chore(release): 2.47.0 (#22578)

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/bump/2.47.0/CHANGELOG.md)

.github/workflows/auto-approve.yml

@@ -12,6 +12,6 @@ jobs:
     permissions:
       pull-requests: write
     steps:
-    - uses: hmarr/auto-approve-action@v2.4.0
+    - uses: hmarr/auto-approve-action@v3.0.0
       with:
         github-token: "${{ secrets.GITHUB_TOKEN }}"

CHANGELOG.v2.alpha.md

@@ -2,6 +2,19 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.47.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.46.0-alpha.0...v2.47.0-alpha.0) (2022-10-20)
+
+
+### Features
+
+* **redshift:** support enhanced vpc routing when creating redshift cluster ([#22499](https://github.com/aws/aws-cdk/issues/22499)) ([e2b18e7](https://github.com/aws/aws-cdk/commit/e2b18e7b47eb7a87ae37356a9719c055e58e6e6c))
+
+
+### Bug Fixes
+
+* **integ-runner:** Fix call to spawnSync for hooks commands ([#22429](https://github.com/aws/aws-cdk/issues/22429)) ([9139ca9](https://github.com/aws/aws-cdk/commit/9139ca96ffc010e13393aff927d7b7eacfbae4f9)), closes [#22344](https://github.com/aws/aws-cdk/issues/22344)
+* **lambda-python:** root-owned cache items not cleaned up after install ([#22512](https://github.com/aws/aws-cdk/issues/22512)) ([5ef65e0](https://github.com/aws/aws-cdk/commit/5ef65e042c747bedf9d770b47e540393454762f2)), closes [#22398](https://github.com/aws/aws-cdk/issues/22398)
+
 ## [2.46.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.45.0-alpha.0...v2.46.0-alpha.0) (2022-10-13)
 
 

