Merge branch 'master' into merge-back/1.139.0

Author: mergify[bot]

buildspec.yaml

@@ -27,6 +27,8 @@ phases:
       - /bin/bash ./scripts/transform.sh
   post_build:
     commands:
+      # Short-circuit: Don't run pack if the above build failed.
+      - '[[ "$CODEBUILD_BUILD_SUCCEEDING" -eq 1 ]] || exit 1'
       - "[ -f .BUILD_COMPLETED ] && /bin/bash ./pack.sh"
       - /bin/bash ./scripts/cache-store.sh
 artifacts:

package.json

@@ -123,8 +123,8 @@
       "aws-cdk-lib/@balena/dockerignore/**",
       "aws-cdk-lib/case",
       "aws-cdk-lib/case/**",
-      "aws-cdk-lib/colors",
-      "aws-cdk-lib/colors/**",
+      "aws-cdk-lib/chalk",
+      "aws-cdk-lib/chalk/**",
       "aws-cdk-lib/diff",
       "aws-cdk-lib/diff/**",
       "aws-cdk-lib/fast-deep-equal",
@@ -151,8 +151,8 @@
       "monocdk/@balena/dockerignore/**",
       "monocdk/case",
       "monocdk/case/**",
-      "monocdk/colors",
-      "monocdk/colors/**",
+      "monocdk/chalk",
+      "monocdk/chalk/**",
       "monocdk/diff",
       "monocdk/diff/**",
       "monocdk/fast-deep-equal",
@@ -180,4 +180,4 @@
   "dependencies": {
     "string-width": "^4.2.3"
   }
-}
+}

packages/@aws-cdk/aws-apigatewayv2/README.md

@@ -426,3 +426,17 @@ webSocketApi.grantManageConnections(lambda);
 API Gateway supports multiple mechanisms for [controlling and managing access to a WebSocket API](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-control-access.html) through authorizers.
 
 These authorizers can be found in the [APIGatewayV2-Authorizers](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-apigatewayv2-authorizers-readme.html) constructs library.
+
+### API Keys
+
+Websocket APIs also support usage of API Keys. An API Key is a key that is used to grant access to an API. These are useful for controlling and tracking access to an API, when used together with [usage plans](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html). These together allow you to configure controls around API access such as quotas and throttling, along with per-API Key metrics on usage.
+
+To require an API Key when accessing the Websocket API:
+
+```ts
+const webSocketApi = new WebSocketApi(stack, 'mywsapi',{
+      apiKeySelectionExpression: WebSocketApiKeySelectionExpression.HEADER_X_API_KEY,
+    });
+...
+```
+

packages/@aws-cdk/aws-apigatewayv2/lib/websocket/api.ts

@@ -12,6 +12,29 @@ import { WebSocketRoute, WebSocketRouteOptions } from './route';
 export interface IWebSocketApi extends IApi {
 }
 
+/**
+ * Represents the currently available API Key Selection Expressions
+ */
+export class WebSocketApiKeySelectionExpression {
+
+  /**
+   * The API will extract the key value from the `x-api-key` header in the user request.
+   */
+  public static readonly HEADER_X_API_KEY = new WebSocketApiKeySelectionExpression('$request.header.x-api-key');
+
+  /**
+    * The API will extract the key value from the `usageIdentifierKey` attribute in the `context` map,
+    * returned by the Lambda Authorizer.
+    * See https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html
+    */
+  public static readonly AUTHORIZER_USAGE_IDENTIFIER_KEY = new WebSocketApiKeySelectionExpression('$context.authorizer.usageIdentifierKey');
+
+  /**
+   * @param customApiKeySelector The expression used by API Gateway
+   */
+  public constructor(public readonly customApiKeySelector: string) {}
+}
+
 /**
  * Props for WebSocket API
  */
@@ -22,6 +45,12 @@ export interface WebSocketApiProps {
    */
   readonly apiName?: string;
 
