aws
diff --git a/‎CHANGELOG.md
+7 b/‎CHANGELOG.md
+7
diff --git a/‎README.md
+6 b/‎README.md
+6
diff --git a/‎package.json
+2-1 b/‎package.json
+2-1
diff --git a/‎packages/@aws-cdk/aws-apigatewayv2-authorizers/lib/websocket/lambda.ts
+6-2 b/‎packages/@aws-cdk/aws-apigatewayv2-authorizers/lib/websocket/lambda.ts
+6-2
diff --git a/‎packages/@aws-cdk/aws-apigatewayv2-authorizers/test/websocket/lambda.test.ts
+1-1 b/‎packages/@aws-cdk/aws-apigatewayv2-authorizers/test/websocket/lambda.test.ts
+1-1
diff --git a/‎packages/@aws-cdk/aws-certificatemanager/README.md
+12-8 b/‎packages/@aws-cdk/aws-certificatemanager/README.md
+12-8
diff --git a/‎packages/@aws-cdk/aws-certificatemanager/package.json
+8-1 b/‎packages/@aws-cdk/aws-certificatemanager/package.json
+8-1
diff --git a/‎packages/@aws-cdk/aws-certificatemanager/rosetta/default.ts-fixture
+12 b/‎packages/@aws-cdk/aws-certificatemanager/rosetta/default.ts-fixture
+12
diff --git a/‎packages/@aws-cdk/aws-cloudfront-origins/README.md
+6-8 b/‎packages/@aws-cdk/aws-cloudfront-origins/README.md
+6-8
diff --git a/‎packages/@aws-cdk/aws-cloudfront-origins/package.json
+8-1 b/‎packages/@aws-cdk/aws-cloudfront-origins/package.json
+8-1
diff --git a/‎packages/@aws-cdk/aws-cloudfront-origins/rosetta/default.ts-fixture
+15 b/‎packages/@aws-cdk/aws-cloudfront-origins/rosetta/default.ts-fixture
+15
diff --git a/‎packages/@aws-cdk/aws-cloudtrail/package.json
+2-2 b/‎packages/@aws-cdk/aws-cloudtrail/package.json
+2-2
@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.138.2](https://github.com/aws/aws-cdk/compare/v1.138.1...v1.138.2) (2022-01-09)
+
+
+### Bug Fixes
+
+* **cli:** breaks due to faulty version of `colors` ([#18324](https://github.com/aws/aws-cdk/issues/18324)) ([43bf9ae](https://github.com/aws/aws-cdk/commit/43bf9aec0b3c5e06d5382b29f4e8e0c91cd796ca))
+
 ## [1.138.1](https://github.com/aws/aws-cdk/compare/v1.138.0...v1.138.1) (2022-01-07)
 
 
 
@@ -153,6 +153,12 @@ this capability, please see the
 ## More Resources
 * [CDK Workshop](https://cdkworkshop.com/)
 * [Construct Hub](https://constructs.dev) - Find and use open-source Cloud Development Kit (CDK) libraries
+* Best Practices
+  * [Best practices for developing cloud applications with AWS CDK](https://aws.amazon.com/blogs/devops/best-practices-for-developing-cloud-applications-with-aws-cdk/)
+  * [Align with best practices while creating infrastructure using cdk aspects](https://aws.amazon.com/blogs/devops/align-with-best-practices-while-creating-infrastructure-using-cdk-aspects/)
+  * [Recommended AWS CDK project structure for Python applications](https://aws.amazon.com/blogs/developer/recommended-aws-cdk-project-structure-for-python-applications/)
+  * [Best practices for discoverability of a construct library on Construct Hub](https://aws.amazon.com/blogs/opensource/best-practices-for-discoverability-of-a-construct-library-on-construct-hub/)
+* [All developer blog posts about AWS CDK](https://aws.amazon.com/blogs/developer/category/developer-tools/aws-cloud-development-kit/)
 * **[CDK Construction Zone](https://www.twitch.tv/collections/9kCOGphNZBYVdA)** - A Twitch live coding series hosted by the CDK team, season one episodes:
   * Triggers: Join us as we implement [Triggers](https://github.com/aws/aws-cdk-rfcs/issues/71), a Construct for configuring deploy time actions. Episodes 1-3:
     * [S1E1](https://www.twitch.tv/videos/917691798): Triggers (part 1); **Participants:** @NetaNir, @eladb, @richardhboyd
 
