Merge pull request #870 from awslabs/bump/2.29.0

chore(release): 2.29.0

.gitignore

@@ -2,6 +2,9 @@
 .vscode/
 /.favorites.json
 
+# JetBrains IDEs
+/.idea
+
 # TypeScript incremental build states
 *.tsbuildinfo
 *.ts.map
@@ -20,6 +23,5 @@ source/patterns/@aws-solutions-constructs/**/cdk-integ.out/
 
 source/patterns/**/tsconfig.json
 deployment/dist/*
-.DS_Store
 
 *.pptx

CHANGELOG.md

@@ -2,6 +2,14 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.29.0](https://github.com/awslabs/aws-solutions-constructs/compare/v2.28.0...v2.29.0) (2022-12-04)
+
+### Features
+
+* **aws-s3-sns:** created new construct ([#849](https://github.com/awslabs/aws-solutions-constructs/pull/849))
+* **aws-cloudfront-*:** Add optional parameter cloudfront.ResponseHeadersPolicyProps ([#852](https://github.com/awslabs/aws-solutions-constructs/pull/852))
+* Standardize how encryption properties are used for SNS/SQS construct ([#846](https://github.com/awslabs/aws-solutions-constructs/pull/846))
+
 ## [2.28.0](https://github.com/awslabs/aws-solutions-constructs/compare/v2.27.0...v2.28.0) (2022-11-30)
 
 Built on CDK 2.53.0

DESIGN_GUIDELINES.md

@@ -307,8 +307,9 @@ Existing Inconsistencies would not be published, that’s for our internal use 
 
 | Name    | Type     |  Description | Notes    |
 | --- | --- | --- |--- |
-| existingTopicObj?	| [`sns.Topic`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html)|An optional, existing SNS topic to be used instead of the default topic. Providing both this and `topicProps` will cause an error|
-| topicProps?	| [`sns.TopicProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.TopicProps.html)|Optional user provided properties to override the default properties for the SNS topic.
+| existingTopicObj?	| [`sns.Topic`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html)|An optional, existing SNS topic to be used instead of the default topic. Providing both this and `topicProps` will cause an error. If the SNS Topic is encrypted with a Customer-Managed KMS Key, the key must be specified in the `existingTopicEncryptionKey` property. |
+| existingTopicEncryptionKey? | [`kms.Key`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html) | If an existing topic is provided in the `existingTopicObj` property, and that topic is encrypted with a Customer-Managed KMS key, this property also needs to be set with same key. |
+| topicProps?	| [`sns.TopicProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.TopicProps.html)|Optional user provided properties to override the default properties for the SNS topic. |
 | enableEncryptionWithCustomerManagedKey?	| `boolean`|If no key is provided, this flag determines whether the SNS Topic is encrypted with a new CMK or an AWS managed key.|This flag is ignored if any of the following are defined: topicProps.masterKey, encryptionKey or encryptionKeyProps.| Sending messages from an AWS service to an encrypted Topic [requires a Customer Master key](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#compatibility-with-aws-services). Those constructs require these properties.  |
 | encryptionKey?		| [`kms.Key`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)|An optional, imported encryption key to encrypt the SNS Topic with.|
 | encryptionKeyProps?		| [`kms.KeyProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.KeyProps.html)|Optional user provided properties to override the default properties for the KMS encryption key used to encrypt the SNS Topic with.	|

