Merge branch 'master' into patch-1

CONTRIBUTING.md

@@ -662,7 +662,7 @@ extension](https://marketplace.visualstudio.com/items?itemName=dbaeumer.vscode-e
 
 #### pkglint
 
-The `pkglint` tool "lints" package.json files across the repo according to [rules.ts](tools/pkglint/lib/rules.ts).
+The `pkglint` tool "lints" package.json files across the repo according to [rules.ts](tools/@aws-cdk/pkglint/lib/rules.ts).
 
 To evaluate (and attempt to fix) all package linting issues in the repo, run the following command from the root of the
 repository (after bootstrapping):

design/aws-ecs/aws-ecs-fargate-capacity-providers.md

@@ -2,7 +2,7 @@
 
 ## Objective
 
-Since Capacity Providers are now supported in CloudFormation, incorporating support for Fargate Spot capacity has been one of the [top asks](https://github.com/aws/aws-cdk/issues?q=is%3Aissue+is%3Aopen+label%3A%40aws-cdk%2Faws-ecs+sort%3Areactions-%2B1-desc) for the ECS CDK module, with over 60 customer reactions. While there are still some outstanding issues regarding capacity provider support in general, specifically regarding cyclic workflows with named clusters (See: [CFN issue](http://%20https//github.com/aws/containers-roadmap/issues/631#issuecomment-702580141)), we should be able to move ahead with supporting `FARGATE` and `FARGATE_SPOT` capacity providers with our existing FargateService construct.
+Since Capacity Providers are now supported in CloudFormation, incorporating support for Fargate Spot capacity has been one of the [top asks](https://github.com/aws/aws-cdk/issues?q=is%3Aissue+is%3Aopen+label%3A%40aws-cdk%2Faws-ecs+sort%3Areactions-%2B1-desc) for the ECS CDK module, with over 60 customer reactions. While there are still some outstanding issues regarding capacity provider support in general, specifically regarding cyclic workflows with named clusters (See: [CFN issue](https://github.com/aws/containers-roadmap/issues/631#issuecomment-702580141)), we should be able to move ahead with supporting `FARGATE` and `FARGATE_SPOT` capacity providers with our existing FargateService construct.
 
 See: https://github.com/aws/aws-cdk/issues/5850
 
@@ -118,4 +118,3 @@ One alternative considered was to provide a more magical experience by populatin
 For future extensibility, we can however add an `addCapacityProvider` method on the Cluster resource, to allow modifying the cluster CapacityProviders field post-construction.
 
 Another option would be to create a new FargateCluster resource, that would have the two Fargate capacity providers set by default. The main advantage with this alternative would be that it would be consistent with the current Console experience, which sets the Fargate capacity providers for you if you choose the “Networking Only” cluster template via the cluster wizard. The downside is that it would be a more restrictive resource model that would go back on the decision to have a single generic ECS Cluster resource that could potentially contain both Fargate and EC2 services or tasks. Given that we are moving towards more generic versions of ECS resources, this is not a preferable solution. That being said, in the current iteration we can set the Fargate Capacity Providers on the cluster by default, but put them behind a feature flag, which we would be able to remove in the v2 version of the ECS module. Using the feature flag would ensure that there would not be a diff in the generated CFN template for existing customers defining ECS clusters in their stack who redeploy using an updated version of the CDK.
-

package.json

@@ -16,7 +16,7 @@
   },
   "devDependencies": {
     "@yarnpkg/lockfile": "^1.1.0",
-    "cdk-generate-synthetic-examples": "^0.1.3",
+    "cdk-generate-synthetic-examples": "^0.1.5",
     "conventional-changelog-cli": "^2.2.2",
     "fs-extra": "^9.1.0",
     "graceful-fs": "^4.2.9",

packages/@aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/package.json

@@ -33,7 +33,7 @@
     "@types/sinon": "^9.0.11",
     "@aws-cdk/cdk-build-tools": "0.0.0",
     "aws-sdk": "^2.596.0",
-    "aws-sdk-mock": "^5.6.0",
+    "aws-sdk-mock": "5.6.0",
     "eslint": "^7.32.0",
     "eslint-config-standard": "^14.1.1",
     "eslint-plugin-import": "^2.25.4",
@@ -43,7 +43,7 @@
     "jest": "^27.4.7",
     "lambda-tester": "^3.6.0",
     "sinon": "^9.2.4",
-    "nock": "^13.2.2",
+    "nock": "^13.2.4",
     "ts-jest": "^27.1.3"
   }
 }

packages/@aws-cdk/aws-dynamodb-global/lambda-packages/aws-global-table-coordinator/package.json

