fix(iam): service principals use unnecessary exceptions (under featur…

…e flag) (#22819) We have a database of service principal exceptions in different regions. This database is no longer necessary: all services now use the global service principal name for in-region references, and sometimes a standardized regional service principal name for cross-opt-in-region references. This PR changes the following things: ```ts new ServicePrincipal('service.amazonaws.com') // ➡️ always resolves to 'service.amazonaws.com', regardless of region // or service principal new ServicePrincipal('service.amazonaws.com', { region: 'me-south-1' }) // ➡️ resolves to 'service.me-south-1.amazonaws.com' in case of a // cross-region reference, or just 'service.amazonaws.com' otherwise. ``` Because change is scary (and because we are only 99% sure that this change has made it to all ADC regions), we put the new behavior behind a feature flag: ```json { "context": { "@aws-cdk/aws-iam:standardizedServicePrincipals": true } } ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Nov 10, 2022 · 65d8e3d · 65d8e3d
1 parent 6fe034c
commit 65d8e3d
Show file tree

Hide file tree

Showing 391 changed files with 4,297 additions and 9,244 deletions.
diff --git a/.../test/integ.stepfunctions-api.js.snapshot/StepFunctionsRestApiDeploymentStack.assets.json b/.../test/integ.stepfunctions-api.js.snapshot/StepFunctionsRestApiDeploymentStack.assets.json
@@ -1,15 +1,15 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "files": {
-    "15b69b6acb0a3b911686881039fd821b7be7a59737df5c36a7f1e7f0dc306c40": {
+    "06411bc9644c9af466e4101cc159122b7c5422ecbd496553c2a2ef821687361c": {
       "source": {
         "path": "StepFunctionsRestApiDeploymentStack.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "15b69b6acb0a3b911686881039fd821b7be7a59737df5c36a7f1e7f0dc306c40.json",
+          "objectKey": "06411bc9644c9af466e4101cc159122b7c5422ecbd496553c2a2ef821687361c.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/...est/integ.stepfunctions-api.js.snapshot/StepFunctionsRestApiDeploymentStack.template.json b/...est/integ.stepfunctions-api.js.snapshot/StepFunctionsRestApiDeploymentStack.template.json
@@ -9,15 +9,7 @@
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {
-        "Service": {
-         "Fn::FindInMap": [
-          "ServiceprincipalMap",
-          {
-           "Ref": "AWS::Region"
-          },
-          "states"
-         ]
-        }
+        "Service": "states.amazonaws.com"
        }
       }
      ],
@@ -290,100 +282,6 @@
    }
   }
  },
- "Mappings": {
-  "ServiceprincipalMap": {
-   "af-south-1": {
-    "states": "states.af-south-1.amazonaws.com"
-   },
-   "ap-east-1": {
-    "states": "states.ap-east-1.amazonaws.com"
-   },
-   "ap-northeast-1": {
-    "states": "states.ap-northeast-1.amazonaws.com"
-   },
-   "ap-northeast-2": {
-    "states": "states.ap-northeast-2.amazonaws.com"
-   },
-   "ap-northeast-3": {
-    "states": "states.ap-northeast-3.amazonaws.com"
-   },
-   "ap-south-1": {
-    "states": "states.ap-south-1.amazonaws.com"
-   },
-   "ap-southeast-1": {
-    "states": "states.ap-southeast-1.amazonaws.com"
-   },
-   "ap-southeast-2": {
-    "states": "states.ap-southeast-2.amazonaws.com"
-   },
-   "ap-southeast-3": {
-    "states": "states.ap-southeast-3.amazonaws.com"
-   },
-   "ca-central-1": {
-    "states": "states.ca-central-1.amazonaws.com"
-   },
-   "cn-north-1": {
-    "states": "states.cn-north-1.amazonaws.com"
-   },
-   "cn-northwest-1": {
-    "states": "states.cn-northwest-1.amazonaws.com"
-   },
-   "eu-central-1": {
-    "states": "states.eu-central-1.amazonaws.com"
-   },
-   "eu-north-1": {
-    "states": "states.eu-north-1.amazonaws.com"
-   },
-   "eu-south-1": {
-    "states": "states.eu-south-1.amazonaws.com"
-   },
-   "eu-south-2": {
-    "states": "states.eu-south-2.amazonaws.com"
-   },
-   "eu-west-1": {
-    "states": "states.eu-west-1.amazonaws.com"
-   },
-   "eu-west-2": {
-    "states": "states.eu-west-2.amazonaws.com"
-   },
-   "eu-west-3": {
-    "states": "states.eu-west-3.amazonaws.com"
-   },
-   "me-south-1": {
-    "states": "states.me-south-1.amazonaws.com"
-   },
-   "sa-east-1": {
-    "states": "states.sa-east-1.amazonaws.com"
-   },
-   "us-east-1": {
-    "states": "states.us-east-1.amazonaws.com"
-   },
-   "us-east-2": {
-    "states": "states.us-east-2.amazonaws.com"
-   },
-   "us-gov-east-1": {
-    "states": "states.us-gov-east-1.amazonaws.com"
-   },
-   "us-gov-west-1": {
-    "states": "states.us-gov-west-1.amazonaws.com"
-   },
-   "us-iso-east-1": {
-    "states": "states.amazonaws.com"
-   },
-   "us-iso-west-1": {
-    "states": "states.amazonaws.com"
-   },
-   "us-isob-east-1": {
-    "states": "states.amazonaws.com"
-   },
-   "us-west-1": {
-    "states": "states.us-west-1.amazonaws.com"
-   },
-   "us-west-2": {
-    "states": "states.us-west-2.amazonaws.com"
-   }
-  }
- },
  "Parameters": {
   "BootstrapVersion": {
    "Type": "AWS::SSM::Parameter::Value<String>",

