chore: make more examples compile (#18318)

- `docdb`
- `certificatemanager`
- `msk`
- `servicecatalogappregistry`
- `cloudfront-origins`
- `ses`

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: kaizencc

packages/@aws-cdk/aws-certificatemanager/README.md

@@ -40,9 +40,6 @@ If Amazon Route 53 is your DNS provider for the requested domain, the DNS record
 created automatically:
 
 ```ts
-import * as acm from '@aws-cdk/aws-certificatemanager';
-import * as route53 from '@aws-cdk/aws-route53';
-
 const myHostedZone = new route53.HostedZone(this, 'HostedZone', {
   zoneName: 'example.com',
 });
@@ -106,6 +103,7 @@ The `DnsValidatedCertificate` construct exists to facilitate creating these cert
 Route53-based DNS validation.
 
 ```ts
+declare const myHostedZone: route53.HostedZone;
 new acm.DnsValidatedCertificate(this, 'CrossRegionCertificate', {
   domainName: 'hello.example.com',
   hostedZone: myHostedZone,
@@ -120,10 +118,10 @@ AWS Certificate Manager can create [private certificates](https://docs.aws.amazo
 ```ts
 import * as acmpca from '@aws-cdk/aws-acmpca';
 
-new acm.PrivateCertificate(stack, 'PrivateCertificate', {
+new acm.PrivateCertificate(this, 'PrivateCertificate', {
   domainName: 'test.example.com',
   subjectAlternativeNames: ['cool.example.com', 'test.example.net'], // optional
-  certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'CA',
+  certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(this, 'CA',
     'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'),
 });
 ```
@@ -134,7 +132,7 @@ If you want to import an existing certificate, you can do so from its ARN:
 
 ```ts
 const arn = 'arn:aws:...';
-const certificate = Certificate.fromCertificateArn(this, 'Certificate', arn);
+const certificate = acm.Certificate.fromCertificateArn(this, 'Certificate', arn);
 ```
 
 ## Sharing between Stacks
@@ -152,8 +150,14 @@ An alarm can be created to determine whether a certificate is soon due for
 renewal ussing the following code:
 
 ```ts
-const certificate = new Certificate(this, 'Certificate', { /* ... */ });
-certificate.metricDaysToExpiry().createAlarm({
+import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
+
+declare const myHostedZone: route53.HostedZone;
+const certificate = new acm.Certificate(this, 'Certificate', {
+  domainName: 'hello.example.com',
+  validation: acm.CertificateValidation.fromDns(myHostedZone),
+});
+certificate.metricDaysToExpiry().createAlarm(this, 'Alarm', {
   comparisonOperator: cloudwatch.ComparisonOperator.LESS_THAN_THRESHOLD,
   evaluationPeriods: 1,
   threshold: 45, // Automatic rotation happens between 60 and 45 days before expiry

packages/@aws-cdk/aws-certificatemanager/package.json

@@ -28,7 +28,14 @@
         ]
       }
     },
-    "projectReferences": true
+    "projectReferences": true,
+    "metadata": {
+      "jsii": {
+        "rosetta": {
+          "strict": true
+        }
+      }
+    }
   },
   "repository": {
     "type": "git",

packages/@aws-cdk/aws-certificatemanager/rosetta/default.ts-fixture

@@ -0,0 +1,12 @@
+// Fixture with packages imported, but nothing else
+import { Stack } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import * as acm from '@aws-cdk/aws-certificatemanager';
+import * as route53 from '@aws-cdk/aws-route53';
+
+class Fixture extends Stack {
+  constructor(scope: Construct, id: string) {
+    super(scope, id);
+    /// here
+  }
+}

packages/@aws-cdk/aws-cloudfront-origins/README.md

@@ -18,9 +18,6 @@ An S3 bucket can be added as an origin. If the bucket is configured as a website
 documents.
 
 ```ts
-import * as cloudfront from '@aws-cdk/aws-cloudfront';
-import * as origins from '@aws-cdk/aws-cloudfront-origins';
-
 const myBucket = new s3.Bucket(this, 'myBucket');
 new cloudfront.Distribution(this, 'myDist', {
   defaultBehavior: { origin: new origins.S3Origin(myBucket) },
@@ -38,9 +35,6 @@ URLs and not S3 URLs directly. Alternatively, a custom origin access identity ca
 You can configure CloudFront to add custom headers to the requests that it sends to your origin. These custom headers enable you to send and gather information from your origin that you don’t get with typical viewer requests. These headers can even be customized for each origin. CloudFront supports custom headers for both for custom and Amazon S3 origins.
 
 ```ts
-import * as cloudfront from '@aws-cdk/aws-cloudfront';
-import * as origins from '@aws-cdk/aws-cloudfront-origins';
-
 const myBucket = new s3.Bucket(this, 'myBucket');
 new cloudfront.Distribution(this, 'myDist', {
   defaultBehavior: { origin: new origins.S3Origin(myBucket, {
@@ -60,12 +54,12 @@ accessible (`internetFacing` is true). Both Application and Network load balance
 import * as ec2 from '@aws-cdk/aws-ec2';
 import * as elbv2 from '@aws-cdk/aws-elasticloadbalancingv2';
 
-const vpc = new ec2.Vpc(...);
+declare const vpc: ec2.Vpc;
 // Create an application load balancer in a VPC. 'internetFacing' must be 'true'
 // for CloudFront to access the load balancer and use it as an origin.
 const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', {
   vpc,
-  internetFacing: true
+  internetFacing: true,
 });
 new cloudfront.Distribution(this, 'myDist', {
   defaultBehavior: { origin: new origins.LoadBalancerV2Origin(lb) },
@@ -75,6 +69,9 @@ new cloudfront.Distribution(this, 'myDist', {
 The origin can also be customized to respond on different ports, have different connection properties, etc.
 
