chore(release): 2.46.0 (#22487)

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/bump/2.46.0/CHANGELOG.md)

CHANGELOG.v2.alpha.md

@@ -2,6 +2,22 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.46.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.45.0-alpha.0...v2.46.0-alpha.0) (2022-10-13)
+
+
+### Features
+
+* **integ-tests:** add ability to `wait` for assertions to pass ([#22335](https://github.com/aws/aws-cdk/issues/22335)) ([700f9c4](https://github.com/aws/aws-cdk/commit/700f9c4d465684b784f50ec74e897c9031a639c5))
+* **integ-tests:** allow for user provided assertions stack ([#22404](https://github.com/aws/aws-cdk/issues/22404)) ([39089f5](https://github.com/aws/aws-cdk/commit/39089f5eabc61c2a546391742ff2cf906f8e0f8b))
+* **synthetics:** new runtime synthetics nodejs puppeteer 3 6 ([#22374](https://github.com/aws/aws-cdk/issues/22374)) ([e0c0b56](https://github.com/aws/aws-cdk/commit/e0c0b56dded26a897dc6243298947bd4e69321b2))
+
+
+### Bug Fixes
+
+* **appsync:** can not use Tokens in the name of a DataSource ([#22378](https://github.com/aws/aws-cdk/issues/22378)) ([511eb79](https://github.com/aws/aws-cdk/commit/511eb79cba734bcd9e013d5dfbf262c75a522f09)), closes [#18900](https://github.com/aws/aws-cdk/issues/18900)
+* **aws-lambda-python:** export poetry dependencies without hashes ([#22351](https://github.com/aws/aws-cdk/issues/22351)) ([76482f6](https://github.com/aws/aws-cdk/commit/76482f6847a46806c1a309d2f9335a3d6e838fc6)), closes [#14201](https://github.com/aws/aws-cdk/issues/14201) [#19232](https://github.com/aws/aws-cdk/issues/19232)
+* **lambda-python:** commands run non-sequentially on Graviton when building container image ([#22398](https://github.com/aws/aws-cdk/issues/22398)) ([e427fd6](https://github.com/aws/aws-cdk/commit/e427fd6f4a186784e345b8f88424d74c004f1e5a)), closes [#22012](https://github.com/aws/aws-cdk/issues/22012)
+
 ## [2.45.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.44.0-alpha.0...v2.45.0-alpha.0) (2022-10-06)
 
 

