aws-cdk-lib 2.136.0__py3-none-any.whl → 2.137.0__py3-none-any.whl

aws_cdk/aws_ecr_assets/__init__.py

@@ -214,10 +214,9 @@ method. This will modify the IAM policy of the principal to allow it to
 pull images from this repository.
 
 If the pulling principal is not in the same account or is an AWS service that
-doesn't assume a role in your account (e.g. AWS CodeBuild), pull permissions
-must be granted on the **resource policy** (and not on the principal's policy).
-To do that, you can use `asset.repository.addToResourcePolicy(statement)` to
-grant the desired principal the following permissions: "ecr:GetDownloadUrlForLayer",
+doesn't assume a role in your account (e.g. AWS CodeBuild), you must either copy the image to a new repository, or
+grant pull permissions on the resource policy of the repository. Since the repository is managed by the CDK bootstrap stack,
+the following permissions must be granted there, or granted manually on the repository: "ecr:GetDownloadUrlForLayer",
 "ecr:BatchGetImage" and "ecr:BatchCheckLayerAvailability".
 '''
 from pkgutil import extend_path

aws_cdk/aws_elasticloadbalancingv2/__init__.py

@@ -234,7 +234,22 @@ lb = elbv2.ApplicationLoadBalancer(self, "LB",
     cross_zone_enabled=True,
 
     # Whether the load balancer blocks traffic through the Internet Gateway (IGW).
-    deny_all_igw_traffic=False
+    deny_all_igw_traffic=False,
+
+    # Whether to preserve host header in the request to the target
+    preserve_host_header=True,
+
+    # Whether to add the TLS information header to the request
+    x_amzn_tls_version_and_cipher_suite_headers=True,
+
+    # Whether the X-Forwarded-For header should preserve the source port
+    preserve_xff_client_port=True,
+
+    # The processing mode for X-Forwarded-For headers
+    xff_header_processing_mode=elbv2.XffHeaderProcessingMode.APPEND,
+
+    # Whether to allow a load balancer to route requests to targets if it is unable to forward the request to AWS WAF.
+    waf_fail_open=True
 )
 ```
 
@@ -10597,7 +10612,22 @@ class DesyncMitigationMode(enum.Enum):
             cross_zone_enabled=True,
         
             # Whether the load balancer blocks traffic through the Internet Gateway (IGW).
-            deny_all_igw_traffic=False
+            deny_all_igw_traffic=False,
+        
+            # Whether to preserve host header in the request to the target
+            preserve_host_header=True,
+        
+            # Whether to add the TLS information header to the request
+            x_amzn_tls_version_and_cipher_suite_headers=True,
+        
+            # Whether the X-Forwarded-For header should preserve the source port
+            preserve_xff_client_port=True,
+        
+            # The processing mode for X-Forwarded-For headers
+            xff_header_processing_mode=elbv2.XffHeaderProcessingMode.APPEND,
+        
+            # Whether to allow a load balancer to route requests to targets if it is unable to forward the request to AWS WAF.
+            waf_fail_open=True
         )
     '''
 
@@ -14730,7 +14760,22 @@ class IpAddressType(enum.Enum):
             cross_zone_enabled=True,
         
             # Whether the load balancer blocks traffic through the Internet Gateway (IGW).
-            deny_all_igw_traffic=False
+            deny_all_igw_traffic=False,
+        
+            # Whether to preserve host header in the request to the target
+            preserve_host_header=True,
+        
+            # Whether to add the TLS information header to the request
+            x_amzn_tls_version_and_cipher_suite_headers=True,
+        
+            # Whether the X-Forwarded-For header should preserve the source port
+            preserve_xff_client_port=True,
+        
+            # The processing mode for X-Forwarded-For headers
+            xff_header_processing_mode=elbv2.XffHeaderProcessingMode.APPEND,
+        
+            # Whether to allow a load balancer to route requests to targets if it is unable to forward the request to AWS WAF.
