Merge remote-tracking branch 'origin/main' into otaviom/cli-plugin-co…

…ntract

packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.template.json

@@ -530,6 +530,13 @@
       "FromPort": 80,
       "IpProtocol": "tcp",
       "ToPort": 80
+     },
+     {
+      "CidrIpv6": "::/0",
+      "Description": "Allow from anyone on port 80",
+      "FromPort": 80,
+      "IpProtocol": "tcp",
+      "ToPort": 80
      }
     ],
     "VpcId": {

packages/@aws-cdk/aws-glue-alpha/lib/connection.ts

@@ -28,6 +28,16 @@ export class ConnectionType {
    */
   public static readonly MONGODB = new ConnectionType('MONGODB');
 
+  /**
+   * Designates a connection used for view validation by Amazon Redshift.
+   */
+  public static readonly VIEW_VALIDATION_REDSHIFT = new ConnectionType('VIEW_VALIDATION_REDSHIFT');
+
+  /**
+   * Designates a connection used for view validation by Amazon Athena.
+   */
+  public static readonly VIEW_VALIDATION_ATHENA = new ConnectionType('VIEW_VALIDATION_ATHENA');
+
   /**
    * Designates a network connection to a data source within an Amazon Virtual Private Cloud environment (Amazon VPC).
    */
@@ -45,6 +55,106 @@ export class ConnectionType {
    */
   public static readonly CUSTOM = new ConnectionType('CUSTOM');
 
+  /**
+   * Designates a connection to Facebook Ads.
+   */
+  public static readonly FACEBOOKADS = new ConnectionType('FACEBOOKADS');
+
+  /**
+   * Designates a connection to Google Ads.
+   */
+  public static readonly GOOGLEADS = new ConnectionType('GOOGLEADS');
+
+  /**
+   * Designates a connection to Google Sheets.
+   */
+  public static readonly GOOGLESHEETS = new ConnectionType('GOOGLESHEETS');
+
+  /**
+   * Designates a connection to Google Analytics 4.
+   */
+  public static readonly GOOGLEANALYTICS4 = new ConnectionType('GOOGLEANALYTICS4');
+
+  /**
+   * Designates a connection to HubSpot.
+   */
+  public static readonly HUBSPOT = new ConnectionType('HUBSPOT');
+
+  /**
+   * Designates a connection to Instagram Ads.
+   */
+  public static readonly INSTAGRAMADS = new ConnectionType('INSTAGRAMADS');
+
+  /**
+   * Designates a connection to Intercom.
+   */
+  public static readonly INTERCOM = new ConnectionType('INTERCOM');
+
+  /**
+   * Designates a connection to Jira Cloud.
+   */
+  public static readonly JIRACLOUD = new ConnectionType('JIRACLOUD');
+
+  /**
+   * Designates a connection to Adobe Marketo Engage.
+   */
+  public static readonly MARKETO = new ConnectionType('MARKETO');
+
+  /**
+   * Designates a connection to Oracle NetSuite.
+   */
+  public static readonly NETSUITEERP = new ConnectionType('NETSUITEERP');
+
+  /**
+   * Designates a connection to Salesforce using OAuth authentication.
+   */
+  public static readonly SALESFORCE = new ConnectionType('SALESFORCE');
+
+  /**
+   * Designates a connection to Salesforce Marketing Cloud.
+   */
+  public static readonly SALESFORCEMARKETINGCLOUD = new ConnectionType('SALESFORCEMARKETINGCLOUD');
+
+  /**
+   * Designates a connection to Salesforce Marketing Cloud Account Engagement (MCAE).
+   */
+  public static readonly SALESFORCEPARDOT = new ConnectionType('SALESFORCEPARDOT');
+
+  /**
+   * Designates a connection to SAP OData.
+   */
+  public static readonly SAPODATA = new ConnectionType('SAPODATA');
+
+  /**
+   * Designates a connection to ServiceNow.
+   */
+  public static readonly SERVICENOW = new ConnectionType('SERVICENOW');
+
+  /**
+   * Designates a connection to Slack.
+   */
+  public static readonly SLACK = new ConnectionType('SLACK');
+
+  /**
+   * Designates a connection to Snapchat Ads.
+   */
+  public static readonly SNAPCHATADS = new ConnectionType('SNAPCHATADS');
+
+  /**
+   * Designates a connection to Stripe.
+   */
+  public static readonly STRIPE = new ConnectionType('STRIPE');
+
+  /**
+   * Designates a connection to Zendesk.
+   */
+  public static readonly ZENDESK = new ConnectionType('ZENDESK');
+
+  /**
+   * Designates a connection to Zoho CRM.
+   */
+  public static readonly ZOHOCRM = new ConnectionType('ZOHOCRM');
+
   /**
    * The name of this ConnectionType, as expected by Connection resource.
    */
@@ -169,7 +279,7 @@ export class Connection extends cdk.Resource implements IConnection {
     return new Import(scope, id);
   }
 
