chore(release): 1.134.0 (#17644)

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/bump/1.134.0/CHANGELOG.md)

CHANGELOG.md

@@ -2,6 +2,24 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.134.0](https://github.com/aws/aws-cdk/compare/v1.133.0...v1.134.0) (2021-11-23)
+
+
+### Features
+
+* **apigatewayv2:** domain endpoint type, security policy and endpoint migration ([#17518](https://github.com/aws/aws-cdk/issues/17518)) ([261b331](https://github.com/aws/aws-cdk/commit/261b331e89be01dc996d153c91b4018e7ddfda29))
+* **cfnspec:** cloudformation spec v49.0.0 ([#17621](https://github.com/aws/aws-cdk/issues/17621)) ([ce638b4](https://github.com/aws/aws-cdk/commit/ce638b407ac9efc6a3ee4d5ecd22c68ab68b8e58))
+* **docdb:** add option to set the name of the generated Secret ([#17574](https://github.com/aws/aws-cdk/issues/17574)) ([18c9ef7](https://github.com/aws/aws-cdk/commit/18c9ef713717fcb2f84e687c1e34c887a50264bd)), closes [#17572](https://github.com/aws/aws-cdk/issues/17572)
+* **eks:** ALB Controller ([#17618](https://github.com/aws/aws-cdk/issues/17618)) ([1faf31d](https://github.com/aws/aws-cdk/commit/1faf31d1ec7ffec4c6323a050126b0b054094c63))
+* **msk:** add Kafka version 2.6.2 ([#17497](https://github.com/aws/aws-cdk/issues/17497)) ([5f1f476](https://github.com/aws/aws-cdk/commit/5f1f4762e964345741426fa1242320a5fc117338))
+
+
+### Bug Fixes
+
+* **assets:** add missing SAM asset metadata information ([#17591](https://github.com/aws/aws-cdk/issues/17591)) ([55df760](https://github.com/aws/aws-cdk/commit/55df760fdd9514384de019e5ce338d5250c7df97)), closes [#14593](https://github.com/aws/aws-cdk/issues/14593)
+* **aws-ecs:** check for invalid capacityProviderName ([#17291](https://github.com/aws/aws-cdk/issues/17291)) ([6e2fde4](https://github.com/aws/aws-cdk/commit/6e2fde452de73c51011ddb14ede40ca0471d3663)), closes [#17321](https://github.com/aws/aws-cdk/issues/17321)
+* **opensearch:** correctly validate ebs configuration against instance types  ([#16911](https://github.com/aws/aws-cdk/issues/16911)) ([34af598](https://github.com/aws/aws-cdk/commit/34af5988b7c1ff003d10612150191803f762a79f)), closes [#11898](https://github.com/aws/aws-cdk/issues/11898)
+
 ## [1.133.0](https://github.com/aws/aws-cdk/compare/v1.132.0...v1.133.0) (2021-11-19)
 
 

package.json

@@ -20,10 +20,10 @@
     "fs-extra": "^9.1.0",
     "graceful-fs": "^4.2.8",
     "jest-junit": "^13.0.0",
-    "jsii-diff": "^1.45.0",
-    "jsii-pacmak": "^1.45.0",
-    "jsii-reflect": "^1.45.0",
-    "jsii-rosetta": "^1.45.0",
+    "jsii-diff": "^1.46.0",
+    "jsii-pacmak": "^1.46.0",
+    "jsii-reflect": "^1.46.0",
+    "jsii-rosetta": "^1.46.0",
     "lerna": "^4.0.0",
     "patch-package": "^6.4.7",
     "standard-version": "^9.3.2",

packages/@aws-cdk/assertions/rosetta/default.ts-fixture

@@ -1,4 +1,6 @@
-import { Construct, Stack } from '@aws-cdk/core';
+// Fixture with packages imported, but nothing else
+import { Construct } from 'constructs';
+import { Stack } from '@aws-cdk/core';
 import { Capture, Match, Template } from '@aws-cdk/assertions';
 
 class Fixture extends Stack {

packages/@aws-cdk/aws-apigateway/rosetta/default.ts-fixture

@@ -1,5 +1,6 @@
 // Fixture with packages imported, but nothing else
-import { Construct, Stack } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import { Stack } from '@aws-cdk/core';
 import apigateway = require('@aws-cdk/aws-apigateway');
 import cognito = require('@aws-cdk/aws-cognito');
 import lambda = require('@aws-cdk/aws-lambda');

