Merge branch 'master' into add-ingress-protocol

Author: mergify[bot]

packages/@aws-cdk/aws-cloudfront/lib/cache-policy.ts

@@ -231,6 +231,9 @@ export class CacheHeaderBehavior {
     if (headers.length === 0) {
       throw new Error('At least one header to allow must be provided');
     }
+    if (headers.length > 10) {
+      throw new Error(`Maximum allowed headers in Cache Policy is 10; got ${headers.length}.`);
+    }
     return new CacheHeaderBehavior('whitelist', headers);
   }
 

packages/@aws-cdk/aws-cloudfront/test/cache-policy.test.ts

@@ -96,6 +96,17 @@ describe('CachePolicy', () => {
     expect(() => new CachePolicy(stack, 'CachePolicy6', { cachePolicyName: 'My_Policy' })).not.toThrow();
   });
 
+  test('throws if more than 10 CacheHeaderBehavior headers are being passed', () => {
+    const errorMessage = /Maximum allowed headers in Cache Policy is 10; got (.*?)/;
+    expect(() => new CachePolicy(stack, 'CachePolicy1', {
+      headerBehavior: CacheHeaderBehavior.allowList('Lorem', 'ipsum', 'dolor', 'sit', 'amet', 'consectetur', 'adipiscing', 'elit', 'sed', 'do', 'eiusmod'),
+    })).toThrow(errorMessage);
+
+    expect(() => new CachePolicy(stack, 'CachePolicy2', {
+      headerBehavior: CacheHeaderBehavior.allowList('Lorem', 'ipsum', 'dolor', 'sit', 'amet', 'consectetur', 'adipiscing', 'elit', 'sed', 'do'),
+    })).not.toThrow();
+  });
+
   test('does not throw if cachePolicyName is a token', () => {
     expect(() => new CachePolicy(stack, 'CachePolicy', {
       cachePolicyName: Aws.STACK_NAME,

packages/@aws-cdk/aws-codebuild/README.md

@@ -617,3 +617,31 @@ if (project.enableBatchBuilds()) {
   console.log('Batch builds were enabled');
 }
 ```
+
+## Timeouts
+
+There are two types of timeouts that can be set when creating your Project.
+The `timeout` property can be used to set an upper limit on how long your Project is able to run without being marked as completed.
+The default is 60 minutes.
+An example of overriding the default follows.
+
+```ts
+import * as codebuild from '@aws-cdk/aws-codebuild';
+
+new codebuild.Project(stack, 'MyProject', {
+  timeout: Duration.minutes(90)
+});
+```
+
+The `queuedTimeout` property can be used to set an upper limit on how your Project remains queued to run.
+There is no default value for this property.
+As an example, to allow your Project to queue for up to thirty (30) minutes before the build fails,
+use the following code.
+
+```ts
+import * as codebuild from '@aws-cdk/aws-codebuild';
+
+new codebuild.Project(stack, 'MyProject', {
+  queuedTimeout: Duration.minutes(30)
+});
+```

packages/@aws-cdk/aws-codebuild/lib/project.ts

@@ -575,6 +575,15 @@ export interface CommonProjectProps {
    * @default - no log configuration is set
    */
   readonly logging?: LoggingOptions;
+
+  /**
+   * The number of minutes after which AWS CodeBuild stops the build if it's
+   * still in queue. For valid values, see the timeoutInMinutes field in the AWS
+   * CodeBuild User Guide.
+   *
+   * @default - no queue timeout is set
+   */
+  readonly queuedTimeout?: Duration
 }
 
 export interface ProjectProps extends CommonProjectProps {
@@ -869,6 +878,7 @@ export class Project extends ProjectBase {
       cache: cache._toCloudFormation(),
       name: this.physicalName,
       timeoutInMinutes: props.timeout && props.timeout.toMinutes(),
+      queuedTimeoutInMinutes: props.queuedTimeout && props.queuedTimeout.toMinutes(),
       secondarySources: Lazy.any({ produce: () => this.renderSecondarySources() }),
       secondarySourceVersions: Lazy.any({ produce: () => this.renderSecondarySourceVersions() }),
       secondaryArtifacts: Lazy.any({ produce: () => this.renderSecondaryArtifacts() }),

packages/@aws-cdk/aws-codebuild/test/test.project.ts

@@ -960,4 +960,47 @@ export = {
       test.done();
     },
   },
+
+  'Timeouts': {
+    'can add queued timeout'(test: Test) {
+      // GIVEN
+      const stack = new cdk.Stack();
+
+      // WHEN
+      new codebuild.Project(stack, 'Project', {
+        source: codebuild.Source.s3({
+          bucket: new s3.Bucket(stack, 'Bucket'),
+          path: 'path',
+        }),
+        queuedTimeout: cdk.Duration.minutes(30),
+      });
+
+      // THEN
+      expect(stack).to(haveResourceLike('AWS::CodeBuild::Project', {
+        QueuedTimeoutInMinutes: 30,
+      }));
+
+      test.done();
+    },
+    'can override build timeout'(test: Test) {
+      // GIVEN
+      const stack = new cdk.Stack();
+
+      // WHEN
+      new codebuild.Project(stack, 'Project', {
+        source: codebuild.Source.s3({
+          bucket: new s3.Bucket(stack, 'Bucket'),
+          path: 'path',
+        }),
+        timeout: cdk.Duration.minutes(30),
+      });
+
+      // THEN
+      expect(stack).to(haveResourceLike('AWS::CodeBuild::Project', {
+        TimeoutInMinutes: 30,
+      }));
+
+      test.done();
+    },
+  },
 };

packages/@aws-cdk/aws-ecr/README.md

@@ -57,7 +57,7 @@ const user = new iam.User(this, 'User', { ... });
 ecr.AuthorizationToken.grantRead(user);
 ```
 