@@ -30,7 +30,7 @@
   "license": "Apache-2.0",
   "devDependencies": {
     "aws-sdk": "^2.596.0",
-    "aws-sdk-mock": "^5.6.0",
+    "aws-sdk-mock": "5.6.0",
     "eslint": "^7.32.0",
     "eslint-config-standard": "^14.1.1",
     "eslint-plugin-import": "^2.25.4",
@@ -39,6 +39,6 @@
     "eslint-plugin-standard": "^4.1.0",
     "jest": "^27.4.7",
     "lambda-tester": "^3.6.0",
-    "nock": "^13.2.2"
+    "nock": "^13.2.4"
   }
 }

packages/@aws-cdk/aws-dynamodb/package.json

@@ -88,7 +88,7 @@
     "@types/jest": "^27.4.0",
     "@types/sinon": "^9.0.11",
     "aws-sdk": "^2.848.0",
-    "aws-sdk-mock": "^5.6.0",
+    "aws-sdk-mock": "5.6.0",
     "jest": "^27.4.7",
     "sinon": "^9.2.4",
     "ts-jest": "^27.1.3"

packages/@aws-cdk/aws-eks-legacy/README.md

@@ -49,7 +49,7 @@ cluster.addResource('mypod', {
 });
 ```
 
-Here is a [complete sample](https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-eks/test/integ.eks-kubectl.lit.ts).
+Here is a [complete sample](https://github.com/aws/aws-cdk/blob/master/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-kubectl.lit.ts).
 
 ### Capacity
 

packages/@aws-cdk/aws-eks/README.md

@@ -1174,11 +1174,11 @@ chart2.node.addDependency(chart1);
 
 [CDK8s](https://cdk8s.io/) is an open-source library that enables Kubernetes manifest authoring using familiar programming languages. It is founded on the same technologies as the AWS CDK, such as [`constructs`](https://github.com/aws/constructs) and [`jsii`](https://github.com/aws/jsii).
 
-> To learn more about cdk8s, visit the [Getting Started](https://github.com/awslabs/cdk8s/tree/master/docs/getting-started) tutorials.
+> To learn more about cdk8s, visit the [Getting Started](https://cdk8s.io/docs/latest/getting-started/) tutorials.
 
 The EKS module natively integrates with cdk8s and allows you to apply cdk8s charts on AWS EKS clusters via the `cluster.addCdk8sChart` method.
 
-In addition to `cdk8s`, you can also use [`cdk8s+`](https://github.com/awslabs/cdk8s/tree/master/packages/cdk8s-plus), which provides higher level abstraction for the core kubernetes api objects.
+In addition to `cdk8s`, you can also use [`cdk8s+`](https://cdk8s.io/docs/latest/plus/), which provides higher level abstraction for the core kubernetes api objects.
 You can think of it like the `L2` constructs for Kubernetes. Any other `cdk8s` based libraries are also supported, for example [`cdk8s-debore`](https://github.com/toricls/cdk8s-debore).
 
 To get started, add the following dependencies to your `package.json` file:
@@ -1290,7 +1290,7 @@ export class LoadBalancedWebService extends constructs.Construct {
 
 If you find yourself unable to use `cdk8s+`, or just like to directly use the `k8s` native objects or CRD's, you can do so by manually importing them using the `cdk8s-cli`.
 
-See [Importing kubernetes objects](https://github.com/awslabs/cdk8s/tree/master/packages/cdk8s-cli#import) for detailed instructions.
+See [Importing kubernetes objects](https://cdk8s.io/docs/latest/cli/import/) for detailed instructions.
 
 ## Patching Kubernetes Resources
 

packages/@aws-cdk/aws-eks/package.json

@@ -89,8 +89,8 @@
     "@types/sinon": "^9.0.11",
     "@types/yaml": "1.9.6",
     "aws-sdk": "^2.848.0",
-    "cdk8s": "^1.4.13",
-    "cdk8s-plus-21": "^1.0.0-beta.79",
+    "cdk8s": "^1.5.7",
+    "cdk8s-plus-21": "^1.0.0-beta.81",
     "jest": "^27.4.7",
     "sinon": "^9.2.4"
   },

packages/@aws-cdk/aws-events-targets/package.json

@@ -88,7 +88,7 @@
     "@aws-cdk/pkglint": "0.0.0",
     "@types/jest": "^27.4.0",
     "aws-sdk": "^2.848.0",
-    "aws-sdk-mock": "^5.6.0",
+    "aws-sdk-mock": "5.6.0",
     "jest": "^27.4.7"
   },
   "dependencies": {

packages/@aws-cdk/aws-globalaccelerator-endpoints/package.json

