@aws-solutions-constructs/aws-cloudfront-s3 2.95.1 → 2.97.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.jsii +4568 -233
- package/README.adoc +3 -5
- package/lib/index.d.ts +4 -2
- package/lib/index.js +2 -2
- package/package.json +8 -8
- package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.bdc104ed9cab1b5b6421713c8155f0b753380595356f710400609664d3635eca/cfn-response.js +1 -0
- package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.bdc104ed9cab1b5b6421713c8155f0b753380595356f710400609664d3635eca/consts.js +1 -0
- package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.bdc104ed9cab1b5b6421713c8155f0b753380595356f710400609664d3635eca/framework.js +3 -0
- package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.bdc104ed9cab1b5b6421713c8155f0b753380595356f710400609664d3635eca/outbound.js +1 -0
- package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.bdc104ed9cab1b5b6421713c8155f0b753380595356f710400609664d3635eca/util.js +1 -0
- package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.e97825c838d70ceb13ba2f6223a7d94ed35687b70bfb224a0b9128e698e3f28e/index.d.ts +30 -0
- package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.e97825c838d70ceb13ba2f6223a7d94ed35687b70bfb224a0b9128e698e3f28e/index.js +129 -0
- package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/asset.faa95a81ae7d7373f3e1f242268f904eb748d8d0fdd306e8a6fe515a1905a7d6/index.js +1 -0
- package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/cdk.out +1 -1
- package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.assets.json +4 -4
- package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.template.json +1 -1
- package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/cfts3bucketencryptedwithcmkprovidedasexistingbucketIntegDefaultTestDeployAssertF6031114.assets.json +1 -1
- package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/integ.json +2 -2
- package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/manifest.json +66 -42
- package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js.snapshot/tree.json +1 -1
- package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.bdc104ed9cab1b5b6421713c8155f0b753380595356f710400609664d3635eca/cfn-response.js +1 -0
- package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.bdc104ed9cab1b5b6421713c8155f0b753380595356f710400609664d3635eca/consts.js +1 -0
- package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.bdc104ed9cab1b5b6421713c8155f0b753380595356f710400609664d3635eca/framework.js +3 -0
- package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.bdc104ed9cab1b5b6421713c8155f0b753380595356f710400609664d3635eca/outbound.js +1 -0
- package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.bdc104ed9cab1b5b6421713c8155f0b753380595356f710400609664d3635eca/util.js +1 -0
- package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.e97825c838d70ceb13ba2f6223a7d94ed35687b70bfb224a0b9128e698e3f28e/index.d.ts +30 -0
- package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.e97825c838d70ceb13ba2f6223a7d94ed35687b70bfb224a0b9128e698e3f28e/index.js +129 -0
- package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/asset.faa95a81ae7d7373f3e1f242268f904eb748d8d0fdd306e8a6fe515a1905a7d6/index.js +1 -0
- package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/cdk.out +1 -1
- package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/cfts3-cmk-provided-as-bucket-prop.assets.json +4 -4
- package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/cfts3-cmk-provided-as-bucket-prop.template.json +1 -1
- package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/cfts3cmkprovidedasbucketpropIntegDefaultTestDeployAssert38E63D55.assets.json +1 -1
- package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/integ.json +2 -2
- package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/manifest.json +66 -42
- package/test/integ.cfts3-cmk-provided-as-bucket-prop.js.snapshot/tree.json +1 -1
|
@@ -0,0 +1,129 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
|
|
4
|
+
*
|
|
5
|
+
* Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
|
|
6
|
+
* with the License. A copy of the License is located at
|
|
7
|
+
*
|
|
8
|
+
* http://www.apache.org/licenses/LICENSE-2.0
|
|
9
|
+
*
|
|
10
|
+
* or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
|
|
11
|
+
* OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
|
|
12
|
+
* and limitations under the License.
|
|
13
|
+
*/
|
|
14
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
15
|
+
exports.updateKeyPolicy = exports.handler = void 0;
|
|
16
|
+
