aws
diff --git a/‎packages/@aws-cdk/tmp-toolkit-helpers/src/context-providers/ami.ts
+55 b/‎packages/@aws-cdk/tmp-toolkit-helpers/src/context-providers/ami.ts
+55
diff --git a/‎packages/@aws-cdk/tmp-toolkit-helpers/src/context-providers/availability-zones.ts
+28 b/‎packages/@aws-cdk/tmp-toolkit-helpers/src/context-providers/availability-zones.ts
+28
diff --git a/‎packages/@aws-cdk/tmp-toolkit-helpers/src/context-providers/cc-api-provider.ts
+169 b/‎packages/@aws-cdk/tmp-toolkit-helpers/src/context-providers/cc-api-provider.ts
+169
diff --git a/‎packages/@aws-cdk/tmp-toolkit-helpers/src/context-providers/endpoint-service-availability-zones.ts
+32 b/‎packages/@aws-cdk/tmp-toolkit-helpers/src/context-providers/endpoint-service-availability-zones.ts
+32
diff --git a/‎packages/@aws-cdk/tmp-toolkit-helpers/src/context-providers/hosted-zones.ts
+73 b/‎packages/@aws-cdk/tmp-toolkit-helpers/src/context-providers/hosted-zones.ts
+73
@@ -0,0 +1,55 @@
+import type { AmiContextQuery } from '@aws-cdk/cloud-assembly-schema';
+import type { IContextProviderMessages } from '.';
+import { type SdkProvider, initContextProviderSdk } from '../api/aws-auth';
+import type { ContextProviderPlugin } from '../api/plugin';
+import { ContextProviderError } from '../api/toolkit-error';
+
+/**
+ * Plugin to search AMIs for the current account
+ */
+export class AmiContextProviderPlugin implements ContextProviderPlugin {
+  constructor(private readonly aws: SdkProvider, private readonly io: IContextProviderMessages) {
+  }
+
+  public async getValue(args: AmiContextQuery) {
+    const region = args.region;
+    const account = args.account;
+
+    // Normally we'd do this only as 'debug', but searching AMIs typically takes dozens
+    // of seconds, so be little more verbose about it so users know what is going on.
+    await this.io.info(`Searching for AMI in ${account}:${region}`);
+    await this.io.debug(`AMI search parameters: ${JSON.stringify(args)}`);
+
+    const ec2 = (await initContextProviderSdk(this.aws, args)).ec2();
+    const response = await ec2.describeImages({
+      Owners: args.owners,
+      Filters: Object.entries(args.filters).map(([key, values]) => ({
+        Name: key,
+        Values: values,
+      })),
+    });
+
+    const images = [...(response.Images || [])].filter((i) => i.ImageId !== undefined);
+
+    if (images.length === 0) {
+      throw new ContextProviderError('No AMI found that matched the search criteria');
+    }
+
+    // Return the most recent one
+    // Note: Date.parse() is not going to respect the timezone of the string,
+    // but since we only care about the relative values that is okay.
+    images.sort(descending((i) => Date.parse(i.CreationDate || '1970')));
+
+    await this.io.debug(`Selected image '${images[0].ImageId}' created at '${images[0].CreationDate}'`);
+    return images[0].ImageId!;
+  }
+}
+
+/**
+ * Make a comparator that sorts in descending order given a sort key extractor
+ */
+function descending<A>(valueOf: (x: A) => number) {
+  return (a: A, b: A) => {
+    return valueOf(b) - valueOf(a);
+  };
+}
@@ -0,0 +1,28 @@
+import type { AvailabilityZonesContextQuery } from '@aws-cdk/cloud-assembly-schema';
+import type { AvailabilityZone } from '@aws-sdk/client-ec2';
+import type { IContextProviderMessages } from '.';
+import { type SdkProvider, initContextProviderSdk } from '../api/aws-auth';
+import type { ContextProviderPlugin } from '../api/plugin';
+
+/**
+ * Plugin to retrieve the Availability Zones for the current account
+ */
+export class AZContextProviderPlugin implements ContextProviderPlugin {
+  constructor(private readonly aws: SdkProvider, private readonly io: IContextProviderMessages) {
+  }
+
+  public async getValue(args: AvailabilityZonesContextQuery) {
+    const region = args.region;
+    const account = args.account;
+    await this.io.debug(`Reading AZs for ${account}:${region}`);
+    const ec2 = (await initContextProviderSdk(this.aws, args)).ec2();
+    const response = await ec2.describeAvailabilityZones({});
+    if (!response.AvailabilityZones) {
+      return [];
+    }
+    const azs = response.AvailabilityZones.filter((zone: AvailabilityZone) => zone.State === 'available').map(