+            waf_fail_open=True
         )
     '''
 
@@ -18095,6 +18140,72 @@ class WeightedTargetGroup:
         )
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.XffHeaderProcessingMode")
+class XffHeaderProcessingMode(enum.Enum):
+    '''Processing mode of the X-Forwarded-For header in the HTTP request before the Application Load Balancer sends the request to the target.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        # vpc: ec2.Vpc
+        
+        
+        lb = elbv2.ApplicationLoadBalancer(self, "LB",
+            vpc=vpc,
+            internet_facing=True,
+        
+            # Whether HTTP/2 is enabled
+            http2_enabled=False,
+        
+            # The idle timeout value, in seconds
+            idle_timeout=Duration.seconds(1000),
+        
+            # Whether HTTP headers with header fields thatare not valid
+            # are removed by the load balancer (true), or routed to targets
+            drop_invalid_header_fields=True,
+        
+            # How the load balancer handles requests that might
+            # pose a security risk to your application
+            desync_mitigation_mode=elbv2.DesyncMitigationMode.DEFENSIVE,
+        
+            # The type of IP addresses to use.
+            ip_address_type=elbv2.IpAddressType.IPV4,
+        
+            # The duration of client keep-alive connections
+            client_keep_alive=Duration.seconds(500),
+        
+            # Whether cross-zone load balancing is enabled.
+            cross_zone_enabled=True,
+        
+            # Whether the load balancer blocks traffic through the Internet Gateway (IGW).
+            deny_all_igw_traffic=False,
+        
+            # Whether to preserve host header in the request to the target
+            preserve_host_header=True,
+        
+            # Whether to add the TLS information header to the request
+            x_amzn_tls_version_and_cipher_suite_headers=True,
+        
+            # Whether the X-Forwarded-For header should preserve the source port
+            preserve_xff_client_port=True,
+        
+            # The processing mode for X-Forwarded-For headers
+            xff_header_processing_mode=elbv2.XffHeaderProcessingMode.APPEND,
+        
+            # Whether to allow a load balancer to route requests to targets if it is unable to forward the request to AWS WAF.
+            waf_fail_open=True
+        )
+    '''
+
+    APPEND = "APPEND"
+    '''Application Load Balancer adds the client IP address (of the last hop) to the X-Forwarded-For header in the HTTP request before it sends it to targets.'''
+    PRESERVE = "PRESERVE"
+    '''Application Load Balancer preserves the X-Forwarded-For header in the HTTP request, and sends it to targets without any change.'''
+    REMOVE = "REMOVE"
+    '''Application Load Balancer removes the X-Forwarded-For header in the HTTP request before it sends it to targets.'''
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.AddApplicationActionProps",
     jsii_struct_bases=[AddRuleProps],
@@ -19128,7 +19239,12 @@ class ApplicationLoadBalancerLookupOptions(BaseLoadBalancerLookupOptions):
         "http2_enabled": "http2Enabled",
         "idle_timeout": "idleTimeout",
         "ip_address_type": "ipAddressType",
+        "preserve_host_header": "preserveHostHeader",
+        "preserve_xff_client_port": "preserveXffClientPort",
         "security_group": "securityGroup",
+        "waf_fail_open": "wafFailOpen",
+        "x_amzn_tls_version_and_cipher_suite_headers": "xAmznTlsVersionAndCipherSuiteHeaders",
+        "xff_header_processing_mode": "xffHeaderProcessingMode",
     },
 )
 class ApplicationLoadBalancerProps(BaseLoadBalancerProps):
@@ -19148,7 +19264,12 @@ class ApplicationLoadBalancerProps(BaseLoadBalancerProps):
         http2_enabled: typing.Optional[builtins.bool] = None,
         idle_timeout: typing.Optional[_Duration_4839e8c3] = None,
         ip_address_type: typing.Optional[IpAddressType] = None,
+        preserve_host_header: typing.Optional[builtins.bool] = None,
+        preserve_xff_client_port: typing.Optional[builtins.bool] = None,
         security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
+        waf_fail_open: typing.Optional[builtins.bool] = None,
+        x_amzn_tls_version_and_cipher_suite_headers: typing.Optional[builtins.bool] = None,
+        xff_header_processing_mode: typing.Optional[XffHeaderProcessingMode] = None,
     ) -> None:
         '''Properties for defining an Application Load Balancer.
