chore(release): 1.104.0

.mergify.yml

@@ -6,7 +6,7 @@ pull_request_rules:
       label:
         add: [ contribution/core ]
     conditions:
-      - author~=^(eladb|RomainMuller|garnaat|nija-at|skinny85|rix0rrr|NGL321|Jerry-AWS|MrArnoldPalmer|NetaNir|iliapolo|njlynch|ericzbeard|ccfife|fulghum|pkandasamy91|SoManyHs|uttarasridhar)$
+      - author~=^(eladb|RomainMuller|garnaat|nija-at|skinny85|rix0rrr|NGL321|Jerry-AWS|MrArnoldPalmer|NetaNir|iliapolo|njlynch|ericzbeard|ccfife|fulghum|pkandasamy91|SoManyHs|uttarasridhar|otaviomacedo|BenChaimberg|madeline-k)$
       - -label~="contribution/core"
   - name: automatic merge
     actions:

CHANGELOG.md

@@ -2,6 +2,32 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.104.0](https://github.com/aws/aws-cdk/compare/v1.103.0...v1.104.0) (2021-05-14)
+
+
+### ⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
+
+* **apigatewayv2:** setting the authorizer of an API route to HttpNoneAuthorizer will now remove any existing authorizer on the route
+
+### Features
+
+* **appsync:** elasticsearch data source for graphql api ([#14651](https://github.com/aws/aws-cdk/issues/14651)) ([2337b5d](https://github.com/aws/aws-cdk/commit/2337b5d965028ba06d6ff72f991c0b8e46433a8f)), closes [#6063](https://github.com/aws/aws-cdk/issues/6063)
+* **cfnspec:** cloudformation spec v35.2.0 ([#14610](https://github.com/aws/aws-cdk/issues/14610)) ([799ce1a](https://github.com/aws/aws-cdk/commit/799ce1a7d5fb261cae92d514b4f7e315d8f0e589))
+* **cloudwatch:** GraphWidget supports period and statistic ([#14679](https://github.com/aws/aws-cdk/issues/14679)) ([b240f6e](https://github.com/aws/aws-cdk/commit/b240f6ece74d129e5f43b210e8ad12f95c4a2971))
+* **cloudwatch:** time range support for GraphWidget ([#14659](https://github.com/aws/aws-cdk/issues/14659)) ([010a6b1](https://github.com/aws/aws-cdk/commit/010a6b1a14f14be5001779644df3d3a2e27d4e71)), closes [#4649](https://github.com/aws/aws-cdk/issues/4649)
+* **ecs:** add support for EC2 Capacity Providers ([#14386](https://github.com/aws/aws-cdk/issues/14386)) ([114f7cc](https://github.com/aws/aws-cdk/commit/114f7ccdaf736988834fe2be487363a992a31369))
+* **secretsmanager:** Automatically grant permissions to rotation Lambda ([#14471](https://github.com/aws/aws-cdk/issues/14471)) ([85e00fa](https://github.com/aws/aws-cdk/commit/85e00faf1e3bcc32c2f7aa881d42c6d1f6c17f63))
+
+
+### Bug Fixes
+
+* **apigatewayv2:** authorizer is not removed when HttpNoneAuthorizer is used ([#14424](https://github.com/aws/aws-cdk/issues/14424)) ([3698a91](https://github.com/aws/aws-cdk/commit/3698a91ac81a31f763c55487f200458d5b5eaf0f))
+* **ecs:** Classes FargateService and Ec2Service have no defaultChild ([#14691](https://github.com/aws/aws-cdk/issues/14691)) ([348e11e](https://github.com/aws/aws-cdk/commit/348e11e26edc0ff90b623b7cec778f4935e61e6d)), closes [#14665](https://github.com/aws/aws-cdk/issues/14665)
+* **events-targets:** circular dependency when adding a KMS-encrypted SQS queue  ([#14638](https://github.com/aws/aws-cdk/issues/14638)) ([3063818](https://github.com/aws/aws-cdk/commit/3063818aa7c3c3ff56cf55254b0f6561db190a3e)), closes [#11158](https://github.com/aws/aws-cdk/issues/11158)
+* **lambda:** custom resource fails to connect to efs filesystem ([#14431](https://github.com/aws/aws-cdk/issues/14431)) ([10a633c](https://github.com/aws/aws-cdk/commit/10a633c8cda9f21b85c82f911d88641f3a362c4d))
+* **lambda-event-sources:** incorrect documented defaults for stream types ([#14562](https://github.com/aws/aws-cdk/issues/14562)) ([0ea24e9](https://github.com/aws/aws-cdk/commit/0ea24e95939412765c0e09133a7793557f779c76)), closes [#13908](https://github.com/aws/aws-cdk/issues/13908)
+* **lambda-nodejs:** handler filename missing from error message ([#14564](https://github.com/aws/aws-cdk/issues/14564)) ([256fd4c](https://github.com/aws/aws-cdk/commit/256fd4c6fcdbe6519bc70f62415557dbeae950a1))
+
 ## [1.103.0](https://github.com/aws/aws-cdk/compare/v1.102.0...v1.103.0) (2021-05-10)
 
