Merge branch 'master' into huijbers/python-monopackage-v1

Author: mergify[bot]

link-all.sh

@@ -26,7 +26,7 @@ for module in ${modules}; do
   # according to spec (we look in the bin/ directory instead of the { "scripts"
   # } entry in package.json but it's quite a bit easier.
   if [[ -d $module/bin ]]; then
-    for script in $(find $module/bin -perm /111); do
+    for script in $(find $module/bin -perm +111); do
       echo "${script} => node_modules/.bin/$(basename $script)"
       ln -fs ${script} node_modules/.bin
     done

packages/@aws-cdk/aws-certificatemanager/README.md

@@ -68,7 +68,7 @@ When working with multiple domains, use the `CertificateValidation.fromDnsMultiZ
 const exampleCom = new route53.HostedZone(this, 'ExampleCom', {
   zoneName: 'example.com',
 });
-const exampleNet = new route53.HostedZone(this, 'ExampelNet', {
+const exampleNet = new route53.HostedZone(this, 'ExampleNet', {
   zoneName: 'example.net',
 });
 

packages/@aws-cdk/aws-ecr/README.md

@@ -74,6 +74,14 @@ ecr.PublicGalleryAuthorizationToken.grantRead(user);
 
 This user can then proceed to login to the registry using one of the [authentication methods](https://docs.aws.amazon.com/AmazonECR/latest/public/public-registries.html#public-registry-auth).
 
+### Image tag immutability
+
+You can set tag immutability on images in our repository using the `imageTagMutability` construct prop.
+
+```ts
+new ecr.Repository(stack, 'Repo', { imageTagMutability: ecr.TagMutability.IMMUTABLE });
+```
+
 ## Automatically clean up repositories
 
 You can set life cycle rules to automatically clean up old images from your

packages/@aws-cdk/aws-ecr/lib/repository.ts

@@ -354,6 +354,13 @@ export interface RepositoryProps {
    *  @default false
    */
   readonly imageScanOnPush?: boolean;
+
+  /**
+   * The tag mutability setting for the repository. If this parameter is omitted, the default setting of MUTABLE will be used which will allow image tags to be overwritten.
+   *
+   *  @default TagMutability.MUTABLE
+   */
+  readonly imageTagMutability?: TagMutability;
 }
 
 export interface RepositoryAttributes {
@@ -452,6 +459,7 @@ export class Repository extends RepositoryBase {
       imageScanningConfiguration: !props.imageScanOnPush ? undefined : {
         ScanOnPush: true,
       },
+      imageTagMutability: props.imageTagMutability || undefined,
     });
 
     resource.applyRemovalPolicy(props.removalPolicy);
@@ -610,3 +618,19 @@ const enum CountType {
    */
   SINCE_IMAGE_PUSHED = 'sinceImagePushed',
 }
+
+/**
+ * The tag mutability setting for your repository.
+ */
+export enum TagMutability {
+  /**
+   * allow image tags to be overwritten.
+   */
+  MUTABLE = 'MUTABLE',
+
+  /**
+   * all image tags within the repository will be immutable which will prevent them from being overwritten.
+   */
+  IMMUTABLE = 'IMMUTABLE',
+
+}

packages/@aws-cdk/aws-ecr/package.json

@@ -103,6 +103,7 @@
       "import:@aws-cdk/aws-ecr.Repository",
       "construct-base-is-private:@aws-cdk/aws-ecr.RepositoryBase",
       "docs-public-apis:@aws-cdk/aws-ecr.Repository.fromRepositoryArn",
+      "docs-public-apis:@aws-cdk/aws-ecr.Repository.imageTagMutability",
       "docs-public-apis:@aws-cdk/aws-ecr.Repository.fromRepositoryName",
       "props-default-doc:@aws-cdk/aws-ecr.LifecycleRule.maxImageAge",
       "props-default-doc:@aws-cdk/aws-ecr.LifecycleRule.maxImageCount",

packages/@aws-cdk/aws-ecr/test/test.repository.ts

@@ -63,6 +63,20 @@ export = {
     test.done();
   },
 
+
+  'image tag mutability can be set'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    new ecr.Repository(stack, 'Repo', { imageTagMutability: ecr.TagMutability.IMMUTABLE });
+
+    // THEN
+    expect(stack).to(haveResource('AWS::ECR::Repository', {
+      ImageTagMutability: 'IMMUTABLE',
+    }));
+
+    test.done();
+  },
+
   'add day-based lifecycle policy'(test: Test) {
     // GIVEN
     const stack = new cdk.Stack();