 
@@ -19165,8 +19286,14 @@ class ApplicationLoadBalancerProps(BaseLoadBalancerProps):
         :param http2_enabled: Indicates whether HTTP/2 is enabled. Default: true
         :param idle_timeout: The load balancer idle timeout, in seconds. Default: 60
         :param ip_address_type: The type of IP addresses to use. Default: IpAddressType.IPV4
+        :param preserve_host_header: Indicates whether the Application Load Balancer should preserve the host header in the HTTP request and send it to the target without any change. Default: false
+        :param preserve_xff_client_port: Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer. Default: false
         :param security_group: Security group to associate with this load balancer. Default: A security group is created
+        :param waf_fail_open: Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. Default: false
+        :param x_amzn_tls_version_and_cipher_suite_headers: Indicates whether the two headers (x-amzn-tls-version and x-amzn-tls-cipher-suite), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The x-amzn-tls-version header has information about the TLS protocol version negotiated with the client, and the x-amzn-tls-cipher-suite header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. Default: false
+        :param xff_header_processing_mode: Enables you to modify, preserve, or remove the X-Forwarded-For header in the HTTP request before the Application Load Balancer sends the request to the target. Default: XffHeaderProcessingMode.APPEND
 
+        :see: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#load-balancer-attributes
         :exampleMetadata: infused
 
         Example::
@@ -19218,7 +19345,12 @@ class ApplicationLoadBalancerProps(BaseLoadBalancerProps):
             check_type(argname="argument http2_enabled", value=http2_enabled, expected_type=type_hints["http2_enabled"])
             check_type(argname="argument idle_timeout", value=idle_timeout, expected_type=type_hints["idle_timeout"])
             check_type(argname="argument ip_address_type", value=ip_address_type, expected_type=type_hints["ip_address_type"])
+            check_type(argname="argument preserve_host_header", value=preserve_host_header, expected_type=type_hints["preserve_host_header"])
+            check_type(argname="argument preserve_xff_client_port", value=preserve_xff_client_port, expected_type=type_hints["preserve_xff_client_port"])
             check_type(argname="argument security_group", value=security_group, expected_type=type_hints["security_group"])
+            check_type(argname="argument waf_fail_open", value=waf_fail_open, expected_type=type_hints["waf_fail_open"])
+            check_type(argname="argument x_amzn_tls_version_and_cipher_suite_headers", value=x_amzn_tls_version_and_cipher_suite_headers, expected_type=type_hints["x_amzn_tls_version_and_cipher_suite_headers"])
+            check_type(argname="argument xff_header_processing_mode", value=xff_header_processing_mode, expected_type=type_hints["xff_header_processing_mode"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "vpc": vpc,
         }
@@ -19246,8 +19378,18 @@ class ApplicationLoadBalancerProps(BaseLoadBalancerProps):
             self._values["idle_timeout"] = idle_timeout
         if ip_address_type is not None:
             self._values["ip_address_type"] = ip_address_type
+        if preserve_host_header is not None:
+            self._values["preserve_host_header"] = preserve_host_header
+        if preserve_xff_client_port is not None:
+            self._values["preserve_xff_client_port"] = preserve_xff_client_port
         if security_group is not None:
             self._values["security_group"] = security_group
+        if waf_fail_open is not None:
+            self._values["waf_fail_open"] = waf_fail_open
+        if x_amzn_tls_version_and_cipher_suite_headers is not None:
+            self._values["x_amzn_tls_version_and_cipher_suite_headers"] = x_amzn_tls_version_and_cipher_suite_headers
+        if xff_header_processing_mode is not None:
+            self._values["xff_header_processing_mode"] = xff_header_processing_mode
 
     @builtins.property
     def vpc(self) -> _IVpc_f30d5663:
@@ -19366,6 +19508,24 @@ class ApplicationLoadBalancerProps(BaseLoadBalancerProps):
         result = self._values.get("ip_address_type")
         return typing.cast(typing.Optional[IpAddressType], result)
 
+    @builtins.property
+    def preserve_host_header(self) -> typing.Optional[builtins.bool]:
+        '''Indicates whether the Application Load Balancer should preserve the host header in the HTTP request and send it to the target without any change.
