Merge branch 'master' into master

packages/@aws-cdk/aws-appintegrations/package.json

@@ -75,6 +75,7 @@
   },
   "license": "Apache-2.0",
   "devDependencies": {
+    "@types/jest": "^26.0.22",
     "@aws-cdk/assert-internal": "0.0.0",
     "cdk-build-tools": "0.0.0",
     "cfn2ts": "0.0.0",

packages/@aws-cdk/aws-codebuild/lib/project.ts

@@ -720,7 +720,7 @@ export class Project extends ProjectBase {
 
     const ret = new Array<CfnProject.EnvironmentVariableProperty>();
     const ssmIamResources = new Array<string>();
-    const secretsManagerIamResources = new Array<string>();
+    const secretsManagerIamResources = new Set<string>();
     const kmsIamResources = new Set<string>();
 
     for (const [name, envVariable] of Object.entries(environmentVariables)) {
@@ -771,7 +771,7 @@ export class Project extends ProjectBase {
 
             // if we are passed a Token, we should assume it's the ARN of the Secret
             // (as the name would not work anyway, because it would be the full name, which CodeBuild does not support)
-            secretsManagerIamResources.push(secretArn);
+            secretsManagerIamResources.add(secretArn);
           } else {
             // check if the provided value is a full ARN of the Secret
             let parsedArn: ArnComponents | undefined;
@@ -791,7 +791,7 @@ export class Project extends ProjectBase {
               // If we were given just a name, it must be partial, as CodeBuild doesn't support providing full names.
               // In this case, we need to accommodate for the generated suffix in the IAM resource name
               : `${secretName}-??????`;
-            secretsManagerIamResources.push(stack.formatArn({
+            secretsManagerIamResources.add(stack.formatArn({
               service: 'secretsmanager',
               resource: 'secret',
               resourceName: secretIamResourceName,
@@ -828,10 +828,10 @@ export class Project extends ProjectBase {
         resources: ssmIamResources,
       }));
     }
-    if (secretsManagerIamResources.length !== 0) {
+    if (secretsManagerIamResources.size !== 0) {
       principal?.grantPrincipal.addToPrincipalPolicy(new iam.PolicyStatement({
         actions: ['secretsmanager:GetSecretValue'],
-        resources: secretsManagerIamResources,
+        resources: Array.from(secretsManagerIamResources),
       }));
     }
     if (kmsIamResources.size !== 0) {

packages/@aws-cdk/aws-codebuild/test/test.project.ts

@@ -1231,6 +1231,57 @@ export = {
         test.done();
       },
 
+      'when the same new secret is provided with different JSON keys, only adds the resource once'(test: Test) {
+        // GIVEN
+        const stack = new cdk.Stack();
+
+        // WHEN
+        const secret = new secretsmanager.Secret(stack, 'Secret');
+        new codebuild.PipelineProject(stack, 'Project', {
+          environmentVariables: {
+            'ENV_VAR1': {
+              type: codebuild.BuildEnvironmentVariableType.SECRETS_MANAGER,
+              value: `${secret.secretArn}:json-key1`,
+            },
+            'ENV_VAR2': {
+              type: codebuild.BuildEnvironmentVariableType.SECRETS_MANAGER,
+              value: `${secret.secretArn}:json-key2`,
+            },
+          },
+        });
+
+        // THEN
+        expect(stack).to(haveResourceLike('AWS::CodeBuild::Project', {
+          'Environment': {
+            'EnvironmentVariables': [
+              {
+                'Name': 'ENV_VAR1',
+                'Type': 'SECRETS_MANAGER',
+                'Value': { 'Fn::Join': ['', [{ 'Ref': 'SecretA720EF05' }, ':json-key1']] },
+              },
+              {
+                'Name': 'ENV_VAR2',
+                'Type': 'SECRETS_MANAGER',
+                'Value': { 'Fn::Join': ['', [{ 'Ref': 'SecretA720EF05' }, ':json-key2']] },
+              },
+            ],
+          },
+        }));
+
+        // THEN
+        expect(stack).to(haveResourceLike('AWS::IAM::Policy', {
+          'PolicyDocument': {
+            'Statement': arrayWith({
+              'Action': 'secretsmanager:GetSecretValue',
+              'Effect': 'Allow',
+              'Resource': { 'Ref': 'SecretA720EF05' },
+            }),
+          },
+        }));
+
+        test.done();
+      },
+
       'can be provided as the ARN attribute of a new Secret, followed by a JSON key'(test: Test) {
         // GIVEN
         const stack = new cdk.Stack();