+      (zone: AvailabilityZone) => zone.ZoneName,
+    );
+    return azs;
+  }
+}
@@ -0,0 +1,169 @@
+import type { CcApiContextQuery } from '@aws-cdk/cloud-assembly-schema';
+import type { ResourceDescription } from '@aws-sdk/client-cloudcontrol';
+import { ResourceNotFoundException } from '@aws-sdk/client-cloudcontrol';
+import type { ICloudControlClient, SdkProvider } from '../api/aws-auth';
+import { initContextProviderSdk } from '../api/aws-auth';
+import type { ContextProviderPlugin } from '../api/plugin';
+import { ContextProviderError } from '../api/toolkit-error';
+import { findJsonValue, getResultObj } from '../util';
+
+export class CcApiContextProviderPlugin implements ContextProviderPlugin {
+  constructor(private readonly aws: SdkProvider) {
+  }
+
+  /**
+   * This returns a data object with the value from CloudControl API result.
+   *
+   * See the documentation in the Cloud Assembly Schema for the semantics of
+   * each query parameter.
+   */
+  public async getValue(args: CcApiContextQuery) {
+    // Validate input
+    if (args.exactIdentifier && args.propertyMatch) {
+      throw new ContextProviderError(`Provider protocol error: specify either exactIdentifier or propertyMatch, but not both (got ${JSON.stringify(args)})`);
+    }
+    if (args.ignoreErrorOnMissingContext && args.dummyValue === undefined) {
+      throw new ContextProviderError(`Provider protocol error: if ignoreErrorOnMissingContext is set, a dummyValue must be supplied (got ${JSON.stringify(args)})`);
+    }
+    if (args.dummyValue !== undefined && (!Array.isArray(args.dummyValue) || !args.dummyValue.every(isObject))) {
+      throw new ContextProviderError(`Provider protocol error: dummyValue must be an array of objects (got ${JSON.stringify(args.dummyValue)})`);
+    }
+
+    // Do the lookup
+    const cloudControl = (await initContextProviderSdk(this.aws, args)).cloudControl();
+
+    try {
+      let resources: FoundResource[];
+      if (args.exactIdentifier) {
+        // use getResource to get the exact indentifier
+        resources = await this.getResource(cloudControl, args.typeName, args.exactIdentifier);
+      } else if (args.propertyMatch) {
+        // use listResource
+        resources = await this.listResources(cloudControl, args.typeName, args.propertyMatch, args.expectedMatchCount);
+      } else {
+        throw new ContextProviderError(`Provider protocol error: neither exactIdentifier nor propertyMatch is specified in ${JSON.stringify(args)}.`);
+      }
+
+      return resources.map((r) => getResultObj(r.properties, r.identifier, args.propertiesToReturn));
+    } catch (err) {
+      if (err instanceof ZeroResourcesFoundError && args.ignoreErrorOnMissingContext) {
+        // We've already type-checked dummyValue.
+        return args.dummyValue;
+      }
+      throw err;
+    }
+  }
+
+  /**
+   * Calls getResource from CC API to get the resource.
+   * See https://docs.aws.amazon.com/cli/latest/reference/cloudcontrol/get-resource.html
+   *
+   * Will always return exactly one resource, or fail.
+   */
+  private async getResource(
+    cc: ICloudControlClient,
+    typeName: string,
+    exactIdentifier: string,
+  ): Promise<FoundResource[]> {
+    try {
+      const result = await cc.getResource({
+        TypeName: typeName,
+        Identifier: exactIdentifier,
+      });
+      if (!result.ResourceDescription) {
+        throw new ContextProviderError('Unexpected CloudControl API behavior: returned empty response');
+      }
+
+      return [foundResourceFromCcApi(result.ResourceDescription)];
+    } catch (err: any) {
+      if (err instanceof ResourceNotFoundException || (err as any).name === 'ResourceNotFoundException') {
+        throw new ZeroResourcesFoundError(`No resource of type ${typeName} with identifier: ${exactIdentifier}`);
+      }
+      if (!(err instanceof ContextProviderError)) {
+        throw new ContextProviderError(`Encountered CC API error while getting ${typeName} resource ${exactIdentifier}: ${err.message}`);
+      }
+      throw err;
+    }
+  }
+
+  /**
+   * Calls listResources from CC API to get the resources and apply args.propertyMatch to find the resources.