packages/@aws-cdk/aws-apigatewayv2/README.md

@@ -204,6 +204,10 @@ const api = new apigwv2.HttpApi(this, 'HttpProxyProdApi', {
 });
 ```
 
+To migrate a domain endpoint from one type to another, you can add a new endpoint configuration via `addEndpoint()`
+and then configure DNS records to route traffic to the new endpoint. After that, you can remove the previous endpoint configuration. 
+Learn more at [Migrating a custom domain name](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-regional-api-custom-domain-migrate.html)
+
 To associate a specific `Stage` to a custom domain mapping -
 
 ```ts

packages/@aws-cdk/aws-apigatewayv2/lib/common/domain-name.ts

@@ -1,9 +1,34 @@
 import { ICertificate } from '@aws-cdk/aws-certificatemanager';
 import { IBucket } from '@aws-cdk/aws-s3';
-import { IResource, Resource, Token } from '@aws-cdk/core';
+import { IResource, Lazy, Resource, Token } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnDomainName, CfnDomainNameProps } from '../apigatewayv2.generated';
 
+/**
+ * The minimum version of the SSL protocol that you want API Gateway to use for HTTPS connections.
+ */
+export enum SecurityPolicy {
+  /** Cipher suite TLS 1.0 */
+  TLS_1_0 = 'TLS_1_0',
+
+  /** Cipher suite TLS 1.2 */
+  TLS_1_2 = 'TLS_1_2',
+}
+
+/**
+ * Endpoint type for a domain name.
+ */
+export enum EndpointType {
+  /**
+   * For an edge-optimized custom domain name.
+   */
+  EDGE = 'EDGE',
+  /**
+   * For a regional custom domain name.
+   */
+  REGIONAL = 'REGIONAL',
+}
+
 /**
  * Represents an APIGatewayV2 DomainName
  * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-domainname.html
@@ -51,20 +76,54 @@ export interface DomainNameAttributes {
 /**
  * properties used for creating the DomainName
  */
-export interface DomainNameProps {
+export interface DomainNameProps extends EndpointOptions {
   /**
    * The custom domain name
    */
   readonly domainName: string;
+
+  /**
+   * The mutual TLS authentication configuration for a custom domain name.
+   * @default - mTLS is not configured.
+   */
+  readonly mtls?: MTLSConfig;
+}
+
+/**
+ * properties for creating a domain name endpoint
+ */
+export interface EndpointOptions {
   /**
-   * The ACM certificate for this domain name
+   * The ACM certificate for this domain name.
+   * Certificate can be both ACM issued or imported.
    */
   readonly certificate: ICertificate;
+
   /**
-   * The mutual TLS authentication configuration for a custom domain name.
-   * @default - mTLS is not configured.
+   * The user-friendly name of the certificate that will be used by the endpoint for this domain name.
+   * @default - No friendly certificate name
+   */
+  readonly certificateName?: string;
+
+  /**
+   * The type of endpoint for this DomainName.
+   * @default EndpointType.REGIONAL
+   */
+  readonly endpointType?: EndpointType;
+
+  /**
+   * The Transport Layer Security (TLS) version + cipher suite for this domain name.
+   * @default SecurityPolicy.TLS_1_2
+   */
+  readonly securityPolicy?: SecurityPolicy;
+
+  /**
+   * A public certificate issued by ACM to validate that you own a custom domain. This parameter is required
+   * only when you configure mutual TLS authentication and you specify an ACM imported or private CA certificate
+   * for `certificate`. The ownership certificate validates that you have permissions to use the domain name.
+   * @default - only required when configuring mTLS
    */
-  readonly mtls?: MTLSConfig
+  readonly ownershipCertificate?: ICertificate;
 }
 
 /**
@@ -107,6 +166,7 @@ export class DomainName extends Resource implements IDomainName {
   public readonly name: string;
   public readonly regionalDomainName: string;
   public readonly regionalHostedZoneId: string;
+  private readonly domainNameConfigurations: CfnDomainName.DomainNameConfigurationProperty[] = [];
 
   constructor(scope: Construct, id: string, props: DomainNameProps) {
     super(scope, id);
@@ -115,21 +175,25 @@ export class DomainName extends Resource implements IDomainName {
       throw new Error('empty string for domainName not allowed');
     }
 
