Merge branch 'master' into nija-at/userpooldomain-token

README.md

@@ -118,6 +118,7 @@ for tracking bugs and feature requests.
 * Ask a question on [Stack Overflow](https://stackoverflow.com/questions/tagged/aws-cdk)
   and tag it with `aws-cdk`
 * Come join the AWS CDK community on [Gitter](https://gitter.im/awslabs/aws-cdk)
+* Talk in the CDK channel of the [AWS Developers Slack workspace](https://awsdevelopers.slack.com) (invite required)
 * Open a support ticket with [AWS Support](https://console.aws.amazon.com/support/home#/)
 * If it turns out that you may have found a bug,
   please open an [issue](https://github.com/aws/aws-cdk/issues/new)

allowed-breaking-changes.txt

@@ -1 +1,5 @@
+removed:@aws-cdk/core.BootstraplessSynthesizer.DEFAULT_ASSET_PUBLISHING_ROLE_ARN
+removed:@aws-cdk/core.DefaultStackSynthesizer.DEFAULT_ASSET_PUBLISHING_ROLE_ARN
+removed:@aws-cdk/core.DefaultStackSynthesizerProps.assetPublishingExternalId
+removed:@aws-cdk/core.DefaultStackSynthesizerProps.assetPublishingRoleArn
 

packages/@aws-cdk/aws-ecs/test/ec2/integ.secret-json-field.expected.json

@@ -95,7 +95,10 @@
         "PolicyDocument": {
           "Statement": [
             {
-              "Action": "secretsmanager:GetSecretValue",
+              "Action": [
+                "secretsmanager:GetSecretValue",
+                "secretsmanager:DescribeSecret"
+              ],
               "Effect": "Allow",
               "Resource": {
                 "Ref": "SecretA720EF05"
@@ -113,4 +116,4 @@
       }
     }
   }
-}
+}

packages/@aws-cdk/aws-ecs/test/fargate/integ.secret.expected.json

@@ -88,7 +88,10 @@
         "PolicyDocument": {
           "Statement": [
             {
-              "Action": "secretsmanager:GetSecretValue",
+              "Action": [
+                "secretsmanager:GetSecretValue",
+                "secretsmanager:DescribeSecret"
+              ],
               "Effect": "Allow",
               "Resource": {
                 "Ref": "SecretA720EF05"
@@ -106,4 +109,4 @@
       }
     }
   }
-}
+}

packages/@aws-cdk/aws-ecs/test/test.container-definition.ts

@@ -755,7 +755,10 @@ export = {
       PolicyDocument: {
         Statement: [
           {
-            Action: 'secretsmanager:GetSecretValue',
+            Action: [
+              'secretsmanager:GetSecretValue',
+              'secretsmanager:DescribeSecret',
+            ],
             Effect: 'Allow',
             Resource: {
               Ref: 'SecretA720EF05',
@@ -1111,7 +1114,10 @@ export = {
       PolicyDocument: {
         Statement: [
           {
-            Action: 'secretsmanager:GetSecretValue',
+            Action: [
+              'secretsmanager:GetSecretValue',
+              'secretsmanager:DescribeSecret',
+            ],
             Effect: 'Allow',
             Resource: mySecretArn,
           },

packages/@aws-cdk/aws-rds/lib/cluster.ts

@@ -88,19 +88,19 @@ export interface DatabaseClusterProps {
   readonly defaultDatabaseName?: string;
 
   /**
-   * Whether to enable storage encryption
+   * Whether to enable storage encryption.
    *
-   * @default false
+   * @default - true if storageEncryptionKey is provided, false otherwise
    */
   readonly storageEncrypted?: boolean
 
   /**
-   * The KMS key for storage encryption. If specified `storageEncrypted`
-   * will be set to `true`.
+   * The KMS key for storage encryption.
+   * If specified, {@link storageEncrypted} will be set to `true`.
    *
-   * @default - default master key.
+   * @default - if storageEncrypted is true then the default master key, no key otherwise
    */
-  readonly kmsKey?: kms.IKey;
+  readonly storageEncryptionKey?: kms.IKey;
 
   /**
    * A preferred maintenance window day/time range. Should be specified as a range ddd:hh24:mi-ddd:hh24:mi (24H Clock UTC).
@@ -369,7 +369,7 @@ export class DatabaseCluster extends DatabaseClusterBase {
     if (!props.masterUser.password) {
       secret = new DatabaseSecret(this, 'Secret', {
         username: props.masterUser.username,
-        encryptionKey: props.masterUser.kmsKey,
+        encryptionKey: props.masterUser.encryptionKey,
       });
     }
 