 ```ts
+import * as elbv2 from '@aws-cdk/aws-elasticloadbalancingv2';
+
+declare const loadBalancer: elbv2.ApplicationLoadBalancer;
 const origin = new origins.LoadBalancerV2Origin(loadBalancer, {
   connectionAttempts: 3,
   connectionTimeout: Duration.seconds(5),
@@ -103,6 +100,7 @@ CloudFront automatically switches to the secondary origin.
 You achieve that behavior in the CDK using the `OriginGroup` class:
 
 ```ts
+const myBucket = new s3.Bucket(this, 'myBucket');
 new cloudfront.Distribution(this, 'myDist', {
   defaultBehavior: {
     origin: new origins.OriginGroup({

packages/@aws-cdk/aws-cloudfront-origins/package.json

@@ -28,7 +28,14 @@
         ]
       }
     },
-    "projectReferences": true
+    "projectReferences": true,
+    "metadata": {
+      "jsii": {
+        "rosetta": {
+          "strict": true
+        }
+      }
+    }
   },
   "repository": {
     "type": "git",

packages/@aws-cdk/aws-cloudfront-origins/rosetta/default.ts-fixture

@@ -0,0 +1,15 @@
+// Fixture with packages imported, but nothing else
+import { Duration, Stack } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import * as cloudfront from '@aws-cdk/aws-cloudfront';
+import * as origins from '@aws-cdk/aws-cloudfront-origins';
+import * as s3 from '@aws-cdk/aws-s3';
+
+class Fixture extends Stack {
+  constructor(scope: Construct, id: string) {
+    super(scope, id);
+
+    /// here
+    
+  }
+}

packages/@aws-cdk/aws-docdb/README.md

@@ -18,17 +18,18 @@ always launch a database in a VPC. Use the `vpcSubnets` attribute to control whe
 your instances will be launched privately or publicly:
 
 ```ts
-const cluster = new DatabaseCluster(this, 'Database', {
-    masterUser: {
-        username: 'myuser' // NOTE: 'admin' is reserved by DocumentDB
-        excludeCharacters: '\"@/:', // optional, defaults to the set "\"@/" and is also used for eventually created rotations
-        secretName: '/myapp/mydocdb/masteruser', // optional, if you prefer to specify the secret name
-    },
-    instanceType: ec2.InstanceType.of(ec2.InstanceClass.R5, ec2.InstanceSize.LARGE),
-    vpcSubnets: {
-        subnetType: ec2.SubnetType.PUBLIC,
-    },
-    vpc
+declare const vpc: ec2.Vpc;
+const cluster = new docdb.DatabaseCluster(this, 'Database', {
+  masterUser: {
+    username: 'myuser', // NOTE: 'admin' is reserved by DocumentDB
+    excludeCharacters: '\"@/:', // optional, defaults to the set "\"@/" and is also used for eventually created rotations
+    secretName: '/myapp/mydocdb/masteruser', // optional, if you prefer to specify the secret name
+  },
+  instanceType: ec2.InstanceType.of(ec2.InstanceClass.R5, ec2.InstanceSize.LARGE),
+  vpcSubnets: {
+    subnetType: ec2.SubnetType.PUBLIC,
+  },
+  vpc,
 });
 ```
 
@@ -42,21 +43,26 @@ To control who can access the cluster, use the `.connections` attribute. Documen
 you don't need to specify the port:
 
 ```ts
+declare const cluster: docdb.DatabaseCluster;
 cluster.connections.allowDefaultPortFromAnyIpv4('Open to the world');
 ```
 
 The endpoints to access your database cluster will be available as the `.clusterEndpoint` and `.clusterReadEndpoint`
 attributes:
 
 ```ts
+declare const cluster: docdb.DatabaseCluster;
 const writeAddress = cluster.clusterEndpoint.socketAddress;   // "HOSTNAME:PORT"
 ```
 
 If you have existing security groups you would like to add to the cluster, use the `addSecurityGroups` method. Security
 groups added in this way will not be managed by the `Connections` object of the cluster.
 
