Merge branch 'main' into merge-back/2.56.1

Author: mergify[bot]

packages/@aws-cdk/aws-iam/lib/grant.ts

@@ -24,6 +24,13 @@ export interface CommonGrantOptions {
    * The resource ARNs to grant to
    */
   readonly resourceArns: string[];
+
+  /**
+   * Any conditions to attach to the grant
+   *
+   * @default - No conditions
+   */
+  readonly conditions?: Record<string, Record<string, unknown>>;
 }
 
 /**
@@ -160,6 +167,7 @@ export class Grant implements IDependable {
     const statement = new PolicyStatement({
       actions: options.actions,
       resources: options.resourceArns,
+      conditions: options.conditions,
     });
 
     const addedToPrincipal = options.grantee.grantPrincipal.addToPrincipalPolicy(statement);
@@ -224,17 +232,27 @@ export class Grant implements IDependable {
   /**
    * The statement that was added to the principal's policy
    *
-   * Can be accessed to (e.g.) add additional conditions to the statement.
+   * @deprecated Use `principalStatements` instead
    */
   public readonly principalStatement?: PolicyStatement;
 
+  /**
+   * The statements that were added to the principal's policy
+   */
+  public readonly principalStatements = new Array<PolicyStatement>();
+
   /**
    * The statement that was added to the resource policy
    *
-   * Can be accessed to (e.g.) add additional conditions to the statement.
+   * @deprecated Use `resourceStatements` instead
    */
   public readonly resourceStatement?: PolicyStatement;
 
+  /**
+   * The statements that were added to the principal's policy
+   */
+  public readonly resourceStatements = new Array<PolicyStatement>();
+
   /**
    * The options originally used to set this result
    *
@@ -243,14 +261,26 @@ export class Grant implements IDependable {
    */
   private readonly options: CommonGrantOptions;
 
+  private readonly dependables = new Array<IDependable>();
+
   private constructor(props: GrantProps) {
     this.options = props.options;
     this.principalStatement = props.principalStatement;
     this.resourceStatement = props.resourceStatement;
+    if (this.principalStatement) {
+      this.principalStatements.push(this.principalStatement);
+    }
+    if (this.resourceStatement) {
+      this.resourceStatements.push(this.resourceStatement);
+    }
+    if (props.policyDependable) {
+      this.dependables.push(props.policyDependable);
+    }
 
+    const self = this;
     Dependable.implement(this, {
       get dependencyRoots() {
-        return props.policyDependable ? Dependable.of(props.policyDependable).dependencyRoots : [];
+        return Array.from(new Set(self.dependables.flatMap(d => Dependable.of(d).dependencyRoots)));
       },
     });
   }
@@ -282,6 +312,24 @@ export class Grant implements IDependable {
       construct.node.addDependency(this);
     }
   }
+
+  /**
+   * Combine two grants into a new one
+   */
+  public combine(rhs: Grant) {
+    const combinedPrinc = [...this.principalStatements, ...rhs.principalStatements];
+    const combinedRes = [...this.resourceStatements, ...rhs.resourceStatements];
+
+    const ret = new Grant({
+      options: this.options,
+      principalStatement: combinedPrinc[0],
+      resourceStatement: combinedRes[0],
+    });
+    ret.principalStatements.splice(0, ret.principalStatements.length, ...combinedPrinc);
+    ret.resourceStatements.splice(0, ret.resourceStatements.length, ...combinedRes);
+    ret.dependables.push(...this.dependables, ...rhs.dependables);
+    return ret;
+  }
 }
 