packages/@aws-cdk/aws-ecs/README.md

@@ -728,6 +728,20 @@ new ecs.Ec2Service(stack, 'Service', {
 });
 ```
 
+### Associate With a Specific CloudMap Service
+
+You may associate an ECS service with a specific CloudMap service. To do
+this, use the service's `associateCloudMapService` method:
+
+```ts
+const cloudMapService = new cloudmap.Service(...);
+const ecsService = new ecs.FargateService(...);
+
+ecsService.associateCloudMapService({
+  service: cloudMapService,
+});
+```
+
 ## Capacity Providers
 
 Currently, only `FARGATE` and `FARGATE_SPOT` capacity providers are supported.

packages/@aws-cdk/aws-ecs/lib/base/base-service.ts

@@ -601,6 +601,27 @@ export abstract class BaseService extends Resource
     return cloudmapService;
   }
 
+  /**
+   * Associates this service with a CloudMap service
+   */
+  public associateCloudMapService(options: AssociateCloudMapServiceOptions): void {
+    const service = options.service;
+
+    const { containerName, containerPort } = determineContainerNameAndPort({
+      taskDefinition: this.taskDefinition,
+      dnsRecordType: service.dnsRecordType,
+      container: options.container,
+      containerPort: options.containerPort,
+    });
+
+    // add Cloudmap service to the ECS Service's serviceRegistry
+    this.addServiceRegistry({
+      arn: service.serviceArn,
+      containerName,
+      containerPort,
+    });
+  }
+
   /**
    * This method returns the specified CloudWatch metric name for this service.
    */
@@ -748,6 +769,10 @@ export abstract class BaseService extends Resource
    * Associate Service Discovery (Cloud Map) service
    */
   private addServiceRegistry(registry: ServiceRegistry) {
+    if (this.serviceRegistries.length >= 1) {
+      throw new Error('Cannot associate with the given service discovery registry. ECS supports at most one service registry per service.');
+    }
+
     const sr = this.renderServiceRegistry(registry);
     this.serviceRegistries.push(sr);
   }
@@ -816,6 +841,28 @@ export interface CloudMapOptions {
   readonly containerPort?: number;
 }
 
+/**
+ * The options for using a cloudmap service.
+ */
+export interface AssociateCloudMapServiceOptions {
+  /**
+   * The cloudmap service to register with.
+   */
+  readonly service: cloudmap.IService;
+
+  /**
+   * The container to point to for a SRV record.
+   * @default - the task definition's default container
+   */
+  readonly container?: ContainerDefinition;
+
+  /**
+   * The port to point to for a SRV record.
+   * @default - the default port of the task definition's default container
+   */
+  readonly containerPort?: number;
+}
+
 /**
  * Service Registry for ECS service
  */

packages/@aws-cdk/aws-ecs/test/fargate/fargate-service.test.ts

@@ -262,6 +262,101 @@ nodeunitShim({
       test.done();
     },
 
+    'with user-provided cloudmap service'(test: Test) {
+      // GIVEN
+      const stack = new cdk.Stack();
+      const vpc = new ec2.Vpc(stack, 'MyVpc', {});
+      const cluster = new ecs.Cluster(stack, 'EcsCluster', { vpc });
+      const taskDefinition = new ecs.FargateTaskDefinition(stack, 'FargateTaskDef');
+
+      const container = taskDefinition.addContainer('web', {
+        image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
+        memoryLimitMiB: 512,
+      });
+      container.addPortMappings({ containerPort: 8000 });
+
+      const cloudMapNamespace = new cloudmap.PrivateDnsNamespace(stack, 'TestCloudMapNamespace', {
+        name: 'scorekeep.com',
+        vpc,
+      });
+
+      const cloudMapService = new cloudmap.Service(stack, 'Service', {
+        name: 'service-name',
+        namespace: cloudMapNamespace,
+        dnsRecordType: cloudmap.DnsRecordType.SRV,
+      });
+
+      const ecsService = new ecs.FargateService(stack, 'FargateService', {
+        cluster,
+        taskDefinition,
+      });
+
+      // WHEN
+      ecsService.associateCloudMapService({
+        service: cloudMapService,
+        container: container,
+        containerPort: 8000,
+      });
+
+      // THEN
+      expect(stack).to(haveResource('AWS::ECS::Service', {
+        ServiceRegistries: [
+          {
+            ContainerName: 'web',
+            ContainerPort: 8000,
+            RegistryArn: { 'Fn::GetAtt': ['ServiceDBC79909', 'Arn'] },
+          },
+        ],
+      }));
+
+      test.done();
+    },
+
+    'errors when more than one service registry used'(test: Test) {
+      // GIVEN
+      const stack = new cdk.Stack();
+      const vpc = new ec2.Vpc(stack, 'MyVpc', {});
+      const cluster = new ecs.Cluster(stack, 'EcsCluster', { vpc });
+      const taskDefinition = new ecs.FargateTaskDefinition(stack, 'FargateTaskDef');
+
+      const container = taskDefinition.addContainer('web', {
+        image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
+        memoryLimitMiB: 512,
+      });
+      container.addPortMappings({ containerPort: 8000 });
+
+      const cloudMapNamespace = new cloudmap.PrivateDnsNamespace(stack, 'TestCloudMapNamespace', {
+        name: 'scorekeep.com',
+        vpc,
+      });
+
+      const ecsService = new ecs.FargateService(stack, 'FargateService', {
+        cluster,
+        taskDefinition,
+      });
+
+      ecsService.enableCloudMap({
+        cloudMapNamespace,
+      });
+
+      const cloudMapService = new cloudmap.Service(stack, 'Service', {
+        name: 'service-name',
+        namespace: cloudMapNamespace,
+        dnsRecordType: cloudmap.DnsRecordType.SRV,
+      });
+
+      // WHEN / THEN
+      test.throws(() => {
+        ecsService.associateCloudMapService({
+          service: cloudMapService,
+          container: container,
+          containerPort: 8000,
+        });
+      }, /at most one service registry/i);
+
+      test.done();
+    },
+
     'with all properties set'(test: Test) {
       // GIVEN
       const stack = new cdk.Stack();

packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-listener.ts

@@ -266,9 +266,7 @@ export class ApplicationListener extends BaseListener implements IApplicationLis
     // Only one certificate can be specified per resource, even though
     // `certificates` is of type Array
     for (let i = 0; i < additionalCerts.length; i++) {
-      // ids should look like: `id`, `id2`, `id3` (for backwards-compatibility)
-      const certId = (i > 0) ? `${id}${i + 1}` : id;
-      new ApplicationListenerCertificate(this, certId, {
+      new ApplicationListenerCertificate(this, `${id}${i + 1}`, {
         listener: this,
         certificates: [additionalCerts[i]],
       });

packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/listener.test.ts

@@ -162,7 +162,7 @@ describe('tests', () => {
       ],
     });
 
-    expect(listener.node.tryFindChild('DefaultCertificates')).toBeDefined();
+    expect(listener.node.tryFindChild('DefaultCertificates1')).toBeDefined();
     expect(listener.node.tryFindChild('DefaultCertificates2')).toBeDefined();
     expect(listener.node.tryFindChild('DefaultCertificates3')).not.toBeDefined();
 

packages/@aws-cdk/aws-iam/lib/policy-statement.ts

@@ -64,7 +64,8 @@ export class PolicyStatement {
   constructor(props: PolicyStatementProps = {}) {
     // Validate actions
     for (const action of [...props.actions || [], ...props.notActions || []]) {
-      if (!/^(\*|[a-zA-Z0-9-]+:[a-zA-Z0-9*]+)$/.test(action)) {
+
+      if (!/^(\*|[a-zA-Z0-9-]+:[a-zA-Z0-9*]+)$/.test(action) && !cdk.Token.isUnresolved(action)) {
         throw new Error(`Action '${action}' is invalid. An action string consists of a service namespace, a colon, and the name of an action. Action names can include wildcards.`);
       }
     }

packages/@aws-cdk/aws-iam/test/policy-document.test.ts

@@ -102,6 +102,19 @@ describe('IAM policy document', () => {
     }).toThrow(/Action 'in:val:id' is invalid/);
   });
 
+  // https://github.com/aws/aws-cdk/issues/13479
+  test('Does not validate unresolved tokens', () => {
+    const stack = new Stack();
+    const perm = new PolicyStatement({
+      actions: [`${Lazy.string({ produce: () => 'sqs:sendMessage' })}`],
+    });
+
+    expect(stack.resolve(perm.toStatementJson())).toEqual({
+      Effect: 'Allow',
+      Action: 'sqs:sendMessage',
+    });
+  });
+
   test('Cannot combine Resources and NotResources', () => {
     expect(() => {
       new PolicyStatement({

packages/@aws-cdk/aws-neptune/README.md

@@ -67,13 +67,13 @@ versions and limitations.
 The following example shows enabling IAM authentication for a database cluster and granting connection access to an IAM role.
 
