Merge branch 'main' into merge-back/2.86.0

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.instance-public.js.snapshot/cdk.out

@@ -1 +1 @@
-{"version":"31.0.0"}
+{"version":"32.0.0"}

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.instance-public.js.snapshot/instancetestDefaultTestDeployAssert5516EAF1.assets.json

@@ -1,5 +1,5 @@
 {
-  "version": "31.0.0",
+  "version": "32.0.0",
   "files": {
     "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
       "source": {

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.instance-public.js.snapshot/integ-ec2-instance.assets.json

@@ -1,5 +1,5 @@
 {
-  "version": "31.0.0",
+  "version": "32.0.0",
   "files": {
     "488d9cf540c6790fc09af871e06438e043f47d03101ef192131f1dafbbb434cb": {
       "source": {

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.instance-public.js.snapshot/integ.json

@@ -1,5 +1,5 @@
 {
-  "version": "31.0.0",
+  "version": "32.0.0",
   "testCases": {
     "instance-test/DefaultTest": {
       "stacks": [

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.instance-public.js.snapshot/manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "31.0.0",
+  "version": "32.0.0",
   "artifacts": {
     "integ-ec2-instance.assets": {
       "type": "cdk:asset-manifest",
@@ -126,7 +126,10 @@
         "/integ-ec2-instance/Instance/Resource": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "InstanceC1063A87"
+            "data": "InstanceC1063A87",
+            "trace": [
+              "!!DESTRUCTIVE_CHANGES: WILL_REPLACE"
+            ]
           }
         ],
         "/integ-ec2-instance/SsmParameterValue:--aws--service--ami-amazon-linux-latest--amzn2-ami-hvm-x86_64-gp2:C96584B6-F00A-464E-AD19-53AFF4B05118.Parameter": [

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.instance-public.js.snapshot/tree.json

@@ -587,7 +587,7 @@
                 "path": "instance-test/DefaultTest/Default",
                 "constructInfo": {
                   "fqn": "constructs.Construct",
-                  "version": "10.2.9"
+                  "version": "10.2.26"
                 }
               },
               "DeployAssert": {
@@ -633,7 +633,7 @@
         "path": "Tree",
         "constructInfo": {
           "fqn": "constructs.Construct",
-          "version": "10.2.9"
+          "version": "10.2.26"
         }
       }
     },