 

CONTRIBUTING.md

@@ -56,6 +56,8 @@ The following tools need to be installed on your system prior to installing the
 - [Yarn >= 1.19.1, < 2](https://yarnpkg.com/lang/en/docs/install)
 - [.NET Core SDK 3.1.x](https://www.microsoft.com/net/download)
 - [Python >= 3.6.5, < 4.0](https://www.python.org/downloads/release/python-365/)
+- [Docker >= 19.03](https://docs.docker.com/get-docker/)
+  - the Docker daemon must also be running
 
 First fork the repository, and then run the following commands to clone the repository locally.
 
@@ -113,8 +115,9 @@ However, if you wish to build the the entire repository, the following command w
 
 ```console
 cd <root of the CDK repo>
-yarn build
+scripts/foreach.sh yarn build
 ```
+Note: The `foreach` command is resumable by default; you must supply `-r` or `--reset` to start a new session.
 
 You are now ready to start contributing to the CDK. See the [Pull Requests](#pull-requests) section on how to make your
 changes and submit it as a pull request.

packages/@aws-cdk-containers/ecs-service-extensions/README.md

@@ -61,19 +61,19 @@ const nameService = new Service(stack, 'name', {
 ## Creating an `Environment`
 
 An `Environment` is a place to deploy your services. You can have multiple environments
-on a single AWS account. For example you could create a `test` environment as well
-as a `production` environment so you have a place to verify that you application
+on a single AWS account. For example, you could create a `test` environment as well
+as a `production` environment so you have a place to verify that your application
 works as intended before you deploy it to a live environment.
 
-Each environment is isolated from other environments. In specific
-by default when you create an environment the construct supplies its own VPC,
+Each environment is isolated from other environments. In other words,
+when you create an environment, by default the construct supplies its own VPC,
 ECS Cluster, and any other required resources for the environment:
 
 ```ts
 const environment = new Environment(stack, 'production');
 ```
 
-However, you can also choose to build an environment out of a pre-existing VPC,
+However, you can also choose to build an environment out of a pre-existing VPC
 or ECS Cluster:
 
 ```ts
@@ -89,7 +89,7 @@ const environment = new Environment(stack, 'production', {
 ## Defining your `ServiceDescription`
 
 The `ServiceDescription` defines what application you want the service to run and
-what optional extensions you want to add to the service. The most basic form of a `ServiceExtension` looks like this:
+what optional extensions you want to add to the service. The most basic form of a `ServiceDescription` looks like this:
 
 ```ts
 const nameDescription = new ServiceDescription();
@@ -105,9 +105,9 @@ nameDescription.add(new Container({
 ```
 
 Every `ServiceDescription` requires at minimum that you add a `Container` extension
-which defines the main application container to run for the service.
+which defines the main application (essential) container to run for the service.
 
-After that you can optionally enable additional features for the service using the `ServiceDescription.add()` method:
+After that, you can optionally enable additional features for the service using the `ServiceDescription.add()` method:
 