@@ -31,6 +31,7 @@
     "typescript": "~3.9.10"
   },
   "resolutions": {
+    "colors": "1.4.0",
     "string-width": "^4.2.3"
   },
   "repository": {
@@ -179,4 +180,4 @@
   "dependencies": {
     "string-width": "^4.2.3"
   }
-}
+}
@@ -28,7 +28,11 @@ export interface WebSocketLambdaAuthorizerProps {
   /**
    * The identity source for which authorization is requested.
    *
-   * @default ['$request.header.Authorization']
+   * Request parameter match `'route.request.querystring|header.[a-zA-z0-9._-]+'`.
+   * Staged variable match `'stageVariables.[a-zA-Z0-9._-]+'`.
+   * Context parameter match `'context.[a-zA-Z0-9._-]+'`.
+   *
+   * @default ['route.request.header.Authorization']
    */
   readonly identitySource?: string[];
 }
@@ -56,7 +60,7 @@ export class WebSocketLambdaAuthorizer implements IWebSocketRouteAuthorizer {
       this.authorizer = new WebSocketAuthorizer(options.scope, this.id, {
         webSocketApi: options.route.webSocketApi,
         identitySource: this.props.identitySource ?? [
-          '$request.header.Authorization',
+          'route.request.header.Authorization',
         ],
         type: WebSocketAuthorizerType.LAMBDA,
         authorizerName: this.props.authorizerName ?? this.id,
 
@@ -35,7 +35,7 @@ describe('WebSocketLambdaAuthorizer', () => {
       Name: 'default-authorizer',
       AuthorizerType: 'REQUEST',
       IdentitySource: [
-        '$request.header.Authorization',
+        'route.request.header.Authorization',
       ],
     });
 
 
@@ -40,9 +40,6 @@ If Amazon Route 53 is your DNS provider for the requested domain, the DNS record
 created automatically:
 
 ```ts
-import * as acm from '@aws-cdk/aws-certificatemanager';
-import * as route53 from '@aws-cdk/aws-route53';
-
 const myHostedZone = new route53.HostedZone(this, 'HostedZone', {
   zoneName: 'example.com',
 });
@@ -106,6 +103,7 @@ The `DnsValidatedCertificate` construct exists to facilitate creating these cert
 Route53-based DNS validation.
 
 ```ts
+declare const myHostedZone: route53.HostedZone;
 new acm.DnsValidatedCertificate(this, 'CrossRegionCertificate', {
   domainName: 'hello.example.com',
   hostedZone: myHostedZone,
@@ -120,10 +118,10 @@ AWS Certificate Manager can create [private certificates](https://docs.aws.amazo
 ```ts
 import * as acmpca from '@aws-cdk/aws-acmpca';
 
-new acm.PrivateCertificate(stack, 'PrivateCertificate', {
+new acm.PrivateCertificate(this, 'PrivateCertificate', {
   domainName: 'test.example.com',
   subjectAlternativeNames: ['cool.example.com', 'test.example.net'], // optional
-  certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'CA',
+  certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(this, 'CA',
     'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'),
 });
 ```
@@ -134,7 +132,7 @@ If you want to import an existing certificate, you can do so from its ARN:
 
 ```ts
 const arn = 'arn:aws:...';
-const certificate = Certificate.fromCertificateArn(this, 'Certificate', arn);
+const certificate = acm.Certificate.fromCertificateArn(this, 'Certificate', arn);
 ```
 
 ## Sharing between Stacks
@@ -152,8 +150,14 @@ An alarm can be created to determine whether a certificate is soon due for
 renewal ussing the following code:
 
 ```ts
-const certificate = new Certificate(this, 'Certificate', { /* ... */ });
-certificate.metricDaysToExpiry().createAlarm({
+import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
+
+declare const myHostedZone: route53.HostedZone;
+const certificate = new acm.Certificate(this, 'Certificate', {
+  domainName: 'hello.example.com',
+  validation: acm.CertificateValidation.fromDns(myHostedZone),
+});
+certificate.metricDaysToExpiry().createAlarm(this, 'Alarm', {
   comparisonOperator: cloudwatch.ComparisonOperator.LESS_THAN_THRESHOLD,
   evaluationPeriods: 1,
   threshold: 45, // Automatic rotation happens between 60 and 45 days before expiry
 
@@ -28,7 +28,14 @@
         ]
       }
     },
-    "projectReferences": true
+    "projectReferences": true,
+    "metadata": {
+      "jsii": {
+        "rosetta": {
+          "strict": true
+        }
+      }
+    }
   },
   "repository": {
     "type": "git",
 
@@ -0,0 +1,12 @@
+// Fixture with packages imported, but nothing else
+import { Stack } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import * as acm from '@aws-cdk/aws-certificatemanager';
+import * as route53 from '@aws-cdk/aws-route53';
+
+class Fixture extends Stack {
+  constructor(scope: Construct, id: string) {
+    super(scope, id);
+    /// here
+  }
+}
@@ -18,9 +18,6 @@ An S3 bucket can be added as an origin. If the bucket is configured as a website
 documents.
 
