is correct 1`] = ` }, "partition": "aws", "s3StaticWebsiteEndpoint": "s3-website-us-west-2.amazonaws.com", - "servicePrincipals": { - "application-autoscaling": "application-autoscaling.amazonaws.com", - "autoscaling": "autoscaling.amazonaws.com", - "codedeploy": "codedeploy.us-west-2.amazonaws.com", - "ec2": "ec2.amazonaws.com", - "events": "events.amazonaws.com", - "lambda": "lambda.amazonaws.com", - "logs": "logs.us-west-2.amazonaws.com", - "s3": "s3.amazonaws.com", - "sns": "sns.amazonaws.com", - "sqs": "sqs.amazonaws.com", - "ssm": "ssm.amazonaws.com", - "states": "states.us-west-2.amazonaws.com", - }, "vpcEndPointServiceNamePrefix": "com.amazonaws.vpce", }, } diff --git a/packages/aws-cdk-lib/region-info/test/region-info.test.ts b/packages/aws-cdk-lib/region-info/test/region-info.test.ts index e32147ab020a4..8adc82b0d6b0b 100644 --- a/packages/aws-cdk-lib/region-info/test/region-info.test.ts +++ b/packages/aws-cdk-lib/region-info/test/region-info.test.ts 
@@ -1,20 +1,17 @@ import { APPCONFIG_LAMBDA_LAYER_ARNS, CLOUDWATCH_LAMBDA_INSIGHTS_ARNS } from '../build-tools/fact-tables'; import { FactName, RegionInfo } from '../lib'; -import { AWS_REGIONS, AWS_SERVICES } from '../lib/aws-entities'; +import { AWS_REGIONS } from '../lib/aws-entities'; test('built-in data is correct', () => { const snapshot: any = {}; for (const name of AWS_REGIONS) { const region = RegionInfo.get(name); - const servicePrincipals: { [service: string]: string | undefined } = {}; const lambdaInsightsVersions: { [service: string]: string | undefined } = {}; const lambdaInsightsArmVersions: { [service: string]: string | undefined } = {}; const appConfigLayerVersions: { [service: string]: string | undefined } = {}; const appConfigLayerArmVersions: { [service: string]: string | undefined } = {}; - AWS_SERVICES.forEach(service => servicePrincipals[service] = region.servicePrincipal(service)); - for (const version in CLOUDWATCH_LAMBDA_INSIGHTS_ARNS) { lambdaInsightsVersions[version] = region.cloudwatchLambdaInsightsArn(version); @@ -36,7 +33,6 @@ test('built-in data is correct', () => { partition: region.partition, s3StaticWebsiteEndpoint: region.s3StaticWebsiteEndpoint, vpcEndPointServiceNamePrefix: region.vpcEndpointServiceNamePrefix, - servicePrincipals, lambdaInsightsVersions, lambdaInsightsArmVersions, appConfigLayerVersions, From eb427c54a78e1b46ee962588c2170365a73ab30a Mon Sep 17 00:00:00 2001 From: Kendra Neil <53584728+TheRealAmazonKendra@users.noreply.github.com> Date: Thu, 11 Jul 2024 16:46:30 -0700 Subject: [PATCH 2/8] fix test --- .../aws-kinesisanalytics-flink-alpha/test/application.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-kinesisanalytics-flink-alpha/test/application.test.ts b/packages/@aws-cdk/aws-kinesisanalytics-flink-alpha/test/application.test.ts index 996a018649db7..1acbed722bdd5 100644 --- a/packages/@aws-cdk/aws-kinesisanalytics-flink-alpha/test/application.test.ts 
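Review bot: Dropping `servicePrincipals` from the snapshot removes the only visible check on `RegionInfo.servicePrincipal()`, which stays public (now deprecated) and is re-implemented as a regex in this same change. A couple of direct assertions would pin the new contract for the suffixed inputs it still claims to canonicalize, e.g. `expect(RegionInfo.get('cn-north-1').servicePrincipal('s3.amazonaws.com.cn')).toBe('s3.amazonaws.com');` and `expect(RegionInfo.get('us-east-1').servicePrincipal('states')).toBe('states.amazonaws.com');`. The snapshot-building loop continues outside this hunk.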
+++ b/packages/@aws-cdk/aws-kinesisanalytics-flink-alpha/test/application.test.ts @@ -147,7 +147,7 @@ describe('Application', () => { Action: 'sts:AssumeRole', Effect: 'Allow', Principal: { - Service: 'custom-principal.amazonaws.com', + Service: 'custom-principal', }, }, ], From 2fe35017e28b96a3f94c9260f8e72f53a40100a8 Mon Sep 17 00:00:00 2001 From: Kendra Neil <53584728+TheRealAmazonKendra@users.noreply.github.com> Date: Thu, 11 Jul 2024 17:14:34 -0700 Subject: [PATCH 3/8] fix another snapshot --- .../test/__snapshots__/stepfunctions.test.ts.snap | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/packages/@aws-cdk/aws-pipes-targets-alpha/test/__snapshots__/stepfunctions.test.ts.snap b/packages/@aws-cdk/aws-pipes-targets-alpha/test/__snapshots__/stepfunctions.test.ts.snap index e0137db91ad21..ab4bac868cfbe 100644 --- a/packages/@aws-cdk/aws-pipes-targets-alpha/test/__snapshots__/stepfunctions.test.ts.snap +++ b/packages/@aws-cdk/aws-pipes-targets-alpha/test/__snapshots__/stepfunctions.test.ts.snap @@ -27,15 +27,7 @@ exports[`step-function should grant pipe role push access (StartAsyncExecution) "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { - "Service": { - "Fn::FindInMap": [ - "ServiceprincipalMap", - { - "Ref": "AWS::Region", - }, - "states", - ], - }, + "Service": "states.amazonaws.com", }, }, ], From c8a6486953532c3431d6603edb07769601b80e37 Mon Sep 17 00:00:00 2001 From: Kendra Neil <53584728+TheRealAmazonKendra@users.noreply.github.com> Date: Thu, 11 Jul 2024 19:41:13 -0700 Subject: [PATCH 4/8] additional handling to avoid breaking changes --- .../test/application.test.ts | 2 +- .../aws-cdk-lib/aws-iam/lib/principals.ts | 23 ++++++++++++------- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/packages/@aws-cdk/aws-kinesisanalytics-flink-alpha/test/application.test.ts b/packages/@aws-cdk/aws-kinesisanalytics-flink-alpha/test/application.test.ts index 1acbed722bdd5..996a018649db7 100644 
--- a/packages/@aws-cdk/aws-kinesisanalytics-flink-alpha/test/application.test.ts
+++ b/packages/@aws-cdk/aws-kinesisanalytics-flink-alpha/test/application.test.ts
@@ -147,7 +147,7 @@ describe('Application', () => {
           Action: 'sts:AssumeRole',
           Effect: 'Allow',
           Principal: {
-            Service: 'custom-principal',
+            Service: 'custom-principal.amazonaws.com',
           },
         },
       ],
diff --git a/packages/aws-cdk-lib/aws-iam/lib/principals.ts b/packages/aws-cdk-lib/aws-iam/lib/principals.ts
index 35c27ebb2f0d7..b347a8306f5a8 100644
--- a/packages/aws-cdk-lib/aws-iam/lib/principals.ts
+++ b/packages/aws-cdk-lib/aws-iam/lib/principals.ts
@@ -539,12 +539,14 @@ export class ServicePrincipal extends PrincipalBase {
    *
    * These days all service principal names are standardized, and they are all
    * of the form `.amazonaws.com`.
-   *
-   * If the feature flag `@aws-cdk/aws-iam:standardizedServicePrincipals` is set, this
-   * method will always return its input. If this feature flag is not set, this
-   * method will perform the legacy behavior, which appends the region-specific
-   * domain suffix for some select services (for example, it would append `.cn`
-   * to some service principal names).
+   * 
+   * To avoid breaking changes, handling is provided for services added with the formats below,
+   * however, no additional handling will be added for new regions or partitions.
+   * - s3
+   * - s3.amazonaws.com
+   * - s3.amazonaws.com.cn
+   * - s3.c2s.ic.gov
+   * - s3.sc2s.sgov.gov
    *
    * @example
    * const principalName = iam.ServicePrincipal.servicePrincipalName('ec2.amazonaws.com');
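Review bot: The new paragraph in the `servicePrincipalName` docstring is ambiguous — "handling is provided for services added with the formats below" never says what the handling does, and it omits that region-qualified names are left alone. Suggested replacement for the two sentences: ` * Inputs in any of the formats below are normalized to <service>.amazonaws.com; region-qualified` / ` * names (e.g. logs.us-east-1.amazonaws.com) do not match and are returned unchanged. No further` / ` * suffixes will be added for new regions or partitions.` — the pass-through behaviour follows from the `^([^.]+)(?:…)?$` pattern added to `newStandardizedBehavior` later in this file. The added `* ` line apparently carries trailing whitespace that the follow-up "spaaaaaaace" commit strips; squashing the two would keep the history tidy. The documented method's signature is outside the hunk.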
@@ -949,15 +951,20 @@ class ServicePrincipalToken implements cdk.IResolvable { */ private newStandardizedBehavior(ctx: cdk.IResolveContext) { const stack = cdk.Stack.of(ctx.scope); + + // If the user had previously set the feature flag to `false` we would allow them to provide only the service name instead of the + // entire service principal. We can't break them so now everyone gets to do it! + const match = this.service.match(/^([^.]+)(?:(?:\.amazonaws\.com(?:\.cn)?)|(?:\.c2s\.ic\.gov)|(?:\.sc2s\.sgov\.gov))?$/); + const service = match ? `${match[1]}.amazonaws.com` : this.service; if ( this.opts.region && !cdk.Token.isUnresolved(this.opts.region) && stack.region !== this.opts.region && RegionInfo.get(this.opts.region).isOptInRegion ) { - return this.service.replace(/\.amazonaws\.com$/, `.${this.opts.region}.amazonaws.com`); + return service.replace(/\.amazonaws\.com$/, `.${this.opts.region}.amazonaws.com`); } - return this.service; + return service; } public toString() { From 797305ea117dffd4d1e44dfbfe05c423a6911ee4 Mon Sep 17 00:00:00 2001 From: Kendra Neil <53584728+TheRealAmazonKendra@users.noreply.github.com> Date: Thu, 11 Jul 2024 20:00:36 -0700 Subject: [PATCH 5/8] spaaaaaaace --- packages/aws-cdk-lib/aws-iam/lib/principals.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-iam/lib/principals.ts b/packages/aws-cdk-lib/aws-iam/lib/principals.ts index b347a8306f5a8..a45853aff1de9 100644 --- a/packages/aws-cdk-lib/aws-iam/lib/principals.ts +++ b/packages/aws-cdk-lib/aws-iam/lib/principals.ts @@ -539,7 +539,7 @@ export class ServicePrincipal extends PrincipalBase { * * These days all service principal names are standardized, and they are all * of the form `.amazonaws.com`. - * + * * To avoid breaking changes, handling is provided for services added with the formats below, * however, no additional handling will be added for new regions or partitions. * - s3 
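Review bot: The regex on the new `const match = this.service.match(...)` line silently rewrites the principal string a caller supplied, but the comment above it explains only the bare-name case, not why `.amazonaws.com.cn`, `.c2s.ic.gov` and `.sc2s.sgov.gov` are collapsed to `.amazonaws.com`. Because this value becomes the `Service` of an `sts:AssumeRole` trust statement, add a why-comment such as `// Legacy partition suffixes (.amazonaws.com.cn, .c2s.ic.gov, .sc2s.sgov.gov) are folded to the now-global .amazonaws.com form; any other dotted name is passed through unchanged.` Inputs with more than one label before the suffix (for example the `<service>.<region>.amazonaws.com` form this same method emits for opt-in regions) fail the `$`-anchored match and fall through untouched, which looks intended but deserves a unit test next to the five documented formats. Hoisting the literal into a module-level `const` would also avoid recompiling it on every resolve; `newStandardizedBehavior` is fully inside the hunk.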
From f9c05c4be692294cb5444ac1cbec8311fa5fc028 Mon Sep 17 00:00:00 2001 From: Kendra Neil <53584728+TheRealAmazonKendra@users.noreply.github.com> Date: Thu, 11 Jul 2024 20:54:33 -0700 Subject: [PATCH 6/8] snapshots --- .../aws-stepfunctions-integ.template.json | 466 +++++++++--------- .../aws-stepfunctions-integ.template.json | 466 +++++++++--------- 2 files changed, 466 insertions(+), 466 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/glue/integ.glue-task.js.snapshot/aws-stepfunctions-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/glue/integ.glue-task.js.snapshot/aws-stepfunctions-integ.template.json index 883741e07b733..815de3a514d83 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/glue/integ.glue-task.js.snapshot/aws-stepfunctions-integ.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/glue/integ.glue-task.js.snapshot/aws-stepfunctions-integ.template.json 
@@ -1,253 +1,253 @@ { - "Resources": { - "GlueJobRole1CD031E0": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "glue" - } + "Resources": { + "GlueJobRole1CD031E0": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "glue.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSGlueServiceRole" + ] + ] + } + ] } - ], - "Version": "2012-10-17" }, - "ManagedPolicyArns": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" + "GlueJobRoleDefaultPolicy3D94D6F1": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + } + ] + ] + } + ] + } + ], + "Version": "2012-10-17" }, - ":iam::aws:policy/service-role/AWSGlueServiceRole" - ] - ] - } - ] - } - }, - "GlueJobRoleDefaultPolicy3D94D6F1": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":s3:::", - { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "/*" - ] - ] + "PolicyName": 
"GlueJobRoleDefaultPolicy3D94D6F1", + "Roles": [ + { + "Ref": "GlueJobRole1CD031E0" + } + ] + } + }, + "GlueJob": { + "Type": "AWS::Glue::Job", + "Properties": { + "Command": { + "Name": "glueetl", + "PythonVersion": "3", + "ScriptLocation": { + "Fn::Join": [ + "", + [ + "s3://", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "/d030bb7913ca422df69f29b2ea678ab4e5085bb3cbb17029e4b101d2dc4e3e0d.py" + ] + ] + } }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":s3:::", - { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - } + "Role": { + "Fn::GetAtt": [ + "GlueJobRole1CD031E0", + "Arn" ] - ] + }, + "GlueVersion": "1.0", + "Name": "My Glue Job" + } + }, + "StateMachineRole543B9670": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "states.amazonaws.com" + } + } + ], + "Version": "2012-10-17" } - ] } - ], - "Version": "2012-10-17" }, - "PolicyName": "GlueJobRoleDefaultPolicy3D94D6F1", - "Roles": [ - { - "Ref": "GlueJobRole1CD031E0" - } - ] - } - }, - "GlueJob": { - "Type": "AWS::Glue::Job", - "Properties": { - "Command": { - "Name": "glueetl", - "PythonVersion": "3", - "ScriptLocation": { - "Fn::Join": [ - "", - [ - "s3://", - { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + "StateMachineRoleDefaultPolicyDA5F7DA8": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "glue:BatchStopJobRun", + "glue:GetJobRun", + "glue:GetJobRuns", + "glue:StartJobRun" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":glue:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":job/My Glue Job" + ] + ] + } + } + ], + "Version": "2012-10-17" }, - 
"/d030bb7913ca422df69f29b2ea678ab4e5085bb3cbb17029e4b101d2dc4e3e0d.py" - ] - ] - } - }, - "Role": { - "Fn::GetAtt": [ - "GlueJobRole1CD031E0", - "Arn" - ] - }, - "GlueVersion": "1.0", - "Name": "My Glue Job" - } - }, - "StateMachineRole543B9670": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "states.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "StateMachineRoleDefaultPolicyDA5F7DA8": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "glue:BatchStopJobRun", - "glue:GetJobRun", - "glue:GetJobRuns", - "glue:StartJobRun" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":glue:", + "PolicyName": "StateMachineRoleDefaultPolicyDA5F7DA8", + "Roles": [ { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":job/My Glue Job" - ] + "Ref": "StateMachineRole543B9670" + } ] - } } - ], - "Version": "2012-10-17" }, - "PolicyName": "StateMachineRoleDefaultPolicyDA5F7DA8", - "Roles": [ - { - "Ref": "StateMachineRole543B9670" - } - ] - } + "StateMachine81935E76": { + "Type": "AWS::StepFunctions::StateMachine", + "Properties": { + "RoleArn": { + "Fn::GetAtt": [ + "StateMachineRole543B9670", + "Arn" + ] + }, + "DefinitionString": { + "Fn::Join": [ + "", + [ + "{\"StartAt\":\"Start Task\",\"States\":{\"Start Task\":{\"Type\":\"Pass\",\"Next\":\"Glue Job Task\"},\"Glue Job Task\":{\"Next\":\"End Task\",\"Parameters\":{\"JobName\":\"My Glue Job\",\"Arguments\":{\"--enable-metrics\":\"true\"}},\"Type\":\"Task\",\"Resource\":\"arn:", + { + "Ref": "AWS::Partition" + }, + ":states:::glue:startJobRun.sync\"},\"End Task\":{\"Type\":\"Pass\",\"End\":true}}}" + ] + ] + } + }, + "DependsOn": [ + "StateMachineRoleDefaultPolicyDA5F7DA8", + "StateMachineRole543B9670" + ], + "UpdateReplacePolicy": 
"Delete", + "DeletionPolicy": "Delete" + } }, - "StateMachine81935E76": { - "Type": "AWS::StepFunctions::StateMachine", - "Properties": { - "RoleArn": { - "Fn::GetAtt": [ - "StateMachineRole543B9670", - "Arn" - ] - }, - "DefinitionString": { - "Fn::Join": [ - "", - [ - "{\"StartAt\":\"Start Task\",\"States\":{\"Start Task\":{\"Type\":\"Pass\",\"Next\":\"Glue Job Task\"},\"Glue Job Task\":{\"Next\":\"End Task\",\"Parameters\":{\"JobName\":\"My Glue Job\",\"Arguments\":{\"--enable-metrics\":\"true\"}},\"Type\":\"Task\",\"Resource\":\"arn:", - { - "Ref": "AWS::Partition" - }, - ":states:::glue:startJobRun.sync\"},\"End Task\":{\"Type\":\"Pass\",\"End\":true}}}" - ] - ] + "Outputs": { + "StateMachineARNOutput": { + "Value": { + "Ref": "StateMachine81935E76" + } } - }, - "DependsOn": [ - "StateMachineRoleDefaultPolicyDA5F7DA8", - "StateMachineRole543B9670" - ], - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - } - }, - "Outputs": { - "StateMachineARNOutput": { - "Value": { - "Ref": "StateMachine81935E76" - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. 
[cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." } - ] } - } } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/glue/integ.start-job-run.js.snapshot/aws-stepfunctions-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/glue/integ.start-job-run.js.snapshot/aws-stepfunctions-integ.template.json index e054ff5a5c807..badcc4da61922 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/glue/integ.start-job-run.js.snapshot/aws-stepfunctions-integ.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/glue/integ.start-job-run.js.snapshot/aws-stepfunctions-integ.template.json 
@@ -1,253 +1,253 @@ { - "Resources": { - "GlueJobRole1CD031E0": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "glue" - } + "Resources": { + "GlueJobRole1CD031E0": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "glue.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSGlueServiceRole" + ] + ] + } + ] } - ], - "Version": "2012-10-17" }, - "ManagedPolicyArns": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" + "GlueJobRoleDefaultPolicy3D94D6F1": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + } + ] + ] + } + ] + } + ], + "Version": "2012-10-17" }, - ":iam::aws:policy/service-role/AWSGlueServiceRole" - ] - ] - } - ] - } - }, - "GlueJobRoleDefaultPolicy3D94D6F1": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":s3:::", - { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "/*" - ] - ] + "PolicyName": 
"GlueJobRoleDefaultPolicy3D94D6F1", + "Roles": [ + { + "Ref": "GlueJobRole1CD031E0" + } + ] + } + }, + "GlueJob": { + "Type": "AWS::Glue::Job", + "Properties": { + "Command": { + "Name": "glueetl", + "PythonVersion": "3", + "ScriptLocation": { + "Fn::Join": [ + "", + [ + "s3://", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "/d030bb7913ca422df69f29b2ea678ab4e5085bb3cbb17029e4b101d2dc4e3e0d.py" + ] + ] + } }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":s3:::", - { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - } + "Role": { + "Fn::GetAtt": [ + "GlueJobRole1CD031E0", + "Arn" ] - ] + }, + "GlueVersion": "1.0", + "Name": "My Glue Job" + } + }, + "StateMachineRole543B9670": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "states.amazonaws.com" + } + } + ], + "Version": "2012-10-17" } - ] } - ], - "Version": "2012-10-17" }, - "PolicyName": "GlueJobRoleDefaultPolicy3D94D6F1", - "Roles": [ - { - "Ref": "GlueJobRole1CD031E0" - } - ] - } - }, - "GlueJob": { - "Type": "AWS::Glue::Job", - "Properties": { - "Command": { - "Name": "glueetl", - "PythonVersion": "3", - "ScriptLocation": { - "Fn::Join": [ - "", - [ - "s3://", - { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + "StateMachineRoleDefaultPolicyDA5F7DA8": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "glue:BatchStopJobRun", + "glue:GetJobRun", + "glue:GetJobRuns", + "glue:StartJobRun" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":glue:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":job/My Glue Job" + ] + ] + } + } + ], + "Version": "2012-10-17" }, - 
"/d030bb7913ca422df69f29b2ea678ab4e5085bb3cbb17029e4b101d2dc4e3e0d.py" - ] - ] - } - }, - "Role": { - "Fn::GetAtt": [ - "GlueJobRole1CD031E0", - "Arn" - ] - }, - "GlueVersion": "1.0", - "Name": "My Glue Job" - } - }, - "StateMachineRole543B9670": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "states.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "StateMachineRoleDefaultPolicyDA5F7DA8": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "glue:BatchStopJobRun", - "glue:GetJobRun", - "glue:GetJobRuns", - "glue:StartJobRun" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":glue:", + "PolicyName": "StateMachineRoleDefaultPolicyDA5F7DA8", + "Roles": [ { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":job/My Glue Job" - ] + "Ref": "StateMachineRole543B9670" + } ] - } } - ], - "Version": "2012-10-17" }, - "PolicyName": "StateMachineRoleDefaultPolicyDA5F7DA8", - "Roles": [ - { - "Ref": "StateMachineRole543B9670" - } - ] - } + "StateMachine81935E76": { + "Type": "AWS::StepFunctions::StateMachine", + "Properties": { + "RoleArn": { + "Fn::GetAtt": [ + "StateMachineRole543B9670", + "Arn" + ] + }, + "DefinitionString": { + "Fn::Join": [ + "", + [ + "{\"StartAt\":\"Start Task\",\"States\":{\"Start Task\":{\"Type\":\"Pass\",\"Next\":\"Glue Job Task\"},\"Glue Job Task\":{\"Next\":\"End Task\",\"Type\":\"Task\",\"Resource\":\"arn:", + { + "Ref": "AWS::Partition" + }, + ":states:::glue:startJobRun.sync\",\"Parameters\":{\"JobName\":\"My Glue Job\",\"Arguments\":{\"--enable-metrics\":\"true\"}}},\"End Task\":{\"Type\":\"Pass\",\"End\":true}}}" + ] + ] + } + }, + "DependsOn": [ + "StateMachineRoleDefaultPolicyDA5F7DA8", + "StateMachineRole543B9670" + ], + "UpdateReplacePolicy": 
"Delete", + "DeletionPolicy": "Delete" + } }, - "StateMachine81935E76": { - "Type": "AWS::StepFunctions::StateMachine", - "Properties": { - "RoleArn": { - "Fn::GetAtt": [ - "StateMachineRole543B9670", - "Arn" - ] - }, - "DefinitionString": { - "Fn::Join": [ - "", - [ - "{\"StartAt\":\"Start Task\",\"States\":{\"Start Task\":{\"Type\":\"Pass\",\"Next\":\"Glue Job Task\"},\"Glue Job Task\":{\"Next\":\"End Task\",\"Type\":\"Task\",\"Resource\":\"arn:", - { - "Ref": "AWS::Partition" - }, - ":states:::glue:startJobRun.sync\",\"Parameters\":{\"JobName\":\"My Glue Job\",\"Arguments\":{\"--enable-metrics\":\"true\"}}},\"End Task\":{\"Type\":\"Pass\",\"End\":true}}}" - ] - ] + "Outputs": { + "StateMachineARNOutput": { + "Value": { + "Ref": "StateMachine81935E76" + } } - }, - "DependsOn": [ - "StateMachineRoleDefaultPolicyDA5F7DA8", - "StateMachineRole543B9670" - ], - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - } - }, - "Outputs": { - "StateMachineARNOutput": { - "Value": { - "Ref": "StateMachine81935E76" - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. 
[cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." } - ] } - } } \ No newline at end of file From e73cd3a73f6d0baabdcf4069b24c87839b5be3b8 Mon Sep 17 00:00:00 2001 From: Kendra Neil <53584728+TheRealAmazonKendra@users.noreply.github.com> Date: Thu, 11 Jul 2024 22:02:30 -0700 Subject: [PATCH 7/8] false advertising, not breaking --- scripts/check-region-info-compatibility.ts | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/check-region-info-compatibility.ts b/scripts/check-region-info-compatibility.ts index 175c82b8e215a..dd437bfad7efa 100644 --- a/scripts/check-region-info-compatibility.ts +++ b/scripts/check-region-info-compatibility.ts @@ -21,6 +21,12 @@ function main(oldPackage: string, newPackage: string) { const disappearedFacts = oldFacts .filter((oldFact) => !newFacts.some((newFact) => factEq(oldFact, newFact))) .map((fact) => ({ fact, key: `${fact[0]}:${fact[1]}` })) + // These aren't accessed directly and we've just updated our handling of them, + // not removed this functionality. The mapping is unnecessary. + // While we could have just added these to the file tracking allowed breaking changes, + // that seemed like it would clutter that file excessively rather than adding this check. + // We can remove this after the next release, if we feel so inclined. + .filter(({ key }) => !key.includes('service-principal')) .filter(({ key }) => !allowedBreaks.has(key)); if (disappearedFacts.length > 0) { From dc0183a5a4435833e2a0e78d77374feeecf4019c Mon Sep 17 00:00:00 2001 
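Review bot: The added `.filter(({ key }) => !key.includes('service-principal'))` in check-region-info-compatibility.ts exempts from the compatibility check every disappeared fact whose key merely contains that substring, in any region, and the accompanying comment only says it "can be removed after the next release". A substring test is broader than the one mapping it is meant to cover and will hide any future fact whose name happens to include it, so anchor it on the exact fact name (the `fact[1]` half of the key, to be confirmed against region-info's fact definitions) and time-box it with a `// TODO(<release placeholder>): drop this exemption` so the temporary carve-out is enforceable. `main` starts and ends outside the hunk; patch 8/8 rewords the comment but keeps the filter as written.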
From: Kendra Neil <53584728+TheRealAmazonKendra@users.noreply.github.com> Date: Fri, 12 Jul 2024 12:52:21 -0700 Subject: [PATCH 8/8] update documentation a bit for better clarity --- packages/aws-cdk-lib/region-info/lib/default.ts | 8 +++++--- scripts/check-region-info-compatibility.ts | 6 ++++-- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/packages/aws-cdk-lib/region-info/lib/default.ts b/packages/aws-cdk-lib/region-info/lib/default.ts index a8f6e494918db..f763884bfccaf 100644 --- a/packages/aws-cdk-lib/region-info/lib/default.ts +++ b/packages/aws-cdk-lib/region-info/lib/default.ts @@ -1,6 +1,8 @@ /** * Provides default values for certain regional information points. - * @deprecated - Service principals are now globally `.amazonaws.com` + * This class is no longer needed because service principals are no longer needed except in very specific cases + * that are handled in the IAM ServicePrincipal class. + * @deprecated - Service principals are now globally `.amazonaws.com`, use iam.ServicePrincipal instead. */ export class Default { @@ -9,7 +11,7 @@ export class Default { * not have a synthesize-time region literal available (all you have is * `{ "Ref": "AWS::Region" }`) * - * @deprecated - Use VpceEndpointService.VPC_ENDPOINT_SERVICE_NAME_PREFIX instead + * @deprecated - Use VpceEndpointService.DEFAULT_PREFIX instead */ public static readonly VPC_ENDPOINT_SERVICE_NAME_PREFIX = 'com.amazonaws.vpce'; @@ -23,7 +25,7 @@ export class Default { * @param region the region in which the service principal is needed. * @param urlSuffix deprecated and ignored. * - * @deprecated - Service principals are now globally `.amazonaws.com` + * @deprecated - Service principals are now globally `.amazonaws.com`, use iam.ServicePrincipal instead. */ public static servicePrincipal(serviceFqn: string, region: string, urlSuffix: string): string { // NOTE: this whole method is deprecated, and should not be used or updated anymore. The global service 
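Review bot: The reworded `@deprecated` tag in the second default.ts hunk now directs readers to `VpceEndpointService.DEFAULT_PREFIX`, but the aws-ec2 construct is, as far as I recall, spelled `VpcEndpointService`, and neither the old nor the new member name can be verified from this hunk; a deprecation pointer to a misspelled or non-existent symbol leaves readers nowhere to go. Please check the class and member against `aws-ec2/lib/vpc-endpoint-service.ts` (touched in patch 1/8) and write it with the module prefix, e.g. `* @deprecated - Use ec2.VpcEndpointService.<confirmed member> instead`, matching the `iam.ServicePrincipal` style the other two hunks in this file use. The `Default` class and `servicePrincipal` body continue outside the hunks.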
diff --git a/scripts/check-region-info-compatibility.ts b/scripts/check-region-info-compatibility.ts index dd437bfad7efa..f9886c09c615b 100644 --- a/scripts/check-region-info-compatibility.ts +++ b/scripts/check-region-info-compatibility.ts @@ -21,8 +21,10 @@ function main(oldPackage: string, newPackage: string) { const disappearedFacts = oldFacts .filter((oldFact) => !newFacts.some((newFact) => factEq(oldFact, newFact))) .map((fact) => ({ fact, key: `${fact[0]}:${fact[1]}` })) - // These aren't accessed directly and we've just updated our handling of them, - // not removed this functionality. The mapping is unnecessary. + // This mapping is generated dynamically at build time and the values in the mapping + // aren't accessed directly by users. + // This change updates the handling and generation of service principals but does not + // remove the ability of users to utilize them. The mapping is unnecessary. // While we could have just added these to the file tracking allowed breaking changes, // that seemed like it would clutter that file excessively rather than adding this check. // We can remove this after the next release, if we feel so inclined.