-  private static buildConnectionArn(scope: constructs.Construct, connectionName: string) : string {
+  private static buildConnectionArn(scope: constructs.Construct, connectionName: string): string {
     return cdk.Stack.of(scope).formatArn({
       service: 'glue',
       resource: 'connection',
@@ -187,7 +297,7 @@ export class Connection extends cdk.Resource implements IConnection {
    */
   public readonly connectionName: string;
 
-  private readonly properties: {[key: string]: string};
+  private readonly properties: { [key: string]: string };
 
   constructor(scope: constructs.Construct, id: string, props: ConnectionProps) {
     super(scope, id, {

packages/aws-cdk-lib/aws-appsync/README.md

@@ -240,6 +240,10 @@ input DemoInput {
 type Mutation {
   callStepFunction(input: DemoInput!): job
 }
+
+type Query {
+  _placeholder: String
+}
 ```
 
 GraphQL request mapping template `request.vtl`:

packages/aws-cdk-lib/aws-cognito/README.md

@@ -79,7 +79,7 @@ userPool.grant(role, 'cognito-idp:AdminCreateUser');
 ### User pool feature plans
 
 Amazon Cognito has feature plans for user pools. Each plan has a set of features and a monthly cost per active user. Each feature plan unlocks access to more features than the one before it.
-Lean more aboug [feature plans here](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html).
+Learn more about [feature plans here](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html).
 
 - *Lite* - a low-cost feature plan for user pools with lower numbers of monthly active users.
 - *Essentials* - all of the latest user pool authentication features.

packages/aws-cdk-lib/aws-config/lib/rule.ts

@@ -2488,7 +2488,7 @@ export class ResourceType {
   /** AWS IoT mitigation action */
   public static readonly IOT_MITIGATION_ACTION = new ResourceType('AWS::IoT::MitigationAction');
   /** AWS IoT TwinMaker workspace */
-  public static readonly IOT_TWINMAKER_WORKSPACE = new ResourceType('AWS::IoTwinMaker::Workspace');
+  public static readonly IOT_TWINMAKER_WORKSPACE = new ResourceType('AWS::IoTTwinMaker::Workspace');
   /** AWS IoT TwinMaker entity */
   public static readonly IOT_TWINMAKER_ENTITY = new ResourceType('AWS::IoTTwinMaker::Entity');
   /** AWS IoT Analytics datastore */

packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md

@@ -298,13 +298,14 @@ const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', {
 });
 ```
 
-By setting `DUAL_STACK_WITHOUT_PUBLIC_IPV4`, you can provision load balancers without public IPv4s
+By setting `DUAL_STACK_WITHOUT_PUBLIC_IPV4`, you can provision load balancers without public IPv4s:
 
 ```ts
 declare const vpc: ec2.Vpc;
 
 const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', {
   vpc,
+  internetFacing: true,
   ipAddressType: elbv2.IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4,
 });
 ```

packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts

@@ -303,7 +303,8 @@ export class ApplicationListener extends BaseListener implements IApplicationLis
 
     if (props.open !== false) {
       this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv4(), `Allow from anyone on port ${port}`);
-      if (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK) {
+      if (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK ||
+        this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4) {
         this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv6(), `Allow from anyone on port ${port}`);
       }
     }

packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts

@@ -107,6 +107,43 @@ describe('tests', () => {
     });
   });
 
