Merge branch 'main' into pipes-targets-sagemaker

packages/@aws-cdk-testing/cli-integ/lib/with-aws.ts

@@ -10,11 +10,11 @@ export type AwsContext = { readonly aws: AwsClients };
  *
  * Allocate the next region from the REGION pool and dispose it afterwards.
  */
-export function withAws(
-  block: (context: TestContext & AwsContext & DisableBootstrapContext) => Promise<void>,
+export function withAws<A extends TestContext>(
+  block: (context: A & AwsContext & DisableBootstrapContext) => Promise<void>,
   disableBootstrap: boolean = false,
-): (context: TestContext) => Promise<void> {
-  return (context: TestContext) => regionPool().using(async (region) => {
+): (context: A) => Promise<void> {
+  return (context: A) => regionPool().using(async (region) => {
     const aws = await AwsClients.forRegion(region, context.output);
     await sanityCheck(aws);
 

packages/@aws-cdk-testing/cli-integ/tests/tool-integrations/amplify.integtest.ts

@@ -1,10 +1,11 @@
 import { promises as fs } from 'fs';
 import * as path from 'path';
-import { integTest, withTemporaryDirectory, ShellHelper, withPackages, TemporaryDirectoryContext } from '../../lib';
+import { withToolContext } from './with-tool-context';
+import { integTest, ShellHelper, TemporaryDirectoryContext } from '../../lib';
 
 const TIMEOUT = 1800_000;
 
-integTest('amplify integration', withTemporaryDirectory(withPackages(async (context) => {
+integTest('amplify integration', withToolContext(async (context) => {
   const shell = ShellHelper.fromContext(context);
 
   await shell.shell(['npm', 'create', '-y', 'amplify@latest']);
@@ -14,9 +15,24 @@ integTest('amplify integration', withTemporaryDirectory(withPackages(async (cont
   await updateCdkDependency(context, context.packages.requestedCliVersion(), context.packages.requestedFrameworkVersion());
   await shell.shell(['npm', 'install']);
 
-  await shell.shell(['npx', 'ampx', 'sandbox', '--once']);
-  await shell.shell(['npx', 'ampx', 'sandbox', 'delete', '--yes']);
-})), TIMEOUT);
+  await shell.shell(['npx', 'ampx', 'sandbox', '--once'], {
+    modEnv: {
+      AWS_REGION: context.aws.region,
+    },
+  });
+  try {
+
+    // Future code goes here, putting the try/finally here already so it doesn't
+    // get forgotten.
+
+  } finally {
+    await shell.shell(['npx', 'ampx', 'sandbox', 'delete', '--yes'], {
+      modEnv: {
+        AWS_REGION: context.aws.region,
+      },
+    });
+  }
+}), TIMEOUT);
 
 async function updateCdkDependency(context: TemporaryDirectoryContext, cliVersion: string, libVersion: string) {
   const filename = path.join(context.integTestDir, 'package.json');

packages/@aws-cdk-testing/cli-integ/tests/tool-integrations/with-tool-context.ts

@@ -0,0 +1,14 @@
+import { TestContext } from '../../lib/integ-test';
+import { AwsContext, withAws } from '../../lib/with-aws';
+import { DisableBootstrapContext } from '../../lib/with-cdk-app';
+import { PackageContext, withPackages } from '../../lib/with-packages';
+import { TemporaryDirectoryContext, withTemporaryDirectory } from '../../lib/with-temporary-directory';
+
+/**
+ * The default prerequisites for tests running tool integrations
+ */
+export function withToolContext<A extends TestContext>(
+  block: (context: A & TemporaryDirectoryContext & PackageContext & AwsContext & DisableBootstrapContext
+  ) => Promise<void>) {
+  return withAws(withTemporaryDirectory(withPackages(block)));
+}