-If you access images in the [Public ECR Gallery](https://gallery.ecr.aws/) as well, it is recommended you authenticate to the regsitry to benefit from
+If you access images in the [Public ECR Gallery](https://gallery.ecr.aws/) as well, it is recommended you authenticate to the registry to benefit from
 higher rate and bandwidth limits.
 
 > See `Pricing` in https://aws.amazon.com/blogs/aws/amazon-ecr-public-a-new-public-container-registry/ and [Service quotas](https://docs.aws.amazon.com/AmazonECR/latest/public/public-service-quotas.html).

packages/@aws-cdk/aws-ecs/README.md

@@ -299,6 +299,8 @@ obtained from either DockerHub or from ECR repositories, or built directly from
   image directly from a `Dockerfile` in your source directory.
 - `ecs.ContainerImage.fromDockerImageAsset(asset)`: uses an existing
   `@aws-cdk/aws-ecr-assets.DockerImageAsset` as a container image.
+- `new ecs.TagParameterContainerImage(repository)`: use the given ECR repository as the image 
+  but a CloudFormation parameter as the tag.
 
 ### Environment variables
 

packages/@aws-cdk/aws-ecs/lib/images/tag-parameter-container-image.ts

@@ -49,4 +49,20 @@ export class TagParameterContainerImage extends ContainerImage {
       },
     });
   }
+
+  /**
+   * Returns the value of the CloudFormation Parameter that represents the tag of the image
+   * in the ECR repository.
+   */
+  public get tagParameterValue(): string {
+    return cdk.Lazy.string({
+      produce: () => {
+        if (this.imageTagParameter) {
+          return this.imageTagParameter.valueAsString;
+        } else {
+          throw new Error('TagParameterContainerImage must be used in a container definition when using tagParameterValue');
+        }
+      },
+    });
+  }
 }

packages/@aws-cdk/aws-ecs/test/images/tag-parameter-container-image.test.ts

@@ -21,5 +21,21 @@ nodeunitShim({
 
       test.done();
     },
+
+    'throws an error when tagParameterValue() is used without binding the image'(test: Test) {
+      // GIVEN
+      const stack = new cdk.Stack();
+      const repository = new ecr.Repository(stack, 'Repository');
+      const tagParameterContainerImage = new ecs.TagParameterContainerImage(repository);
+      new cdk.CfnOutput(stack, 'Output', {
+        value: tagParameterContainerImage.tagParameterValue,
+      });
+
+      test.throws(() => {
+        SynthUtils.synthesize(stack);
+      }, /TagParameterContainerImage must be used in a container definition when using tagParameterValue/);
+
+      test.done();
+    },
   },
 });