+  /**
+   * An API key selection expression. Providing this option will require an API Key be provided to access the API.
+   * @default - Key is not required to access these APIs
+   */
+  readonly apiKeySelectionExpression?: WebSocketApiKeySelectionExpression
+
   /**
    * The description of the API.
    * @default - none
@@ -76,6 +105,7 @@ export class WebSocketApi extends ApiBase implements IWebSocketApi {
 
     const resource = new CfnApi(this, 'Resource', {
       name: this.webSocketApiName,
+      apiKeySelectionExpression: props?.apiKeySelectionExpression?.customApiKeySelector,
       protocolType: 'WEBSOCKET',
       description: props?.description,
       routeSelectionExpression: props?.routeSelectionExpression ?? '$request.body.action',

packages/@aws-cdk/aws-apigatewayv2/lib/websocket/route.ts

@@ -52,6 +52,12 @@ export interface WebSocketRouteProps extends WebSocketRouteOptions {
    * The key to this route.
    */
   readonly routeKey: string;
+
+  /**
+   * Whether the route requires an API Key to be provided
+   * @default false
+   */
+  readonly apiKeyRequired?: boolean;
 }
 
 /**
@@ -91,6 +97,7 @@ export class WebSocketRoute extends Resource implements IWebSocketRoute {
 
     const route = new CfnRoute(this, 'Resource', {
       apiId: props.webSocketApi.apiId,
+      apiKeyRequired: props.apiKeyRequired,
       routeKey: props.routeKey,
       target: `integrations/${config.integrationId}`,
       authorizerId: authBindResult.authorizerId,

packages/@aws-cdk/aws-apigatewayv2/test/websocket/api.test.ts

@@ -2,8 +2,12 @@ import { Match, Template } from '@aws-cdk/assertions';
 import { User } from '@aws-cdk/aws-iam';
 import { Stack } from '@aws-cdk/core';
 import {
-  WebSocketRouteIntegration, WebSocketApi, WebSocketIntegrationType,
-  WebSocketRouteIntegrationBindOptions, WebSocketRouteIntegrationConfig,
+  WebSocketRouteIntegration,
+  WebSocketApi,
+  WebSocketApiKeySelectionExpression,
+  WebSocketIntegrationType,
+  WebSocketRouteIntegrationBindOptions,
+  WebSocketRouteIntegrationConfig,
 } from '../../lib';
 
 describe('WebSocketApi', () => {
@@ -25,6 +29,27 @@ describe('WebSocketApi', () => {
     Template.fromStack(stack).resourceCountIs('AWS::ApiGatewayV2::Integration', 0);
   });
 
+  test('apiKeySelectionExpression: given a value', () => {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    new WebSocketApi(stack, 'api', {
+      apiKeySelectionExpression: WebSocketApiKeySelectionExpression.AUTHORIZER_USAGE_IDENTIFIER_KEY,
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::ApiGatewayV2::Api', {
+      ApiKeySelectionExpression: '$context.authorizer.usageIdentifierKey',
+      Name: 'api',
+      ProtocolType: 'WEBSOCKET',
+    });
+
+    Template.fromStack(stack).resourceCountIs('AWS::ApiGatewayV2::Stage', 0);
+    Template.fromStack(stack).resourceCountIs('AWS::ApiGatewayV2::Route', 0);
+    Template.fromStack(stack).resourceCountIs('AWS::ApiGatewayV2::Integration', 0);
+  });
+
   test('addRoute: adds a route with passed key', () => {
     // GIVEN
     const stack = new Stack();

packages/@aws-cdk/aws-apigatewayv2/test/websocket/integ.api-apikey.expected.json

@@ -0,0 +1,13 @@
+{
+  "Resources": {
+    "MyWebsocketApiEBAC53DF": {
+      "Type": "AWS::ApiGatewayV2::Api",
+      "Properties": {
+        "ApiKeySelectionExpression": "$request.header.x-api-key",
+        "Name": "MyWebsocketApi",
+        "ProtocolType": "WEBSOCKET",
+        "RouteSelectionExpression": "$request.body.action"
+      }
+    }
+  }
+}

packages/@aws-cdk/aws-apigatewayv2/test/websocket/integ.api-apikey.ts

@@ -0,0 +1,14 @@
+#!/usr/bin/env node
+import * as cdk from '@aws-cdk/core';
+import * as apigw from '../../lib';
+import { WebSocketApiKeySelectionExpression } from '../../lib';
+
+const app = new cdk.App();
+
+const stack = new cdk.Stack(app, 'aws-cdk-aws-apigatewayv2-websockets');
+
+new apigw.WebSocketApi(stack, 'MyWebsocketApi', {
+  apiKeySelectionExpression: WebSocketApiKeySelectionExpression.HEADER_X_API_KEY,
+});
+
+app.synth();

packages/@aws-cdk/aws-apigatewayv2/test/websocket/route.test.ts

@@ -42,6 +42,45 @@ describe('WebSocketRoute', () => {
     });
   });
 
+  test('Api Key is required for route when apiKeyIsRequired is true', () => {
+    // GIVEN
+    const stack = new Stack();
+    const webSocketApi = new WebSocketApi(stack, 'Api');
+
+    // WHEN
+    new WebSocketRoute(stack, 'Route', {
+      webSocketApi,
+      integration: new DummyIntegration(),
+      routeKey: 'message',
+      apiKeyRequired: true,
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::ApiGatewayV2::Route', {
+      ApiId: stack.resolve(webSocketApi.apiId),
+      ApiKeyRequired: true,
+      RouteKey: 'message',
+      Target: {
+        'Fn::Join': [
+          '',
+          [
+            'integrations/',
+            {
+              Ref: 'RouteDummyIntegrationE40E82B4',
+            },
+          ],
+        ],
+      },
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::ApiGatewayV2::Integration', {
+      ApiId: stack.resolve(webSocketApi.apiId),
+      IntegrationType: 'AWS_PROXY',
+      IntegrationUri: 'some-uri',
+    });
+  });
+
+
   test('integration cannot be used across WebSocketApis', () => {
     // GIVEN
     const integration = new DummyIntegration();

packages/@aws-cdk/aws-cloudtrail/package.json

@@ -86,7 +86,6 @@
     "@aws-cdk/pkglint": "0.0.0",
     "@types/jest": "^27.4.0",
     "aws-sdk": "^2.848.0",
-    "colors": "1.4.0",
     "jest": "^27.4.7"
   },
   "dependencies": {

packages/@aws-cdk/aws-iot-actions/README.md

@@ -189,9 +189,9 @@ const stream = new firehose.DeliveryStream(this, 'MyStream', {
 const topicRule = new iot.TopicRule(this, 'TopicRule', {
   sql: iot.IotSql.fromStringAsVer20160323("SELECT * FROM 'device/+/data'"),
   actions: [
-    new actions.FirehoseStreamAction(stream, {
+    new actions.FirehosePutRecordAction(stream, {
       batchMode: true,
-      recordSeparator: actions.FirehoseStreamRecordSeparator.NEWLINE,
+      recordSeparator: actions.FirehoseRecordSeparator.NEWLINE,
     }),
   ],
 });

packages/@aws-cdk/aws-iot-actions/lib/firehose-stream-action.ts renamed to packages/@aws-cdk/aws-iot-actions/lib/firehose-put-record-action.ts

@@ -7,7 +7,7 @@ import { singletonActionRole } from './private/role';
 /**
  * Record Separator to be used to separate records.
  */
-export enum FirehoseStreamRecordSeparator {
+export enum FirehoseRecordSeparator {
   /**
    * Separate by a new line
    */
@@ -32,7 +32,7 @@ export enum FirehoseStreamRecordSeparator {
 /**
  * Configuration properties of an action for the Kinesis Data Firehose stream.
  */
-export interface FirehoseStreamActionProps extends CommonActionProps {
+export interface FirehosePutRecordActionProps extends CommonActionProps {
   /**
    * Whether to deliver the Kinesis Data Firehose stream as a batch by using `PutRecordBatch`.
    * When batchMode is true and the rule's SQL statement evaluates to an Array, each Array
@@ -48,14 +48,14 @@ export interface FirehoseStreamActionProps extends CommonActionProps {
    *
    * @default - none -- the stream does not use a separator
    */
-  readonly recordSeparator?: FirehoseStreamRecordSeparator;
+  readonly recordSeparator?: FirehoseRecordSeparator;
 }
 