@@ -460,8 +460,8 @@ export class DatabaseCluster extends DatabaseClusterBase {
       preferredMaintenanceWindow: props.preferredMaintenanceWindow,
       databaseName: props.defaultDatabaseName,
       // Encryption
-      kmsKeyId: props.kmsKey && props.kmsKey.keyArn,
-      storageEncrypted: props.kmsKey ? true : props.storageEncrypted,
+      kmsKeyId: props.storageEncryptionKey && props.storageEncryptionKey.keyArn,
+      storageEncrypted: props.storageEncryptionKey ? true : props.storageEncrypted,
     });
 
     // if removalPolicy was not specified,

packages/@aws-cdk/aws-rds/lib/instance.ts

@@ -476,7 +476,7 @@ export interface DatabaseInstanceNewProps {
    *
    * @default - default master key
    */
-  readonly performanceInsightKmsKey?: kms.IKey;
+  readonly performanceInsightEncryptionKey?: kms.IKey;
 
   /**
    * The list of log types that need to be enabled for exporting to
@@ -624,7 +624,7 @@ abstract class DatabaseInstanceNew extends DatabaseInstanceBase implements IData
       multiAz: props.multiAz,
       optionGroupName: props.optionGroup && props.optionGroup.optionGroupName,
       performanceInsightsKmsKeyId: props.enablePerformanceInsights
-        ? props.performanceInsightKmsKey && props.performanceInsightKmsKey.keyArn
+        ? props.performanceInsightEncryptionKey && props.performanceInsightEncryptionKey.keyArn
         : undefined,
       performanceInsightsRetentionPeriod: props.enablePerformanceInsights
         ? (props.performanceInsightRetention || PerformanceInsightRetention.DEFAULT)
@@ -706,11 +706,11 @@ export interface DatabaseInstanceSourceProps extends DatabaseInstanceNewProps {
   readonly masterUserPassword?: SecretValue;
 
   /**
-   * The KMS key to use to encrypt the secret for the master user password.
+   * The KMS key used to encrypt the secret for the master user password.
    *
    * @default - default master key
    */
-  readonly secretKmsKey?: kms.IKey;
+  readonly masterUserPasswordEncryptionKey?: kms.IKey;
 
   /**
    * The name of the database.
@@ -832,16 +832,16 @@ export interface DatabaseInstanceProps extends DatabaseInstanceSourceProps {
   /**
    * Indicates whether the DB instance is encrypted.
    *
-   * @default false
+   * @default - true if storageEncryptionKey has been provided, false otherwise
    */
   readonly storageEncrypted?: boolean;
 
   /**
-   * The master key that's used to encrypt the DB instance.
+   * The KMS key that's used to encrypt the DB instance.
    *
-   * @default - default master key
+   * @default - default master key if storageEncrypted is true, no key otherwise
    */
-  readonly kmsKey?: kms.IKey;
+  readonly storageEncryptionKey?: kms.IKey;
 }
 
 /**
@@ -863,19 +863,19 @@ export class DatabaseInstance extends DatabaseInstanceSource implements IDatabas
     if (!props.masterUserPassword) {
       secret = new DatabaseSecret(this, 'Secret', {
         username: props.masterUsername,
-        encryptionKey: props.secretKmsKey,
+        encryptionKey: props.masterUserPasswordEncryptionKey,
       });
     }
 
     const instance = new CfnDBInstance(this, 'Resource', {
       ...this.sourceCfnProps,
       characterSetName: props.characterSetName,
-      kmsKeyId: props.kmsKey && props.kmsKey.keyArn,
+      kmsKeyId: props.storageEncryptionKey && props.storageEncryptionKey.keyArn,
       masterUsername: secret ? secret.secretValueFromJson('username').toString() : props.masterUsername,
       masterUserPassword: secret
         ? secret.secretValueFromJson('password').toString()
         : props.masterUserPassword && props.masterUserPassword.toString(),
-      storageEncrypted: props.kmsKey ? true : props.storageEncrypted,
+      storageEncrypted: props.storageEncryptionKey ? true : props.storageEncrypted,
     });
 
     this.instanceIdentifier = instance.ref;
@@ -958,7 +958,7 @@ export class DatabaseInstanceFromSnapshot extends DatabaseInstanceSource impleme
 
       secret = new DatabaseSecret(this, 'Secret', {
         username: props.masterUsername,
-        encryptionKey: props.secretKmsKey,
+        encryptionKey: props.masterUserPasswordEncryptionKey,
       });
     } else {
       if (props.masterUsername) { // It's not possible to change the master username of a RDS instance
@@ -1008,16 +1008,16 @@ export interface DatabaseInstanceReadReplicaProps extends DatabaseInstanceSource
   /**
    * Indicates whether the DB instance is encrypted.
    *
-   * @default false
+   * @default - true if storageEncryptionKey has been provided, false otherwise
    */
   readonly storageEncrypted?: boolean;
 
