Merge remote-tracking branch 'origin/master' into pr/18546

* origin/master: (27 commits)
  chore(eks): deprecate older versions of EKS (aws#18842)
  fix(tooling): update vscode devcontainer image (aws#18455)
  chore: npm-check-updates && yarn upgrade (aws#18832)
  chore(docs): Fix broken md links (aws#18384)
  chore(lambda-layer-awscli): install awscli with pip and requirements.txt (aws#18800)
  fix(aws-appsync): Strip unsupported characters from Lambda DataSource (aws#18765)
  feat(cfnspec): cloudformation spec v55.0.0 (aws#18827)
  docs(cfnspec): update CloudFormation documentation (aws#18826)
  chore(cxapi): plugin context provider limited by cx schema (aws#18709)
  feat(iotevents): add grant method to Input class (aws#18617)
  chore(cx-api): break circular dependencies (aws#18767)
  docs(core): clarify that `addOverride` does not change property casing (aws#18687)
  feat(s3-deployment): deploy data with deploy-time values (aws#18659)
  docs(cfnspec): update CloudFormation documentation (aws#18808)
  feat(cli): `cdk diff` works for Nested Stacks (aws#18207)
  docs(cfnspec): update CloudFormation documentation (aws#18783)
  chore(lambda-layer-awscli): add update mechanism for AWS CLI (aws#18780)
  chore(release): 1.143.0
  feat(fsx): add support for FSx Lustre Persistent_2 deployment type (aws#18626)
  feat(amplify): support performance mode in Branch (aws#18598)
  ...

.devcontainer.json

@@ -1,8 +1,8 @@
 {
     "name": "Dev Container Definition - AWS CDK",
-    "image": "jsii/superchain",
+    "image": "jsii/superchain:1-buster-slim",
     "postCreateCommand": "yarn build --skip-test --no-bail --skip-prereqs --skip-compat",
     "extensions": [
         "dbaeumer.vscode-eslint@2.1.5"
     ]
-}
+}