+
+        :default: false
+        '''
+        result = self._values.get("preserve_host_header")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def preserve_xff_client_port(self) -> typing.Optional[builtins.bool]:
+        '''Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer.
+
+        :default: false
+        '''
+        result = self._values.get("preserve_xff_client_port")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def security_group(self) -> typing.Optional[_ISecurityGroup_acf8a799]:
         '''Security group to associate with this load balancer.
@@ -19375,6 +19535,40 @@ class ApplicationLoadBalancerProps(BaseLoadBalancerProps):
         result = self._values.get("security_group")
         return typing.cast(typing.Optional[_ISecurityGroup_acf8a799], result)
 
+    @builtins.property
+    def waf_fail_open(self) -> typing.Optional[builtins.bool]:
+        '''Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF.
+
+        :default: false
+        '''
+        result = self._values.get("waf_fail_open")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def x_amzn_tls_version_and_cipher_suite_headers(
+        self,
+    ) -> typing.Optional[builtins.bool]:
+        '''Indicates whether the two headers (x-amzn-tls-version and x-amzn-tls-cipher-suite), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target.
+
+        The x-amzn-tls-version header has information about the TLS protocol version negotiated with the client,
+        and the x-amzn-tls-cipher-suite header has information about the cipher suite negotiated with the client.
+
+        Both headers are in OpenSSL format.
+
+        :default: false
+        '''
+        result = self._values.get("x_amzn_tls_version_and_cipher_suite_headers")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def xff_header_processing_mode(self) -> typing.Optional[XffHeaderProcessingMode]:
+        '''Enables you to modify, preserve, or remove the X-Forwarded-For header in the HTTP request before the Application Load Balancer sends the request to the target.
+
+        :default: XffHeaderProcessingMode.APPEND
+        '''
+        result = self._values.get("xff_header_processing_mode")
+        return typing.cast(typing.Optional[XffHeaderProcessingMode], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -21287,7 +21481,12 @@ class ApplicationLoadBalancer(
         http2_enabled: typing.Optional[builtins.bool] = None,
         idle_timeout: typing.Optional[_Duration_4839e8c3] = None,
         ip_address_type: typing.Optional[IpAddressType] = None,
+        preserve_host_header: typing.Optional[builtins.bool] = None,
+        preserve_xff_client_port: typing.Optional[builtins.bool] = None,
         security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
+        waf_fail_open: typing.Optional[builtins.bool] = None,
+        x_amzn_tls_version_and_cipher_suite_headers: typing.Optional[builtins.bool] = None,
+        xff_header_processing_mode: typing.Optional[XffHeaderProcessingMode] = None,
         vpc: _IVpc_f30d5663,
         cross_zone_enabled: typing.Optional[builtins.bool] = None,
         deletion_protection: typing.Optional[builtins.bool] = None,
@@ -21305,7 +21504,12 @@ class ApplicationLoadBalancer(
         :param http2_enabled: Indicates whether HTTP/2 is enabled. Default: true
         :param idle_timeout: The load balancer idle timeout, in seconds. Default: 60
         :param ip_address_type: The type of IP addresses to use. Default: IpAddressType.IPV4
+        :param preserve_host_header: Indicates whether the Application Load Balancer should preserve the host header in the HTTP request and send it to the target without any change. Default: false
+        :param preserve_xff_client_port: Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer. Default: false
         :param security_group: Security group to associate with this load balancer. Default: A security group is created
+        :param waf_fail_open: Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. Default: false
+        :param x_amzn_tls_version_and_cipher_suite_headers: Indicates whether the two headers (x-amzn-tls-version and x-amzn-tls-cipher-suite), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The x-amzn-tls-version header has information about the TLS protocol version negotiated with the client, and the x-amzn-tls-cipher-suite header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. Default: false
+        :param xff_header_processing_mode: Enables you to modify, preserve, or remove the X-Forwarded-For header in the HTTP request before the Application Load Balancer sends the request to the target. Default: XffHeaderProcessingMode.APPEND
         :param vpc: The VPC network to place the load balancer in.
         :param cross_zone_enabled: Indicates whether cross-zone load balancing is enabled. Default: - false for Network Load Balancers and true for Application Load Balancers.