packages/@aws-cdk/aws-events-targets/README.md

@@ -90,6 +90,39 @@ const rule = new events.Rule(this, 'rule', {
 rule.addTarget(new targets.CloudWatchLogGroup(logGroup));
 ```
 
+## Trigger a CodeBuild project
+
+Use the `CodeBuildProject` target to trigger a CodeBuild project.
+
+The code snippet below creates a CodeCommit repository that triggers a CodeBuild project
+on commit to the master branch. You can optionally attach a
+[dead letter queue](https://docs.aws.amazon.com/eventbridge/latest/userguide/rule-dlq.html).
+
+```ts
+import * as codebuild from '@aws-sdk/aws-codebuild';
+import * as codecommit from '@aws-sdk/aws-codecommit';
+import * as sqs from '@aws-sdk/aws-sqs';
+import * as targets from "@aws-cdk/aws-events-targets";
+
+const repo = new codecommit.Repository(this, 'MyRepo', {
+  repositoryName: 'aws-cdk-codebuild-events',
+});
+
+const project = new codebuild.Project(this, 'MyProject', {
+  source: codebuild.Source.codeCommit({ repository: repo }),
+});
+
+const deadLetterQueue = new sqs.Queue(this, 'DeadLetterQueue');
+
+// trigger a build when a commit is pushed to the repo
+const onCommitRule = repo.onCommit('OnCommit', {
+  target: new targets.CodeBuildProject(project, {
+    deadLetterQueue: deadLetterQueue,
+  }),
+  branches: ['master'],
+});
+```
+
 ## Trigger a State Machine
 
 Use the `SfnStateMachine` target to trigger a State Machine.

packages/@aws-cdk/aws-events-targets/lib/codebuild.ts

@@ -1,7 +1,8 @@
 import * as codebuild from '@aws-cdk/aws-codebuild';
 import * as events from '@aws-cdk/aws-events';
 import * as iam from '@aws-cdk/aws-iam';
-import { singletonEventRole } from './util';
+import * as sqs from '@aws-cdk/aws-sqs';
+import { addToDeadLetterQueueResourcePolicy, singletonEventRole } from './util';
 
 /**
  * Customize the CodeBuild Event Target
@@ -24,6 +25,18 @@ export interface CodeBuildProjectProps {
    * @default - the entire EventBridge event
    */
   readonly event?: events.RuleTargetInput;
+
+  /**
+   * The SQS queue to be used as deadLetterQueue.
+   * Check out the [considerations for using a dead-letter queue](https://docs.aws.amazon.com/eventbridge/latest/userguide/rule-dlq.html#dlq-considerations).
+   *
+   * The events not successfully delivered are automatically retried for a specified period of time,
+   * depending on the retry policy of the target.
+   * If an event is not delivered before all retry attempts are exhausted, it will be sent to the dead letter queue.
+   *
+   * @default - no dead-letter queue
+   */
+  readonly deadLetterQueue?: sqs.IQueue;
 }
 
 /**
@@ -39,9 +52,15 @@ export class CodeBuildProject implements events.IRuleTarget {
    * Allows using build projects as event rule targets.
    */
   public bind(_rule: events.IRule, _id?: string): events.RuleTargetConfig {
+
+    if (this.props.deadLetterQueue) {
+      addToDeadLetterQueueResourcePolicy(_rule, this.props.deadLetterQueue);
+    }
+
     return {
       id: '',
       arn: this.project.projectArn,
+      deadLetterConfig: this.props.deadLetterQueue ? { arn: this.props.deadLetterQueue?.queueArn } : undefined,
       role: this.props.eventRole || singletonEventRole(this.project, [
         new iam.PolicyStatement({
           actions: ['codebuild:StartBuild'],

packages/@aws-cdk/aws-events-targets/test/codebuild/codebuild.test.ts

@@ -2,6 +2,7 @@ import { expect, haveResource } from '@aws-cdk/assert';
 import * as codebuild from '@aws-cdk/aws-codebuild';
 import * as events from '@aws-cdk/aws-events';
 import * as iam from '@aws-cdk/aws-iam';
+import * as sqs from '@aws-cdk/aws-sqs';
 import { CfnElement, Stack } from '@aws-cdk/core';
 import * as targets from '../../lib';
 
@@ -120,4 +121,84 @@ describe('CodeBuild event target', () => {
       ],
     }));
   });
+
+  test('use a Dead Letter Queue for the rule target', () => {
+    // GIVEN
+    const rule = new events.Rule(stack, 'Rule', {
+      schedule: events.Schedule.expression('rate(1 hour)'),
+    });
+
+    const queue = new sqs.Queue(stack, 'Queue');
+
+    // WHEN
+    const eventInput = {
+      buildspecOverride: 'buildspecs/hourly.yml',
+    };
+
+    rule.addTarget(
+      new targets.CodeBuildProject(project, {
+        event: events.RuleTargetInput.fromObject(eventInput),
+        deadLetterQueue: queue,
+      }),
+    );
+
+    // THEN
+    expect(stack).to(haveResource('AWS::Events::Rule', {
+      Targets: [
+        {
+          Arn: projectArn,
+          Id: 'Target0',
+          DeadLetterConfig: {
+            Arn: {
+              'Fn::GetAtt': [
+                'Queue4A7E3555',
+                'Arn',
+              ],
+            },
+          },
+          Input: JSON.stringify(eventInput),
+          RoleArn: {
+            'Fn::GetAtt': ['MyProjectEventsRole5B7D93F5', 'Arn'],
+          },
+        },
+      ],
+    }));
+
+    expect(stack).to(haveResource('AWS::SQS::QueuePolicy', {
+      PolicyDocument: {
+        Statement: [
+          {
+            Action: 'sqs:SendMessage',
+            Condition: {
+              ArnEquals: {
+                'aws:SourceArn': {
+                  'Fn::GetAtt': [
+                    'Rule4C995B7F',
+                    'Arn',
+                  ],
+                },
+              },
+            },
+            Effect: 'Allow',
+            Principal: {
+              Service: 'events.amazonaws.com',
+            },
+            Resource: {
+              'Fn::GetAtt': [
+                'Queue4A7E3555',
+                'Arn',
+              ],
+            },
+            Sid: 'AllowEventRuleRule',
+          },
+        ],
+        Version: '2012-10-17',
+      },
+      Queues: [
+        {
+          Ref: 'Queue4A7E3555',
+        },
+      ],
+    }));
+  });
 });