diff --git a/packages/@aws-cdk/aws-apigateway/test/integ.stepfunctions-api.js.snapshot/cdk.out b/packages/@aws-cdk/aws-apigateway/test/integ.stepfunctions-api.js.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"20.0.0"}
+{"version":"21.0.0"}
diff --git a/packages/@aws-cdk/aws-apigateway/test/integ.stepfunctions-api.js.snapshot/integ.json b/packages/@aws-cdk/aws-apigateway/test/integ.stepfunctions-api.js.snapshot/integ.json
@@ -1,11 +1,12 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "testCases": {
     "step-functions-restapi/DefaultTest": {
       "stacks": [
         "StepFunctionsRestApiDeploymentStack"
       ],
-      "assertionStack": "step-functions-restapi/DefaultTest/DeployAssert"
+      "assertionStack": "step-functions-restapi/DefaultTest/DeployAssert",
+      "assertionStackName": "stepfunctionsrestapiDefaultTestDeployAssert53C3797F"
     }
   }
 }
diff --git a/packages/@aws-cdk/aws-apigateway/test/integ.stepfunctions-api.js.snapshot/manifest.json b/packages/@aws-cdk/aws-apigateway/test/integ.stepfunctions-api.js.snapshot/manifest.json
@@ -1,12 +1,6 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "artifacts": {
-    "Tree": {
-      "type": "cdk:tree",
-      "properties": {
-        "file": "tree.json"
-      }
-    },
     "StepFunctionsRestApiDeploymentStack.assets": {
       "type": "cdk:asset-manifest",
       "properties": {
@@ -23,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/15b69b6acb0a3b911686881039fd821b7be7a59737df5c36a7f1e7f0dc306c40.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/06411bc9644c9af466e4101cc159122b7c5422ecbd496553c2a2ef821687361c.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -105,12 +99,6 @@
             "data": "ApiEndpoint"
           }
         ],
-        "/StepFunctionsRestApiDeploymentStack/Service-principalMap": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "ServiceprincipalMap"
-          }
-        ],
         "/StepFunctionsRestApiDeploymentStack/BootstrapVersion": [
           {
             "type": "aws:cdk:logicalId",
@@ -172,6 +160,12 @@
         ]
       },
       "displayName": "step-functions-restapi/DefaultTest/DeployAssert"
+    },
+    "Tree": {
+      "type": "cdk:tree",
+      "properties": {
+        "file": "tree.json"
+      }
     }
   }
 }
diff --git a/...functions-api.js.snapshot/stepfunctionsrestapiDefaultTestDeployAssert53C3797F.assets.json b/...functions-api.js.snapshot/stepfunctionsrestapiDefaultTestDeployAssert53C3797F.assets.json
@@ -1,5 +1,5 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "files": {
     "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
       "source": {