         :param deletion_protection: Indicates whether deletion protection is enabled. Default: false
@@ -21325,7 +21529,12 @@ class ApplicationLoadBalancer(
             http2_enabled=http2_enabled,
             idle_timeout=idle_timeout,
             ip_address_type=ip_address_type,
+            preserve_host_header=preserve_host_header,
+            preserve_xff_client_port=preserve_xff_client_port,
             security_group=security_group,
+            waf_fail_open=waf_fail_open,
+            x_amzn_tls_version_and_cipher_suite_headers=x_amzn_tls_version_and_cipher_suite_headers,
+            xff_header_processing_mode=xff_header_processing_mode,
             vpc=vpc,
             cross_zone_enabled=cross_zone_enabled,
             deletion_protection=deletion_protection,
@@ -23298,6 +23507,7 @@ __all__ = [
     "TargetType",
     "UnauthenticatedAction",
     "WeightedTargetGroup",
+    "XffHeaderProcessingMode",
 ]
 
 publication.publish()
@@ -25082,7 +25292,12 @@ def _typecheckingstub__e43cf75024913d9be0d5d621a5f2c2c7be60a57898a54967cd54179b2
     http2_enabled: typing.Optional[builtins.bool] = None,
     idle_timeout: typing.Optional[_Duration_4839e8c3] = None,
     ip_address_type: typing.Optional[IpAddressType] = None,
+    preserve_host_header: typing.Optional[builtins.bool] = None,
+    preserve_xff_client_port: typing.Optional[builtins.bool] = None,
     security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
+    waf_fail_open: typing.Optional[builtins.bool] = None,
+    x_amzn_tls_version_and_cipher_suite_headers: typing.Optional[builtins.bool] = None,
+    xff_header_processing_mode: typing.Optional[XffHeaderProcessingMode] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -25432,7 +25647,12 @@ def _typecheckingstub__22d249b6cdbe3ce0dfc1a873ef276c65fe89ce6a5dba0603fae0a5755
     http2_enabled: typing.Optional[builtins.bool] = None,
     idle_timeout: typing.Optional[_Duration_4839e8c3] = None,
     ip_address_type: typing.Optional[IpAddressType] = None,
+    preserve_host_header: typing.Optional[builtins.bool] = None,
+    preserve_xff_client_port: typing.Optional[builtins.bool] = None,
     security_group: typing.Optional[_ISecurityGroup_acf8a799] = None,
+    waf_fail_open: typing.Optional[builtins.bool] = None,
+    x_amzn_tls_version_and_cipher_suite_headers: typing.Optional[builtins.bool] = None,
+    xff_header_processing_mode: typing.Optional[XffHeaderProcessingMode] = None,
     vpc: _IVpc_f30d5663,
     cross_zone_enabled: typing.Optional[builtins.bool] = None,
     deletion_protection: typing.Optional[builtins.bool] = None,

aws_cdk/aws_iam/__init__.py

@@ -9907,24 +9907,20 @@ class PolicyStatement(
 
     Example::
 
-        cross_account_role_arn = "arn:aws:iam::OTHERACCOUNT:role/CrossAccountRoleName" # arn of role deployed in separate account
+        # destination_bucket: s3.Bucket
         
-        call_region = "us-west-1" # sdk call to be made in specified region (optional)
         
-        cr.AwsCustomResource(self, "CrossAccount",
-            on_create=cr.AwsSdkCall(
-                assumed_role_arn=cross_account_role_arn,
-                region=call_region,  # optional
-                service="sts",
-                action="GetCallerIdentity",
-                physical_resource_id=cr.PhysicalResourceId.of("id")
-            ),
-            policy=cr.AwsCustomResourcePolicy.from_statements([iam.PolicyStatement.from_json({
-                "Effect": "Allow",
-                "Action": "sts:AssumeRole",
-                "Resource": cross_account_role_arn
-            })])
+        deployment = s3deploy.BucketDeployment(self, "DeployFiles",
+            sources=[s3deploy.Source.asset(path.join(__dirname, "source-files"))],
+            destination_bucket=destination_bucket
         )
+        
+        deployment.handler_role.add_to_policy(
+            iam.PolicyStatement(
+                actions=["kms:Decrypt", "kms:DescribeKey"],
+                effect=iam.Effect.ALLOW,
+                resources=["<encryption key ARN>"]
+            ))
     '''
 
     def __init__(
@@ -10468,35 +10464,24 @@ class PolicyStatementProps:
         :param resources: Resource ARNs to add to the statement. Default: - no resources
         :param sid: The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document's ID. In IAM, the Sid value must be unique within a JSON policy. Default: - no sid
 
-        :exampleMetadata: lit=aws-ec2/test/integ.vpc-endpoint.lit.ts infused
+        :exampleMetadata: infused
 
         Example::
 
-            # Add gateway endpoints when creating the VPC
-            vpc = ec2.Vpc(self, "MyVpc",
-                gateway_endpoints={
-                    "S3": cdk.aws_ec2.GatewayVpcEndpointOptions(
-                        service=ec2.GatewayVpcEndpointAwsService.S3
-                    )
-                }
-            )
-            
-            # Alternatively gateway endpoints can be added on the VPC
-            dynamo_db_endpoint = vpc.add_gateway_endpoint("DynamoDbEndpoint",
-                service=ec2.GatewayVpcEndpointAwsService.DYNAMODB
-            )
+            # destination_bucket: s3.Bucket
             
-            # This allows to customize the endpoint policy
-            dynamo_db_endpoint.add_to_policy(
-                iam.PolicyStatement( # Restrict to listing and describing tables
-                    principals=[iam.AnyPrincipal()],
-                    actions=["dynamodb:DescribeTable", "dynamodb:ListTables"],
-                    resources=["*"]))
             
-            # Add an interface endpoint
-            vpc.add_interface_endpoint("EcrDockerEndpoint",
-                service=ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER
+            deployment = s3deploy.BucketDeployment(self, "DeployFiles",
+                sources=[s3deploy.Source.asset(path.join(__dirname, "source-files"))],
+                destination_bucket=destination_bucket
             )
+            
+            deployment.handler_role.add_to_policy(
+                iam.PolicyStatement(
+                    actions=["kms:Decrypt", "kms:DescribeKey"],
+                    effect=iam.Effect.ALLOW,
+                    resources=["<encryption key ARN>"]
+                ))
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__b1307ab5f5dd84b7184f36603f7af026efb2798812c35c96dbe60552fff14c3b)

aws_cdk/aws_kms/__init__.py

@@ -2034,20 +2034,15 @@ class Key(
 
     Example::
 
-        # vpc: ec2.Vpc
+        # destination_bucket: s3.Bucket
         
-        engine = rds.DatabaseInstanceEngine.postgres(version=rds.PostgresEngineVersion.VER_15_2)
-        my_key = kms.Key(self, "MyKey")
-        
-        rds.DatabaseInstance(self, "InstanceWithCustomizedSecret",
-            engine=engine,
-            vpc=vpc,
-            credentials=rds.Credentials.from_generated_secret("postgres",
-                secret_name="my-cool-name",
-                encryption_key=my_key,
-                exclude_characters="!&*^#@()",
-                replica_regions=[secretsmanager.ReplicaRegion(region="eu-west-1"), secretsmanager.ReplicaRegion(region="eu-west-2")]
-            )
+        source_bucket = s3.Bucket.from_bucket_attributes(self, "SourceBucket",
+            bucket_arn="arn:aws:s3:::my-source-bucket-name",
+            encryption_key=kms.Key.from_key_arn(self, "SourceBucketEncryptionKey", "arn:aws:kms:us-east-1:123456789012:key/<key-id>")
+        )
+        deployment = s3deploy.BucketDeployment(self, "DeployFiles",
+            sources=[s3deploy.Source.bucket(source_bucket, "source.zip")],
+            destination_bucket=destination_bucket
         )
     '''
 

aws_cdk/aws_route53/__init__.py

@@ -267,9 +267,9 @@ cross_account_role = iam.Role(self, "CrossAccountRole",
                     resources=["*"]
                 ),
                 iam.PolicyStatement(
-                    sid="GetHostedZoneAndChangeResourceRecordSet",
+                    sid="GetHostedZoneAndChangeResourceRecordSets",
                     effect=iam.Effect.ALLOW,
-                    actions=["route53:GetHostedZone", "route53:ChangeResourceRecordSet"],
+                    actions=["route53:GetHostedZone", "route53:ChangeResourceRecordSets"],
                     # This example assumes the RecordSet subdomain.somexample.com
                     # is contained in the HostedZone