const client_kms_1 = require("@aws-sdk/client-kms");
|
|
17
|
+
const kmsClient = new client_kms_1.KMSClient();
|
|
18
|
+
const handler = async (event, context) => {
|
|
19
|
+
let status = 'SUCCESS';
|
|
20
|
+
let responseData = {};
|
|
21
|
+
if (event.RequestType === 'Create' || event.RequestType === 'Update') {
|
|
22
|
+
try {
|
|
23
|
+
const kmsKeyId = event.ResourceProperties.KmsKeyId;
|
|
24
|
+
const cloudFrontDistributionId = event.ResourceProperties.CloudFrontDistributionId;
|
|
25
|
+
const accountId = event.ResourceProperties.AccountId;
|
|
26
|
+
const region = process.env.AWS_REGION;
|
|
27
|
+
const describeKeyCommandResponse = await kmsClient.send(new client_kms_1.DescribeKeyCommand({
|
|
28
|
+
KeyId: kmsKeyId
|
|
29
|
+
}));
|
|
30
|
+
if (describeKeyCommandResponse.KeyMetadata?.KeyManager === client_kms_1.KeyManagerType.AWS) {
|
|
31
|
+
return {
|
|
32
|
+
Status: 'SUCCESS',
|
|
33
|
+
Reason: 'An AWS managed key was provided, no action needed from the custom resource, exiting now.',
|
|
34
|
+
PhysicalResourceId: event.PhysicalResourceId ?? context.logStreamName,
|
|
35
|
+
StackId: event.StackId,
|
|
36
|
+
RequestId: event.RequestId,
|
|
37
|
+
LogicalResourceId: event.LogicalResourceId,
|
|
38
|
+
Data: 'An AWS managed key was provided, no action needed from the custom resource, exiting now.',
|
|
39
|
+
};
|
|
40
|
+
}
|
|
41
|
+
// The PolicyName is specified as "default" below because that is the only valid name as
|
|
42
|
+
// written in the documentation for @aws-sdk/client-kms.GetKeyPolicyCommandInput:
|
|
43
|
+
// https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-kms/Interface/GetKeyPolicyCommandInput/
|
|
44
|
+
const getKeyPolicyCommandResponse = await kmsClient.send(new client_kms_1.GetKeyPolicyCommand({
|
|
45
|
+
KeyId: kmsKeyId,
|
|
46
|
+
PolicyName: 'default'
|
|
47
|
+
}));
|
|
48
|
+
if (!getKeyPolicyCommandResponse.Policy) {
|
|
49
|
+
return {
|
|
50
|
+
Status: 'FAILED',
|
|
51
|
+
Reason: 'An error occurred while retrieving the key policy.',
|
|
52
|
+
PhysicalResourceId: event.PhysicalResourceId ?? context.logStreamName,
|
|
53
|
+
StackId: event.StackId,
|
|
54
|
+
RequestId: event.RequestId,
|
|
55
|
+
LogicalResourceId: event.LogicalResourceId,
|
|
56
|
+
Data: 'An error occurred while retrieving the key policy.',
|
|
57
|
+
};
|
|
58
|
+
}
|
|
59
|
+
// Define the updated key policy to allow CloudFront access
|
|
60
|
+
const keyPolicy = JSON.parse(getKeyPolicyCommandResponse?.Policy);
|
|
61
|
+
const keyPolicyStatement = {
|
|
62
|
+
Sid: 'Grant-CloudFront-Distribution-Key-Usage',
|
|
63
|
+
Effect: 'Allow',
|
|
64
|
+
Principal: {
|
|
65
|
+
Service: 'cloudfront.amazonaws.com',
|
|
66
|
+
},
|
|
67
|
+
Action: [
|
|
68
|
+
'kms:Decrypt',
|
|
69
|
+
'kms:Encrypt',
|
|
70
|
+
'kms:GenerateDataKey*',
|
|
71
|
+
'kms:ReEncrypt*'
|
|
72
|
+
],
|
|
73
|
+
Resource: `arn:aws:kms:${region}:${accountId}:key/${kmsKeyId}`,
|
|
74
|
+
Condition: {
|
|
75
|
+
StringEquals: {
|
|
76
|
+
'AWS:SourceArn': `arn:aws:cloudfront::${accountId}:distribution/${cloudFrontDistributionId}`
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
};
|
|
80
|
+
const updatedKeyPolicy = (0, exports.updateKeyPolicy)(keyPolicy, keyPolicyStatement);
|
|
81
|
+
await kmsClient.send(new client_kms_1.PutKeyPolicyCommand({
|
|
82
|
+
KeyId: kmsKeyId,
|
|
83
|
+
Policy: JSON.stringify(updatedKeyPolicy),
|
|
84
|
+
PolicyName: 'default'
|
|
85
|
+
}));
|
|
86
|
+
}
|
|
87
|
+
catch (err) {
|
|
88
|
+
status = 'FAILED';
|
|
89
|
+
responseData = {
|
|
90
|
+
Error: JSON.stringify(err)
|
|
91
|
+
};
|
|
92
|
+
}
|
|
93
|
+
}
|
|
94
|
+
return {
|
|
95
|
+
Status: status,
|
|
96
|
+
Reason: JSON.stringify(responseData),
|
|
97
|
+
PhysicalResourceId: event.PhysicalResourceId ?? context.logStreamName,
|
|
98
|
+
StackId: event.StackId,
|
|
99
|
+
RequestId: event.RequestId,
|
|
100
|
+
LogicalResourceId: event.LogicalResourceId,
|
|
101
|
+
Data: responseData,
|
|
102
|
+
};
|
|
103
|
+
};
|
|
104
|
+
exports.handler = handler;
|
|
105
|
+
/**
|
|
106
|
+
* Updates a provided key policy with a provided key policy statement. First checks whether the provided key policy statement
|
|
107
|
+
* already exists. If an existing key policy is found with a matching sid, the provided key policy will overwrite the existing
|
|
108
|
+
* key policy. If no matching key policy is found, the provided key policy will be appended onto the array of policy statements.
|
|
109
|
+
* @param keyPolicy - the JSON.parse'd result of the otherwise stringified key policy.
|
|
110
|
+