CHANGELOG.v2.md

@@ -2,6 +2,28 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.47.0](https://github.com/aws/aws-cdk/compare/v2.46.0...v2.47.0) (2022-10-20)
+
+
+### Features
+
+* **apigateway:** support multi-level paths for custom domains ([#22463](https://github.com/aws/aws-cdk/issues/22463)) ([cdc5753](https://github.com/aws/aws-cdk/commit/cdc5753982d8f674dab2362ea63790abb736fa32)), closes [#15904](https://github.com/aws/aws-cdk/issues/15904)
+* **config:** add custom policy rule constructs ([#21794](https://github.com/aws/aws-cdk/issues/21794)) ([09a5cc4](https://github.com/aws/aws-cdk/commit/09a5cc4ff55cb7d001c14059c12ada0a2801acd4)), closes [#21441](https://github.com/aws/aws-cdk/issues/21441)
+* **elbv2:** add dropInvalidHeaderFields for elbv2 ([#22466](https://github.com/aws/aws-cdk/issues/22466)) ([91767f0](https://github.com/aws/aws-cdk/commit/91767f03e76db8a63c18882b44854999b15aaff4)), closes [/docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-elb-4](https://github.com/aws//docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html/issues/fsbp-elb-4)
+
+
+### Bug Fixes
+
+* breaking change to deployment config props ([#22567](https://github.com/aws/aws-cdk/issues/22567)) ([be6074a](https://github.com/aws/aws-cdk/commit/be6074a67b68ec2f295196ad73ddb6e92984bdf3)), closes [#22566](https://github.com/aws/aws-cdk/issues/22566)
+* **apigateway:** validation for path parts does not allow creation of resources with colon ([#22531](https://github.com/aws/aws-cdk/issues/22531)) ([73c443a](https://github.com/aws/aws-cdk/commit/73c443a7cd14ad27776907095bf19100e903093f)), closes [#22477](https://github.com/aws/aws-cdk/issues/22477) [#22477](https://github.com/aws/aws-cdk/issues/22477)
+* **cli:** hotswap deploy fails on multiple CfnEvaluationException ([#22339](https://github.com/aws/aws-cdk/issues/22339)) ([7b47f41](https://github.com/aws/aws-cdk/commit/7b47f4178e4a4b9fe3dcb54daa3ec9f94fbd2a31)), closes [#22323](https://github.com/aws/aws-cdk/issues/22323)
+* **cloudwatch:** remove region from dashboard ARN ([#22524](https://github.com/aws/aws-cdk/issues/22524)) ([558d192](https://github.com/aws/aws-cdk/commit/558d1925d7c3b01d7681e28f7b85bc851e403556))
+* **codeguruprofiler:** incorrect profiling group name is returned when using importing ([#22554](https://github.com/aws/aws-cdk/issues/22554)) ([9934619](https://github.com/aws/aws-cdk/commit/9934619970dcb582106e9b2bf0d373d730de1fee))
+* **cognito:** cannot use same lambda function as trigger in multiple user pools ([#22444](https://github.com/aws/aws-cdk/issues/22444)) ([b26fc00](https://github.com/aws/aws-cdk/commit/b26fc007465ce9466cecfaf5c0bb337d741c77e8)), closes [#22315](https://github.com/aws/aws-cdk/issues/22315)
+* **config:** Creating multiple rules from the same lambda ([#21594](https://github.com/aws/aws-cdk/issues/21594)) ([0d2b529](https://github.com/aws/aws-cdk/commit/0d2b5291a10a318bed8d77166eae2bd317dee62e)), closes [#17582](https://github.com/aws/aws-cdk/issues/17582)
+* **iam:** missing validation for actions added post instantiation of a policy statement ([#21906](https://github.com/aws/aws-cdk/issues/21906)) ([10974d9](https://github.com/aws/aws-cdk/commit/10974d95693dd75e993b8f0b5808b775b55b3afd)), closes [40aws-cdk/aws-iam/lib/policy-statement.ts#L88-L95](https://github.com/40aws-cdk/aws-iam/lib/policy-statement.ts/issues/L88-L95)
+* **stepfunctions:** JsonPath.listAt does not accept strings starting with `$[` ([#22472](https://github.com/aws/aws-cdk/issues/22472)) ([6f332ef](https://github.com/aws/aws-cdk/commit/6f332efb1ae5c22f1c3b02221362018e3f4b575f)), closes [#22471](https://github.com/aws/aws-cdk/issues/22471)
+
 ## [2.46.0](https://github.com/aws/aws-cdk/compare/v2.45.0...v2.46.0) (2022-10-13)
 
 

package.json

@@ -18,7 +18,7 @@
   "devDependencies": {
     "@types/prettier": "2.6.0",
     "@yarnpkg/lockfile": "^1.1.0",
-    "cdk-generate-synthetic-examples": "^0.1.29",
+    "cdk-generate-synthetic-examples": "^0.1.36",
     "conventional-changelog-cli": "^2.2.2",
     "fs-extra": "^9.1.0",
     "graceful-fs": "^4.2.10",