CHANGELOG.v2.md

@@ -2,6 +2,38 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.46.0](https://github.com/aws/aws-cdk/compare/v2.45.0...v2.46.0) (2022-10-13)
+
+
+### Features
+
+* **aws-certificatemanager:** Add ability to specify the certificate name ([#22301](https://github.com/aws/aws-cdk/issues/22301)) ([614ba92](https://github.com/aws/aws-cdk/commit/614ba92ba77e29c10ea4642a64e5b50b5dc775b8))
+* **aws-ec2:** add metadata options support for launchTemplate construct ([#22312](https://github.com/aws/aws-cdk/issues/22312)) ([9297bd0](https://github.com/aws/aws-cdk/commit/9297bd04884ebd05888fd14121256329dac82b43))
+* **cfnspec:** cloudformation spec v92.0.0 ([#22435](https://github.com/aws/aws-cdk/issues/22435)) ([064a1a6](https://github.com/aws/aws-cdk/commit/064a1a650c6f26d6a3087a8d39971ba33413d8ce))
+* **cloudfront-origins:** allow setting a user defined origin id ([#22349](https://github.com/aws/aws-cdk/issues/22349)) ([239215f](https://github.com/aws/aws-cdk/commit/239215fb8ceb4df5cd67669ad5daca39fb65543f)), closes [#2756](https://github.com/aws/aws-cdk/issues/2756)
+* **ec2:** adds persist option to user data on windows instances ([#21709](https://github.com/aws/aws-cdk/issues/21709)) ([cb1506f](https://github.com/aws/aws-cdk/commit/cb1506f090e36a6da78b8a8a1edf9a1256478311))
+* **sns:** topic name with `.fifo` suffix generated automatically ([#22375](https://github.com/aws/aws-cdk/issues/22375)) ([ba201cf](https://github.com/aws/aws-cdk/commit/ba201cf1d9768f9ac5d3328ec425bf566f088a16)), closes [#18740](https://github.com/aws/aws-cdk/issues/18740)
+* **sqs:** add enforceSSL property to enforce encryption of data in transit ([#22363](https://github.com/aws/aws-cdk/issues/22363)) ([f1886cf](https://github.com/aws/aws-cdk/commit/f1886cf82c50abc4e419f1450abfc3df0c5b0324))
+
+
+### Bug Fixes
+
+* **apigateway:** cannot create an ApiKey with an imported RestApi ([#22368](https://github.com/aws/aws-cdk/issues/22368)) ([83c4123](https://github.com/aws/aws-cdk/commit/83c4123273fda2a2e349b55f1e50d5afa1c7dd9d)), closes [#22102](https://github.com/aws/aws-cdk/issues/22102)
+* **apigateway:** CORS OPTIONS method should not require auth ([#22402](https://github.com/aws/aws-cdk/issues/22402)) ([ef72089](https://github.com/aws/aws-cdk/commit/ef72089d7cdf5dbaa1f172eecd29ee525f650b32)), closes [#8615](https://github.com/aws/aws-cdk/issues/8615)
+* **core:** asset bundling skipped when using --exclusively with custom stack name ([#21248](https://github.com/aws/aws-cdk/issues/21248)) ([209ddea](https://github.com/aws/aws-cdk/commit/209ddea44744509d74a080fdbd31cbb978fc8a96)), closes [/github.com/aws/aws-cdk/issues/19927#issuecomment-1189916912](https://github.com/aws//github.com/aws/aws-cdk/issues/19927/issues/issuecomment-1189916912)
+* some custom resources don't work in opt-in regions ([#22370](https://github.com/aws/aws-cdk/issues/22370)) ([456a2c7](https://github.com/aws/aws-cdk/commit/456a2c75881fe8df3803db3787b48f8d9f97f09e)), closes [#22022](https://github.com/aws/aws-cdk/issues/22022)
+* **cli:** state machine hotswap fails if the `DependsOn` change ([#22396](https://github.com/aws/aws-cdk/issues/22396)) ([0d44db2](https://github.com/aws/aws-cdk/commit/0d44db2c211204b85002342ce758aca0552e851c))
+* **core:** Custom Resource type length validation ([#22118](https://github.com/aws/aws-cdk/issues/22118)) ([c186e2d](https://github.com/aws/aws-cdk/commit/c186e2ddcffb25647b971ba1b90faa850552d219))
+* **custom-resources:** provider can fail if S3 has brown-outs ([#22362](https://github.com/aws/aws-cdk/issues/22362)) ([cdedf60](https://github.com/aws/aws-cdk/commit/cdedf606277f50a2f7e20b09560f6e14b11bbc19))
+* **ec2:** cannot deploy SecurityGroup with allowAllIpv6Outbound ([#22414](https://github.com/aws/aws-cdk/issues/22414)) ([bb16d97](https://github.com/aws/aws-cdk/commit/bb16d9729daea2702b32df81fc8259b0afd652fa)), closes [#22407](https://github.com/aws/aws-cdk/issues/22407)
+* **ecs:** removed explicit addition of ecs deployment type when circuit breaker is enabled ([#22328](https://github.com/aws/aws-cdk/issues/22328)) ([635129c](https://github.com/aws/aws-cdk/commit/635129ca95313afef7b3d8fc62d077afbfd0c088)), closes [#16126](https://github.com/aws/aws-cdk/issues/16126) [#16919](https://github.com/aws/aws-cdk/issues/16919)
+* half-written asset zips can be uploaded if process is interrupted ([#22393](https://github.com/aws/aws-cdk/issues/22393)) ([2ed006e](https://github.com/aws/aws-cdk/commit/2ed006e50b15dfca96395d442ccee648abdbb374)), closes [#18459](https://github.com/aws/aws-cdk/issues/18459)
+
+
+### Reverts
+
+* "fix(ecs): removed explicit addition of ecs deployment type when circuit breaker is enabled ([#22328](https://github.com/aws/aws-cdk/issues/22328))" ([#22418](https://github.com/aws/aws-cdk/issues/22418)) ([0f002e2](https://github.com/aws/aws-cdk/commit/0f002e2009bbab2e10c08cdf908c5091ba61b754)), closes [/github.com/aws/aws-cdk/issues/16126#issuecomment-1271626957](https://github.com/aws//github.com/aws/aws-cdk/issues/16126/issues/issuecomment-1271626957)
+
 ## [2.45.0](https://github.com/aws/aws-cdk/compare/v2.44.0...v2.45.0) (2022-10-06)
 