 
 /**
  * The action to put the record from an MQTT message to the Kinesis Data Firehose stream.
  */
-export class FirehoseStreamAction implements iot.IAction {
+export class FirehosePutRecordAction implements iot.IAction {
   private readonly batchMode?: boolean;
   private readonly recordSeparator?: string;
   private readonly role?: iam.IRole;
@@ -64,7 +64,7 @@ export class FirehoseStreamAction implements iot.IAction {
    * @param stream The Kinesis Data Firehose stream to which to put records.
    * @param props Optional properties to not use default
    */
-  constructor(private readonly stream: firehose.IDeliveryStream, props: FirehoseStreamActionProps = {}) {
+  constructor(private readonly stream: firehose.IDeliveryStream, props: FirehosePutRecordActionProps = {}) {
     this.batchMode = props.batchMode;
     this.recordSeparator = props.recordSeparator;
     this.role = props.role;

packages/@aws-cdk/aws-iot-actions/lib/index.ts

@@ -2,8 +2,7 @@ export * from './cloudwatch-logs-action';
 export * from './cloudwatch-put-metric-action';
 export * from './cloudwatch-set-alarm-state-action';
 export * from './common-action-props';
-export * from './firehose-stream-action';
+export * from './firehose-put-record-action';
 export * from './lambda-function-action';
 export * from './s3-put-object-action';
 export * from './sqs-queue-action';
-

packages/@aws-cdk/aws-iot-actions/test/kinesis-firehose/firehose-stream-action.test.ts renamed to packages/@aws-cdk/aws-iot-actions/test/kinesis-firehose/firehose-put-record-action.test.ts

@@ -15,7 +15,7 @@ test('Default firehose stream action', () => {
 
   // WHEN
   topicRule.addAction(
-    new actions.FirehoseStreamAction(stream),
+    new actions.FirehosePutRecordAction(stream),
   );
 
   // THEN
@@ -77,7 +77,7 @@ test('can set batchMode', () => {
 
   // WHEN
   topicRule.addAction(
-    new actions.FirehoseStreamAction(stream, { batchMode: true }),
+    new actions.FirehosePutRecordAction(stream, { batchMode: true }),
   );
 
   // THEN
@@ -100,7 +100,7 @@ test('can set separotor', () => {
 
   // WHEN
   topicRule.addAction(
-    new actions.FirehoseStreamAction(stream, { recordSeparator: actions.FirehoseStreamRecordSeparator.NEWLINE }),
+    new actions.FirehosePutRecordAction(stream, { recordSeparator: actions.FirehoseRecordSeparator.NEWLINE }),
   );
 
   // THEN
@@ -124,7 +124,7 @@ test('can set role', () => {
 
   // WHEN
   topicRule.addAction(
-    new actions.FirehoseStreamAction(stream, { role }),
+    new actions.FirehosePutRecordAction(stream, { role }),
   );
 
   // THEN

packages/@aws-cdk/aws-iot-actions/test/kinesis-firehose/integ.firehose-stream-action.expected.json renamed to packages/@aws-cdk/aws-iot-actions/test/kinesis-firehose/integ.firehose-put-record-action.expected.json

@@ -25,9 +25,9 @@ class TestStack extends cdk.Stack {
       destinations: [new destinations.S3Bucket(bucket)],
     });
     topicRule.addAction(
-      new actions.FirehoseStreamAction(stream, {
+      new actions.FirehosePutRecordAction(stream, {
         batchMode: true,
-        recordSeparator: actions.FirehoseStreamRecordSeparator.NEWLINE,
+        recordSeparator: actions.FirehoseRecordSeparator.NEWLINE,
       }),
     );
   }

packages/@aws-cdk/aws-iot-actions/test/kinesis-firehose/integ.firehose-stream-action.ts renamed to packages/@aws-cdk/aws-iot-actions/test/kinesis-firehose/integ.firehose-put-record-action.ts

@@ -1,4 +1,4 @@
-import * as colors from 'colors/safe';
+import * as chalk from 'chalk';
 import * as stringWidth from 'string-width';
 import * as table from 'table';
 
@@ -93,7 +93,7 @@ function sum(xs: number[]): number {
 }
 
 // What color the table is going to be
-const tableColor = colors.gray;
+const tableColor = chalk.gray;
 
 // Unicode table characters with a color
 const TABLE_BORDER_CHARACTERS = {