+  test('Listener default to open - IPv6 (dual stack without public IPV4)', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'Stack');
+    const loadBalancer = new elbv2.ApplicationLoadBalancer(stack, 'LB', {
+      vpc,
+      internetFacing: true,
+      ipAddressType: elbv2.IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4,
+    });
+
+    // WHEN
+    loadBalancer.addListener('MyListener', {
+      port: 80,
+      defaultTargetGroups: [new elbv2.ApplicationTargetGroup(stack, 'Group', { vpc, port: 80 })],
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::EC2::SecurityGroup', {
+      SecurityGroupIngress: [
+        {
+          Description: 'Allow from anyone on port 80',
+          CidrIp: '0.0.0.0/0',
+          FromPort: 80,
+          IpProtocol: 'tcp',
+          ToPort: 80,
+        },
+        {
+          Description: 'Allow from anyone on port 80',
+          CidrIpv6: '::/0',
+          FromPort: 80,
+          IpProtocol: 'tcp',
+          ToPort: 80,
+        },
+      ],
+    });
+  });
+
   test('HTTPS listener requires certificate', () => {
     // GIVEN
     const stack = new cdk.Stack();

packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts

@@ -9,6 +9,7 @@ import { makeCachingProvider } from './provider-caching';
 import type { SdkHttpOptions } from './sdk-provider';
 import { readIfPossible } from './util';
 import { debug } from '../../logging';
+import { AuthenticationError } from '../../toolkit/error';
 
 const DEFAULT_CONNECTION_TIMEOUT = 10000;
 const DEFAULT_TIMEOUT = 300000;
@@ -291,7 +292,7 @@ async function tokenCodeFn(serialArn: string): Promise<string> {
     return token;
   } catch (err: any) {
     debug('Failed to get MFA token', err);
-    const e = new Error(`Error fetching MFA token: ${err.message ?? err}`);
+    const e = new AuthenticationError(`Error fetching MFA token: ${err.message ?? err}`);
     e.name = 'SharedIniFileCredentialsProviderFailure';
     throw e;
   }

packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts

@@ -3,6 +3,7 @@ import type { CredentialProviderSource, ForReading, ForWriting, PluginProviderRe
 import type { AwsCredentialIdentity, AwsCredentialIdentityProvider } from '@smithy/types';
 import { credentialsAboutToExpire, makeCachingProvider } from './provider-caching';
 import { debug, warning } from '../../logging';
+import { AuthenticationError } from '../../toolkit/error';
 import { Mode } from '../plugin/mode';
 import { PluginHost } from '../plugin/plugin';
 
@@ -126,7 +127,7 @@ async function v3ProviderFromPlugin(producer: () => Promise<PluginProviderResult
     // V2 credentials that refresh and cache themselves
     return v3ProviderFromV2Credentials(initial);
   } else {
-    throw new Error(`Plugin returned a value that doesn't resemble AWS credentials: ${inspect(initial)}`);
+    throw new AuthenticationError(`Plugin returned a value that doesn't resemble AWS credentials: ${inspect(initial)}`);
   }
 }
 
@@ -154,7 +155,7 @@ function refreshFromPluginProvider(current: AwsCredentialIdentity, producer: ()
     if (credentialsAboutToExpire(current)) {
       const newCreds = await producer();
       if (!isV3Credentials(newCreds)) {
-        throw new Error(`Plugin initially returned static V3 credentials but now returned something else: ${inspect(newCreds)}`);
+        throw new AuthenticationError(`Plugin initially returned static V3 credentials but now returned something else: ${inspect(newCreds)}`);
       }
       current = newCreds;
     }