chore: forward merge 'master' into 'v2-main' (#15985)

Automated action from aws/cdk-ops
aws · Aug 12, 2021 · 2f92e63 · 2f92e63
2 parents fb5dc58 + 32a406b
commit 2f92e63
Show file tree

Hide file tree

Showing 29 changed files with 702 additions and 45 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,20 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.118.0](https://github.com/aws/aws-cdk/compare/v1.117.0...v1.118.0) (2021-08-10)
+
+
+### Features
+
+* **aws-elbv2:** ALB target group routing algorithms ([#15622](https://github.com/aws/aws-cdk/issues/15622)) ([6b32b2f](https://github.com/aws/aws-cdk/commit/6b32b2fb0c6ed2a21eb929e39930c6c9cf668dae)), closes [#15160](https://github.com/aws/aws-cdk/issues/15160)
+* **cognito:** add support for token revocation in UserPoolClient ([#15317](https://github.com/aws/aws-cdk/issues/15317)) ([8cb0e97](https://github.com/aws/aws-cdk/commit/8cb0e97ea663e0447af77842e1a8efa8aee917eb)), closes [#15126](https://github.com/aws/aws-cdk/issues/15126)
+* **pipelines:** add `synthCodeBuildDefaults` ([#15627](https://github.com/aws/aws-cdk/issues/15627)) ([04b8d40](https://github.com/aws/aws-cdk/commit/04b8d400b2653aff4f48709e8b420c6adb996ef5))
+
+
+### Bug Fixes
+
+* **ec2:** "clientVpnEndoint" => "clientVpnEndpoint" ([#14902](https://github.com/aws/aws-cdk/issues/14902)) ([c3b872a](https://github.com/aws/aws-cdk/commit/c3b872ad47ff3bdf2c841aa195b6fa6922c03769)), closes [#13810](https://github.com/aws/aws-cdk/issues/13810)
+
 ## [1.117.0](https://github.com/aws/aws-cdk/compare/v1.116.0...v1.117.0) (2021-08-05)
 
 

diff --git a/packages/@aws-cdk/aws-apigatewayv2/README.md b/packages/@aws-cdk/aws-apigatewayv2/README.md
@@ -316,7 +316,7 @@ To retrieve a websocket URL and a callback URL:
 ```ts
 const webSocketURL = webSocketStage.url;
 // wss://${this.api.apiId}.execute-api.${s.region}.${s.urlSuffix}/${urlPath}
-const callbackURL = webSocketURL.callbackUrl;
+const callbackURL = webSocketStage.callbackUrl;
 // https://${this.api.apiId}.execute-api.${s.region}.${s.urlSuffix}/${urlPath}
 ```
 

diff --git a/packages/@aws-cdk/aws-apigatewayv2/lib/http/api.ts b/packages/@aws-cdk/aws-apigatewayv2/lib/http/api.ts
@@ -84,7 +84,7 @@ export interface IHttpApi extends IApi {
  */
 export interface HttpApiProps {
   /**
-   * Name for the HTTP API resoruce
+   * Name for the HTTP API resource
    * @default - id of the HttpApi construct.
    */
   readonly apiName?: string;
@@ -209,7 +209,7 @@ export interface CorsPreflightOptions {
 }
 
 /**
- * Options for the Route with Integration resoruce
+ * Options for the Route with Integration resource
  */
 export interface AddRoutesOptions extends BatchHttpRouteOptions {
   /**

diff --git a/packages/@aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts b/packages/@aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts
@@ -106,6 +106,15 @@ export interface CodeCommitSourceActionProps extends codepipeline.CommonAwsActio
 
 /**
  * CodePipeline Source that is provided by an AWS CodeCommit repository.
+ *
+ * If the CodeCommit repository is in a different account, you must use
+ * `CodeCommitTrigger.EVENTS` to trigger the pipeline.
+ *
+ * (That is because the Pipeline structure normally only has a `RepositoryName`
+ * field, and that is not enough for the pipeline to locate the repository's
+ * source account. However, if the pipeline is triggered via an EventBridge
+ * event, the event itself has the full repository ARN in there, allowing the
+ * pipeline to locate the repository).
  */
 export class CodeCommitSourceAction extends Action {
   /**