DEVELOPER_GUIDE.md

@@ -12,15 +12,15 @@ Disk image size: 60 GB
 ## Preparing your Build Environment
 
 | Action                                                                                             | |
-| :------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+|:---------------------------------------------------------------------------------------------------| :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | Open up the [aws-solutions-constructs repo](https://github.com/awslabs/aws-solutions-constructs).  | As you are reading this file from the aws-solutions-constructs repo, you are probably already there...|
 | Using the Fork button at the upper right, Fork the repo into your github account.                  | While we can give some advice on what github and git commands to use, we will not attempt to be a git tutorial. Some git/github expertise is assumed.|
 | Clone forked repo to your local development environment                                            | If you wish to work off a branch in your repository, create that branch now and clone that branch. You will create a PR back to Main in aws-solutions-constructs eventually, you can do that from fork/main or fork/*branch* |
 | `cd aws-solutions-constructs`                                                                      | This is the home directory of the repo, this is where you will open your text editor, run full builds, etc.|
 | `docker run -u root --rm --net=host -it -v $PWD:$PWD -w $PWD jsii/superchain:1-buster-slim-node14` | This command downloads the Docker image (if necessary) and starts the container in which you will do all builds. The container will stay open in terminal mode, allowing you to edit/build repeatedly until your code is ready.|
 | Optional - Open a second terminal window to the aws-solutions-constructs directory.                | The docker container mounts your local drive, so shares the Solutions Constructs source code tree with the host. You may find it advantageous to maintain a second terminal not running the Docker container to run git commands, your text editor, etc. |
-| `./deployment/v2/build-patterns.sh`                                                                   | This command will build the entire repo, which is required prior to developing constructs. Some of the steps include: Installing the correct version of tools required in the build process, setting up environment variables, running JSII in each construct, and running all integration and unit tests. Commands executed across each construct are managed via yarn, so multiple commands are running in parallel most of the time. It's because of this that adding more resources to your Docker container can greatly reduce the build time (suggested values are discussed above). |
-| In the top level aws-solutions-constructs folder: `./deployment/v2/align-version.sh revert`            | This will reset all the version numbers back to 0.0.0. You need to do this before adding/committing code - you can't submit package.json files with version numbers. It's common to do a full build ./deployment/v2/build-patterns.sh after coding to ensure all tests still pass - if you do this it will revert all the version numbers for you.|
+| `./deployment/v2/build-patterns.sh`                                                                | This command will build the entire repo, which is required prior to developing constructs. Some of the steps include: Installing the correct version of tools required in the build process, setting up environment variables, running JSII in each construct, and running all integration and unit tests. Commands executed across each construct are managed via yarn, so multiple commands are running in parallel most of the time. It's because of this that adding more resources to your Docker container can greatly reduce the build time (suggested values are discussed above). |
+| In the top level aws-solutions-constructs folder: `./deployment/v2/align-version.sh revert`        | This will reset all the version numbers back to 0.0.0. You need to do this before adding/committing code - you can't submit package.json files with version numbers. It's common to do a full build ./deployment/v2/build-patterns.sh after coding to ensure all tests still pass - if you do this it will revert all the version numbers for you.|
 
 ## Working on Your Construct
 

source/lerna.json

@@ -6,5 +6,5 @@
     "./patterns/@aws-solutions-constructs/*"
   ],
   "rejectCycles": "true",
-  "version": "2.28.0"
+  "version": "2.29.0"
 }

source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/README.md

@@ -87,6 +87,7 @@ new CloudFrontToApiGatewayToLambda(this, "test-cloudfront-apigateway-lambda",
 |apiGatewayProps?|[`api.LambdaRestApiProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.LambdaRestApiProps.html)|Optional user provided props to override the default props for API Gateway|
 |cloudFrontDistributionProps?|[`cloudfront.DistributionProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.DistributionProps.html)|Optional user provided props to override the default props for CloudFront Distribution|
 |insertHttpSecurityHeaders?|`boolean`|Optional user provided props to turn on/off the automatic injection of best practice HTTP security headers in all responses from CloudFront|
+| responseHeadersPolicyProps?   | [`cloudfront.ResponseHeadersPolicyProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.ResponseHeadersPolicyProps.html) | Optional user provided configuration that cloudfront applies to all http responses.                                                         |
 |logGroupProps?|[`logs.LogGroupProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)|Optional user provided props to override the default props for for the CloudWatchLogs LogGroup.|
 |cloudFrontLoggingBucketProps?|[`s3.BucketProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)|Optional user provided props to override the default props for the CloudFront Logging Bucket.|
 

source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway-lambda/lib/index.ts

@@ -52,11 +52,25 @@ export interface CloudFrontToApiGatewayToLambdaProps {
   readonly cloudFrontDistributionProps?: cloudfront.DistributionProps | any,
   /**
    * Optional user provided props to turn on/off the automatic injection of best practice HTTP
-   * security headers in all responses from cloudfront
+   * security headers in all responses from cloudfront.
+   * Turning this on will inject default headers and is mutually exclusive with passing custom security headers
+   * via the responseHeadersPolicyProps parameter.
    *
    * @default - true
    */
   readonly insertHttpSecurityHeaders?: boolean,
+  /**
+   * Optional user provided configuration that cloudfront applies to all http responses.
+   * Can be used to pass a custom ResponseSecurityHeadersBehavior, ResponseCustomHeadersBehavior or
+   * ResponseHeadersCorsBehavior to the cloudfront distribution.
+   *
+   * Passing a custom ResponseSecurityHeadersBehavior is mutually exclusive with turning on the default security headers
+   * via `insertHttpSecurityHeaders` prop. Will throw an error if both `insertHttpSecurityHeaders` is set to `true`
+   * and ResponseSecurityHeadersBehavior is passed.
+   *
+   * @default - undefined
+   */
+  readonly responseHeadersPolicyProps?: cloudfront.ResponseHeadersPolicyProps
   /**
    * Optional user provided props to override the default props for the CloudWatchLogs LogGroup.
    *
@@ -82,7 +96,7 @@ export class CloudFrontToApiGatewayToLambda extends Construct {
 