   /**
-   * The master key that's used to encrypt the DB instance.
+   * The KMS key that's used to encrypt the DB instance.
    *
-   * @default - default master key
+   * @default - default master key if storageEncrypted is true, no key otherwise
    */
-  readonly kmsKey?: kms.IKey;
+  readonly storageEncryptionKey?: kms.IKey;
 }
 
 /**
@@ -1038,8 +1038,8 @@ export class DatabaseInstanceReadReplica extends DatabaseInstanceNew implements
       ...this.newCfnProps,
       // this must be ARN, not ID, because of https://github.com/terraform-providers/terraform-provider-aws/issues/528#issuecomment-391169012
       sourceDbInstanceIdentifier: props.sourceDatabaseInstance.instanceArn,
-      kmsKeyId: props.kmsKey && props.kmsKey.keyArn,
-      storageEncrypted: props.kmsKey ? true : props.storageEncrypted,
+      kmsKeyId: props.storageEncryptionKey && props.storageEncryptionKey.keyArn,
+      storageEncrypted: props.storageEncryptionKey ? true : props.storageEncrypted,
     });
 
     this.instanceIdentifier = instance.ref;

packages/@aws-cdk/aws-rds/lib/props.ts

@@ -178,7 +178,7 @@ export interface Login {
    *
    * @default default master key
    */
-  readonly kmsKey?: kms.IKey;
+  readonly encryptionKey?: kms.IKey;
 }
 
 /**

packages/@aws-cdk/aws-rds/test/integ.cluster-s3.ts

@@ -25,7 +25,7 @@ const cluster = new DatabaseCluster(stack, 'Database', {
     vpcSubnets: { subnetType: ec2.SubnetType.PUBLIC },
     vpc,
   },
-  kmsKey,
+  storageEncryptionKey: kmsKey,
   s3ImportBuckets: [importBucket],
   s3ExportBuckets: [exportBucket],
 });

packages/@aws-cdk/aws-rds/test/integ.cluster.ts

@@ -31,7 +31,7 @@ const cluster = new DatabaseCluster(stack, 'Database', {
     vpc,
   },
   parameterGroup: params,
-  kmsKey,
+  storageEncryptionKey: kmsKey,
 });
 
 cluster.connections.allowDefaultPortFromAnyIpv4('Open to the world');

packages/@aws-cdk/aws-rds/test/test.cluster.ts

@@ -242,7 +242,7 @@ export = {
         instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.SMALL),
         vpc,
       },
-      kmsKey: new kms.Key(stack, 'Key'),
+      storageEncryptionKey: new kms.Key(stack, 'Key'),
     });
 
     // THEN

packages/@aws-cdk/aws-s3-assets/.gitignore

@@ -15,3 +15,4 @@ nyc.config.js
 .LAST_PACKAGE
 *.snk
 !.eslintrc.js
+!jest.config.js

packages/@aws-cdk/aws-s3-assets/.npmignore

@@ -19,3 +19,4 @@ dist
 
 tsconfig.json
 .eslintrc.js
+jest.config.js

packages/@aws-cdk/aws-s3-assets/jest.config.js

@@ -0,0 +1,2 @@
+const baseConfig = require('../../../tools/cdk-build-tools/config/jest.config');
+module.exports = baseConfig;

packages/@aws-cdk/aws-s3-assets/package.json

@@ -45,6 +45,9 @@
     "build+test": "npm run build && npm test",
     "compat": "cdk-compat"
   },
+  "cdk-build": {
+    "jest": true
+  },
   "keywords": [
     "aws",
     "cdk",
@@ -60,16 +63,10 @@
   "license": "Apache-2.0",
   "devDependencies": {
     "@aws-cdk/assert": "0.0.0",
-    "@types/nodeunit": "^0.0.31",
-    "@types/sinon": "^9.0.4",
-    "aws-cdk": "0.0.0",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",
-    "nodeunit": "^0.11.3",
     "pkglint": "0.0.0",
-    "sinon": "^9.0.2",
-    "@aws-cdk/cloud-assembly-schema": "0.0.0",
-    "ts-mock-imports": "^1.3.0"
+    "@aws-cdk/cloud-assembly-schema": "0.0.0"
   },
   "dependencies": {
     "@aws-cdk/assets": "0.0.0",
@@ -93,9 +90,6 @@
   },
   "stability": "experimental",
   "maturity": "experimental",
-  "nyc": {
-    "statements": 75
-  },
   "awslint": {
     "exclude": [
       "docs-public-apis:@aws-cdk/aws-s3-assets.AssetOptions",