+   * See https://docs.aws.amazon.com/cli/latest/reference/cloudcontrol/list-resources.html
+   *
+   * Will return 0 or more resources.
+   *
+   * Does not currently paginate through more than one result page.
+   */
+  private async listResources(
+    cc: ICloudControlClient,
+    typeName: string,
+    propertyMatch: Record<string, unknown>,
+    expectedMatchCount?: CcApiContextQuery['expectedMatchCount'],
+  ): Promise<FoundResource[]> {
+    try {
+      const result = await cc.listResources({
+        TypeName: typeName,
+
+      });
+      const found = (result.ResourceDescriptions ?? [])
+        .map(foundResourceFromCcApi)
+        .filter((r) => {
+          return Object.entries(propertyMatch).every(([propPath, expected]) => {
+            const actual = findJsonValue(r.properties, propPath);
+            return propertyMatchesFilter(actual, expected);
+          });
+        });
+
+      if ((expectedMatchCount === 'at-least-one' || expectedMatchCount === 'exactly-one') && found.length === 0) {
+        throw new ZeroResourcesFoundError(`Could not find any resources matching ${JSON.stringify(propertyMatch)}`);
+      }
+      if ((expectedMatchCount === 'at-most-one' || expectedMatchCount === 'exactly-one') && found.length > 1) {
+        throw new ContextProviderError(`Found ${found.length} resources matching ${JSON.stringify(propertyMatch)}; please narrow the search criteria`);
+      }
+
+      return found;
+    } catch (err: any) {
+      if (!(err instanceof ContextProviderError) && !(err instanceof ZeroResourcesFoundError)) {
+        throw new ContextProviderError(`Encountered CC API error while listing ${typeName} resources matching ${JSON.stringify(propertyMatch)}: ${err.message}`);
+      }
+      throw err;
+    }
+  }
+}
+
+/**
+ * Convert a CC API response object into a nicer object (parse the JSON)
+ */
+function foundResourceFromCcApi(desc: ResourceDescription): FoundResource {
+  return {
+    identifier: desc.Identifier ?? '*MISSING*',
+    properties: JSON.parse(desc.Properties ?? '{}'),
+  };
+}
+
+/**
+ * Whether the given property value matches the given filter
+ *
+ * For now we just check for strict equality, but we can implement pattern matching and fuzzy matching here later
+ */
+function propertyMatchesFilter(actual: unknown, expected: unknown) {
+  return expected === actual;
+}
+
+function isObject(x: unknown): x is {[key: string]: unknown} {
+  return typeof x === 'object' && x !== null && !Array.isArray(x);
+}
+
+/**
+ * A parsed version of the return value from CCAPI
+ */
+interface FoundResource {
+  readonly identifier: string;
+  readonly properties: Record<string, unknown>;
+}
+
+/**
+ * A specific lookup failure indicating 0 resources found that can be recovered
+ */
+class ZeroResourcesFoundError extends Error {
+}
@@ -0,0 +1,32 @@
+import type { EndpointServiceAvailabilityZonesContextQuery } from '@aws-cdk/cloud-assembly-schema';
+import type { IContextProviderMessages } from '.';
+import { type SdkProvider, initContextProviderSdk } from '../api/aws-auth';
+import type { ContextProviderPlugin } from '../api/plugin';
+
+/**
+ * Plugin to retrieve the Availability Zones for an endpoint service
+ */
+export class EndpointServiceAZContextProviderPlugin implements ContextProviderPlugin {
+  constructor(private readonly aws: SdkProvider, private readonly io: IContextProviderMessages) {
+  }
+
+  public async getValue(args: EndpointServiceAvailabilityZonesContextQuery) {
+    const region = args.region;
+    const account = args.account;
+    const serviceName = args.serviceName;
+    await this.io.debug(`Reading AZs for ${account}:${region}:${serviceName}`);
+    const ec2 = (await initContextProviderSdk(this.aws, args)).ec2();
+    const response = await ec2.describeVpcEndpointServices({