 ```ts
 nameDescription.add(new AppMeshExtension({ mesh }));
@@ -238,7 +238,7 @@ frontend.connectTo(backend);
 
 The address that a service will use to talk to another service depends on the
 type of ingress that has been created by the extension that did the connecting.
-For example if an App Mesh extension has been used then the service is accessible
+For example, if an App Mesh extension has been used, then the service is accessible
 at a DNS address of `<service name>.<environment name>`. For example:
 
 ```ts
@@ -280,7 +280,7 @@ const backend = new Service(stack, 'backend', {
 frontend.connectTo(backend);
 ```
 
-The above code uses the well known service discovery name for each
+The above code uses the well-known service discovery name for each
 service, and passes it as an environment variable to the container so
 that the container knows what address to use when communicating to
 the other service.

packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.alb.expected.json

@@ -633,6 +633,7 @@
           "Ref": "HttpProxyPrivateApiA55E154D"
         },
         "RouteKey": "$default",
+        "AuthorizationType": "NONE",
         "Target": {
           "Fn::Join": [
             "",

packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.http-proxy.expected.json

@@ -117,6 +117,7 @@
           "Ref": "LambdaProxyApi67594471"
         },
         "RouteKey": "$default",
+        "AuthorizationType": "NONE",
         "Target": {
           "Fn::Join": [
             "",
@@ -185,6 +186,7 @@
           "Ref": "HttpProxyApiD0217C67"
         },
         "RouteKey": "$default",
+        "AuthorizationType": "NONE",
         "Target": {
           "Fn::Join": [
             "",

packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.lambda-proxy.expected.json

@@ -117,6 +117,7 @@
           "Ref": "LambdaProxyApi67594471"
         },
         "RouteKey": "$default",
+        "AuthorizationType": "NONE",
         "Target": {
           "Fn::Join": [
             "",

packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.nlb.expected.json

@@ -598,6 +598,7 @@
           "Ref": "HttpProxyPrivateApiA55E154D"
         },
         "RouteKey": "$default",
+        "AuthorizationType": "NONE",
         "Target": {
           "Fn::Join": [
             "",

packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.service-discovery.expected.json

@@ -602,6 +602,7 @@
           "Ref": "HttpProxyPrivateApiA55E154D"
         },
         "RouteKey": "$default",
+        "AuthorizationType": "NONE",
         "Target": {
           "Fn::Join": [
             "",

packages/@aws-cdk/aws-apigatewayv2/lib/http/route.ts

@@ -156,8 +156,6 @@ export class HttpRoute extends Resource implements IHttpRoute {
       ]));
     }
 
-    const authorizationType = authBindResult?.authorizationType === HttpAuthorizerType.NONE ? undefined : authBindResult?.authorizationType;
-
     if (authorizationScopes?.length === 0) {
       authorizationScopes = undefined;
     }
@@ -167,7 +165,7 @@ export class HttpRoute extends Resource implements IHttpRoute {
       routeKey: props.routeKey.key,
       target: `integrations/${integration.integrationId}`,
       authorizerId: authBindResult?.authorizerId,
-      authorizationType,
+      authorizationType: authBindResult?.authorizationType ?? HttpAuthorizerType.NONE, // must be explicitly NONE (not undefined) for stack updates to work correctly
       authorizationScopes,
     };
 

packages/@aws-cdk/aws-apigatewayv2/test/http/api.test.ts

@@ -429,6 +429,7 @@ describe('HttpApi', () => {
 
       expect(stack).toHaveResource('AWS::ApiGatewayV2::Route', {
         RouteKey: 'GET /chickens',
+        AuthorizationType: 'NONE',
         AuthorizerId: ABSENT,
       });
     });

packages/@aws-cdk/aws-apigatewayv2/test/http/route.test.ts

@@ -30,6 +30,7 @@ describe('HttpRoute', () => {
           ],
         ],
       },
+      AuthorizationType: 'NONE',
     });
 
     expect(stack).toHaveResource('AWS::ApiGatewayV2::Integration', {

packages/@aws-cdk/aws-appmesh/README.md

@@ -27,7 +27,7 @@ App Mesh gives you consistent visibility and network traffic controls for every
 