@@ -82,7 +82,7 @@
     "@aws-cdk/pkglint": "0.0.0",
     "@types/jest": "^27.4.0",
     "aws-sdk": "^2.848.0",
-    "aws-sdk-mock": "^5.6.0",
+    "aws-sdk-mock": "5.6.0",
     "jest": "^27.4.7"
   },
   "dependencies": {

packages/@aws-cdk/aws-iam/README.md

@@ -202,7 +202,7 @@ const principal = new iam.AccountPrincipal('123456789000')
 
 > NOTE: If you need to define an IAM condition that uses a token (such as a
 > deploy-time attribute of another resource) in a JSON map key, use `CfnJson` to
-> render this condition. See [this test](./test/integ-condition-with-ref.ts) for
+> render this condition. See [this test](./test/integ.condition-with-ref.ts) for
 > an example.
 
 The `WebIdentityPrincipal` class can be used as a principal for web identities like

packages/@aws-cdk/aws-lambda-nodejs/package.json

@@ -78,7 +78,7 @@
     "@aws-cdk/pkglint": "0.0.0",
     "@types/jest": "^27.4.0",
     "delay": "5.0.0",
-    "esbuild": "^0.14.14"
+    "esbuild": "^0.14.18"
   },
   "dependencies": {
     "@aws-cdk/aws-lambda": "0.0.0",

packages/@aws-cdk/aws-logs/package.json

@@ -88,9 +88,9 @@
     "@types/jest": "^27.4.0",
     "@types/sinon": "^9.0.11",
     "aws-sdk": "^2.848.0",
-    "aws-sdk-mock": "^5.6.0",
+    "aws-sdk-mock": "5.6.0",
     "jest": "^27.4.7",
-    "nock": "^13.2.2",
+    "nock": "^13.2.4",
     "sinon": "^9.2.4"
   },
   "dependencies": {

packages/@aws-cdk/aws-route53-targets/README.md

@@ -108,7 +108,7 @@ See [the documentation on DNS addressing](https://docs.aws.amazon.com/global-acc
 
 * InterfaceVpcEndpoints
 
-**Important:** Based on the CFN docs for VPCEndpoints - [see here](attrDnsEntries) - the attributes returned for DnsEntries in CloudFormation is a combination of the hosted zone ID and the DNS name. The entries are ordered as follows: regional public DNS, zonal public DNS, private DNS, and wildcard DNS. This order is not enforced for AWS Marketplace services, and therefore this CDK construct is ONLY guaranteed to work with non-marketplace services.
+**Important:** Based on the CFN docs for VPCEndpoints - [see here](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcendpoint.html#aws-resource-ec2-vpcendpoint-return-values) - the attributes returned for DnsEntries in CloudFormation is a combination of the hosted zone ID and the DNS name. The entries are ordered as follows: regional public DNS, zonal public DNS, private DNS, and wildcard DNS. This order is not enforced for AWS Marketplace services, and therefore this CDK construct is ONLY guaranteed to work with non-marketplace services.
 
   ```ts
   import * as ec2 from '@aws-cdk/aws-ec2';

packages/@aws-cdk/cloud-assembly-schema/CONTRIBUTING.md

@@ -59,7 +59,7 @@ This means that breaking changes will be rejected. These include:
 - Changing the type of the property.
 
 In addition, the interfaces defined here are programatically exposed to users, via the `manifest` 
-property of the [`CloudAssembly`]((../cx-api/lib/cloud-assembly.ts)) class. This means that the following are 
+property of the [`CloudAssembly`](../cx-api/lib/cloud-assembly.ts) class. This means that the following are 
 also considered breaking changes:
 
 - Changing a property from *required* to *optional*.

packages/@aws-cdk/custom-resources/package.json

@@ -92,9 +92,9 @@
     "@types/jest": "^27.4.0",
     "@types/sinon": "^9.0.11",
     "aws-sdk": "^2.848.0",
-    "aws-sdk-mock": "^5.6.0",
+    "aws-sdk-mock": "5.6.0",
     "fs-extra": "^9.1.0",
-    "nock": "^13.2.2",
+    "nock": "^13.2.4",
     "sinon": "^9.2.4"
   },
   "dependencies": {

packages/@aws-cdk/lambda-layer-awscli/README.md

@@ -12,6 +12,8 @@
 
 This module exports a single class called `AwsCliLayer` which is a `lambda.Layer` that bundles the AWS CLI.
 