                     resources=["arn:aws:route53:::hostedzone/HZID00000000000000000"],
@@ -7282,9 +7282,9 @@ class PublicHostedZoneProps(CommonHostedZoneProps):
                                 resources=["*"]
                             ),
                             iam.PolicyStatement(
-                                sid="GetHostedZoneAndChangeResourceRecordSet",
+                                sid="GetHostedZoneAndChangeResourceRecordSets",
                                 effect=iam.Effect.ALLOW,
-                                actions=["route53:GetHostedZone", "route53:ChangeResourceRecordSet"],
+                                actions=["route53:GetHostedZone", "route53:ChangeResourceRecordSets"],
                                 # This example assumes the RecordSet subdomain.somexample.com
                                 # is contained in the HostedZone
                                 resources=["arn:aws:route53:::hostedzone/HZID00000000000000000"],

aws_cdk/aws_s3_deployment/__init__.py

@@ -24,12 +24,13 @@ This is what happens under the hood:
 
 1. When this stack is deployed (either via `cdk deploy` or via CI/CD), the
    contents of the local `website-dist` directory will be archived and uploaded
-   to an intermediary assets bucket. If there is more than one source, they will
-   be individually uploaded.
-2. The `BucketDeployment` construct synthesizes a custom CloudFormation resource
+   to an intermediary assets bucket (the `StagingBucket` of the CDK bootstrap stack).
+   If there is more than one source, they will be individually uploaded.
+2. The `BucketDeployment` construct synthesizes a Lambda-backed custom CloudFormation resource
    of type `Custom::CDKBucketDeployment` into the template. The source bucket/key
    is set to point to the assets bucket.
-3. The custom resource downloads the .zip archive, extracts it and issues `aws s3 sync --delete` against the destination bucket (in this case
+3. The custom resource invokes its associated Lambda function, which downloads the .zip archive,
+   extracts it and issues `aws s3 sync --delete` against the destination bucket (in this case
    `websiteBucket`). If there is more than one source, the sources will be
    downloaded and merged pre-deployment at this step.
 
@@ -68,6 +69,56 @@ deployment = s3deploy.BucketDeployment(self, "DeployWebsite",
 deployment.add_source(s3deploy.Source.asset("./another-asset"))
 ```
 
+For the Lambda function to download object(s) from the source bucket, besides the obvious
+`s3:GetObject*` permissions, the Lambda's execution role needs the `kms:Decrypt` and `kms:DescribeKey`
+permissions on the KMS key that is used to encrypt the bucket. By default, when the source bucket is
+encrypted with the S3 managed key of the account, these permissions are granted by the key's
+resource-based policy, so they do not need to be on the Lambda's execution role policy explicitly.
+However, if the encryption key is not the s3 managed one, its resource-based policy is quite likely
+to NOT grant such KMS permissions. In this situation, the Lambda execution will fail with an error
+message like below:
+
+```txt
+download failed: ...
+An error occurred (AccessDenied) when calling the GetObject operation:
+User: *** is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext
+because no identity-based policy allows the kms:Decrypt action
+```
+
+When this happens, users can use the public `handlerRole` property of `BucketDeployment` to manually
+add the KMS permissions:
+
+```python
+# destination_bucket: s3.Bucket
+
+
+deployment = s3deploy.BucketDeployment(self, "DeployFiles",
+    sources=[s3deploy.Source.asset(path.join(__dirname, "source-files"))],
+    destination_bucket=destination_bucket
+)
+
+deployment.handler_role.add_to_policy(
+    iam.PolicyStatement(
+        actions=["kms:Decrypt", "kms:DescribeKey"],
+        effect=iam.Effect.ALLOW,
+        resources=["<encryption key ARN>"]
+    ))
+```
+
+The situation above could arise from the following scenarios:
+
+* User created a customer managed KMS key and passed its ID to the `cdk bootstrap` command via
+  the `--bootstrap-kms-key-id` CLI option.