packages/@aws-cdk/aws-customerprofiles/package.json

@@ -76,6 +76,7 @@
   "license": "Apache-2.0",
   "devDependencies": {
     "@aws-cdk/assert-internal": "0.0.0",
+    "@types/jest": "^26.0.22",
     "cdk-build-tools": "0.0.0",
     "cfn2ts": "0.0.0",
     "pkglint": "0.0.0"

packages/@aws-cdk/aws-eks/lib/managed-nodegroup.ts

@@ -280,6 +280,12 @@ export class Nodegroup extends Resource implements INodegroup {
       throw new Error(`Minimum capacity ${this.minSize} can't be greater than desired size ${this.desiredSize}`);
     }
 
+    if (props.launchTemplateSpec && props.diskSize) {
+      // see - https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html
+      // and https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-nodegroup.html#cfn-eks-nodegroup-disksize
+      throw new Error('diskSize must be specified within the launch template');
+    }
+
     if (props.instanceType && props.instanceTypes) {
       throw new Error('"instanceType is deprecated, please use "instanceTypes" only.');
     }
@@ -331,6 +337,7 @@ export class Nodegroup extends Resource implements INodegroup {
       // because this doesn't have a default value, meaning the user had to explicitly configure this.
       instanceTypes: instanceTypes?.map(t => t.toString()),
       labels: props.labels,
+      launchTemplate: props.launchTemplateSpec,
       releaseVersion: props.releaseVersion,
       remoteAccess: props.remoteAccess ? {
         ec2SshKey: props.remoteAccess.sshKeyName,
@@ -345,25 +352,6 @@ export class Nodegroup extends Resource implements INodegroup {
       tags: props.tags,
     });
 
-    if (props.launchTemplateSpec) {
-      if (props.diskSize) {
-        // see - https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html
-        // and https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-nodegroup.html#cfn-eks-nodegroup-disksize
-        throw new Error('diskSize must be specified within the launch template');
-      }
-      /**
-       * Instance types can be specified either in `instanceType` or launch template but not both. AS we can not check the content of
-       * the provided launch template and the `instanceType` property is preferrable. We allow users to define `instanceType` property here.
-       * see - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-nodegroup.html#cfn-eks-nodegroup-instancetypes
-       */
-      // TODO: update this when the L1 resource spec is updated.
-      resource.addPropertyOverride('LaunchTemplate', {
-        Id: props.launchTemplateSpec.id,
-        Version: props.launchTemplateSpec.version,
-      });
-    }
-
-
     // managed nodegroups update the `aws-auth` on creation, but we still need to track
     // its state for consistency.
     if (this.cluster instanceof Cluster) {

packages/@aws-cdk/aws-elasticsearch/README.md

@@ -40,7 +40,7 @@ To perform version upgrades without replacing the entire domain, specify the `en
 import * as es from '@aws-cdk/aws-elasticsearch';
 
 const devDomain = new es.Domain(this, 'Domain', {
-    version: es.ElasticsearchVersion.V7_9,
+    version: es.ElasticsearchVersion.V7_10,
     enableVersionUpgrade: true // defaults to false
 });
 ```
@@ -265,7 +265,7 @@ UltraWarm nodes can be enabled to provide a cost-effective way to store large am
 
 ```ts
 const domain = new es.Domain(this, 'Domain', {
-    version: es.ElasticsearchVersion.V7_9,
+    version: es.ElasticsearchVersion.V7_10,
     capacity: {
         masterNodes: 2,
         warmNodes: 2,

packages/@aws-cdk/aws-elasticsearch/lib/domain.ts

@@ -74,6 +74,9 @@ export class ElasticsearchVersion {
   /** AWS Elasticsearch 7.9 */
   public static readonly V7_9 = ElasticsearchVersion.of('7.9');
 