CHANGELOG.md

@@ -2,6 +2,34 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.143.0](https://github.com/aws/aws-cdk/compare/v1.142.0...v1.143.0) (2022-02-02)
+
+
+### Features
+
+* **amplify:** support performance mode in Branch ([#18598](https://github.com/aws/aws-cdk/issues/18598)) ([bdeb8eb](https://github.com/aws/aws-cdk/commit/bdeb8eb604f5012ce3180d2f6d887fed1834e4f4)), closes [#18557](https://github.com/aws/aws-cdk/issues/18557)
+* **cfnspec:** cloudformation spec v54.0.0 ([#18764](https://github.com/aws/aws-cdk/issues/18764)) ([71601c1](https://github.com/aws/aws-cdk/commit/71601c115a6460b4532a34c83100ae70a476fad2))
+* **cloudwatch-actions:** add ssm opsitem action for cloudwatch alarm  ([#16923](https://github.com/aws/aws-cdk/issues/16923)) ([9380885](https://github.com/aws/aws-cdk/commit/93808851415bff269418f28d9de3c61727e143d3)), closes [#16861](https://github.com/aws/aws-cdk/issues/16861)
+* **dynamodb:** allow setting TableClass for a Table ([#18719](https://github.com/aws/aws-cdk/issues/18719)) ([73a889e](https://github.com/aws/aws-cdk/commit/73a889eba85d0aa542ac96a1124f3ae4f1d351bc)), closes [#18718](https://github.com/aws/aws-cdk/issues/18718)
+* **ec2:** support KMS keys for block device mappings for both instances and launch templates ([#18326](https://github.com/aws/aws-cdk/issues/18326)) ([17dbe5f](https://github.com/aws/aws-cdk/commit/17dbe5f476ac1ccc0c0e6a0905b0de5ae6186704)), closes [#18309](https://github.com/aws/aws-cdk/issues/18309)
+* **ecr:** add server-side encryption configuration  ([#16966](https://github.com/aws/aws-cdk/issues/16966)) ([c46acd5](https://github.com/aws/aws-cdk/commit/c46acd5f13442c43d0c2ed339e3091dd46002741)), closes [#15400](https://github.com/aws/aws-cdk/issues/15400) [#15571](https://github.com/aws/aws-cdk/issues/15571)
+* **ecs:** expose image name in container definition ([#17793](https://github.com/aws/aws-cdk/issues/17793)) ([1947d7c](https://github.com/aws/aws-cdk/commit/1947d7cc809fda0765bee3dbb2286190ec2847f7))
+* **fsx:** add support for FSx Lustre Persistent_2 deployment type ([#18626](https://github.com/aws/aws-cdk/issues/18626)) ([6036d99](https://github.com/aws/aws-cdk/commit/6036d9927bb3607e31a57361bf304976ff1891f7))
+* **iot:** add Action to republish MQTT messages to another MQTT topic ([#18661](https://github.com/aws/aws-cdk/issues/18661)) ([7ac1215](https://github.com/aws/aws-cdk/commit/7ac121546776cae972bbfb89c2a11949762e7c47))
+
+
+### Bug Fixes
+
+* **core:** correctly reference versionless secure parameters ([#18730](https://github.com/aws/aws-cdk/issues/18730)) ([9f6e10e](https://github.com/aws/aws-cdk/commit/9f6e10ed0a751c06fe0cc1d79f38d5fb4b686087)), closes [#18729](https://github.com/aws/aws-cdk/issues/18729)
+* **ec2:** `UserData.addSignalOnExitCommand` does not work in combination with `userDataCausesReplacement` ([#18726](https://github.com/aws/aws-cdk/issues/18726)) ([afdc550](https://github.com/aws/aws-cdk/commit/afdc550ee372dd25d9d2eef81a545da1e923f796)), closes [#12749](https://github.com/aws/aws-cdk/issues/12749)
+* **vpc:** Vpc.fromLookup should throw if subnet group name tag is explicitly given and does not exist ([#18714](https://github.com/aws/aws-cdk/issues/18714)) ([13e1c7f](https://github.com/aws/aws-cdk/commit/13e1c7f10b81fc350953fe69fcccb61ff5aa9c1e)), closes [#13962](https://github.com/aws/aws-cdk/issues/13962)
+
+
+### Reverts
+
+* "chore(cloudfront): encryption and enforceSSL on distribution s3 loggingBucket ([#18264](https://github.com/aws/aws-cdk/issues/18264))" ([#18772](https://github.com/aws/aws-cdk/issues/18772)) ([121e4a1](https://github.com/aws/aws-cdk/commit/121e4a1dec13d31644f6176d0a1d703952dc1ba3)), closes [#18271](https://github.com/aws/aws-cdk/issues/18271) [/docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3](https://github.com/aws//docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html/issues/AWS-logs-infrastructure-S3) [#18676](https://github.com/aws/aws-cdk/issues/18676)
+* "chore(ec2): enforceSSL on flowLog s3 bucket ([#18271](https://github.com/aws/aws-cdk/issues/18271))" ([#18770](https://github.com/aws/aws-cdk/issues/18770)) ([a2eb092](https://github.com/aws/aws-cdk/commit/a2eb092b2b468bffa2acde9b98ca34cefa3e48f1)), closes [/docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3](https://github.com/aws//docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html/issues/AWS-logs-infrastructure-S3) [#18676](https://github.com/aws/aws-cdk/issues/18676)
+
 ## [1.142.0](https://github.com/aws/aws-cdk/compare/v1.141.0...v1.142.0) (2022-01-28)
 
 

CONTRIBUTING.md

@@ -662,7 +662,7 @@ extension](https://marketplace.visualstudio.com/items?itemName=dbaeumer.vscode-e
 
 #### pkglint
 
-The `pkglint` tool "lints" package.json files across the repo according to [rules.ts](tools/pkglint/lib/rules.ts).
+The `pkglint` tool "lints" package.json files across the repo according to [rules.ts](tools/@aws-cdk/pkglint/lib/rules.ts).
 
 To evaluate (and attempt to fix) all package linting issues in the repo, run the following command from the root of the
 repository (after bootstrapping):

design/aws-ecs/aws-ecs-fargate-capacity-providers.md

@@ -2,7 +2,7 @@
 
 ## Objective
 
-Since Capacity Providers are now supported in CloudFormation, incorporating support for Fargate Spot capacity has been one of the [top asks](https://github.com/aws/aws-cdk/issues?q=is%3Aissue+is%3Aopen+label%3A%40aws-cdk%2Faws-ecs+sort%3Areactions-%2B1-desc) for the ECS CDK module, with over 60 customer reactions. While there are still some outstanding issues regarding capacity provider support in general, specifically regarding cyclic workflows with named clusters (See: [CFN issue](http://%20https//github.com/aws/containers-roadmap/issues/631#issuecomment-702580141)), we should be able to move ahead with supporting `FARGATE` and `FARGATE_SPOT` capacity providers with our existing FargateService construct.
+Since Capacity Providers are now supported in CloudFormation, incorporating support for Fargate Spot capacity has been one of the [top asks](https://github.com/aws/aws-cdk/issues?q=is%3Aissue+is%3Aopen+label%3A%40aws-cdk%2Faws-ecs+sort%3Areactions-%2B1-desc) for the ECS CDK module, with over 60 customer reactions. While there are still some outstanding issues regarding capacity provider support in general, specifically regarding cyclic workflows with named clusters (See: [CFN issue](https://github.com/aws/containers-roadmap/issues/631#issuecomment-702580141)), we should be able to move ahead with supporting `FARGATE` and `FARGATE_SPOT` capacity providers with our existing FargateService construct.
 