+  The [default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-root-enable-iam)
+  alone is not sufficient to grant the Lambda KMS permissions.
+* A corporation uses its own custom CDK bootstrap process, which encrypts the CDK `StagingBucket`
+  by a KMS key from a management account of the corporation's AWS Organization. In this cross-account
+  access scenario, the KMS permissions must be explicitly present in the Lambda's execution role policy.
+* One of the sources for the `BucketDeployment` comes from the `Source.bucket` static method, which
+  points to a bucket whose encryption key is not the S3 managed one, and the resource-based policy
+  of the encryption key is not sufficient to grant the Lambda `kms:Decrypt` and `kms:DescribeKey`
+  permissions.
+
 ## Supported sources
 
 The following source types are supported for bucket deployments:
@@ -378,7 +429,6 @@ The syntax for template variables is `{{ variableName }}` in your local file. Th
 specify the substitutions in CDK like this:
 
 ```python
-import aws_cdk.aws_iam as iam
 import aws_cdk.aws_lambda as lambda_
 
 # my_lambda_function: lambda.Function
@@ -678,6 +728,12 @@ class BucketDeployment(
         '''
         return typing.cast(_IBucket_42e086fd, jsii.get(self, "deployedBucket"))
 
+    @builtins.property
+    @jsii.member(jsii_name="handlerRole")
+    def handler_role(self) -> _IRole_235f5d8e:
+        '''Execution role of the Lambda function behind the custom CloudFormation resource of type ``Custom::CDKBucketDeployment``.'''
+        return typing.cast(_IRole_235f5d8e, jsii.get(self, "handlerRole"))
+
     @builtins.property
     @jsii.member(jsii_name="objectKeys")
     def object_keys(self) -> typing.List[builtins.str]:
@@ -1457,7 +1513,6 @@ class DeployTimeSubstitutedFile(
 
     Example::
 
-        import aws_cdk.aws_iam as iam
         import aws_cdk.aws_lambda as lambda_
         
         # my_lambda_function: lambda.Function
@@ -1555,7 +1610,6 @@ class DeployTimeSubstitutedFileProps:
 
         Example::
 
-            import aws_cdk.aws_iam as iam
             import aws_cdk.aws_lambda as lambda_
             
             # my_lambda_function: lambda.Function
@@ -1870,8 +1924,31 @@ class Source(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_s3_deployment.S
 
         Make sure you trust the producer of the archive.
 
+        If the ``bucket`` parameter is an "out-of-app" reference "imported" via static methods such
+        as ``s3.Bucket.fromBucketName``, be cautious about the bucket's encryption key. In general,
+        CDK does not query for additional properties of imported constructs at synthesis time.
+        For example, for a bucket created from ``s3.Bucket.fromBucketName``, CDK does not know
+        its ``IBucket.encryptionKey`` property, and therefore will NOT give KMS permissions to the
+        Lambda execution role of the ``BucketDeployment`` construct. If you want the
+        ``kms:Decrypt`` and ``kms:DescribeKey`` permissions on the bucket's encryption key
+        to be added automatically, reference the imported bucket via ``s3.Bucket.fromBucketAttributes``
+        and pass in the ``encryptionKey`` attribute explicitly.
+
         :param bucket: The S3 Bucket.
         :param zip_object_key: The S3 object key of the zip file with contents.
+
+        Example::
+
+            # destination_bucket: s3.Bucket
+            
+            source_bucket = s3.Bucket.from_bucket_attributes(self, "SourceBucket",
+                bucket_arn="arn:aws:s3:::my-source-bucket-name",
+                encryption_key=kms.Key.from_key_arn(self, "SourceBucketEncryptionKey", "arn:aws:kms:us-east-1:123456789012:key/<key-id>")
+            )
+            deployment = s3deploy.BucketDeployment(self, "DeployFiles",
+                sources=[s3deploy.Source.bucket(source_bucket, "source.zip")],
+                destination_bucket=destination_bucket
+            )
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__bcaba123a95f1aa9d99f9f5af319da23dd5f345454e757ba9257364325b3efb5)