* @param keyPolicyStatement - the key policy statement to be added to the key policy.
|
|
111
|
+
* @returns keyPolicy - the updated key policy.
|
|
112
|
+
*/
|
|
113
|
+
const updateKeyPolicy = (keyPolicy, keyPolicyStatement) => {
|
|
114
|
+
// Check to see if a duplicate key policy exists by matching on the sid. This is to prevent duplicate key policies
|
|
115
|
+
// from being added/updated in response to a stack being updated one or more times after initial creation.
|
|
116
|
+
const existingKeyPolicyIndex = keyPolicy.Statement.findIndex((statement) => statement.Sid === keyPolicyStatement.Sid);
|
|
117
|
+
// If a match is found, overwrite the key policy statement...
|
|
118
|
+
// Otherwise, push the new key policy to the array of statements
|
|
119
|
+
if (existingKeyPolicyIndex > -1) {
|
|
120
|
+
keyPolicy.Statement[existingKeyPolicyIndex] = keyPolicyStatement;
|
|
121
|
+
}
|
|
122
|
+
else {
|
|
123
|
+
keyPolicy.Statement.push(keyPolicyStatement);
|
|
124
|
+
}
|
|
125
|
+
// Return the result
|
|
126
|
+
return keyPolicy;
|
|
127
|
+
};
|
|
128
|
+
exports.updateKeyPolicy = updateKeyPolicy;
|
|
129
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyJpbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiO0FBQUE7Ozs7Ozs7Ozs7O0dBV0c7OztBQUVILG9EQUE4SDtBQUU5SCxNQUFNLFNBQVMsR0FBRyxJQUFJLHNCQUFTLEVBQUUsQ0FBQztBQUUzQixNQUFNLE9BQU8sR0FBRyxLQUFLLEVBQUUsS0FBVSxFQUFFLE9BQVksRUFBRSxFQUFFO0lBRXhELElBQUksTUFBTSxHQUFHLFNBQVMsQ0FBQztJQUN2QixJQUFJLFlBQVksR0FBRyxFQUFFLENBQUM7SUFFdEIsSUFBSSxLQUFLLENBQUMsV0FBVyxLQUFLLFFBQVEsSUFBSSxLQUFLLENBQUMsV0FBVyxLQUFLLFFBQVEsRUFBRSxDQUFDO1FBRXJFLElBQUksQ0FBQztZQUNILE1BQU0sUUFBUSxHQUFHLEtBQUssQ0FBQyxrQkFBa0IsQ0FBQyxRQUFRLENBQUM7WUFDbkQsTUFBTSx3QkFBd0IsR0FBRyxLQUFLLENBQUMsa0JBQWtCLENBQUMsd0JBQXdCLENBQUM7WUFDbkYsTUFBTSxTQUFTLEdBQUcsS0FBSyxDQUFDLGtCQUFrQixDQUFDLFNBQVMsQ0FBQztZQUNyRCxNQUFNLE1BQU0sR0FBRyxPQUFPLENBQUMsR0FBRyxDQUFDLFVBQVUsQ0FBQztZQUV0QyxNQUFNLDBCQUEwQixHQUFHLE1BQU0sU0FBUyxDQUFDLElBQUksQ0FBQyxJQUFJLCtCQUFrQixDQUFDO2dCQUM3RSxLQUFLLEVBQUUsUUFBUTthQUNoQixDQUFDLENBQUMsQ0FBQztZQUVKLElBQUksMEJBQTBCLENBQUMsV0FBVyxFQUFFLFVBQVUsS0FBSywyQkFBYyxDQUFDLEdBQUcsRUFBRSxDQUFDO2dCQUM5RSxPQUFPO29CQUNMLE1BQU0sRUFBRSxTQUFTO29CQUNqQixNQUFNLEVBQUUsMEZBQTBGO29CQUNsRyxrQkFBa0IsRUFBRSxLQUFLLENBQUMsa0JBQWtCLElBQUksT0FBTyxDQUFDLGFBQWE7b0JBQ3JFLE9BQU8sRUFBRSxLQUFLLENBQUMsT0FBTztvQkFDdEIsU0FBUyxFQUFFLEtBQUssQ0FBQyxTQUFTO29CQUMxQixpQkFBaUIsRUFBRSxLQUFLLENBQUMsaUJBQWlCO29CQUMxQyxJQUFJLEVBQUUsMEZBQTBGO2lCQUNqRyxDQUFDO1lBQ0osQ0FBQztZQUVELHdGQUF3RjtZQUN4RixpRkFBaUY7WUFDakYseUhBQXlIO1lBQ3pILE1BQU0sMkJBQTJCLEdBQUcsTUFBTSxTQUFTLENBQUMsSUFBSSxDQUFDLElBQUksZ0NBQW1CLENBQUM7Z0JBQy9FLEtBQUssRUFBRSxRQUFRO2dCQUNmLFVBQVUsRUFBRSxTQUFTO2FBQ3RCLENBQUMsQ0FBQyxDQUFDO1lBRUosSUFBSSxDQUFDLDJCQUEyQixDQUFDLE1BQU0sRUFBRSxDQUFDO2dCQUN4QyxPQUFPO29CQUNMLE1BQU0sRUFBRSxRQUFRO29CQUNoQixNQUFNLEVBQUUsb0RBQW9EO29CQUM1RCxrQkFBa0IsRUFBRSxLQUFLLENBQUMsa0JBQWtCLElBQUksT0FBTyxDQUFDLGFBQWE7b0JBQ3JFLE9BQU8sRUFBRSxLQUFLLENBQUMsT0FBTztvQkFDdEIsU0FBUyxFQUFFLEtBQUssQ0FBQyxTQUFTO29CQUMxQixpQkFBaUIsRUFBRSxLQUFLLENBQUMsaUJBQWlCO29CQUMxQyxJQUFJLEVBQUUsb0RBQW9EO2lCQUMzRCxDQUFDO1lBQ0osQ0FBQztZQUVELDJEQUEyRDtZQUMzRCxNQUFNLFNBQVMsR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLDJCQUEyQixFQUFFLE1BQU0sQ0FBQyxDQUFDO1lBQ2xFLE1BQU0sa0JBQWtCLEdBQUc7Z0JBQ3pCLEdBQUcsRUFBRSx5Q0FBeUM7Z0JBQzlDLE1BQU0sRUFBRSxPQUFPO2dCQUNmLFNBQVMsRUFBRTtvQkFDVCxPQUFPLEVBQUUsMEJBQTBCO2lCQUNwQztnQkFDRCxNQUFNLEVBQUU7b0JBQ04sYUFBYTtvQkFDYixhQUFhO29CQUNiLHNCQUFzQjtvQkFDdEIsZ0JBQWdCO2lCQUNqQjtnQkFDRCxRQUFRLEVBQUUsZUFBZSxNQUFNLElBQUksU0FBUyxRQUFRLFFBQVEsRUFBRTtnQkFDOUQsU0FBUyxFQUFFO29CQUNULFlBQVksRUFBRTt3QkFDWixlQUFlLEVBQUUsdUJBQXVCLFNBQVMsaUJBQWlCLHdCQUF3QixFQUFFO3FCQUM3RjtpQkFDRjthQUNGLENBQUM7WUFDRixNQUFNLGdCQUFnQixHQUFHLElBQUEsdUJBQWUsRUFBQyxTQUFTLEVBQUUsa0JBQWtCLENBQUMsQ0FBQztZQUV4RSxNQUFNLFNBQVMsQ0FBQyxJQUFJLENBQUMsSUFBSSxnQ0FBbUIsQ0FBQztnQkFDM0MsS0FBSyxFQUFFLFFBQVE7Z0JBQ2YsTUFBTSxFQUFFLElBQUksQ0FBQyxTQUFTLENBQUMsZ0JBQWdCLENBQUM7Z0JBQ3hDLFVBQVUsRUFBRSxTQUFTO2FBQ3RCLENBQUMsQ0FBQyxDQUFDO1FBQ04sQ0FBQztRQUFDLE9BQU8sR0FBRyxFQUFFLENBQUM7WUFDYixNQUFNLEdBQUcsUUFBUSxDQUFDO1lBQ2xCLFlBQVksR0FBRztnQkFDYixLQUFLLEVBQUUsSUFBSSxDQUFDLFNBQVMsQ0FBQyxHQUFHLENBQUM7YUFDM0IsQ0FBQztRQUNKLENBQUM7SUFDSCxDQUFDO0lBRUQsT0FBTztRQUNMLE1BQU0sRUFBRSxNQUFNO1FBQ2QsTUFBTSxFQUFFLElBQUksQ0FBQyxTQUFTLENBQUMsWUFBWSxDQUFDO1FBQ3BDLGtCQUFrQixFQUFFLEtBQUssQ0FBQyxrQkFBa0IsSUFBSSxPQUFPLENBQUMsYUFBYTtRQUNyRSxPQUFPLEVBQUUsS0FBSyxDQUFDLE9BQU87UUFDdEIsU0FBUyxFQUFFLEtBQUssQ0FBQyxTQUFTO1FBQzFCLGlCQUFpQixFQUFFLEtBQUssQ0FBQyxpQkFBaUI7UUFDMUMsSUFBSSxFQUFFLFlBQVk7S0FDbkIsQ0FBQztBQUNKLENBQUMsQ0FBQztBQTlGVyxRQUFBLE9BQU8sV0E4RmxCO0FBRUY7Ozs7Ozs7R0FPRztBQUNJLE1BQU0sZUFBZSxHQUFHLENBQUMsU0FBYyxFQUFFLGtCQUF1QixFQUFFLEVBQUU7SUFDekUsa0hBQWtIO0lBQ2xILDBHQUEwRztJQUMxRyxNQUFNLHNCQUFzQixHQUFHLFNBQVMsQ0FBQyxTQUFTLENBQUMsU0FBUyxDQUFDLENBQUMsU0FBYyxFQUFFLEVBQUUsQ0FBQyxTQUFTLENBQUMsR0FBRyxLQUFLLGtCQUFrQixDQUFDLEdBQUcsQ0FBQyxDQUFDO0lBQzNILDZEQUE2RDtJQUM3RCxnRUFBZ0U7SUFDaEUsSUFBSSxzQkFBc0IsR0FBRyxDQUFDLENBQUMsRUFBRSxDQUFDO1FBQ2hDLFNBQVMsQ0FBQyxTQUFTLENBQUMsc0JBQXNCLENBQUMsR0FBRyxrQkFBa0IsQ0FBQztJQUNuRSxDQUFDO1NBQU0sQ0FBQztRQUNOLFNBQVMsQ0FBQyxTQUFTLENBQUMsSUFBSSxDQUFDLGtCQUFrQixDQUFDLENBQUM7SUFDL0MsQ0FBQztJQUNELG9CQUFvQjtJQUNwQixPQUFPLFNBQVMsQ0FBQztBQUNuQixDQUFDLENBQUM7QUFiVyxRQUFBLGVBQWUsbUJBYTFCIiwic291cmNlc0NvbnRlbnQiOlsiLyoqXG4gKiAgQ29weXJpZ2h0IEFtYXpvbi5jb20sIEluYy4gb3IgaXRzIGFmZmlsaWF0ZXMuIEFsbCBSaWdodHMgUmVzZXJ2ZWQuXG4gKlxuICogIExpY2Vuc2VkIHVuZGVyIHRoZSBBcGFjaGUgTGljZW5zZSwgVmVyc2lvbiAyLjAgKHRoZSBcIkxpY2Vuc2VcIikuIFlvdSBtYXkgbm90IHVzZSB0aGlzIGZpbGUgZXhjZXB0IGluIGNvbXBsaWFuY2VcbiAqICB3aXRoIHRoZSBMaWNlbnNlLiBBIGNvcHkgb2YgdGhlIExpY2Vuc2UgaXMgbG9jYXRlZCBhdFxuICpcbiAqICAgICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzL0xJQ0VOU0UtMi4wXG4gKlxuICogIG9yIGluIHRoZSAnbGljZW5zZScgZmlsZSBhY2NvbXBhbnlpbmcgdGhpcyBmaWxlLiBUaGlzIGZpbGUgaXMgZGlzdHJpYnV0ZWQgb24gYW4gJ0FTIElTJyBCQVNJUywgV0lUSE9VVCBXQVJSQU5USUVTXG4gKiAgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZXhwcmVzcyBvciBpbXBsaWVkLiBTZWUgdGhlIExpY2Vuc2UgZm9yIHRoZSBzcGVjaWZpYyBsYW5ndWFnZSBnb3Zlcm5pbmcgcGVybWlzc2lvbnNcbiAqICBhbmQgbGltaXRhdGlvbnMgdW5kZXIgdGhlIExpY2Vuc2UuXG4gKi9cblxuaW1wb3J0IHsgS01TQ2xpZW50LCBHZXRLZXlQb2xpY3lDb21tYW5kLCBEZXNjcmliZUtleUNvbW1hbmQsIFB1dEtleVBvbGljeUNvbW1hbmQsIEtleU1hbmFnZXJUeXBlIH0gZnJvbSBcIkBhd3Mtc2RrL2NsaWVudC1rbXNcIjtcblxuY29uc3Qga21zQ2xpZW50ID0gbmV3IEtNU0NsaWVudCgpO1xuXG5leHBvcnQgY29uc3QgaGFuZGxlciA9IGFzeW5jIChldmVudDogYW55LCBjb250ZXh0OiBhbnkpID0+IHtcblxuICBsZXQgc3RhdHVzID0gJ1NVQ0NFU1MnO1xuICBsZXQgcmVzcG9uc2VEYXRhID0ge307XG5cbiAgaWYgKGV2ZW50LlJlcXVlc3RUeXBlID09PSAnQ3JlYXRlJyB8fCBldmVudC5SZXF1ZXN0VHlwZSA9PT0gJ1VwZGF0ZScpIHtcblxuICAgIHRyeSB7XG4gICAgICBjb25zdCBrbXNLZXlJZCA9IGV2ZW50LlJlc291cmNlUHJvcGVydGllcy5LbXNLZXlJZDtcbiAgICAgIGNvbnN0IGNsb3VkRnJvbnREaXN0cmlidXRpb25JZCA9IGV2ZW50LlJlc291cmNlUHJvcGVydGllcy5DbG91ZEZyb250RGlzdHJpYnV0aW9uSWQ7XG4gICAgICBjb25zdCBhY2NvdW50SWQgPSBldmVudC5SZXNvdXJjZVByb3BlcnRpZXMuQWNjb3VudElkO1xuICAgICAgY29uc3QgcmVnaW9uID0gcHJvY2Vzcy5lbnYuQVdTX1JFR0lPTjtcblxuICAgICAgY29uc3QgZGVzY3JpYmVLZXlDb21tYW5kUmVzcG9uc2UgPSBhd2FpdCBrbXNDbGllbnQuc2VuZChuZXcgRGVzY3JpYmVLZXlDb21tYW5kKHtcbiAgICAgICAgS2V5SWQ6IGttc0tleUlkXG4gICAgICB9KSk7XG5cbiAgICAgIGlmIChkZXNjcmliZUtleUNvbW1hbmRSZXNwb25zZS5LZXlNZXRhZGF0YT8uS2V5TWFuYWdlciA9PT0gS2V5TWFuYWdlclR5cGUuQVdTKSB7XG4gICAgICAgIHJldHVybiB7XG4gICAgICAgICAgU3RhdHVzOiAnU1VDQ0VTUycsXG4gICAgICAgICAgUmVhc29uOiAnQW4gQVdTIG1hbmFnZWQga2V5IHdhcyBwcm92aWRlZCwgbm8gYWN0aW9uIG5lZWRlZCBmcm9tIHRoZSBjdXN0b20gcmVzb3VyY2UsIGV4aXRpbmcgbm93LicsXG4gICAgICAgICAgUGh5c2ljYWxSZXNvdXJjZUlkOiBldmVudC5QaHlzaWNhbFJlc291cmNlSWQgPz8gY29udGV4dC5sb2dTdHJlYW1OYW1lLFxuICAgICAgICAgIFN0YWNrSWQ6IGV2ZW50LlN0YWNrSWQsXG4gICAgICAgICAgUmVxdWVzdElkOiBldmVudC5SZXF1ZXN0SWQsXG4gICAgICAgICAgTG9naWNhbFJlc291cmNlSWQ6IGV2ZW50LkxvZ2ljYWxSZXNvdXJjZUlkLFxuICAgICAgICAgIERhdGE6ICdBbiBBV1MgbWFuYWdlZCBrZXkgd2FzIHByb3ZpZGVkLCBubyBhY3Rpb24gbmVlZGVkIGZyb20gdGhlIGN1c3RvbSByZXNvdXJjZSwgZXhpdGluZyBub3cuJyxcbiAgICAgICAgfTtcbiAgICAgIH1cblxuICAgICAgLy8gVGhlIFBvbGljeU5hbWUgaXMgc3BlY2lmaWVkIGFzIFwiZGVmYXVsdFwiIGJlbG93IGJlY2F1c2UgdGhhdCBpcyB0aGUgb25seSB2YWxpZCBuYW1lIGFzXG4gICAgICAvLyB3cml0dGVuIGluIHRoZSBkb2N1bWVudGF0aW9uIGZvciBAYXdzLXNkay9jbGllbnQta21zLkdldEtleVBvbGljeUNvbW1hbmRJbnB1dDpcbiAgICAgIC8vIGh0dHBzOi8vZG9jcy5hd3MuYW1hem9uLmNvbS9BV1NKYXZhU2NyaXB0U0RLL3YzL2xhdGVzdC9QYWNrYWdlLy1hd3Mtc2RrLWNsaWVudC1rbXMvSW50ZXJmYWNlL0dldEtleVBvbGljeUNvbW1hbmRJbnB1dC9cbiAgICAgIGNvbnN0IGdldEtleVBvbGljeUNvbW1hbmRSZXNwb25zZSA9IGF3YWl0IGttc0NsaWVudC5zZW5kKG5ldyBHZXRLZXlQb2xpY3lDb21tYW5kKHtcbiAgICAgICAgS2V5SWQ6IGttc0tleUlkLFxuICAgICAgICBQb2xpY3lOYW1lOiAnZGVmYXVsdCdcbiAgICAgIH0pKTtcblxuICAgICAgaWYgKCFnZXRLZXlQb2xpY3lDb21tYW5kUmVzcG9uc2UuUG9saWN5KSB7XG4gICAgICAgIHJldHVybiB7XG4gICAgICAgICAgU3RhdHVzOiAnRkFJTEVEJyxcbiAgICAgICAgICBSZWFzb246ICdBbiBlcnJvciBvY2N1cnJlZCB3aGlsZSByZXRyaWV2aW5nIHRoZSBrZXkgcG9saWN5LicsXG4gICAgICAgICAgUGh5c2ljYWxSZXNvdXJjZUlkOiBldmVudC5QaHlzaWNhbFJlc291cmNlSWQgPz8gY29udGV4dC5sb2dTdHJlYW1OYW1lLFxuICAgICAgICAgIFN0YWNrSWQ6IGV2ZW50LlN0YWNrSWQsXG4gICAgICAgICAgUmVxdWVzdElkOiBldmVudC5SZXF1ZXN0SWQsXG4gICAgICAgICAgTG9naWNhbFJlc291cmNlSWQ6IGV2ZW50LkxvZ2ljYWxSZXNvdXJjZUlkLFxuICAgICAgICAgIERhdGE6ICdBbiBlcnJvciBvY2N1cnJlZCB3aGlsZSByZXRyaWV2aW5nIHRoZSBrZXkgcG9saWN5LicsXG4gICAgICAgIH07XG4gICAgICB9XG5cbiAgICAgIC8vIERlZmluZSB0aGUgdXBkYXRlZCBrZXkgcG9saWN5IHRvIGFsbG93IENsb3VkRnJvbnQgYWNjZXNzXG4gICAgICBjb25zdCBrZXlQb2xpY3kgPSBKU09OLnBhcnNlKGdldEtleVBvbGljeUNvbW1hbmRSZXNwb25zZT8uUG9saWN5KTtcbiAgICAgIGNvbnN0IGtleVBvbGljeVN0YXRlbWVudCA9IHtcbiAgICAgICAgU2lkOiAnR3JhbnQtQ2xvdWRGcm9udC1EaXN0cmlidXRpb24tS2V5LVVzYWdlJyxcbiAgICAgICAgRWZmZWN0OiAnQWxsb3cnLFxuICAgICAgICBQcmluY2lwYWw6IHtcbiAgICAgICAgICBTZXJ2aWNlOiAnY2xvdWRmcm9udC5hbWF6b25hd3MuY29tJyxcbiAgICAgICAgfSxcbiAgICAgICAgQWN0aW9uOiBbXG4gICAgICAgICAgJ2ttczpEZWNyeXB0JyxcbiAgICAgICAgICAna21zOkVuY3J5cHQnLFxuICAgICAgICAgICdrbXM6R2VuZXJhdGVEYXRhS2V5KicsXG4gICAgICAgICAgJ2ttczpSZUVuY3J5cHQqJ1xuICAgICAgICBdLFxuICAgICAgICBSZXNvdXJjZTogYGFybjphd3M6a21zOiR7cmVnaW9ufToke2FjY291bnRJZH06a2V5LyR7a21zS2V5SWR9YCxcbiAgICAgICAgQ29uZGl0aW9uOiB7XG4gICAgICAgICAgU3RyaW5nRXF1YWxzOiB7XG4gICAgICAgICAgICAnQVdTOlNvdXJjZUFybic6IGBhcm46YXdzOmNsb3VkZnJvbnQ6OiR7YWNjb3VudElkfTpkaXN0cmlidXRpb24vJHtjbG91ZEZyb250RGlzdHJpYnV0aW9uSWR9YFxuICAgICAgICAgIH1cbiAgICAgICAgfVxuICAgICAgfTtcbiAgICAgIGNvbnN0IHVwZGF0ZWRLZXlQb2xpY3kgPSB1cGRhdGVLZXlQb2xpY3koa2V5UG9saWN5LCBrZXlQb2xpY3lTdGF0ZW1lbnQpO1xuXG4gICAgICBhd2FpdCBrbXNDbGllbnQuc2VuZChuZXcgUHV0S2V5UG9saWN5Q29tbWFuZCh7XG4gICAgICAgIEtleUlkOiBrbXNLZXlJZCxcbiAgICAgICAgUG9saWN5OiBKU09OLnN0cmluZ2lmeSh1cGRhdGVkS2V5UG9saWN5KSxcbiAgICAgICAgUG9saWN5TmFtZTogJ2RlZmF1bHQnXG4gICAgICB9KSk7XG4gICAgfSBjYXRjaCAoZXJyKSB7XG4gICAgICBzdGF0dXMgPSAnRkFJTEVEJztcbiAgICAgIHJlc3BvbnNlRGF0YSA9IHtcbiAgICAgICAgRXJyb3I6IEpTT04uc3RyaW5naWZ5KGVycilcbiAgICAgIH07XG4gICAgfVxuICB9XG5cbiAgcmV0dXJuIHtcbiAgICBTdGF0dXM6IHN0YXR1cyxcbiAgICBSZWFzb246IEpTT04uc3RyaW5naWZ5KHJlc3BvbnNlRGF0YSksXG4gICAgUGh5c2ljYWxSZXNvdXJjZUlkOiBldmVudC5QaHlzaWNhbFJlc291cmNlSWQgPz8gY29udGV4dC5sb2dTdHJlYW1OYW1lLFxuICAgIFN0YWNrSWQ6IGV2ZW50LlN0YWNrSWQsXG4gICAgUmVxdWVzdElkOiBldmVudC5SZXF1ZXN0SWQsXG4gICAgTG9naWNhbFJlc291cmNlSWQ6IGV2ZW50LkxvZ2ljYWxSZXNvdXJjZUlkLFxuICAgIERhdGE6IHJlc3BvbnNlRGF0YSxcbiAgfTtcbn07XG5cbi8qKlxuICogVXBkYXRlcyBhIHByb3ZpZGVkIGtleSBwb2xpY3kgd2l0aCBhIHByb3ZpZGVkIGtleSBwb2xpY3kgc3RhdGVtZW50LiBGaXJzdCBjaGVja3Mgd2hldGhlciB0aGUgcHJvdmlkZWQga2V5IHBvbGljeSBzdGF0ZW1lbnRcbiAqIGFscmVhZHkgZXhpc3RzLiBJZiBhbiBleGlzdGluZyBrZXkgcG9saWN5IGlzIGZvdW5kIHdpdGggYSBtYXRjaGluZyBzaWQsIHRoZSBwcm92aWRlZCBrZXkgcG9saWN5IHdpbGwgb3ZlcndyaXRlIHRoZSBleGlzdGluZ1xuICoga2V5IHBvbGljeS4gSWYgbm8gbWF0Y2hpbmcga2V5IHBvbGljeSBpcyBmb3VuZCwgdGhlIHByb3ZpZGVkIGtleSBwb2xpY3kgd2lsbCBiZSBhcHBlbmRlZCBvbnRvIHRoZSBhcnJheSBvZiBwb2xpY3kgc3RhdGVtZW50cy5cbiAqIEBwYXJhbSBrZXlQb2xpY3kgLSB0aGUgSlNPTi5wYXJzZSdkIHJlc3VsdCBvZiB0aGUgb3RoZXJ3aXNlIHN0cmluZ2lmaWVkIGtleSBwb2xpY3kuXG4gKiBAcGFyYW0ga2V5UG9saWN5U3RhdGVtZW50IC0gdGhlIGtleSBwb2xpY3kgc3RhdGVtZW50IHRvIGJlIGFkZGVkIHRvIHRoZSBrZXkgcG9saWN5LlxuICogQHJldHVybnMga2V5UG9saWN5IC0gdGhlIHVwZGF0ZWQga2V5IHBvbGljeS5cbiAqL1xuZXhwb3J0IGNvbnN0IHVwZGF0ZUtleVBvbGljeSA9IChrZXlQb2xpY3k6IGFueSwga2V5UG9saWN5U3RhdGVtZW50OiBhbnkpID0+IHtcbiAgLy8gQ2hlY2sgdG8gc2VlIGlmIGEgZHVwbGljYXRlIGtleSBwb2xpY3kgZXhpc3RzIGJ5IG1hdGNoaW5nIG9uIHRoZSBzaWQuIFRoaXMgaXMgdG8gcHJldmVudCBkdXBsaWNhdGUga2V5IHBvbGljaWVzXG4gIC8vIGZyb20gYmVpbmcgYWRkZWQvdXBkYXRlZCBpbiByZXNwb25zZSB0byBhIHN0YWNrIGJlaW5nIHVwZGF0ZWQgb25lIG9yIG1vcmUgdGltZXMgYWZ0ZXIgaW5pdGlhbCBjcmVhdGlvbi5cbiAgY29uc3QgZXhpc3RpbmdLZXlQb2xpY3lJbmRleCA9IGtleVBvbGljeS5TdGF0ZW1lbnQuZmluZEluZGV4KChzdGF0ZW1lbnQ6IGFueSkgPT4gc3RhdGVtZW50LlNpZCA9PT0ga2V5UG9saWN5U3RhdGVtZW50LlNpZCk7XG4gIC8vIElmIGEgbWF0Y2ggaXMgZm91bmQsIG92ZXJ3cml0ZSB0aGUga2V5IHBvbGljeSBzdGF0ZW1lbnQuLi5cbiAgLy8gT3RoZXJ3aXNlLCBwdXNoIHRoZSBuZXcga2V5IHBvbGljeSB0byB0aGUgYXJyYXkgb2Ygc3RhdGVtZW50c1xuICBpZiAoZXhpc3RpbmdLZXlQb2xpY3lJbmRleCA+IC0xKSB7XG4gICAga2V5UG9saWN5LlN0YXRlbWVudFtleGlzdGluZ0tleVBvbGljeUluZGV4XSA9IGtleVBvbGljeVN0YXRlbWVudDtcbiAgfSBlbHNlIHtcbiAgICBrZXlQb2xpY3kuU3RhdGVtZW50LnB1c2goa2V5UG9saWN5U3RhdGVtZW50KTtcbiAgfVxuICAvLyBSZXR1cm4gdGhlIHJlc3VsdFxuICByZXR1cm4ga2V5UG9saWN5O1xufTtcbiJdfQ==
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
"use strict";var f=Object.create,i=Object.defineProperty,I=Object.getOwnPropertyDescriptor,C=Object.getOwnPropertyNames,w=Object.getPrototypeOf,P=Object.prototype.hasOwnProperty,A=(t,e)=>{for(var o in e)i(t,o,{get:e[o],enumerable:!0})},d=(t,e,o,r)=>{if(e&&typeof e=="object"||typeof e=="function")for(let s of C(e))!P.call(t,s)&&s!==o&&i(t,s,{get:()=>e[s],enumerable:!(r=I(e,s))||r.enumerable});return t},l=(t,e,o)=>(o=t!=null?f(w(t)):{},d(e||!t||!t.__esModule?i(o,"default",{value:t,enumerable:!0}):o,t)),B=t=>d(i({},"__esModule",{value:!0}),t),q={};A(q,{autoDeleteHandler:()=>S,handler:()=>H}),module.exports=B(q);var h=require("@aws-sdk/client-s3"),y=l(require("https")),m=l(require("url")),a={sendHttpRequest:D,log:T,includeStackTraces:!0,userHandlerIndex:"./index"},p="AWSCDK::CustomResourceProviderFramework::CREATE_FAILED",L="AWSCDK::CustomResourceProviderFramework::MISSING_PHYSICAL_ID";function R(t){return async(e,o)=>{let r={...e,ResponseURL:"..."