packages/@aws-cdk/aws-apprunner-alpha/README.md

@@ -201,6 +201,43 @@ new apprunner.Service(this, 'Service', {
 });
 ```
 
+## VPC Ingress Connection
+
+To make your App Runner service private and only accessible from within a VPC use the `isPubliclyAccessible` property and associate it to a `VpcIngressConnection` resource.
+
+To set up a `VpcIngressConnection`, specify a VPC, a VPC Interface Endpoint, and the App Runner service.
+Also you must set `isPubliclyAccessible` property in ther `Service` to `false`.
+
+For more information, see [Enabling Private endpoint for incoming traffic](https://docs.aws.amazon.com/apprunner/latest/dg/network-pl.html).
+
+```typescript
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+
+declare const vpc: ec2.Vpc;
+
+const interfaceVpcEndpoint = new ec2.InterfaceVpcEndpoint(this, 'MyVpcEndpoint', {
+  vpc,
+  service: ec2.InterfaceVpcEndpointAwsService.APP_RUNNER_REQUESTS,
+  privateDnsEnabled: false,
+});
+
+const service = new apprunner.Service(this, 'Service', {
+  source: apprunner.Source.fromEcrPublic({
+    imageConfiguration: {
+      port: 8000,
+    },
+    imageIdentifier: 'public.ecr.aws/aws-containers/hello-app-runner:latest',
+  }),
+  isPubliclyAccessible: false, // set false
+});
+
+new apprunner.VpcIngressConnection(this, 'VpcIngressConnection', {
+  vpc,
+  interfaceVpcEndpoint,
+  service,
+});
+```
+
 ## Dual Stack
 
 To use dual stack (IPv4 and IPv6) for your incoming public network configuration, set `ipAddressType` to `IpAddressType.DUAL_STACK`.

packages/@aws-cdk/aws-apprunner-alpha/lib/index.ts

@@ -3,3 +3,4 @@ export * from './auto-scaling-configuration';
 export * from './observability-configuration';
 export * from './service';
 export * from './vpc-connector';
+export * from './vpc-ingress-connection';

packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts

@@ -732,6 +732,15 @@ export interface ServiceProps {
    */
   readonly vpcConnector?: IVpcConnector;
 
+  /**
+   * Specifies whether your App Runner service is publicly accessible.
+   *
+   * If you use `VpcIngressConnection`, you must set this property to `false`.
+   *
+   * @default true
+   */
+  readonly isPubliclyAccessible?: boolean;
+
   /**
    * Settings for the health check that AWS App Runner performs to monitor the health of a service.
    *
@@ -1310,6 +1319,7 @@ export class Service extends cdk.Resource implements iam.IGrantable {
           egressType: this.props.vpcConnector ? 'VPC' : 'DEFAULT',
           vpcConnectorArn: this.props.vpcConnector?.vpcConnectorArn,
         },
+        ingressConfiguration: props.isPubliclyAccessible !== undefined ? { isPubliclyAccessible: props.isPubliclyAccessible } : undefined,
         ipAddressType: this.props.ipAddressType,
       },
       healthCheckConfiguration: this.props.healthCheck ?

packages/@aws-cdk/aws-apprunner-alpha/lib/vpc-ingress-connection.ts

@@ -0,0 +1,168 @@
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as cdk from 'aws-cdk-lib/core';
+import { Construct } from 'constructs';
+import { IService } from './service';
+import { CfnVpcIngressConnection } from 'aws-cdk-lib/aws-apprunner';
+
+/**
+ * Properties of the AppRunner VPC Ingress Connection
+ */
+export interface VpcIngressConnectionProps {
+  /**
+   * The name for the VPC Ingress Connection.
+   *
+   * @default - a name generated by CloudFormation
+   */
+  readonly vpcIngressConnectionName?: string;
+
+  /**
+   * The service to connect.
+   */
+  readonly service: IService;
+
+  /**
+   * The VPC for the VPC Ingress Connection.
+   */
+  readonly vpc: ec2.IVpc;
+
+  /**
+   * The VPC Interface Endpoint for the VPC Ingress Connection.
+   */
+  readonly interfaceVpcEndpoint: ec2.IInterfaceVpcEndpoint;
+}
+
+/**
+ * Attributes for the App Runner VPC Ingress Connection
+ */
+export interface VpcIngressConnectionAttributes {
+  /**
+   * The Amazon Resource Name (ARN) of the VPC Ingress Connection.
+   */
+  readonly vpcIngressConnectionArn: string;