diff --git a/packages/@aws-cdk/aws-cognito/README.md b/packages/@aws-cdk/aws-cognito/README.md
@@ -565,6 +565,21 @@ pool.addClient('app-client', {
 });
 ```
 
+If the identity provider and the app client are created in the same stack, specify the dependency between both constructs to make sure that the identity provider already exists when the app client will be created. The app client cannot handle the dependency to the identity provider automatically because the client does not have access to the provider's construct.
+
+```ts
+const provider = new cognito.UserPoolIdentityProviderAmazon(this, 'Amazon', {
+  // ...
+});
+const client = pool.addClient('app-client', {
+  // ...
+  supportedIdentityProviders: [
+    cognito.UserPoolClientIdentityProvider.AMAZON,
+  ],
+}
+client.node.addDependency(provider);
+```
+
 In accordance with the OIDC open standard, Cognito user pool clients provide access tokens, ID tokens and refresh tokens.
 More information is available at [Using Tokens with User Pools](https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html).
 The expiration time for these tokens can be configured as shown below.
@@ -603,6 +618,17 @@ pool.addClient('app-client', {
 });
 ```
 
+[Token revocation](https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html
+) can be configured to be able to revoke refresh tokens in app clients. By default, token revocation is enabled for new user pools. The property can be used to enable the token revocation in existing app clients or to change the default behavior.
+
+```ts
+const pool = new cognito.UserPool(this, 'Pool');
+pool.addClient('app-client', {
+  // ...
+  enableTokenRevocation: true,
+});
+``` 
+
 ### Resource Servers
 
 A resource server is a server for access-protected resources. It handles authenticated requests from an app that has an

diff --git a/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts b/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts
@@ -293,6 +293,13 @@ export interface UserPoolClientOptions {
    * @default - all standard and custom attributes
    */
   readonly writeAttributes?: ClientAttributes;
+
+  /**
+   * Enable token revocation for this client.
+   * @see https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html#enable-token-revocation
+   * @default true for new user pool clients
+   */
+  readonly enableTokenRevocation?: boolean;
 }
 
 /**
@@ -381,6 +388,7 @@ export class UserPoolClient extends Resource implements IUserPoolClient {
       supportedIdentityProviders: this.configureIdentityProviders(props),
       readAttributes: props.readAttributes?.attributes(),
       writeAttributes: props.writeAttributes?.attributes(),
+      enableTokenRevocation: props.enableTokenRevocation,
     });
     this.configureTokenValidity(resource, props);
 

diff --git a/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts b/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts
@@ -541,6 +541,53 @@ describe('User Pool Client', () => {
     })).toThrow(/disableOAuth is set/);
   });
 
+  test('EnableTokenRevocation is absent by default', () => {
+    // GIVEN
+    const stack = new Stack();
+    const pool = new UserPool(stack, 'Pool');
+
+    // WHEN
+    pool.addClient('Client');
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
+      EnableTokenRevocation: Match.absentProperty(),
+    });
+  });
+
+  test('enableTokenRevocation in addClient', () => {
+    // GIVEN
+    const stack = new Stack();
+    const pool = new UserPool(stack, 'Pool');
+
+    // WHEN
+    pool.addClient('Client', {
+      enableTokenRevocation: true,
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
+      EnableTokenRevocation: true,
+    });
+  });
+
+  test('enableTokenRevocation in UserPoolClient', () => {
+    // GIVEN
+    const stack = new Stack();
+    const pool = new UserPool(stack, 'Pool');
+
+    // WHEN
+    new UserPoolClient(stack, 'Client1', {
+      userPool: pool,
+      enableTokenRevocation: true,
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
+      EnableTokenRevocation: true,
+    });
+  });
+
   describe('token validity', () => {
     test('default', () => {
       // GIVEN

diff --git a/packages/@aws-cdk/aws-ec2/lib/client-vpn-authorization-rule.ts b/packages/@aws-cdk/aws-ec2/lib/client-vpn-authorization-rule.ts
@@ -35,19 +35,38 @@ export interface ClientVpnAuthorizationRuleOptions {
 export interface ClientVpnAuthorizationRuleProps extends ClientVpnAuthorizationRuleOptions {
   /**
    * The client VPN endpoint to which to add the rule.
+   * @default clientVpnEndpoint is required
    */
-  readonly clientVpnEndoint: IClientVpnEndpoint;
+  readonly clientVpnEndpoint?: IClientVpnEndpoint;
+
+  /**
+   * The client VPN endpoint to which to add the rule.
+   * @deprecated Use `clientVpnEndpoint` instead
+   * @default clientVpnEndpoint is required
+   */
+  readonly clientVpnEndoint?: IClientVpnEndpoint;
 }
 