};if(a.log(JSON.stringify(r,void 0,2)),e.RequestType==="Delete"&&e.PhysicalResourceId===p){a.log("ignoring DELETE event caused by a failed CREATE event"),await u("SUCCESS",e);return}try{let s=await t(r,o),n=k(e,s);await u("SUCCESS",n)}catch(s){let n={...e,Reason:a.includeStackTraces?s.stack:s.message};n.PhysicalResourceId||(e.RequestType==="Create"?(a.log("CREATE failed, responding with a marker physical resource id so that the subsequent DELETE will be ignored"),n.PhysicalResourceId=p):a.log(`ERROR: Malformed event. "PhysicalResourceId" is required: ${JSON.stringify(e)}`)),await u("FAILED",n)}}}function k(t,e={}){let o=e.PhysicalResourceId??t.PhysicalResourceId??t.RequestId;if(t.RequestType==="Delete"&&o!==t.PhysicalResourceId)throw new Error(`DELETE: cannot change the physical resource ID from "${t.PhysicalResourceId}" to "${e.PhysicalResourceId}" during deletion`);return{...t,...e,PhysicalResourceId:o}}async function u(t,e){let o={Status:t,Reason:e.Reason??t,StackId:e.StackId,RequestId:e.RequestId,PhysicalResourceId:e.PhysicalResourceId||L,LogicalResourceId:e.LogicalResourceId,NoEcho:e.NoEcho,Data:e.Data},r=m.parse(e.ResponseURL),s=`${r.protocol}//${r.hostname}/${r.pathname}?***`;a.log("submit response to cloudformation",s,o);let n=JSON.stringify(o),E={hostname:r.hostname,path:r.path,method:"PUT",headers:{"content-type":"","content-length":Buffer.byteLength(n,"utf8")}};await O({attempts:5,sleep:1e3},a.sendHttpRequest)(E,n)}async function D(t,e){return new Promise((o,r)=>{try{let s=y.request(t,n=>{n.resume(),!n.statusCode||n.statusCode>=400?r(new Error(`Unsuccessful HTTP response: ${n.statusCode}`)):o()});s.on("error",r),s.write(e),s.end()}catch(s){r(s)}})}function T(t,...e){console.log(t,...e)}function O(t,e){return async(...o)=>{let r=t.attempts,s=t.sleep;for(;;)try{return await e(...o)}catch(n){if(r--<=0)throw n;await b(Math.floor(Math.random()*s)),s*=2}}}async function b(t){return new Promise(e=>setTimeout(e,t))}var g="aws-cdk:auto-delete-objects",x=JSON.stringify({Version:"2012-10-17",Statement:[]}),c=new h.S3({}),H=R(S);async function S(t){switch(t.RequestType){case"Create":return;case"Update":return{PhysicalResourceId:(await F(t)).PhysicalResourceId};case"Delete":return N(t.ResourceProperties?.BucketName)}}async function F(t){let e=t,o=e.OldResourceProperties?.BucketName;return{PhysicalResourceId:e.ResourceProperties?.BucketName??o}}async function _(t){try{let e=(await c.getBucketPolicy({Bucket:t}))?.Policy??x,o=JSON.parse(e);o.Statement.push({Principal:"*",Effect:"Deny",Action:["s3:PutObject"],Resource:[`arn:aws:s3:::${t}/*`]}),await c.putBucketPolicy({Bucket:t,Policy:JSON.stringify(o)})}catch(e){if(e.name==="NoSuchBucket")throw e;console.log(`Could not set new object deny policy on bucket '${t}' prior to deletion.`)}}async function U(t){let e;do{e=await c.listObjectVersions({Bucket:t});let o=[...e.Versions??[],...e.DeleteMarkers??[]];if(o.length===0)return;let r=o.map(s=>({Key:s.Key,VersionId:s.VersionId}));await c.deleteObjects({Bucket:t,Delete:{Objects:r}})}while(e?.IsTruncated)}async function N(t){if(!t)throw new Error("No BucketName was provided.");try{if(!await W(t)){console.log(`Bucket does not have '${g}' tag, skipping cleaning.`);return}await _(t),await U(t)}catch(e){if(e.name==="NoSuchBucket"){console.log(`Bucket '${t}' does not exist.`);return}throw e}}async function W(t){return(await c.getBucketTagging({Bucket:t})).TagSet?.some(o=>o.Key===g&&o.Value==="true")}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":"
|
|
1
|
+
{"version":"48.0.0"}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
{
|
|
2
|
-
"version": "
|
|
2
|
+
"version": "48.0.0",
|
|
3
3
|
"files": {
|
|
4
4
|
"faa95a81ae7d7373f3e1f242268f904eb748d8d0fdd306e8a6fe515a1905a7d6": {
|
|
5
5
|
"displayName": "cfts3-cmk-provided-as-bucket-prop/Custom::S3AutoDeleteObjectsCustomResourceProvider Code",
|
|
@@ -43,16 +43,16 @@
|
|
|
43
43
|
}
|
|
44
44
|
}
|
|
45
45
|
},
|
|
46
|
-
"
|
|
46
|
+
"05ef190ff73a6e9ee2ec74f732704f72bbdf8bf89af6191f026a609eb11efebe": {
|
|
47
47
|
"displayName": "cfts3-cmk-provided-as-bucket-prop Template",
|
|
48
48
|
"source": {
|
|
49
49
|
"path": "cfts3-cmk-provided-as-bucket-prop.template.json",
|
|
50
50
|
"packaging": "file"
|
|
51
51
|
},
|
|
52
52
|
"destinations": {
|
|
53
|
-
"current_account-current_region-
|
|
53
|
+
"current_account-current_region-505daeff": {
|
|
54
54
|