+      ServiceNames: [serviceName],
+    });
+
+    // expect a service in the response
+    if (!response.ServiceDetails || response.ServiceDetails.length === 0) {
+      await this.io.debug(`Could not retrieve service details for ${account}:${region}:${serviceName}`);
+      return [];
+    }
+    const azs = response.ServiceDetails[0].AvailabilityZones;
+    await this.io.debug(`Endpoint service ${account}:${region}:${serviceName} is available in availability zones ${azs}`);
+    return azs;
+  }
+}
@@ -0,0 +1,73 @@
+import type { HostedZoneContextQuery } from '@aws-cdk/cloud-assembly-schema';
+import type { HostedZone } from '@aws-sdk/client-route-53';
+import type { IContextProviderMessages } from '.';
+import type { IRoute53Client, SdkProvider } from '../api/aws-auth';
+import { initContextProviderSdk } from '../api/aws-auth';
+import type { ContextProviderPlugin } from '../api/plugin';
+import { ContextProviderError } from '../api/toolkit-error';
+
+export class HostedZoneContextProviderPlugin implements ContextProviderPlugin {
+  constructor(private readonly aws: SdkProvider, private readonly io: IContextProviderMessages) {
+  }
+
+  public async getValue(args: HostedZoneContextQuery): Promise<object> {
+    const account = args.account;
+    const region = args.region;
+    if (!this.isHostedZoneQuery(args)) {
+      throw new ContextProviderError(`HostedZoneProvider requires domainName property to be set in ${args}`);
+    }
+    const domainName = args.domainName;
+    await this.io.debug(`Reading hosted zone ${account}:${region}:${domainName}`);
+    const r53 = (await initContextProviderSdk(this.aws, args)).route53();
+    const response = await r53.listHostedZonesByName({ DNSName: domainName });
+    if (!response.HostedZones) {
+      throw new ContextProviderError(`Hosted Zone not found in account ${account}, region ${region}: ${domainName}`);
+    }
+    const candidateZones = await this.filterZones(r53, response.HostedZones, args);
+    if (candidateZones.length !== 1) {
+      const filteProps = `dns:${domainName}, privateZone:${args.privateZone}, vpcId:${args.vpcId}`;
+      throw new ContextProviderError(`Found zones: ${JSON.stringify(candidateZones)} for ${filteProps}, but wanted exactly 1 zone`);
+    }
+
+    return {
+      Id: candidateZones[0].Id,
+      Name: candidateZones[0].Name,
+    };
+  }
+
+  private async filterZones(
+    r53: IRoute53Client,
+    zones: HostedZone[],
+    props: HostedZoneContextQuery,
+  ): Promise<HostedZone[]> {
+    let candidates: HostedZone[] = [];
+    const domainName = props.domainName.endsWith('.') ? props.domainName : `${props.domainName}.`;
+    await this.io.debug(`Found the following zones ${JSON.stringify(zones)}`);
+    candidates = zones.filter((zone) => zone.Name === domainName);
+    await this.io.debug(`Found the following matched name zones ${JSON.stringify(candidates)}`);
+    if (props.privateZone) {
+      candidates = candidates.filter((zone) => zone.Config && zone.Config.PrivateZone);
+    } else {
+      candidates = candidates.filter((zone) => !zone.Config || !zone.Config.PrivateZone);
+    }
+    if (props.vpcId) {
+      const vpcZones: HostedZone[] = [];
+      for (const zone of candidates) {
+        const data = await r53.getHostedZone({ Id: zone.Id });
+        if (!data.VPCs) {
+          await this.io.debug(`Expected VPC for private zone but no VPC found ${zone.Id}`);
+          continue;
+        }
+        if (data.VPCs.map((vpc) => vpc.VPCId).includes(props.vpcId)) {
+          vpcZones.push(zone);
+        }
+      }
+      return vpcZones;
+    }
+    return candidates;
+  }
+
+  private isHostedZoneQuery(props: HostedZoneContextQuery | any): props is HostedZoneContextQuery {
+    return (props as HostedZoneContextQuery).domainName !== undefined;
+  }
+}