+    // validation for ownership certificate
+    if (props.ownershipCertificate && !props.mtls) {
+      throw new Error('ownership certificate can only be used with mtls domains');
+    }
+
     const mtlsConfig = this.configureMTLS(props.mtls);
     const domainNameProps: CfnDomainNameProps = {
       domainName: props.domainName,
-      domainNameConfigurations: [
-        {
-          certificateArn: props.certificate.certificateArn,
-          endpointType: 'REGIONAL',
-        },
-      ],
+      domainNameConfigurations: Lazy.any({ produce: () => this.domainNameConfigurations }),
       mutualTlsAuthentication: mtlsConfig,
     };
     const resource = new CfnDomainName(this, 'Resource', domainNameProps);
     this.name = resource.ref;
     this.regionalDomainName = Token.asString(resource.getAtt('RegionalDomainName'));
     this.regionalHostedZoneId = Token.asString(resource.getAtt('RegionalHostedZoneId'));
+
+    if (props.certificate) {
+      this.addEndpoint(props);
+    }
   }
 
   private configureMTLS(mtlsConfig?: MTLSConfig): CfnDomainName.MutualTlsAuthenticationProperty | undefined {
@@ -139,4 +203,30 @@ export class DomainName extends Resource implements IDomainName {
       truststoreVersion: mtlsConfig.version,
     };
   }
+
+  /**
+   * Adds an endpoint to a domain name.
+   * @param options domain name endpoint properties to be set
+   */
+  public addEndpoint(options: EndpointOptions) : void {
+    const domainNameConfig: CfnDomainName.DomainNameConfigurationProperty = {
+      certificateArn: options.certificate.certificateArn,
+      certificateName: options.certificateName,
+      endpointType: options.endpointType ? options.endpointType?.toString() : 'REGIONAL',
+      ownershipVerificationCertificateArn: options.ownershipCertificate?.certificateArn,
+      securityPolicy: options.securityPolicy?.toString(),
+    };
+
+    this.validateEndpointType(domainNameConfig.endpointType);
+    this.domainNameConfigurations.push(domainNameConfig);
+  }
+
+  // validates that the new domain name configuration has a unique endpoint
+  private validateEndpointType(endpointType: string | undefined) : void {
+    for (let config of this.domainNameConfigurations) {
+      if (endpointType && endpointType == config.endpointType) {
+        throw new Error(`an endpoint with type ${endpointType} already exists`);
+      }
+    }
+  }
 }

packages/@aws-cdk/aws-apigatewayv2/test/http/domain-name.test.ts

@@ -2,10 +2,12 @@ import { Template } from '@aws-cdk/assertions';
 import { Certificate } from '@aws-cdk/aws-certificatemanager';
 import { Bucket } from '@aws-cdk/aws-s3';
 import { Stack } from '@aws-cdk/core';
-import { DomainName, HttpApi } from '../../lib';
+import { DomainName, EndpointType, HttpApi, SecurityPolicy } from '../../lib';
 
 const domainName = 'example.com';
 const certArn = 'arn:aws:acm:us-east-1:111111111111:certificate';
+const certArn2 = 'arn:aws:acm:us-east-1:111111111111:certificate2';
+const ownershipCertArn = 'arn:aws:acm:us-east-1:111111111111:ownershipcertificate';
 