 ```ts
-import * as cloudfront from '@aws-cdk/aws-cloudfront';
-import * as origins from '@aws-cdk/aws-cloudfront-origins';
-
 const myBucket = new s3.Bucket(this, 'myBucket');
 new cloudfront.Distribution(this, 'myDist', {
   defaultBehavior: { origin: new origins.S3Origin(myBucket) },
@@ -38,9 +35,6 @@ URLs and not S3 URLs directly. Alternatively, a custom origin access identity ca
 You can configure CloudFront to add custom headers to the requests that it sends to your origin. These custom headers enable you to send and gather information from your origin that you don’t get with typical viewer requests. These headers can even be customized for each origin. CloudFront supports custom headers for both for custom and Amazon S3 origins.
 
 ```ts
-import * as cloudfront from '@aws-cdk/aws-cloudfront';
-import * as origins from '@aws-cdk/aws-cloudfront-origins';
-
 const myBucket = new s3.Bucket(this, 'myBucket');
 new cloudfront.Distribution(this, 'myDist', {
   defaultBehavior: { origin: new origins.S3Origin(myBucket, {
@@ -60,12 +54,12 @@ accessible (`internetFacing` is true). Both Application and Network load balance
 import * as ec2 from '@aws-cdk/aws-ec2';
 import * as elbv2 from '@aws-cdk/aws-elasticloadbalancingv2';
 
-const vpc = new ec2.Vpc(...);
+declare const vpc: ec2.Vpc;
 // Create an application load balancer in a VPC. 'internetFacing' must be 'true'
 // for CloudFront to access the load balancer and use it as an origin.
 const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', {
   vpc,
-  internetFacing: true
+  internetFacing: true,
 });
 new cloudfront.Distribution(this, 'myDist', {
   defaultBehavior: { origin: new origins.LoadBalancerV2Origin(lb) },
@@ -75,6 +69,9 @@ new cloudfront.Distribution(this, 'myDist', {
 The origin can also be customized to respond on different ports, have different connection properties, etc.
 
 ```ts
+import * as elbv2 from '@aws-cdk/aws-elasticloadbalancingv2';
+
+declare const loadBalancer: elbv2.ApplicationLoadBalancer;
 const origin = new origins.LoadBalancerV2Origin(loadBalancer, {
   connectionAttempts: 3,
   connectionTimeout: Duration.seconds(5),
@@ -103,6 +100,7 @@ CloudFront automatically switches to the secondary origin.
 You achieve that behavior in the CDK using the `OriginGroup` class:
 
 ```ts
+const myBucket = new s3.Bucket(this, 'myBucket');
 new cloudfront.Distribution(this, 'myDist', {
   defaultBehavior: {
     origin: new origins.OriginGroup({
 
@@ -28,7 +28,14 @@
         ]
       }
     },
-    "projectReferences": true
+    "projectReferences": true,
+    "metadata": {
+      "jsii": {
+        "rosetta": {
+          "strict": true
+        }
+      }
+    }
   },
   "repository": {
     "type": "git",
 
@@ -0,0 +1,15 @@
+// Fixture with packages imported, but nothing else
+import { Duration, Stack } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import * as cloudfront from '@aws-cdk/aws-cloudfront';
+import * as origins from '@aws-cdk/aws-cloudfront-origins';
+import * as s3 from '@aws-cdk/aws-s3';
+
+class Fixture extends Stack {
+  constructor(scope: Construct, id: string) {
+    super(scope, id);
+
+    /// here
+    
+  }
+}
@@ -86,7 +86,7 @@
     "@aws-cdk/pkglint": "0.0.0",
     "@types/jest": "^27.0.3",
     "aws-sdk": "^2.848.0",
-    "colors": "^1.4.0",
+    "colors": "1.4.0",
     "jest": "^27.4.5"
   },
   "dependencies": {
@@ -128,4 +128,4 @@
   "publishConfig": {
     "tag": "latest"
   }
-}
+}