 function describeGrant(options: CommonGrantOptions) {

packages/@aws-cdk/aws-iam/test/grant.test.ts

@@ -1,4 +1,4 @@
-import { Template } from '@aws-cdk/assertions';
+import { Template, Match } from '@aws-cdk/assertions';
 import { CfnResource, Resource, Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import * as iam from '../lib';
@@ -97,6 +97,34 @@ describe('Grant dependencies', () => {
     expectDependencyOn('RoleDefaultPolicy5FFB7DAB');
     expectDependencyOn('BuckarooPolicy74174DA4');
   });
+
+  test('can combine two grants', () => {
+    // GIVEN
+    const role1 = new iam.Role(stack, 'Role1', {
+      assumedBy: new iam.ServicePrincipal('bla.amazonaws.com'),
+    });
+    const role2 = new iam.Role(stack, 'Role2', {
+      assumedBy: new iam.ServicePrincipal('bla.amazonaws.com'),
+    });
+
+    // WHEN
+    const g1 = iam.Grant.addToPrincipal({
+      actions: ['service:DoAThing'],
+      grantee: role1,
+      resourceArns: ['*'],
+    });
+    const g2 = iam.Grant.addToPrincipal({
+      actions: ['service:DoAThing'],
+      grantee: role2,
+      resourceArns: ['*'],
+    });
+
+    (g1.combine(g2)).applyBefore(resource);
+
+    // THEN
+    expectDependencyOn('Role1DefaultPolicyD3EF4D0A');
+    expectDependencyOn('Role2DefaultPolicy3A7A0A1B');
+  });
 });
 
 function applyGrantWithDependencyTo(principal: iam.IPrincipal) {
@@ -108,8 +136,8 @@ function applyGrantWithDependencyTo(principal: iam.IPrincipal) {
 }
 
 function expectDependencyOn(id: string) {
-  Template.fromStack(stack).hasResource('CDK::Test::SomeResource', (props: any) => {
-    return (props?.DependsOn ?? []).includes(id);
+  Template.fromStack(stack).hasResource('CDK::Test::SomeResource', {
+    DependsOn: Match.arrayWith([id]),
   });
 }
 

packages/@aws-cdk/aws-lambda/README.md

@@ -764,6 +764,55 @@ const fn = new lambda.Function(this, 'MyFunction', {
 See [the AWS documentation](https://docs.aws.amazon.com/lambda/latest/dg/lambda-x-ray.html)
 to learn more about AWS Lambda's X-Ray support.
 
+## Lambda with AWS Distro for OpenTelemetry layer
+
+To have automatic integration with XRay without having to add dependencies or change your code, you can use the
+[AWS Distro for OpenTelemetry Lambda (ADOT) layer](https://aws-otel.github.io/docs/getting-started/lambda).
+Consuming the latest ADOT layer can be done with the following snippet:
+
+```ts
+import {
+  AdotLambdaExecWrapper,
+  AdotLayerVersion,
+  AdotLambdaLayerJavaScriptSdkVersion,
+} from 'aws-cdk-lib/aws-lambda';
+
+const fn = new lambda.Function(this, 'MyFunction', {
+  runtime: lambda.Runtime.NODEJS_18_X,
+  handler: 'index.handler',
+  code: lambda.Code.fromInline('exports.handler = function(event, ctx, cb) { return cb(null, "hi"); }'),
+  adotInstrumentation: {
+    layerVersion: AdotLayerVersion.fromJavaScriptSdkLayerVersion(AdotLambdaLayerJavaScriptSdkVersion.LATEST),
+    execWrapper: AdotLambdaExecWrapper.REGULAR_HANDLER,
+  },
+});
+```
+
+To use a different layer version, use one of the following helper functions for the `layerVersion` prop:
+
+* `AdotLayerVersion.fromJavaScriptSdkLayerVersion`
+* `AdotLayerVersion.fromPythonSdkLayerVersion`
+* `AdotLayerVersion.fromJavaSdkLayerVersion`
+* `AdotLayerVersion.fromJavaAutoInstrumentationSdkLayerVersion`
+* `AdotLayerVersion.fromGenericSdkLayerVersion`
+
+Each helper function expects a version value from a corresponding enum-like class as below:
+
+* `AdotLambdaLayerJavaScriptSdkVersion`
+* `AdotLambdaLayerPythonSdkVersion`
+* `AdotLambdaLayerJavaSdkVersion`
+* `AdotLambdaLayerJavaAutoInstrumentationSdkVersion`
+* `AdotLambdaLayerGenericSdkVersion`
+
+For more examples, see our [the integration test](test/integ.lambda-adot.ts).
+
+If you want to retrieve the ARN of the ADOT Lambda layer without enabling ADOT in a Lambda function:
+
+```ts
+declare const fn: lambda.Function;
+const layerArn = lambda.AdotLambdaLayerJavaSdkVersion.V1_19_0.layerArn(fn.stack, fn.architecture);
+```
+
 ## Lambda with Profiling
 
 The following code configures the lambda function with CodeGuru profiling. By default, this creates a new CodeGuru