+  /** AWS Elasticsearch 7.10 */
+  public static readonly V7_10 = ElasticsearchVersion.of('7.10');
+
   /**
    * Custom Elasticsearch version
    * @param version custom version number

packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts

@@ -46,7 +46,7 @@ test('subnets and security groups can be provided when vpc is used', () => {
     vpc,
   });
   const domain = new Domain(stack, 'Domain', {
-    version: ElasticsearchVersion.V7_9,
+    version: ElasticsearchVersion.V7_10,
     vpc,
     vpcSubnets: [{ subnets: [vpc.privateSubnets[0]] }],
     securityGroups: [securityGroup],
@@ -77,7 +77,7 @@ test('default subnets and security group when vpc is used', () => {
 
   const vpc = new Vpc(stack, 'Vpc');
   const domain = new Domain(stack, 'Domain', {
-    version: ElasticsearchVersion.V7_9,
+    version: ElasticsearchVersion.V7_10,
     vpc,
   });
 

packages/@aws-cdk/aws-groundstation/package.json

@@ -75,6 +75,7 @@
   },
   "license": "Apache-2.0",
   "devDependencies": {
+    "@types/jest": "^26.0.22",
     "@aws-cdk/assert-internal": "0.0.0",
     "cdk-build-tools": "0.0.0",
     "cfn2ts": "0.0.0",

packages/@aws-cdk/aws-lookoutmetrics/package.json

@@ -75,6 +75,7 @@
   },
   "license": "Apache-2.0",
   "devDependencies": {
+    "@types/jest": "^26.0.22",
     "@aws-cdk/assert-internal": "0.0.0",
     "cdk-build-tools": "0.0.0",
     "cfn2ts": "0.0.0",

packages/@aws-cdk/aws-s3/lib/bucket.ts

@@ -530,7 +530,7 @@ abstract class BucketBase extends Resource implements IBucket {
    */
   public urlForObject(key?: string): string {
     const stack = Stack.of(this);
-    const prefix = `https://s3.${stack.region}.${stack.urlSuffix}/`;
+    const prefix = `https://s3.${this.env.region}.${stack.urlSuffix}/`;
     if (typeof key !== 'string') {
       return this.urlJoin(prefix, this.bucketName);
     }

packages/@aws-cdk/aws-s3/test/bucket.test.ts

@@ -1599,10 +1599,15 @@ describe('bucket', () => {
   test('urlForObject returns a token with the S3 URL of the token', () => {
     const stack = new cdk.Stack();
     const bucket = new s3.Bucket(stack, 'MyBucket');
+    const bucketWithRegion = s3.Bucket.fromBucketAttributes(stack, 'RegionalBucket', {
+      bucketArn: 'arn:aws:s3:::explicit-region-bucket',
+      region: 'us-west-2',
+    });
 
     new cdk.CfnOutput(stack, 'BucketURL', { value: bucket.urlForObject() });
     new cdk.CfnOutput(stack, 'MyFileURL', { value: bucket.urlForObject('my/file.txt') });
     new cdk.CfnOutput(stack, 'YourFileURL', { value: bucket.urlForObject('/your/file.txt') }); // "/" is optional
+    new cdk.CfnOutput(stack, 'RegionBucketURL', { value: bucketWithRegion.urlForObject() });
 
     expect(stack).toMatchTemplate({
       'Resources': {
@@ -1678,6 +1683,20 @@ describe('bucket', () => {
             ],
           },
         },
+        'RegionBucketURL': {
+          'Value': {
+            'Fn::Join': [
+              '',
+              [
+                'https://s3.us-west-2.',
+                {
+                  'Ref': 'AWS::URLSuffix',
+                },
+                '/explicit-region-bucket',
+              ],
+            ],
+          },
+        },
       },
     });
 
@@ -2453,4 +2472,4 @@ describe('bucket', () => {
       autoDeleteObjects: true,
     })).toThrow(/Cannot use \'autoDeleteObjects\' property on a bucket without setting removal policy to \'DESTROY\'/);
   });
-});
+});

packages/@aws-cdk/cfnspec/build-tools/create-missing-libraries.ts

@@ -176,6 +176,7 @@ async function main() {
       },
       license: 'Apache-2.0',
       devDependencies: {
+        '@types/jest': '^26.0.22',
         '@aws-cdk/assert-internal': version,
         'cdk-build-tools': version,
         'cfn2ts': version,