 ```ts
-const securityGroup = new ec2.SecurityGroup(stack, 'SecurityGroup', {
+declare const vpc: ec2.Vpc;
+declare const cluster: docdb.DatabaseCluster;
+
+const securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', {
   vpc,
 });
 cluster.addSecurityGroups(securityGroup);
@@ -67,16 +73,17 @@ cluster.addSecurityGroups(securityGroup);
 Deletion protection can be enabled on an Amazon DocumentDB cluster to prevent accidental deletion of the cluster:
 
 ```ts
-const cluster = new DatabaseCluster(this, 'Database', {
-    masterUser: {
-        username: 'myuser'
-    },
-    instanceType: ec2.InstanceType.of(ec2.InstanceClass.R5, ec2.InstanceSize.LARGE),
-    vpcSubnets: {
-        subnetType: ec2.SubnetType.PUBLIC,
-    },
-    vpc,
-    deletionProtection: true  // Enable deletion protection.
+declare const vpc: ec2.Vpc;
+const cluster = new docdb.DatabaseCluster(this, 'Database', {
+  masterUser: {
+    username: 'myuser',
+  },
+  instanceType: ec2.InstanceType.of(ec2.InstanceClass.R5, ec2.InstanceSize.LARGE),
+  vpcSubnets: {
+    subnetType: ec2.SubnetType.PUBLIC,
+  },
+  vpc,
+  deletionProtection: true, // Enable deletion protection.
 });
 ```
 
@@ -85,6 +92,7 @@ const cluster = new DatabaseCluster(this, 'Database', {
 When the master password is generated and stored in AWS Secrets Manager, it can be rotated automatically:
 
 ```ts
+declare const cluster: docdb.DatabaseCluster;
 cluster.addRotationSingleUser(); // Will rotate automatically after 30 days
 ```
 
@@ -93,22 +101,28 @@ cluster.addRotationSingleUser(); // Will rotate automatically after 30 days
 The multi user rotation scheme is also available:
 
 ```ts
+import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
+
+declare const myImportedSecret: secretsmanager.Secret;
+declare const cluster: docdb.DatabaseCluster;
+
 cluster.addRotationMultiUser('MyUser', {
-  secret: myImportedSecret // This secret must have the `masterarn` key
+  secret: myImportedSecret, // This secret must have the `masterarn` key
 });
 ```
 
 It's also possible to create user credentials together with the cluster and add rotation:
 
 ```ts
+declare const cluster: docdb.DatabaseCluster;
 const myUserSecret = new docdb.DatabaseSecret(this, 'MyUserSecret', {
   username: 'myuser',
-  masterSecret: cluster.secret
+  masterSecret: cluster.secret,
 });
 const myUserSecretAttached = myUserSecret.attach(cluster); // Adds DB connections information in the secret
 
 cluster.addRotationMultiUser('MyUser', { // Add rotation using the multi user scheme
-  secret: myUserSecretAttached // This secret must have the `masterarn` key
+  secret: myUserSecretAttached, // This secret must have the `masterarn` key
 });
 ```
 
@@ -126,8 +140,21 @@ Sending audit or profiler needs to be configured in two places:
 2. Enable the corresponding option(s) when creating the `DatabaseCluster`:
 
 ```ts
-const cluster = new DatabaseCluster(this, 'Database', {
-  ...,
+import * as iam from '@aws-cdk/aws-iam';
+import * as logs from'@aws-cdk/aws-logs';
+
+declare const myLogsPublishingRole: iam.Role;
+declare const vpc: ec2.Vpc;
+
+const cluster = new docdb.DatabaseCluster(this, 'Database', {
+  masterUser: {
+    username: 'myuser',
+  },
+  instanceType: ec2.InstanceType.of(ec2.InstanceClass.R5, ec2.InstanceSize.LARGE),
+  vpcSubnets: {
+    subnetType: ec2.SubnetType.PUBLIC,
+  },
+  vpc,
   exportProfilerLogsToCloudWatch: true, // Enable sending profiler logs
   exportAuditLogsToCloudWatch: true, // Enable sending audit logs
   cloudWatchLogsRetention: logs.RetentionDays.THREE_MONTHS, // Optional - default is to never expire logs

packages/@aws-cdk/aws-docdb/package.json

@@ -28,7 +28,14 @@
         ]
       }
     },
-    "projectReferences": true
+    "projectReferences": true,
+    "metadata": {
+      "jsii": {
+        "rosetta": {
+          "strict": true
+        }
+      }
+    }
   },
   "repository": {
     "type": "git",

packages/@aws-cdk/aws-docdb/rosetta/default.ts-fixture

@@ -0,0 +1,12 @@
+// Fixture with packages imported, but nothing else
+import { Stack } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import * as docdb from '@aws-cdk/aws-docdb';
+import * as ec2 from '@aws-cdk/aws-ec2';
+
+class Fixture extends Stack {
+  constructor(scope: Construct, id: string) {
+    super(scope, id);
+    /// here
+  }
+}