 

docs/DESIGN_GUIDELINES.md

@@ -671,7 +671,7 @@ new lambda.Function(this, 'MyFunction', {
   code: lambda.Code.bucket(myBucket, 'bundle.zip'), // or
   code: lambda.Code.inline('code')
   // etc
-}
+})
 ```
 
 ### Attributes

package.json

@@ -18,15 +18,15 @@
   "devDependencies": {
     "@types/prettier": "2.6.0",
     "@yarnpkg/lockfile": "^1.1.0",
-    "cdk-generate-synthetic-examples": "^0.1.17",
+    "cdk-generate-synthetic-examples": "^0.1.29",
     "conventional-changelog-cli": "^2.2.2",
     "fs-extra": "^9.1.0",
     "graceful-fs": "^4.2.10",
     "jest-junit": "^13.2.0",
-    "jsii-diff": "^1.68.0",
-    "jsii-pacmak": "^1.68.0",
-    "jsii-reflect": "^1.68.0",
-    "jsii-rosetta": "^1.68.0",
+    "jsii-diff": "^1.69.0",
+    "jsii-pacmak": "^1.69.0",
+    "jsii-reflect": "^1.69.0",
+    "jsii-rosetta": "^1.69.0",
     "lerna": "^4.0.0",
     "patch-package": "^6.4.7",
     "semver": "^6.3.0",

packages/@aws-cdk/aws-apigateway/README.md

@@ -389,6 +389,22 @@ declare const lambdaFn: lambda.Function;
 importedKey.grantRead(lambdaFn);
 ```
 
+### Adding an API Key to an imported RestApi
+
+API Keys are added to ApiGateway Stages, not to the API itself. When you import a RestApi
+it does not have any information on the Stages that may be associated with it. Since adding an API
+Key requires a stage, you should instead add the Api Key to the imported Stage.
+
+```ts
+declare const restApi: apigateway.IRestApi;
+const importedStage = apigateway.Stage.fromStageAttributes(this, 'imported-stage', {
+  stageName: 'myStageName',
+  restApi,
+});
+
+importedStage.addApiKey('MyApiKey');
+```
+
 ### ⚠️ Multiple API Keys
 
 It is possible to specify multiple API keys for a given Usage Plan, by calling `usagePlan.addApiKey()`.
@@ -426,7 +442,7 @@ declare const api: apigateway.RestApi;
 
 const key = new apigateway.RateLimitedApiKey(this, 'rate-limited-api-key', {
   customerId: 'hello-customer',
-  resources: [api],
+  stages: [api.deploymentStage],
   quota: {
     limit: 10000,
     period: apigateway.Period.MONTH
@@ -724,7 +740,51 @@ books.addMethod('GET', new apigateway.HttpIntegration('http://amazon.com'), {
 
 A full working example is shown below.
 
-[Full token authorizer example](test/authorizers/integ.token-authorizer.lit.ts).
+```ts
+import * as path from 'path';
+import * as lambda from '@aws-cdk/aws-lambda';
+import { App, Stack } from '@aws-cdk/core';
+import { MockIntegration, PassthroughBehavior, RestApi, TokenAuthorizer, Cors } from '../../lib';
+
+/// !show
+const app = new App();
+const stack = new Stack(app, 'TokenAuthorizerInteg');
+
+const authorizerFn = new lambda.Function(stack, 'MyAuthorizerFunction', {
+  runtime: lambda.Runtime.NODEJS_14_X,
+  handler: 'index.handler',
+  code: lambda.AssetCode.fromAsset(path.join(__dirname, 'integ.token-authorizer.handler')),
+});
+
+const authorizer = new TokenAuthorizer(stack, 'MyAuthorizer', {
+  handler: authorizerFn,
+});
+
+const restapi = new RestApi(stack, 'MyRestApi', {
+  cloudWatchRole: true,
+  defaultMethodOptions: {
+    authorizer,
+  },
+  defaultCorsPreflightOptions: {
+    allowOrigins: Cors.ALL_ORIGINS,
+  },
+});
+
+
+restapi.root.addMethod('ANY', new MockIntegration({
+  integrationResponses: [
+    { statusCode: '200' },
+  ],
+  passthroughBehavior: PassthroughBehavior.NEVER,
+  requestTemplates: {
+    'application/json': '{ "statusCode": 200 }',
+  },
+}), {
+  methodResponses: [
+    { statusCode: '200' },
+  ],
+});
+```
 
 By default, the `TokenAuthorizer` looks for the authorization token in the request header with the key 'Authorization'. This can,
 however, be modified by changing the `identitySource` property.

packages/@aws-cdk/aws-apigateway/lib/api-key.ts

@@ -4,6 +4,7 @@ import { Construct } from 'constructs';
 import { CfnApiKey } from './apigateway.generated';
 import { ResourceOptions } from './resource';
 import { IRestApi } from './restapi';
+import { IStage } from './stage';
 import { QuotaSettings, ThrottleSettings, UsagePlan, UsagePlanPerApiStage } from './usage-plan';
 
 /**
@@ -56,9 +57,17 @@ export interface ApiKeyProps extends ApiKeyOptions {
   /**
    * A list of resources this api key is associated with.
    * @default none
+   * @deprecated - use `stages` instead
    */
   readonly resources?: IRestApi[];
 