"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
|
|
55
|
-
"objectKey": "
|
|
55
|
+
"objectKey": "05ef190ff73a6e9ee2ec74f732704f72bbdf8bf89af6191f026a609eb11efebe.json",
|
|
56
56
|
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
|
|
57
57
|
}
|
|
58
58
|
}
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
{
|
|
2
|
-
"version": "
|
|
2
|
+
"version": "48.0.0",
|
|
3
3
|
"testCases": {
|
|
4
4
|
"cfts3-cmk-provided-as-bucket-prop/Integ/DefaultTest": {
|
|
5
5
|
"stacks": [
|
|
@@ -9,5 +9,5 @@
|
|
|
9
9
|
"assertionStackName": "cfts3cmkprovidedasbucketpropIntegDefaultTestDeployAssert38E63D55"
|
|
10
10
|
}
|
|
11
11
|
},
|
|
12
|
-
"minimumCliVersion": "2.
|
|
12
|
+
"minimumCliVersion": "2.1029.2"
|
|
13
13
|
}
|
|
@@ -66,7 +66,7 @@
|
|
|
66
66
|
"validateOnSynth": false,
|
|
67
67
|
"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
|
|
68
68
|
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
|
|
69
|
-
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/
|
|
69
|
+
"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/05ef190ff73a6e9ee2ec74f732704f72bbdf8bf89af6191f026a609eb11efebe.json",
|
|
70
70
|
"requiresBootstrapStackVersion": 6,
|
|
71
71
|
"bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
|
|
72
72
|
"additionalDependencies": [
|
|
@@ -493,7 +493,7 @@
|
|
|
493
493
|
"runtime": "*",
|
|
494
494
|
"handler": "*",
|
|
495
495
|
"timeout": "*",
|
|
496
|
-
"
|
|
496
|
+
"loggingFormat": "JSON",
|
|
497
497
|
"applicationLogLevelV2": "FATAL",
|
|
498
498
|
"logGroup": "*",
|
|
499
499
|
"vpc": "*",
|
|
@@ -718,57 +718,48 @@
|
|
|
718
718
|
"properties": {
|
|
719
719
|
"module": "aws-cdk-lib",
|
|
720
720
|
"flags": {
|
|
721
|
-
"@aws-cdk/
|
|
721
|
+
"@aws-cdk/aws-signer:signingProfileNamePassedToCfn": {
|
|
722
722
|
"recommendedValue": true,
|
|
723
|
-
"explanation": "
|
|
724
|
-
},
|
|
725
|
-
"aws-cdk:enableDiffNoFail": {
|
|
726
|
-
"recommendedValue": true,
|
|
727
|
-
"explanation": "Make `cdk diff` not fail when there are differences"
|
|
723
|
+
"explanation": "Pass signingProfileName to CfnSigningProfile"
|
|
728
724
|
},
|
|
729
725
|
"@aws-cdk/core:newStyleStackSynthesis": {
|
|
730
726
|
"recommendedValue": true,
|
|
731
|
-
"explanation": "Switch to new stack synthesis method which enables CI/CD"
|
|
727
|
+
"explanation": "Switch to new stack synthesis method which enables CI/CD",
|
|
728
|
+
"unconfiguredBehavesLike": {
|
|
729
|
+
"v2": true
|
|
730
|
+
}
|
|
732
731
|
},
|
|
733
732
|
"@aws-cdk/core:stackRelativeExports": {
|
|
734
733
|
"recommendedValue": true,
|
|
735
|
-
"explanation": "Name exports based on the construct paths relative to the stack, rather than the global construct path"
|
|
736
|
-
|
|
737
|
-
|
|
738
|
-
|
|
739
|
-
"explanation": "DockerImageAsset properly supports `.dockerignore` files by default"
|
|
740
|
-
},
|
|
741
|
-
"@aws-cdk/aws-secretsmanager:parseOwnedSecretName": {
|
|
742
|
-
"recommendedValue": true,
|
|
743
|
-
"explanation": "Fix the referencing of SecretsManager names from ARNs"
|
|
744
|
-
},
|
|
745
|
-
"@aws-cdk/aws-kms:defaultKeyPolicies": {
|
|
746
|
-
"recommendedValue": true,
|
|
747
|
-
"explanation": "Tighten default KMS key policies"
|
|
748
|
-
},
|
|
749
|
-
"@aws-cdk/aws-s3:grantWriteWithoutAcl": {
|
|
750
|
-
"recommendedValue": true,
|
|
751
|
-
"explanation": "Remove `PutObjectAcl` from Bucket.grantWrite"
|
|
734
|
+
"explanation": "Name exports based on the construct paths relative to the stack, rather than the global construct path",
|
|
735
|
+
"unconfiguredBehavesLike": {
|
|
736
|
+
"v2": true
|
|
737
|
+
}
|
|
752
738
|
},
|
|
753
|
-
"@aws-cdk/aws-ecs-patterns:
|
|
739
|
+
"@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": {
|
|
754
740
|
"recommendedValue": true,
|
|
755
|
-
"explanation": "
|
|
741
|
+
"explanation": "Disable implicit openListener when custom security groups are provided"
|
|
756
742
|
},
|
|
757
743
|
"@aws-cdk/aws-rds:lowercaseDbIdentifier": {
|
|
758
744
|
"recommendedValue": true,
|
|
759
|
-
"explanation": "Force lowercasing of RDS Cluster names in CDK"
|
|
745
|
+
"explanation": "Force lowercasing of RDS Cluster names in CDK",
|
|
746
|
+
"unconfiguredBehavesLike": {
|
|
747
|
+
"v2": true
|
|
748
|
+
}
|
|
760
749
|
},
|
|
761
750
|
"@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": {
|
|
762
751
|
"recommendedValue": true,
|
|
763
|
-
"explanation": "Allow adding/removing multiple UsagePlanKeys independently"
|
|
764
|
-
|
|
765
|
-
|
|
766
|
-
|
|
767
|
-
"explanation": "Enable this feature flag to have elastic file systems encrypted at rest by default."