 /**
  * A client VPN authorization rule
  */
 export class ClientVpnAuthorizationRule extends Resource {
   constructor(scope: Construct, id: string, props: ClientVpnAuthorizationRuleProps) {
+    if (!props.clientVpnEndoint && !props.clientVpnEndpoint) {
+      throw new Error(
+        'ClientVpnAuthorizationRule: either clientVpnEndpoint or clientVpnEndoint (deprecated) must be specified',
+      );
+    }
+    if (props.clientVpnEndoint && props.clientVpnEndpoint) {
+      throw new Error(
+        'ClientVpnAuthorizationRule: either clientVpnEndpoint or clientVpnEndoint (deprecated) must be specified' +
+          ', but not both',
+      );
+    }
+    const clientVpnEndpoint = props.clientVpnEndoint || props.clientVpnEndpoint;
     super(scope, id);
-
     new CfnClientVpnAuthorizationRule(this, 'Resource', {
-      clientVpnEndpointId: props.clientVpnEndoint.endpointId,
+      clientVpnEndpointId: clientVpnEndpoint!.endpointId,
       targetNetworkCidr: props.cidr,
       accessGroupId: props.groupId,
       authorizeAllGroups: !props.groupId,

diff --git a/packages/@aws-cdk/aws-ec2/lib/client-vpn-endpoint.ts b/packages/@aws-cdk/aws-ec2/lib/client-vpn-endpoint.ts
@@ -356,7 +356,7 @@ export class ClientVpnEndpoint extends Resource implements IClientVpnEndpoint {
   public addAuthorizationRule(id: string, props: ClientVpnAuthorizationRuleOptions): ClientVpnAuthorizationRule {
     return new ClientVpnAuthorizationRule(this, id, {
       ...props,
-      clientVpnEndoint: this,
+      clientVpnEndpoint: this,
     });
   }
 
@@ -366,7 +366,7 @@ export class ClientVpnEndpoint extends Resource implements IClientVpnEndpoint {
   public addRoute(id: string, props: ClientVpnRouteOptions): ClientVpnRoute {
     return new ClientVpnRoute(this, id, {
       ...props,
-      clientVpnEndoint: this,
+      clientVpnEndpoint: this,
     });
   }
 }

diff --git a/packages/@aws-cdk/aws-ec2/lib/client-vpn-route.ts b/packages/@aws-cdk/aws-ec2/lib/client-vpn-route.ts
@@ -62,27 +62,47 @@ export abstract class ClientVpnRouteTarget {
  * Properties for a ClientVpnRoute
  */
 export interface ClientVpnRouteProps extends ClientVpnRouteOptions {
+
+  /**
+   * The client VPN endpoint to which to add the route.
+   * @default clientVpnEndpoint is required
+   */
+  readonly clientVpnEndpoint?: IClientVpnEndpoint;
   /**
    * The client VPN endpoint to which to add the route.
+   * @deprecated Use `clientVpnEndpoint` instead
+   * @default clientVpnEndpoint is required
+
    */
-  readonly clientVpnEndoint: IClientVpnEndpoint;
+  readonly clientVpnEndoint?: IClientVpnEndpoint;
 }
 
 /**
  * A client VPN route
  */
 export class ClientVpnRoute extends Resource {
   constructor(scope: Construct, id: string, props: ClientVpnRouteProps) {
+    if (!props.clientVpnEndoint && !props.clientVpnEndpoint) {
+      throw new Error(
+        'ClientVpnRoute: either clientVpnEndpoint or clientVpnEndoint (deprecated) must be specified',
+      );
+    }
+    if (props.clientVpnEndoint && props.clientVpnEndpoint) {
+      throw new Error(
+        'ClientVpnRoute: either clientVpnEndpoint or clientVpnEndoint (deprecated) must be specified' +
+          ', but not both',
+      );
+    }
+    const clientVpnEndpoint = props.clientVpnEndoint || props.clientVpnEndpoint;
     super(scope, id);
-
     const route = new CfnClientVpnRoute(this, 'Resource', {
-      clientVpnEndpointId: props.clientVpnEndoint.endpointId,
+      clientVpnEndpointId: clientVpnEndpoint!.endpointId,
       description: props.description,
       destinationCidrBlock: props.cidr,
       targetVpcSubnetId: props.target.subnetId,
     });
 