 See: https://github.com/aws/aws-cdk/issues/5850
 
@@ -118,4 +118,3 @@ One alternative considered was to provide a more magical experience by populatin
 For future extensibility, we can however add an `addCapacityProvider` method on the Cluster resource, to allow modifying the cluster CapacityProviders field post-construction.
 
 Another option would be to create a new FargateCluster resource, that would have the two Fargate capacity providers set by default. The main advantage with this alternative would be that it would be consistent with the current Console experience, which sets the Fargate capacity providers for you if you choose the “Networking Only” cluster template via the cluster wizard. The downside is that it would be a more restrictive resource model that would go back on the decision to have a single generic ECS Cluster resource that could potentially contain both Fargate and EC2 services or tasks. Given that we are moving towards more generic versions of ECS resources, this is not a preferable solution. That being said, in the current iteration we can set the Fargate Capacity Providers on the cluster by default, but put them behind a feature flag, which we would be able to remove in the v2 version of the ECS module. Using the feature flag would ensure that there would not be a diff in the generated CFN template for existing customers defining ECS clusters in their stack who redeploy using an updated version of the CDK.
-

package.json

@@ -16,7 +16,7 @@
   },
   "devDependencies": {
     "@yarnpkg/lockfile": "^1.1.0",
-    "cdk-generate-synthetic-examples": "^0.1.3",
+    "cdk-generate-synthetic-examples": "^0.1.5",
     "conventional-changelog-cli": "^2.2.2",
     "fs-extra": "^9.1.0",
     "graceful-fs": "^4.2.9",

packages/@aws-cdk/aws-amplify/README.md

@@ -97,7 +97,9 @@ Add branches:
 declare const amplifyApp: amplify.App;
 