+  /**
+   * A list of Stages this api key is associated with.
+   *
+   * @default - the api key is not associated with any stages
+   */
+  readonly stages?: IStage[];
+
   /**
    * An AWS Marketplace customer identifier to use when integrating with the AWS SaaS Marketplace.
    * @link http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-apikey.html#cfn-apigateway-apikey-customerid
@@ -168,7 +177,7 @@ export class ApiKey extends ApiKeyBase {
       enabled: props.enabled ?? true,
       generateDistinctId: props.generateDistinctId,
       name: this.physicalName,
-      stageKeys: this.renderStageKeys(props.resources),
+      stageKeys: this.renderStageKeys(props.resources, props.stages),
       value: props.value,
     });
 
@@ -182,17 +191,29 @@ export class ApiKey extends ApiKeyBase {
     });
   }
 
-  private renderStageKeys(resources: IRestApi[] | undefined): CfnApiKey.StageKeyProperty[] | undefined {
-    if (!resources) {
+  private renderStageKeys(resources?: IRestApi[], stages?: IStage[]): CfnApiKey.StageKeyProperty[] | undefined {
+    if (!resources && !stages) {
       return undefined;
     }
 
-    return resources.map((resource: IRestApi) => {
-      const restApi = resource;
-      const restApiId = restApi.restApiId;
-      const stageName = restApi.deploymentStage!.stageName.toString();
-      return { restApiId, stageName };
-    });
+    if (resources && stages) {
+      throw new Error('Only one of "resources" or "stages" should be provided');
+    }
+
+    return resources
+      ? resources.map((resource: IRestApi) => {
+        const restApi = resource;
+        if (!restApi.deploymentStage) {
+          throw new Error('Cannot add an ApiKey to a RestApi that does not contain a "deploymentStage".\n'+
+          'Either set the RestApi.deploymentStage or create an ApiKey from a Stage');
+        }
+        const restApiId = restApi.restApiId;
+        const stageName = restApi.deploymentStage!.stageName.toString();
+        return { restApiId, stageName };
+      })
+      : stages ? stages.map((stage => {
+        return { restApiId: stage.restApi.restApiId, stageName: stage.stageName };
+      })) : undefined;
   }
 }
 
@@ -258,4 +279,4 @@ const writePermissions = [
   'apigateway:PUT',
   'apigateway:PATCH',
   'apigateway:DELETE',
-];
+];

packages/@aws-cdk/aws-apigateway/lib/domain-name.ts

@@ -39,7 +39,7 @@ export interface DomainNameOptions {
   /**
    * The Transport Layer Security (TLS) version + cipher suite for this domain name.
    * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html
-   * @default SecurityPolicy.TLS_1_0
+   * @default SecurityPolicy.TLS_1_2
    */
   readonly securityPolicy?: SecurityPolicy;
 

packages/@aws-cdk/aws-apigateway/lib/method.ts

@@ -186,7 +186,7 @@ export class Method extends Resource {
 
     const defaultMethodOptions = props.resource.defaultMethodOptions || {};
     const authorizer = options.authorizer || defaultMethodOptions.authorizer;
-    const authorizerId = authorizer?.authorizerId;
+    const authorizerId = authorizer?.authorizerId ? authorizer.authorizerId : undefined;
 
     const authorizationTypeOption = options.authorizationType || defaultMethodOptions.authorizationType;
     const authorizationType = authorizer?.authorizationType || authorizationTypeOption || AuthorizationType.NONE;

packages/@aws-cdk/aws-apigateway/lib/resource.ts

@@ -4,7 +4,7 @@ import { CfnResource, CfnResourceProps } from './apigateway.generated';
 import { Cors, CorsOptions } from './cors';
 import { Integration } from './integration';
 import { MockIntegration } from './integrations';
-import { Method, MethodOptions } from './method';
+import { Method, MethodOptions, AuthorizationType } from './method';
 import { IRestApi, RestApi } from './restapi';
 
 export interface IResource extends IResourceBase {
@@ -296,6 +296,12 @@ export abstract class ResourceBase extends ResourceConstruct implements IResourc
         { statusCode: `${statusCode}`, responseParameters: integrationResponseParams, responseTemplates: renderResponseTemplate() },
       ],
     }), {
+      authorizer: {
+        authorizerId: '',
+        authorizationType: AuthorizationType.NONE,
+      },
+      apiKeyRequired: false,
+      authorizationType: AuthorizationType.NONE,
       methodResponses: [
         { statusCode: `${statusCode}`, responseParameters: methodResponseParams },
       ],

packages/@aws-cdk/aws-apigateway/lib/restapi.ts

@@ -403,11 +403,11 @@ export abstract class RestApiBase extends Resource implements IRestApi {
   }
 
   /**
-   * Add an ApiKey
+   * Add an ApiKey to the deploymentStage
    */
   public addApiKey(id: string, options?: ApiKeyOptions): IApiKey {
     return new ApiKey(this, id, {
-      resources: [this],
+      stages: [this.deploymentStage],
       ...options,
     });
   }