 describe('DomainName', () => {
   test('create domain name correctly', () => {
@@ -231,4 +233,109 @@ describe('DomainName', () => {
       },
     });
   });
+
+  test('domain with mutual tls configuration and ownership cert', () => {
+    // GIVEN
+    const stack = new Stack();
+    const bucket = Bucket.fromBucketName(stack, 'testBucket', 'example-bucket');
+
+    // WHEN
+    new DomainName(stack, 'DomainName', {
+      domainName,
+      certificate: Certificate.fromCertificateArn(stack, 'cert2', certArn2),
+      ownershipCertificate: Certificate.fromCertificateArn(stack, 'ownershipCert', ownershipCertArn),
+      endpointType: EndpointType.REGIONAL,
+      securityPolicy: SecurityPolicy.TLS_1_2,
+      mtls: {
+        bucket,
+        key: 'someca.pem',
+        version: 'version',
+      },
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::ApiGatewayV2::DomainName', {
+      DomainName: 'example.com',
+      DomainNameConfigurations: [
+        {
+          CertificateArn: 'arn:aws:acm:us-east-1:111111111111:certificate2',
+          EndpointType: 'REGIONAL',
+          SecurityPolicy: 'TLS_1_2',
+          OwnershipVerificationCertificateArn: 'arn:aws:acm:us-east-1:111111111111:ownershipcertificate',
+        },
+      ],
+      MutualTlsAuthentication: {
+        TruststoreUri: 's3://example-bucket/someca.pem',
+        TruststoreVersion: 'version',
+      },
+    });
+  });
+
+  test('throws when ownerhsip cert is used for non-mtls domain', () => {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    const t = () => {
+      new DomainName(stack, 'DomainName', {
+        domainName,
+        certificate: Certificate.fromCertificateArn(stack, 'cert2', certArn2),
+        ownershipCertificate: Certificate.fromCertificateArn(stack, 'ownershipCert', ownershipCertArn),
+      });
+    };
+
+    // THEN
+    expect(t).toThrow(/ownership certificate can only be used with mtls domains/);
+  });
+
+  test('add new configuration to a domain name for migration', () => {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    const dn = new DomainName(stack, 'DomainName', {
+      domainName,
+      certificate: Certificate.fromCertificateArn(stack, 'cert', certArn),
+      endpointType: EndpointType.REGIONAL,
+    });
+    dn.addEndpoint({
+      certificate: Certificate.fromCertificateArn(stack, 'cert2', certArn2),
+      endpointType: EndpointType.EDGE,
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::ApiGatewayV2::DomainName', {
+      DomainName: 'example.com',
+      DomainNameConfigurations: [
+        {
+          CertificateArn: 'arn:aws:acm:us-east-1:111111111111:certificate',
+          EndpointType: 'REGIONAL',
+        },
+        {
+          CertificateArn: 'arn:aws:acm:us-east-1:111111111111:certificate2',
+          EndpointType: 'EDGE',
+        },
+      ],
+    });
+  });
+
+  test('throws when endpoint types for two domain name configurations are the same', () => {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    const t = () => {
+      const dn = new DomainName(stack, 'DomainName', {
+        domainName,
+        certificate: Certificate.fromCertificateArn(stack, 'cert', certArn),
+        endpointType: EndpointType.REGIONAL,
+      });
+      dn.addEndpoint({
+        certificate: Certificate.fromCertificateArn(stack, 'cert2', certArn2),
+      });
+    };
+
+    // THEN
+    expect(t).toThrow(/an endpoint with type REGIONAL already exists/);
+  });
 });

packages/@aws-cdk/aws-appsync/rosetta/default.ts-fixture

@@ -1,5 +1,6 @@
 // Fixture with packages imported, but nothing else
-import { Construct, RemovalPolicy, Stack } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import { RemovalPolicy, Stack } from '@aws-cdk/core';
 import appsync = require('@aws-cdk/aws-appsync');
 import ec2 = require('@aws-cdk/aws-ec2');
 import dynamodb = require('@aws-cdk/aws-dynamodb');

packages/@aws-cdk/aws-appsync/rosetta/with-objects.ts-fixture

@@ -1,5 +1,6 @@
 // Fixture with packages imported, but nothing else
-import { Construct, Stack } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import { Stack } from '@aws-cdk/core';
 import appsync = require('@aws-cdk/aws-appsync');
 const pluralize = require('pluralize');
 

packages/@aws-cdk/aws-docdb/README.md

@@ -22,6 +22,7 @@ const cluster = new DatabaseCluster(this, 'Database', {
     masterUser: {
         username: 'myuser' // NOTE: 'admin' is reserved by DocumentDB
         excludeCharacters: '\"@/:', // optional, defaults to the set "\"@/"
+        secretName: '/myapp/mydocdb/masteruser', // optional, if you prefer to specify the secret name
     },
     instanceType: ec2.InstanceType.of(ec2.InstanceClass.R5, ec2.InstanceSize.LARGE),
     vpcSubnets: {

packages/@aws-cdk/aws-docdb/lib/cluster.ts

@@ -353,6 +353,7 @@ export class DatabaseCluster extends DatabaseClusterBase {
         username: props.masterUser.username,
         encryptionKey: props.masterUser.kmsKey,
         excludeCharacters: props.masterUser.excludeCharacters,
+        secretName: props.masterUser.secretName,
       });
     }