   /**
    * @summary Constructs a new instance of the CloudFrontToApiGatewayToLambda class.
-   * @param {cdk.App} scope - represents the scope for all the resources.
+   * @param {Construct} scope - represents the scope for all the resources.
    * @param {string} id - this is a a scope-unique id.
    * @param {CloudFrontToApiGatewayToLambdaProps} props - user provided props for the construct
    * @since 0.8.0
@@ -120,7 +134,8 @@ export class CloudFrontToApiGatewayToLambda extends Construct {
       existingApiGatewayObj: this.apiGateway,
       cloudFrontDistributionProps: props.cloudFrontDistributionProps,
       insertHttpSecurityHeaders: props.insertHttpSecurityHeaders,
-      cloudFrontLoggingBucketProps: props.cloudFrontLoggingBucketProps
+      cloudFrontLoggingBucketProps: props.cloudFrontLoggingBucketProps,
+      responseHeadersPolicyProps: props.responseHeadersPolicyProps
     });
 
     this.cloudFrontWebDistribution = apiCloudfront.cloudFrontWebDistribution;

source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/README.md

@@ -123,6 +123,7 @@ new CloudFrontToApiGateway(this, "test-cloudfront-apigateway", new CloudFrontToA
 |existingApiGatewayObj|[`api.RestApi`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html)|The regional API Gateway that will be fronted with the CloudFront|
 |cloudFrontDistributionProps?|[`cloudfront.DistributionProps \| any`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.DistributionProps.html)|Optional user provided props to override the default props for CloudFront Distribution|
 |insertHttpSecurityHeaders?|`boolean`|Optional user provided props to turn on/off the automatic injection of best practice HTTP security headers in all responses from CloudFront|
+| responseHeadersPolicyProps?   | [`cloudfront.ResponseHeadersPolicyProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.ResponseHeadersPolicyProps.html) | Optional user provided configuration that cloudfront applies to all http responses.|
 |cloudFrontLoggingBucketProps?|[`s3.BucketProps`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)|Optional user provided props to override the default props for the CloudFront Logging Bucket.|
 
 ## Pattern Properties

source/patterns/@aws-solutions-constructs/aws-cloudfront-apigateway/lib/index.ts

@@ -36,11 +36,25 @@ export interface CloudFrontToApiGatewayProps {
   readonly cloudFrontDistributionProps?: cloudfront.DistributionProps | any,
   /**
    * Optional user provided props to turn on/off the automatic injection of best practice HTTP
-   * security headers in all responses from cloudfront
+   * security headers in all responses from cloudfront.
+   * Turning this on will inject default headers and is mutually exclusive with passing custom security headers
+   * via the responseHeadersPolicyProps parameter.
    *
    * @default - true
    */
   readonly insertHttpSecurityHeaders?: boolean;
+  /**
+   * Optional user provided configuration that cloudfront applies to all http responses.
+   * Can be used to pass a custom ResponseSecurityHeadersBehavior, ResponseCustomHeadersBehavior or
+   * ResponseHeadersCorsBehavior to the cloudfront distribution.
+   *
+   * Passing a custom ResponseSecurityHeadersBehavior is mutually exclusive with turning on the default security headers
+   * via `insertHttpSecurityHeaders` prop. Will throw an error if both `insertHttpSecurityHeaders` is set to `true`
+   * and ResponseSecurityHeadersBehavior is passed.
+   *
+   * @default - undefined
+   */
+  readonly responseHeadersPolicyProps?: cloudfront.ResponseHeadersPolicyProps
   /**
    * Optional user provided props to override the default props for the CloudFront Logging Bucket.
    *
@@ -57,7 +71,7 @@ export class CloudFrontToApiGateway extends Construct {
 
   /**
    * @summary Constructs a new instance of the CloudFrontToApiGateway class.
-   * @param {cdk.App} scope - represents the scope for all the resources.
+   * @param {Construct} scope - represents the scope for all the resources.
    * @param {string} id - this is a a scope-unique id.
    * @param {CloudFrontToApiGatewayProps} props - user provided props for the construct
    * @since 0.8.0
@@ -70,7 +84,13 @@ export class CloudFrontToApiGateway extends Construct {
     this.apiGateway = props.existingApiGatewayObj;
 
     [this.cloudFrontWebDistribution, this.cloudFrontFunction, this.cloudFrontLoggingBucket] =
-      defaults.CloudFrontDistributionForApiGateway(this, props.existingApiGatewayObj,
-        props.cloudFrontDistributionProps, props.insertHttpSecurityHeaders, props.cloudFrontLoggingBucketProps);
+      defaults.CloudFrontDistributionForApiGateway(
+        this,
+        props.existingApiGatewayObj,
+        props.cloudFrontDistributionProps,
+        props.insertHttpSecurityHeaders,
+        props.cloudFrontLoggingBucketProps,
+        props.responseHeadersPolicyProps
+      );
   }
 }