packages/@aws-cdk/aws-batch-alpha/README.md

@@ -495,6 +495,29 @@ jobDefn.container.addVolume(batch.EcsVolume.efs({
 }));
 ```
 
+### Secrets
+
+You can expose SecretsManager Secret ARNs to your container as environment variables.
+The following example defines the `MY_SECRET_ENV_VAR` environment variable that contains the
+ARN of the Secret defined by `mySecret`:
+
+```ts
+import * as cdk from 'aws-cdk-lib';
+
+declare const mySecret: secretsmanager.ISecret;
+
+const jobDefn = new batch.EcsJobDefinition(this, 'JobDefn', {
+  container: new batch.EcsEc2ContainerDefinition(this, 'containerDefn', {
+    image: ecs.ContainerImage.fromRegistry('public.ecr.aws/amazonlinux/amazonlinux:latest'),
+    memory: cdk.Size.mebibytes(2048),
+    cpu: 256,
+    secrets: {
+      MY_SECRET_ENV_VAR: mySecret,
+    }
+  }),
+});
+```
+
 ### Running Kubernetes Workflows
 
 Batch also supports running workflows on EKS. The following example creates a `JobDefinition` that runs on EKS:

packages/@aws-cdk/aws-batch-alpha/lib/ecs-container-definition.ts

@@ -342,13 +342,14 @@ export interface IEcsContainerDefinition extends IConstruct {
   readonly readonlyRootFilesystem?: boolean;
 
   /**
-   * The secrets for the container. Can be referenced in your job definition.
+   * A map from environment variable names to the secrets for the container. Allows your job definitions
+   * to reference the secret by the environment variable name defined in this property.
    *
    * @see https://docs.aws.amazon.com/batch/latest/userguide/specifying-sensitive-data.html
    *
    * @default - no secrets
    */
-  readonly secrets?: secretsmanager.ISecret[];
+  readonly secrets?: { [envVarName: string]: secretsmanager.ISecret };
 
   /**
    * The user name to use inside the container
@@ -458,13 +459,14 @@ export interface EcsContainerDefinitionProps {
   readonly readonlyRootFilesystem?: boolean;
 
   /**
-   * The secrets for the container. Can be referenced in your job definition.
+   * A map from environment variable names to the secrets for the container. Allows your job definitions
+   * to reference the secret by the environment variable name defined in this property.
    *
    * @see https://docs.aws.amazon.com/batch/latest/userguide/specifying-sensitive-data.html
    *
    * @default - no secrets
    */
-  readonly secrets?: secretsmanager.ISecret[];
+  readonly secrets?: { [envVarName: string]: secretsmanager.ISecret };
 
   /**
    * The user name to use inside the container
@@ -495,7 +497,7 @@ abstract class EcsContainerDefinitionBase extends Construct implements IEcsConta
   public readonly linuxParameters?: LinuxParameters;
   public readonly logDriverConfig?: ecs.LogDriverConfig;
   public readonly readonlyRootFilesystem?: boolean;
-  public readonly secrets?: secretsmanager.ISecret[];
+  public readonly secrets?: { [envVarName: string]: secretsmanager.ISecret };
   public readonly user?: string;
   public readonly volumes: EcsVolume[];
 
@@ -553,12 +555,12 @@ abstract class EcsContainerDefinitionBase extends Construct implements IEcsConta
       logConfiguration: this.logDriverConfig,
       readonlyRootFilesystem: this.readonlyRootFilesystem,
       resourceRequirements: this._renderResourceRequirements(),
-      secrets: this.secrets?.map((secret) => {
+      secrets: this.secrets ? Object.entries(this.secrets).map(([name, secret]) => {
         return {
-          name: secret.secretName,
+          name,
           valueFrom: secret.secretArn,
         };
-      }),
+      }) : undefined,
       mountPoints: Lazy.any({
         produce: () => {
           if (this.volumes.length === 0) {

packages/@aws-cdk/aws-batch-alpha/lib/eks-container-definition.ts

@@ -647,9 +647,9 @@ export interface EksVolumeOptions {
   readonly name: string;
 
   /**
-   * The path on the container where the container is mounted.
+   * The path on the container where the volume is mounted.
    *
-   * @default - the container is not mounted
+   * @default - the volume is not mounted
    */
   readonly mountPath?: string;
 
@@ -902,7 +902,7 @@ export class SecretPathVolume extends EksVolume {
   constructor(options: SecretPathVolumeOptions) {
     super(options);
     this.secretName = options.secretName;
-    this.optional = options.optional;
+    this.optional = options.optional ?? true;
   }
 }
 

packages/@aws-cdk/aws-batch-alpha/lib/eks-job-definition.ts

@@ -192,14 +192,13 @@ export class EksJobDefinition extends JobDefinitionBase implements IEksJobDefini
                   };
                 }
                 if (SecretPathVolume.isSecretPathVolume(volume)) {
-                  /*return {
+                  return {
                     name: volume.name,
                     secret: {
                       optional: volume.optional,
                       secretName: volume.secretName,
                     },
                   };
-                  */
                 }
 
                 throw new Error('unknown volume type');

packages/@aws-cdk/aws-batch-alpha/test/ecs-container-definition.test.ts

@@ -255,9 +255,9 @@ describe.each([EcsEc2ContainerDefinition, EcsFargateContainerDefinition])('%p',
     new EcsJobDefinition(stack, 'ECSJobDefn', {
       container: new ContainerDefinition(stack, 'EcsContainer', {
         ...defaultContainerProps,
-        secrets: [
-          new Secret(stack, 'testSecret'),
-        ],
+        secrets: {
+          envName: new Secret(stack, 'testSecret'),
+        },
       }),
     });
 
@@ -268,59 +268,7 @@ describe.each([EcsEc2ContainerDefinition, EcsFargateContainerDefinition])('%p',
         ...pascalCaseExpectedProps.ContainerProperties,
         Secrets: [
           {
-            Name: {
-              'Fn::Join': [
-                '-',
-                [
-                  {
-                    'Fn::Select': [
-                      0,
-                      {
-                        'Fn::Split': [
-                          '-',
-                          {
-                            'Fn::Select': [
-                              6,
-                              {
-                                'Fn::Split': [
-                                  ':',
-                                  {
-                                    Ref: 'testSecretB96AD12C',
-                                  },
-                                ],
-                              },
-                            ],
-                          },
-                        ],
-                      },
-                    ],
-                  },
-                  {
-                    'Fn::Select': [
-                      1,
-                      {
-                        'Fn::Split': [
-                          '-',
-                          {
-                            'Fn::Select': [
-                              6,
-                              {
-                                'Fn::Split': [
-                                  ':',
-                                  {
-                                    Ref: 'testSecretB96AD12C',
-                                  },
-                                ],
-                              },
-                            ],
-                          },
-                        ],
-                      },
-                    ],
-                  },
-                ],
-              ],
-            },
+            Name: 'envName',
             ValueFrom: { Ref: 'testSecretB96AD12C' },
           },
         ],