 ```ts
-const cluster = new rds.DatabaseCluster(stack, 'Cluster', {
+const cluster = new neptune.DatabaseCluster(this, 'Cluster', {
   vpc,
   instanceType: neptune.InstanceType.R5_LARGE,
   iamAuthentication: true, // Optional - will be automatically set if you call grantConnect().
 });
-const role = new Role(stack, 'DBRole', { assumedBy: new AccountPrincipal(stack.account) });
-instance.grantConnect(role); // Grant the role connection access to the DB.
+const role = new iam.Role(this, 'DBRole', { assumedBy: new iam.AccountPrincipal(this.account) });
+cluster.grantConnect(role); // Grant the role connection access to the DB.
 ```
 
 ## Customizing parameters

packages/@aws-cdk/aws-neptune/rosetta/default.ts-fixture

@@ -1,5 +1,6 @@
 import { Duration, Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
+import * as iam from '@aws-cdk/aws-iam';
 import * as ec2 from '@aws-cdk/aws-ec2';
 import * as neptune from '@aws-cdk/aws-neptune';
 

packages/@aws-cdk/aws-s3outposts/.eslintrc.js

@@ -0,0 +1,3 @@
+const baseConfig = require('cdk-build-tools/config/eslintrc');
+baseConfig.parserOptions.project = __dirname + '/tsconfig.json';
+module.exports = baseConfig;

packages/@aws-cdk/aws-s3outposts/.gitignore

@@ -0,0 +1,19 @@
+*.js
+*.js.map
+*.d.ts
+tsconfig.json
+node_modules
+*.generated.ts
+dist
+.jsii
+
+.LAST_BUILD
+.nyc_output
+coverage
+.nycrc
+.LAST_PACKAGE
+*.snk
+nyc.config.js
+!.eslintrc.js
+!jest.config.js
+junit.xml