 const master = amplifyApp.addBranch('master'); // `id` will be used as repo branch name
-const dev = amplifyApp.addBranch('dev');
+const dev = amplifyApp.addBranch('dev', {
+  performanceMode: true, // optional, enables performance mode
+});
 dev.addEnvironment('STAGE', 'dev');
 ```
 

packages/@aws-cdk/aws-amplify/lib/branch.ts

@@ -114,6 +114,17 @@ export interface BranchOptions {
    * @default - no asset
    */
   readonly asset?: Asset
+
+  /**
+   * Enables performance mode for the branch.
+   *
+   * Performance mode optimizes for faster hosting performance by keeping content cached at the edge
+   * for a longer interval. When performance mode is enabled, hosting configuration or code changes
+   * can take up to 10 minutes to roll out.
+   *
+   * @default false
+   */
+  readonly performanceMode?: boolean;
 }
 
 /**
@@ -168,6 +179,7 @@ export class Branch extends Resource implements IBranch {
       environmentVariables: Lazy.any({ produce: () => renderEnvironmentVariables(this.environmentVariables) }, { omitEmptyArray: true }),
       pullRequestEnvironmentName: props.pullRequestEnvironmentName,
       stage: props.stage,
+      enablePerformanceMode: props.performanceMode,
     });
 
     this.arn = branch.attrArn;

packages/@aws-cdk/aws-amplify/test/branch.test.ts

@@ -162,3 +162,15 @@ test('with asset deployment', () => {
     },
   });
 });
+
+test('with performance mode', () => {
+  // WHEN
+  app.addBranch('dev', {
+    performanceMode: true,
+  });
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::Amplify::Branch', {
+    EnablePerformanceMode: true,
+  });
+});

packages/@aws-cdk/aws-appsync/lib/data-source.ts

@@ -111,7 +111,8 @@ export abstract class BaseDataSource extends CoreConstruct {
     if (extended.type !== 'NONE') {
       this.serviceRole = props.serviceRole || new Role(this, 'ServiceRole', { assumedBy: new ServicePrincipal('appsync') });
     }
-    const name = props.name ?? id;
+    // Replace unsupported characters from DataSource name. The only allowed pattern is: {[_A-Za-z][_0-9A-Za-z]*}
+    const name = (props.name ?? id).replace(/[\W]+/g, '');
     this.ds = new CfnDataSource(this, 'Resource', {
       apiId: props.api.apiId,
       name: name,

packages/@aws-cdk/aws-appsync/test/appsync-lambda.test.ts

@@ -65,6 +65,42 @@ describe('Lambda Data Source configuration', () => {
     });
   });
 
+  test('appsync sanitized datasource name from unsupported characters', () => {
+    const badCharacters = [...'!@#$%^&*()+-=[]{}\\|;:\'",<>?/'];
+
+    badCharacters.forEach((badCharacter) => {
+      // WHEN
+      const newStack = new cdk.Stack();
+      const graphqlapi = new appsync.GraphqlApi(newStack, 'baseApi', {
+        name: 'api',
+        schema: appsync.Schema.fromAsset(path.join(__dirname, 'appsync.test.graphql')),
+      });
+      const dummyFunction = new lambda.Function(newStack, 'func', {
+        code: lambda.Code.fromAsset(path.join(__dirname, 'verify/iam-query')),
+        handler: 'iam-query.handler',
+        runtime: lambda.Runtime.NODEJS_12_X,
+      });
+      graphqlapi.addLambdaDataSource(`data-${badCharacter}-source`, dummyFunction);
+
+      // THEN
+      Template.fromStack(newStack).hasResourceProperties('AWS::AppSync::DataSource', {
+        Type: 'AWS_LAMBDA',
+        Name: 'datasource',
+      });
+    });
+  });
+
+  test('appsync leaves underscore untouched in datasource name', () => {
+    // WHEN
+    api.addLambdaDataSource('data_source', func);
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::AppSync::DataSource', {
+      Type: 'AWS_LAMBDA',
+      Name: 'data_source',
+    });
+  });
+
   test('appsync errors when creating multiple lambda data sources with no configuration', () => {
     // THEN
     expect(() => {

packages/@aws-cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/package.json

@@ -33,7 +33,7 @@
     "@types/sinon": "^9.0.11",
     "@aws-cdk/cdk-build-tools": "0.0.0",
     "aws-sdk": "^2.596.0",
-    "aws-sdk-mock": "^5.6.0",
+    "aws-sdk-mock": "5.6.0",
     "eslint": "^7.32.0",
     "eslint-config-standard": "^14.1.1",
     "eslint-plugin-import": "^2.25.4",
@@ -43,7 +43,7 @@
     "jest": "^27.4.7",
     "lambda-tester": "^3.6.0",
     "sinon": "^9.2.4",
-    "nock": "^13.2.2",
+    "nock": "^13.2.4",
     "ts-jest": "^27.1.3"
   }
 }

packages/@aws-cdk/aws-cloudfront/lib/distribution.ts

@@ -430,10 +430,7 @@ export class Distribution extends Resource implements IDistribution {
       throw new Error('Explicitly disabled logging but provided a logging bucket.');
     }
 
-    const bucket = props.logBucket ?? new s3.Bucket(this, 'LoggingBucket', {
-      encryption: s3.BucketEncryption.S3_MANAGED,
-      enforceSSL: true,
-    });
+    const bucket = props.logBucket ?? new s3.Bucket(this, 'LoggingBucket');
     return {
       bucket: bucket.bucketRegionalDomainName,
       includeCookies: props.logIncludesCookies,

packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts

@@ -954,10 +954,7 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu
     }
 
     if (props.loggingConfig) {
-      this.loggingBucket = props.loggingConfig.bucket || new s3.Bucket(this, 'LoggingBucket', {
-        encryption: s3.BucketEncryption.S3_MANAGED,