|
|
752
|
+
"explanation": "Allow adding/removing multiple UsagePlanKeys independently",
|
|
753
|
+
"unconfiguredBehavesLike": {
|
|
754
|
+
"v2": true
|
|
755
|
+
}
|
|
768
756
|
},
|
|
769
757
|
"@aws-cdk/aws-lambda:recognizeVersionProps": {
|
|
770
758
|
"recommendedValue": true,
|
|
771
|
-
"explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`."
|
|
759
|
+
"explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.",
|
|
760
|
+
"unconfiguredBehavesLike": {
|
|
761
|
+
"v2": true
|
|
762
|
+
}
|
|
772
763
|
},
|
|
773
764
|
"@aws-cdk/aws-lambda:recognizeLayerVersion": {
|
|
774
765
|
"userValue": true,
|
|
@@ -777,7 +768,10 @@
|
|
|
777
768
|
},
|
|
778
769
|
"@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": {
|
|
779
770
|
"recommendedValue": true,
|
|
780
|
-
"explanation": "Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default."
|
|
771
|
+
"explanation": "Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.",
|
|
772
|
+
"unconfiguredBehavesLike": {
|
|
773
|
+
"v2": true
|
|
774
|
+
}
|
|
781
775
|
},
|
|
782
776
|
"@aws-cdk/core:checkSecretUsage": {
|
|
783
777
|
"userValue": true,
|
|
@@ -854,7 +848,7 @@
|
|
|
854
848
|
"@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": {
|
|
855
849
|
"userValue": true,
|
|
856
850
|
"recommendedValue": true,
|
|
857
|
-
"explanation": "Enable this feature to
|
|
851
|
+
"explanation": "Enable this feature to create default policy names for imported roles that depend on the stack the role is in."
|
|
858
852
|
},
|
|
859
853
|
"@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": {
|
|
860
854
|
"userValue": true,
|
|
@@ -998,7 +992,10 @@
|
|
|
998
992
|
},
|
|
999
993
|
"@aws-cdk/pipelines:reduceAssetRoleTrustScope": {
|
|
1000
994
|
"recommendedValue": true,
|
|
1001
|
-
"explanation": "Remove the root account principal from PipelineAssetsFileRole trust policy"
|
|
995
|
+
"explanation": "Remove the root account principal from PipelineAssetsFileRole trust policy",
|
|
996
|
+
"unconfiguredBehavesLike": {
|
|
997
|
+
"v2": true
|
|
998
|
+
}
|
|
1002
999
|
},
|
|
1003
1000
|
"@aws-cdk/aws-eks:nodegroupNameAttribute": {
|
|
1004
1001
|
"userValue": true,
|
|
@@ -1027,7 +1024,10 @@
|
|
|
1027
1024
|
},
|
|
1028
1025
|
"@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask": {
|
|
1029
1026
|
"recommendedValue": true,
|
|
1030
|
-
"explanation": "When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model."
|
|
1027
|
+
"explanation": "When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.",
|
|
1028
|
+
"unconfiguredBehavesLike": {
|
|
1029
|
+
"v2": true
|
|
1030
|
+
}
|
|
1031
1031
|
},
|
|
1032
1032
|
"@aws-cdk/core:explicitStackTags": {
|
|
1033
1033
|
"userValue": true,
|
|
@@ -1091,7 +1091,10 @@
|
|
|
1091
1091
|
},
|
|
1092
1092
|
"@aws-cdk/core:aspectStabilization": {
|
|
1093
1093
|
"recommendedValue": true,
|
|
1094
|
-
"explanation": "When enabled, a stabilization loop will be run when invoking Aspects during synthesis."
|
|
1094
|
+
"explanation": "When enabled, a stabilization loop will be run when invoking Aspects during synthesis.",
|
|
1095
|
+
"unconfiguredBehavesLike": {
|
|
1096
|
+
"v2": true
|
|
1097
|
+
}
|
|
1095
1098
|
},
|
|
1096
1099
|
"@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": {
|
|
1097
1100
|
"userValue": true,
|
|
@@ -1125,7 +1128,10 @@
|
|
|
1125
1128
|
},
|
|
1126
1129
|
"@aws-cdk/pipelines:reduceStageRoleTrustScope": {
|
|
1127
1130
|
"recommendedValue": true,
|
|
1128
|
-
"explanation": "Remove the root account principal from Stage addActions trust policy"
|
|
1131
|
+
"explanation": "Remove the root account principal from Stage addActions trust policy",
|
|
1132
|
+
"unconfiguredBehavesLike": {
|
|
1133
|
+
"v2": true
|
|
1134
|
+
}
|
|
1129
1135
|
},
|
|
1130
1136
|
"@aws-cdk/aws-events:requireEventBusPolicySid": {
|
|
1131
1137
|
"userValue": true,
|
|
@@ -1148,7 +1154,10 @@
|
|
|
1148
1154
|
},
|
|
1149
1155
|
"@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": {
|
|
1150
1156
|
"recommendedValue": true,
|
|
1151
|
-
"explanation": "When enabled, scopes down the trust policy for the cross-account action role"
|
|
1157
|
+
"explanation": "When enabled, scopes down the trust policy for the cross-account action role",
|
|
1158
|
+
"unconfiguredBehavesLike": {
|
|
1159
|
+
"v2": true
|
|
1160
|
+
}
|
|
1152
1161
|
},
|
|
1153
1162
|
"@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": {
|
|
1154
1163
|
"userValue": true,
|
|
@@ -1178,6 +1187,21 @@
|
|
|
1178
1187
|
"userValue": true,
|
|
1179
1188
|
"recommendedValue": true,
|
|
1180
1189
|
"explanation": "When enabled, CDK creates and manages loggroup for the lambda function"
|
|
1190
|
+
},
|
|
1191
|
+
"@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault": {
|
|
1192
|
+
"recommendedValue": true,
|
|
1193
|
+
"explanation": "When enabled, Network Load Balancer will be created with a security group by default."
|
|
1194
|
+
},
|
|
1195
|
+
"@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint": {
|
|
1196
|
+
"recommendedValue": true,
|
|
1197
|
+
"explanation": "When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks.",
|
|
1198
|
+
"unconfiguredBehavesLike": {
|
|
1199
|
+
"v2": true
|
|
1200
|
+
}
|
|
1201
|
+
},
|
|
1202
|
+
"@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": {
|
|
1203
|
+
"recommendedValue": true,
|
|
1204
|
+
"explanation": "When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement"
|
|
1181
1205
|
}
|
|
1182
1206
|
}
|
|
1183
1207
|
}
|