 App Mesh supports microservice applications that use service discovery naming for their components. To use App Mesh, you must have an existing application running on AWS Fargate, Amazon ECS, Amazon EKS, Kubernetes on AWS, or Amazon EC2.
 
-For futher information on **AWS AppMesh** visit the [AWS Docs for AppMesh](https://docs.aws.amazon.com/app-mesh/index.html).
+For further information on **AWS AppMesh** visit the [AWS Docs for AppMesh](https://docs.aws.amazon.com/app-mesh/index.html).
 
 ## Create the App and Stack
 

packages/@aws-cdk/aws-appsync/README.md

@@ -240,6 +240,47 @@ httpDs.createResolver({
 });
 ```
 
+### Elasticsearch
+
+AppSync has builtin support for Elasticsearch from domains that are provisioned
+through your AWS account. You can use AppSync resolvers to perform GraphQL operations
+such as queries, mutations, and subscriptions.
+
+```ts
+const user = new User(stack, 'User');
+const domain = new es.Domain(stack, 'Domain', {
+  version: es.ElasticsearchVersion.V7_1,
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
+  fineGrainedAccessControl: { masterUserArn: user.userArn },
+  encryptionAtRest: { enabled: true },
+  nodeToNodeEncryption: true,
+  enforceHttps: true,
+});
+
+const ds = api.addElasticsearchDataSource('ds', domain);
+
+ds.createResolver({
+  typeName: 'Query',
+  fieldName: 'getTests',
+  requestMappingTemplate: appsync.MappingTemplate.fromString(JSON.stringify({
+    version: '2017-02-28',
+    operation: 'GET',
+    path: '/id/post/_search',
+    params: {
+      headers: {},
+      queryString: {},
+      body: { from: 0, size: 50 },
+    },
+  })),
+  responseMappingTemplate: appsync.MappingTemplate.fromString(`[
+    #foreach($entry in $context.result.hits.hits)
+    #if( $velocityCount > 1 ) , #end
+    $utils.toJson($entry.get("_source"))
+    #end
+  ]`),
+});
+```
+
 ## Schema
 
 Every GraphQL Api needs a schema to define the Api. CDK offers `appsync.Schema`
@@ -718,7 +759,7 @@ You can create Object Types in three ways:
       name: 'demo',
     });
     const demo = new appsync.ObjectType('Demo', {
-      defintion: {
+      definition: {
         id: appsync.GraphqlType.string({ isRequired: true }),
         version: appsync.GraphqlType.string({ isRequired: true }),
       },
@@ -741,7 +782,7 @@ You can create Object Types in three ways:
     ```ts
     import { required_string } from './scalar-types';
     export const demo = new appsync.ObjectType('Demo', {
-      defintion: {
+      definition: {
         id: required_string,
         version: required_string,
       },
@@ -765,7 +806,7 @@ You can create Object Types in three ways:
     });
     const demo = new appsync.ObjectType('Demo', {
       interfaceTypes: [ node ],
-      defintion: {
+      definition: {
         version: appsync.GraphqlType.string({ isRequired: true }),
       },
     });

packages/@aws-cdk/aws-appsync/lib/data-source.ts

@@ -1,4 +1,5 @@
 import { ITable } from '@aws-cdk/aws-dynamodb';
+import { IDomain } from '@aws-cdk/aws-elasticsearch';
 import { Grant, IGrantable, IPrincipal, IRole, Role, ServicePrincipal } from '@aws-cdk/aws-iam';
 import { IFunction } from '@aws-cdk/aws-lambda';
 import { IServerlessCluster } from '@aws-cdk/aws-rds';
@@ -349,12 +350,14 @@ export class RdsDataSource extends BackedDataSource {
     props.secretStore.grantRead(this);
 