-        enforceSSL: true,
-      });
+      this.loggingBucket = props.loggingConfig.bucket || new s3.Bucket(this, 'LoggingBucket');
       distributionConfig = {
         ...distributionConfig,
         logging: {

packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-bucket-logging.expected.json

@@ -75,67 +75,9 @@
     },
     "AnAmazingWebsiteProbably2LoggingBucket222F7CE9": {
       "Type": "AWS::S3::Bucket",
-      "Properties": {
-        "BucketEncryption": {
-          "ServerSideEncryptionConfiguration": [
-            {
-              "ServerSideEncryptionByDefault": {
-                "SSEAlgorithm": "AES256"
-              }
-            }
-          ]
-        }
-      },
       "UpdateReplacePolicy": "Retain",
       "DeletionPolicy": "Retain"
     },
-    "AnAmazingWebsiteProbably2LoggingBucketPolicyE298B456": {
-      "Type": "AWS::S3::BucketPolicy",
-      "Properties": {
-        "Bucket": {
-          "Ref": "AnAmazingWebsiteProbably2LoggingBucket222F7CE9"
-        },
-        "PolicyDocument": {
-          "Statement": [
-            {
-              "Action": "s3:*",
-              "Condition": {
-                "Bool": {
-                  "aws:SecureTransport": "false"
-                }
-              },
-              "Effect": "Deny",
-              "Principal": {
-                "AWS": "*"
-              },
-              "Resource": [
-                {
-                  "Fn::GetAtt": [
-                    "AnAmazingWebsiteProbably2LoggingBucket222F7CE9",
-                    "Arn"
-                  ]
-                },
-                {
-                  "Fn::Join": [
-                    "",
-                    [
-                      {
-                        "Fn::GetAtt": [
-                          "AnAmazingWebsiteProbably2LoggingBucket222F7CE9",
-                          "Arn"
-                        ]
-                      },
-                      "/*"
-                    ]
-                  ]
-                }
-              ]
-            }
-          ],
-          "Version": "2012-10-17"
-        }
-      }
-    },
     "AnAmazingWebsiteProbably2CFDistribution7C1CCD12": {
       "Type": "AWS::CloudFront::Distribution",
       "Properties": {

packages/@aws-cdk/aws-cloudfront/test/integ.distribution-extensive.expected.json

@@ -2,67 +2,9 @@
   "Resources": {
     "MyDistLoggingBucket9B8976BC": {
       "Type": "AWS::S3::Bucket",
-      "Properties": {
-        "BucketEncryption": {
-          "ServerSideEncryptionConfiguration": [
-            {
-              "ServerSideEncryptionByDefault": {
-                "SSEAlgorithm": "AES256"
-              }
-            }
-          ]
-        }
-      },
       "UpdateReplacePolicy": "Retain",
       "DeletionPolicy": "Retain"
     },
-    "MyDistLoggingBucketPolicy847D8D11": {
-      "Type": "AWS::S3::BucketPolicy",
-      "Properties": {
-        "Bucket": {
-          "Ref": "MyDistLoggingBucket9B8976BC"
-        },
-        "PolicyDocument": {
-          "Statement": [
-            {
-              "Action": "s3:*",
-              "Condition": {
-                "Bool": {
-                  "aws:SecureTransport": "false"
-                }
-              },
-              "Effect": "Deny",
-              "Principal": {
-                "AWS": "*"
-              },
-              "Resource": [
-                {
-                  "Fn::GetAtt": [
-                    "MyDistLoggingBucket9B8976BC",
-                    "Arn"
-                  ]
-                },
-                {
-                  "Fn::Join": [
-                    "",
-                    [
-                      {
-                        "Fn::GetAtt": [
-                          "MyDistLoggingBucket9B8976BC",
-                          "Arn"
-                        ]
-                      },
-                      "/*"
-                    ]
-                  ]
-                }
-              ]
-            }
-          ],
-          "Version": "2012-10-17"
-        }
-      }
-    },
     "MyDistDB88FD9A": {
       "Type": "AWS::CloudFront::Distribution",
       "Properties": {

packages/@aws-cdk/aws-cloudwatch-actions/README.md

@@ -11,7 +11,7 @@
 
 This library contains a set of classes which can be used as CloudWatch Alarm actions.
 
-The currently implemented actions are: EC2 Actions, SNS Actions, Autoscaling Actions and Aplication Autoscaling Actions
+The currently implemented actions are: EC2 Actions, SNS Actions, SSM OpsCenter Actions, Autoscaling Actions and Application Autoscaling Actions
 
 
 ## EC2 Action Example
@@ -25,4 +25,17 @@ alarm.addAlarmAction(
 );
 ```
 
+## SSM OpsCenter Action Example
+
+```ts
+declare const alarm: cloudwatch.Alarm;
+// Create an OpsItem with specific severity and category when alarm triggers
+alarm.addAlarmAction(
+  new actions.SsmAction(
+    actions.OpsItemSeverity.CRITICAL,
+    actions.OpsItemCategory.PERFORMANCE // category is optional
+  )
+);
+```
+
 See `@aws-cdk/aws-cloudwatch` for more information.

packages/@aws-cdk/aws-cloudwatch-actions/lib/index.ts

@@ -2,3 +2,4 @@ export * from './appscaling';
 export * from './autoscaling';
 export * from './sns';
 export * from './ec2';
+export * from './ssm';