diff --git a/packages/@aws-cdk/aws-apigateway/test/integ.stepfunctions-api.js.snapshot/tree.json b/packages/@aws-cdk/aws-apigateway/test/integ.stepfunctions-api.js.snapshot/tree.json
@@ -4,14 +4,6 @@
     "id": "App",
     "path": "",
     "children": {
-      "Tree": {
-        "id": "Tree",
-        "path": "Tree",
-        "constructInfo": {
-          "fqn": "constructs.Construct",
-          "version": "10.1.85"
-        }
-      },
       "StepFunctionsRestApiDeploymentStack": {
         "id": "StepFunctionsRestApiDeploymentStack",
         "path": "StepFunctionsRestApiDeploymentStack",
@@ -44,15 +36,7 @@
                               "Action": "sts:AssumeRole",
                               "Effect": "Allow",
                               "Principal": {
-                                "Service": {
-                                  "Fn::FindInMap": [
-                                    "ServiceprincipalMap",
-                                    {
-                                      "Ref": "AWS::Region"
-                                    },
-                                    "states"
-                                  ]
-                                }
+                                "Service": "states.amazonaws.com"
                               }
                             }
                           ],
@@ -453,22 +437,30 @@
             "id": "ApiEndpoint",
             "path": "StepFunctionsRestApiDeploymentStack/ApiEndpoint",
             "constructInfo": {
-              "fqn": "constructs.Construct",
-              "version": "10.1.85"
+              "fqn": "@aws-cdk/core.CfnOutput",
+              "version": "0.0.0"
             }
           },
-          "Service-principalMap": {
-            "id": "Service-principalMap",
-            "path": "StepFunctionsRestApiDeploymentStack/Service-principalMap",
+          "BootstrapVersion": {
+            "id": "BootstrapVersion",
+            "path": "StepFunctionsRestApiDeploymentStack/BootstrapVersion",
             "constructInfo": {
-              "fqn": "constructs.Construct",
-              "version": "10.1.85"
+              "fqn": "@aws-cdk/core.CfnParameter",
+              "version": "0.0.0"
+            }
+          },
+          "CheckBootstrapVersion": {
+            "id": "CheckBootstrapVersion",
+            "path": "StepFunctionsRestApiDeploymentStack/CheckBootstrapVersion",
+            "constructInfo": {
+              "fqn": "@aws-cdk/core.CfnRule",
+              "version": "0.0.0"
             }
           }
         },
         "constructInfo": {
-          "fqn": "constructs.Construct",
-          "version": "10.1.85"
+          "fqn": "@aws-cdk/core.Stack",
+          "version": "0.0.0"
         }
       },
       "step-functions-restapi": {
@@ -484,15 +476,33 @@
                 "path": "step-functions-restapi/DefaultTest/Default",
                 "constructInfo": {
                   "fqn": "constructs.Construct",
-                  "version": "10.1.85"
+                  "version": "10.1.140"
                 }
               },
               "DeployAssert": {
                 "id": "DeployAssert",
                 "path": "step-functions-restapi/DefaultTest/DeployAssert",
+                "children": {
+                  "BootstrapVersion": {
+                    "id": "BootstrapVersion",
+                    "path": "step-functions-restapi/DefaultTest/DeployAssert/BootstrapVersion",
+                    "constructInfo": {
+                      "fqn": "@aws-cdk/core.CfnParameter",
+                      "version": "0.0.0"
+                    }
+                  },
+                  "CheckBootstrapVersion": {
+                    "id": "CheckBootstrapVersion",
+                    "path": "step-functions-restapi/DefaultTest/DeployAssert/CheckBootstrapVersion",
+                    "constructInfo": {
+                      "fqn": "@aws-cdk/core.CfnRule",
+                      "version": "0.0.0"
+                    }
+                  }
+                },
                 "constructInfo": {
-                  "fqn": "constructs.Construct",
-                  "version": "10.1.85"
+                  "fqn": "@aws-cdk/core.Stack",
+                  "version": "0.0.0"
                 }
               }
             },
@@ -506,11 +516,19 @@
           "fqn": "@aws-cdk/integ-tests.IntegTest",
           "version": "0.0.0"
         }
+      },
+      "Tree": {
+        "id": "Tree",
+        "path": "Tree",
+        "constructInfo": {
+          "fqn": "constructs.Construct",
+          "version": "10.1.140"
+        }
       }
     },
     "constructInfo": {
-      "fqn": "constructs.Construct",
-      "version": "10.1.85"
+      "fqn": "@aws-cdk/core.App",
+      "version": "0.0.0"
     }
   }
 }
diff --git a/...ges/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/aws-appsync-integ.assets.json b/...ges/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/aws-appsync-integ.assets.json
@@ -1,15 +1,15 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "files": {
-    "b0462850439179659920597f4327262b24073af4f4969622163b0a295fce1dda": {
+    "8af15bf3b17fb15e9d1b558caa4d5484d9b85fd19d3d939c866e805212d8d66a": {
       "source": {
         "path": "aws-appsync-integ.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "b0462850439179659920597f4327262b24073af4f4969622163b0a295fce1dda.json",
+          "objectKey": "8af15bf3b17fb15e9d1b558caa4d5484d9b85fd19d3d939c866e805212d8d66a.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/...s/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/aws-appsync-integ.template.json b/...s/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/aws-appsync-integ.template.json
@@ -42,7 +42,7 @@
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {
-        "Service": "appsync.amazonaws.com"
+        "Service": "appsync"
        }
       }
      ],

diff --git a/packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/cdk.out b/packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"20.0.0"}
+{"version":"21.0.0"}
diff --git a/packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/integ.json b/packages/@aws-cdk/aws-appsync/test/integ.auth-apikey.js.snapshot/integ.json
@@ -1,5 +1,5 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "testCases": {
     "integ.auth-apikey": {
       "stacks": [