     // Change to grant with RDS grant becomes implemented
+
+    props.serverlessCluster.grantDataApiAccess(this);
+
     Grant.addToPrincipal({
       grantee: this,
       actions: [
         'rds-data:DeleteItems',
         'rds-data:ExecuteSql',
-        'rds-data:ExecuteStatement',
         'rds-data:GetItems',
         'rds-data:InsertItems',
         'rds-data:UpdateItems',
@@ -363,4 +366,31 @@ export class RdsDataSource extends BackedDataSource {
       scope: this,
     });
   }
+}
+
+/**
+ * Properities for the Elasticsearch Data Source
+ */
+export interface ElasticsearchDataSourceProps extends BackedDataSourceProps {
+  /**
+   * The elasticsearch domain containing the endpoint for the data source
+   */
+  readonly domain: IDomain;
+}
+
+/**
+ * An Appsync datasource backed by Elasticsearch
+ */
+export class ElasticsearchDataSource extends BackedDataSource {
+  constructor(scope: Construct, id: string, props: ElasticsearchDataSourceProps) {
+    super(scope, id, props, {
+      type: 'AMAZON_ELASTICSEARCH',
+      elasticsearchConfig: {
+        awsRegion: props.domain.stack.region,
+        endpoint: `https://${props.domain.domainEndpoint}`,
+      },
+    });
+
+    props.domain.grantReadWrite(this);
+  }
 }

packages/@aws-cdk/aws-appsync/lib/graphqlapi-base.ts

@@ -1,9 +1,10 @@
 import { ITable } from '@aws-cdk/aws-dynamodb';
+import { IDomain } from '@aws-cdk/aws-elasticsearch';
 import { IFunction } from '@aws-cdk/aws-lambda';
 import { IServerlessCluster } from '@aws-cdk/aws-rds';
 import { ISecret } from '@aws-cdk/aws-secretsmanager';
 import { CfnResource, IResource, Resource } from '@aws-cdk/core';
-import { DynamoDbDataSource, HttpDataSource, LambdaDataSource, NoneDataSource, RdsDataSource, AwsIamConfig } from './data-source';
+import { DynamoDbDataSource, HttpDataSource, LambdaDataSource, NoneDataSource, RdsDataSource, AwsIamConfig, ElasticsearchDataSource } from './data-source';
 import { Resolver, ExtendedResolverProps } from './resolver';
 
 /**
@@ -110,6 +111,15 @@ export interface IGraphqlApi extends IResource {
     options?: DataSourceOptions
   ): RdsDataSource;
 
+  /**
+   * add a new elasticsearch data source to this API
+   *
+   * @param id The data source's id
+   * @param domain The elasticsearch domain for this data source
+   * @param options The optional configuration for this data source
+   */
+  addElasticsearchDataSource(id: string, domain: IDomain, options?: DataSourceOptions): ElasticsearchDataSource;
+
   /**
    * creates a new resolver for this datasource and API using the given properties
    */
@@ -228,6 +238,22 @@ export abstract class GraphqlApiBase extends Resource implements IGraphqlApi {
     });
   }
 
+  /**
+   * add a new elasticsearch data source to this API
+   *
+   * @param id The data source's id
+   * @param domain The elasticsearch domain for this data source
+   * @param options The optional configuration for this data source
+   */
+  public addElasticsearchDataSource(id: string, domain: IDomain, options?: DataSourceOptions): ElasticsearchDataSource {
+    return new ElasticsearchDataSource(this, id, {
+      api: this,
+      name: options?.name,
+      description: options?.description,
+      domain,
+    });
+  }
+
   /**
    * creates a new resolver for this datasource and API using the given properties
    */