+Any Lambda Function that uses this layer must use a Python 3.x runtime.
+
 Usage:
 
 ```ts

packages/@aws-cdk/lambda-layer-awscli/layer/Dockerfile

@@ -1,4 +1,4 @@
-FROM public.ecr.aws/lambda/provided:latest
+FROM public.ecr.aws/sam/build-python3.7
 
 USER root
 RUN mkdir -p /opt
@@ -9,27 +9,19 @@ WORKDIR /tmp
 #
 
 RUN yum update -y \
-    && yum install -y zip unzip wget tar gzip python3
+    && yum install -y zip unzip wget tar gzip
 
 #
 # aws cli
 #
 
-ARG AWSCLI_VERSION=0.0.0
-
-RUN curl https://s3.amazonaws.com/aws-cli/awscli-bundle-${AWSCLI_VERSION}.zip -o awscli-bundle.zip
-RUN unzip awscli-bundle.zip
-RUN python3 ./awscli-bundle/install -i /opt/awscli -b /opt/awscli/aws
+COPY requirements.txt ./
+RUN python -m pip install -r requirements.txt -t /opt/awscli
 
 # organize for self-contained usage
-RUN mv /opt/awscli                                      /opt/awscli.tmp
-RUN pyver=$(python3 -c 'import sys; v = sys.version_info; print(f"{v[0]}.{v[1]}")') && \
-    mv /opt/awscli.tmp/lib/python${pyver}/site-packages /opt/awscli
-RUN mv /opt/awscli.tmp/bin                              /opt/awscli/bin
-RUN mv /opt/awscli/bin/aws                              /opt/awscli
+RUN mv /opt/awscli/bin/aws /opt/awscli
 
 # cleanup
-RUN rm -fr /opt/awscli.tmp
 RUN rm -rf \
     /opt/awscli/pip* \
     /opt/awscli/setuptools* \

packages/@aws-cdk/lambda-layer-awscli/layer/build.sh

@@ -3,13 +3,11 @@ set -euo pipefail
 
 cd $(dirname $0)
 
-version=$(cat ../awscli.version)
-
-echo ">> Building AWS Lambda layer inside a docker image for CLI version ${version}..."
+echo ">> Building AWS Lambda layer inside a docker image..."
 
 TAG='aws-lambda-layer'
 
-docker build -t ${TAG} . --build-arg AWSCLI_VERSION=${version}
+docker build -t ${TAG} .
 
 echo ">> Extrating layer.zip from the build container..."
 CONTAINER=$(docker run -d ${TAG} false)

packages/@aws-cdk/lambda-layer-awscli/layer/requirements.txt

@@ -0,0 +1 @@
+awscli==1.22.46

packages/@aws-cdk/lambda-layer-awscli/lib/awscli-layer.ts

@@ -1,7 +1,6 @@
-import * as crypto from 'crypto';
-import * as fs from 'fs';
 import * as path from 'path';
 import * as lambda from '@aws-cdk/aws-lambda';
+import { FileSystem } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 
 /**
@@ -11,17 +10,10 @@ export class AwsCliLayer extends lambda.LayerVersion {
   constructor(scope: Construct, id: string) {
     super(scope, id, {
       code: lambda.Code.fromAsset(path.join(__dirname, 'layer.zip'), {
-        // we hash the Dockerfile (it contains the tools versions) because hashing the zip is non-deterministic
-        assetHash: hashFile(path.join(__dirname, '..', 'layer', 'Dockerfile')),
+        // we hash the layer directory (it contains the tools versions and Dockerfile) because hashing the zip is non-deterministic
+        assetHash: FileSystem.fingerprint(path.join(__dirname, '../layer')),
       }),
       description: '/opt/awscli/aws',
     });
   }
 }
-
-function hashFile(fileName: string) {
-  return crypto
-    .createHash('sha256')
-    .update(fs.readFileSync(fileName))
-    .digest('hex');
-}

packages/@aws-cdk/lambda-layer-awscli/package.json

@@ -74,6 +74,7 @@
   "license": "Apache-2.0",
   "devDependencies": {
     "@aws-cdk/assertions": "0.0.0",
+    "@aws-cdk/custom-resources": "0.0.0",
     "@aws-cdk/cdk-build-tools": "0.0.0",
     "@aws-cdk/cdk-integ-tools": "0.0.0",
     "@aws-cdk/pkglint": "0.0.0",