     // See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-clientvpnroute.html
-    route.node.addDependency(props.clientVpnEndoint.targetNetworksAssociated);
+    route.node.addDependency(clientVpnEndpoint!.targetNetworksAssociated);
   }
 }
diff --git a/packages/@aws-cdk/aws-ec2/test/client-vpn-authorization-rule.test.ts b/packages/@aws-cdk/aws-ec2/test/client-vpn-authorization-rule.test.ts
@@ -0,0 +1,98 @@
+import '@aws-cdk/assert-internal/jest';
+import { App, Stack } from '@aws-cdk/core';
+import { Connections, IClientVpnEndpoint } from '../lib';
+import { ClientVpnAuthorizationRule } from '../lib/client-vpn-authorization-rule';
+
+let stack: Stack;
+beforeEach(() => {
+  const app = new App({
+    context: {
+      '@aws-cdk/core:newStyleStackSynthesis': false,
+    },
+  });
+  stack = new Stack(app);
+});
+
+describe('ClientVpnAuthorizationRule constructor', () => {
+  test('normal usage', () => {
+    const clientVpnEndpoint: IClientVpnEndpoint = {
+      endpointId: 'myClientVpnEndpoint',
+      targetNetworksAssociated: [],
+      stack,
+      env: { account: 'myAccount', region: 'us-east-1' },
+      connections: new Connections(),
+      node: stack.node,
+    };
+    new ClientVpnAuthorizationRule(stack, 'NormalRule', {
+      cidr: '10.0.10.0/32',
+      clientVpnEndpoint,
+    });
+    expect(stack).toCountResources('AWS::EC2::ClientVpnAuthorizationRule', 1);
+    expect(stack.node.children.length).toBe(1);
+  });
+  test('either clientVpnEndoint (deprecated, typo) or clientVpnEndpoint is required', () => {
+    expect(() => {
+      new ClientVpnAuthorizationRule(stack, 'RuleNoEndointNoEndpoint', {
+        cidr: '10.0.10.0/32',
+      });
+    }).toThrow(
+      new Error(
+        'ClientVpnAuthorizationRule: either clientVpnEndpoint or clientVpnEndoint (deprecated) must be specified',
+      ),
+    );
+  });
+  test('specifying both clientVpnEndoint (deprecated, typo) and clientVpnEndpoint is not allowed', () => {
+    const clientVpnEndoint: IClientVpnEndpoint = {
+      endpointId: 'typoTypo',
+      targetNetworksAssociated: [],
+      stack,
+      env: { account: 'myAccount', region: 'us-east-1' },
+      connections: new Connections(),
+      node: stack.node,
+    };
+    const clientVpnEndpoint: IClientVpnEndpoint = {
+      endpointId: 'myClientVpnEndpoint',
+      targetNetworksAssociated: [],
+      stack,
+      env: { account: 'myAccount', region: 'us-east-1' },
+      connections: new Connections(),
+      node: stack.node,
+    };
+    expect(() => {
+      new ClientVpnAuthorizationRule(stack, 'RuleBothEndointAndEndpoint', {
+        cidr: '10.0.10.0/32',
+        clientVpnEndoint,
+        clientVpnEndpoint,
+      });
+    }).toThrow(
+      new Error(
+        'ClientVpnAuthorizationRule: either clientVpnEndpoint or clientVpnEndoint (deprecated) must be specified' +
+          ', but not both',
+      ),
+    );
+  });
+  test('invalid constructor calls should not add anything to the stack', () => {
+    expect(() => {
+      new ClientVpnAuthorizationRule(stack, 'RuleNoEndointNoEndpoint', {
+        cidr: '10.0.10.0/32',
+      });
+    }).toThrow();
+    expect(stack.node.children.length).toBe(0);
+  });
+  test('supplying clientVpnEndoint (deprecated due to typo) should still work', () => {
+    const clientVpnEndoint: IClientVpnEndpoint = {
+      endpointId: 'myClientVpnEndpoint',
+      targetNetworksAssociated: [],
+      stack,
+      env: { account: 'myAccount', region: 'us-east-1' },
+      connections: new Connections(),
+      node: stack.node,
+    };
+    new ClientVpnAuthorizationRule(stack, 'RuleWithEndointTypo', {
+      cidr: '10.0.10.0/32',
+      clientVpnEndoint,
+    });
+    expect(stack).toCountResources('AWS::EC2::ClientVpnAuthorizationRule', 1);
+    expect(stack.node.children.length).toBe(1);
+  });
+});