+
+  /**
+   * The name of the VPC Ingress Connection.
+   */
+  readonly vpcIngressConnectionName: string;
+
+  /**
+   * The domain name associated with the VPC Ingress Connection resource.
+   */
+  readonly domainName: string;
+
+  /**
+   * The current status of the VPC Ingress Connection.
+   */
+  readonly status: string;
+}
+
+/**
+ * Represents the App Runner VPC Ingress Connection.
+ */
+export interface IVpcIngressConnection extends cdk.IResource {
+  /**
+   * The Amazon Resource Name (ARN) of the VPC Ingress Connection.
+   * @attribute
+   */
+  readonly vpcIngressConnectionArn: string;
+
+  /**
+    * The name of the VPC Ingress Connection.
+    * @attribute
+    */
+  readonly vpcIngressConnectionName: string;
+}
+
+/**
+ * The App Runner VPC Ingress Connection
+ *
+ * @resource AWS::AppRunner::VpcIngressConnection
+ */
+export class VpcIngressConnection extends cdk.Resource implements IVpcIngressConnection {
+  /**
+   * Import from VPC Ingress Connection from attributes.
+   */
+  public static fromVpcIngressConnectionAttributes(scope: Construct, id: string, attrs: VpcIngressConnectionAttributes): IVpcIngressConnection {
+    const vpcIngressConnectionArn = attrs.vpcIngressConnectionArn;
+    const domainName = attrs.domainName;
+    const status = attrs.status;
+    const vpcIngressConnectionName = attrs.vpcIngressConnectionName;
+
+    class Import extends cdk.Resource implements IVpcIngressConnection {
+      public readonly vpcIngressConnectionArn = vpcIngressConnectionArn;
+      public readonly domainName = domainName;
+      public readonly status = status;
+      public readonly vpcIngressConnectionName = vpcIngressConnectionName;
+    }
+
+    return new Import(scope, id);
+  }
+
+  /**
+   * Imports an App Runner VPC Ingress Connection from its ARN
+   */
+  public static fromArn(scope: Construct, id: string, vpcIngressConnectionArn: string): IVpcIngressConnection {
+    const resourceParts = cdk.Fn.split('/', vpcIngressConnectionArn);
+
+    const vpcIngressConnectionName = cdk.Fn.select(0, resourceParts);
+
+    class Import extends cdk.Resource implements IVpcIngressConnection {
+      public readonly vpcIngressConnectionName = vpcIngressConnectionName;
+      public readonly vpcIngressConnectionArn = vpcIngressConnectionArn;
+    }
+
+    return new Import(scope, id);
+  }
+
+  /**
+   * The ARN of the VPC Ingress Connection.
+   * @attribute
+   */
+  readonly vpcIngressConnectionArn: string;
+
+  /**
+   * The domain name associated with the VPC Ingress Connection resource.
+   * @attribute
+   */
+  readonly domainName: string;
+
+  /**
+   * The current status of the VPC Ingress Connection.
+   * @attribute
+   */
+  readonly status: string;
+
+  /**
+   * The name of the VPC Ingress Connection.
+   * @attribute
+   */
+  readonly vpcIngressConnectionName: string;
+
+  public constructor(scope: Construct, id: string, props: VpcIngressConnectionProps) {
+    super(scope, id, {
+      physicalName: props.vpcIngressConnectionName,
+    });
+
+    if (
+      props.vpcIngressConnectionName !== undefined &&
+      !cdk.Token.isUnresolved(props.vpcIngressConnectionName) &&
+      !/^[A-Za-z0-9][A-Za-z0-9\-_]{3,39}$/.test(props.vpcIngressConnectionName)
+    ) {
+      throw new Error(`vpcIngressConnectionName must match the \`^[A-Za-z0-9][A-Za-z0-9\-_]{3,39}\` pattern, got ${props.vpcIngressConnectionName}`);
+    }
+
+    const resource = new CfnVpcIngressConnection(this, 'Resource', {
+      ingressVpcConfiguration: {
+        vpcEndpointId: props.interfaceVpcEndpoint.vpcEndpointId,
+        vpcId: props.vpc.vpcId,
+      },
+      serviceArn: props.service.serviceArn,
+      vpcIngressConnectionName: this.physicalName,
+    });
+
+    this.vpcIngressConnectionArn = resource.attrVpcIngressConnectionArn;
+    this.vpcIngressConnectionName = resource.ref;
+    this.domainName = resource.attrDomainName;
+    this.status = resource.attrStatus;
+  }
+}