packages/@aws-cdk/aws-apigateway/README.md

@@ -1083,6 +1083,45 @@ new route53.ARecord(this, 'CustomDomainAliasRecord', {
 });
 ```
 
+### Custom Domains with multi-level api mapping
+
+Additional requirements for creating multi-level path mappings for RestApis:
+
+(both are defaults)
+
+- Must use `SecurityPolicy.TLS_1_2`
+- DomainNames must be `EndpointType.REGIONAL`
+
+```ts
+declare const acmCertificateForExampleCom: any;
+declare const restApi: apigateway.RestApi;
+
+new apigateway.DomainName(this, 'custom-domain', {
+  domainName: 'example.com',
+  certificate: acmCertificateForExampleCom,
+  mapping: restApi,
+  basePath: 'orders/v1/api',
+});
+```
+
+To then add additional mappings to a domain you can use the `addApiMapping` method.
+
+```ts
+declare const acmCertificateForExampleCom: any;
+declare const restApi: apigateway.RestApi;
+declare const secondRestApi: apigateway.RestApi;
+
+const domain = new apigateway.DomainName(this, 'custom-domain', {
+  domainName: 'example.com',
+  certificate: acmCertificateForExampleCom,
+  mapping: restApi,
+});
+
+domain.addApiMapping(secondRestApi.deploymentStage, {
+  basePath: 'orders/v2/api',
+});
+```
+
 ## Access Logging
 
 Access logging creates logs every time an API method is accessed. Access logs can have information on

packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts

@@ -13,7 +13,7 @@ export interface LambdaAuthorizerProps {
   /**
    * An optional human friendly name for the authorizer. Note that, this is not the primary identifier of the authorizer.
    *
-   * @default - the unique construcrt ID
+   * @default - the unique construct ID
    */
   readonly authorizerName?: string;
 

packages/@aws-cdk/aws-apigateway/lib/domain-name.ts

@@ -1,10 +1,30 @@
+import * as apigwv2 from '@aws-cdk/aws-apigatewayv2';
 import * as acm from '@aws-cdk/aws-certificatemanager';
 import { IBucket } from '@aws-cdk/aws-s3';
 import { IResource, Names, Resource, Token } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnDomainName } from './apigateway.generated';
 import { BasePathMapping, BasePathMappingOptions } from './base-path-mapping';
 import { EndpointType, IRestApi } from './restapi';
+import { IStage } from './stage';
+
+/**
+ * Options for creating an api mapping
+ */
+export interface ApiMappingOptions {
+  /**
+   * The api path name that callers of the API must provide in the URL after
+   * the domain name (e.g. `example.com/base-path`). If you specify this
+   * property, it can't be an empty string.
+   *
+   * If this is undefined, a mapping will be added for the empty path. Any request
+   * that does not match a mapping will get sent to the API that has been mapped
+   * to the empty path.
+   *
+   * @default - map requests from the domain root (e.g. `example.com`).
+   */
+  readonly basePath?: string;
+}
 
 /**
  * The minimum version of the SSL protocol that you want API Gateway to use for HTTPS connections.
@@ -54,8 +74,7 @@ export interface DomainNameOptions {
    * the domain name (e.g. `example.com/base-path`). If you specify this
    * property, it can't be an empty string.
    *
-   * @default - map requests from the domain root (e.g. `example.com`). If this
-   * is undefined, no additional mappings will be allowed on this domain name.
+   * @default - map requests from the domain root (e.g. `example.com`).
    */
   readonly basePath?: string;
 }
@@ -64,8 +83,7 @@ export interface DomainNameProps extends DomainNameOptions {
   /**
    * If specified, all requests to this domain will be mapped to the production
    * deployment of this API. If you wish to map this domain to multiple APIs
-   * with different base paths, don't specify this option and use
-   * `addBasePathMapping`.
+   * with different base paths, use `addBasePathMapping` or `addApiMapping`.
    *
    * @default - you will have to call `addBasePathMapping` to map this domain to
    * API endpoints.
@@ -115,12 +133,15 @@ export class DomainName extends Resource implements IDomainName {
   public readonly domainNameAliasDomainName: string;
   public readonly domainNameAliasHostedZoneId: string;
   private readonly basePaths = new Set<string | undefined>();
+  private readonly securityPolicy?: SecurityPolicy;
+  private readonly endpointType: EndpointType;
 
   constructor(scope: Construct, id: string, props: DomainNameProps) {
     super(scope, id);
 
-    const endpointType = props.endpointType || EndpointType.REGIONAL;
-    const edge = endpointType === EndpointType.EDGE;
+    this.endpointType = props.endpointType || EndpointType.REGIONAL;
+    const edge = this.endpointType === EndpointType.EDGE;
+    this.securityPolicy = props.securityPolicy;
 
     if (!Token.isUnresolved(props.domainName) && /[A-Z]/.test(props.domainName)) {
       throw new Error(`Domain name does not support uppercase letters. Got: ${props.domainName}`);
@@ -131,7 +152,7 @@ export class DomainName extends Resource implements IDomainName {
       domainName: props.domainName,
       certificateArn: edge ? props.certificate.certificateArn : undefined,
       regionalCertificateArn: edge ? undefined : props.certificate.certificateArn,
-      endpointConfiguration: { types: [endpointType] },
+      endpointConfiguration: { types: [this.endpointType] },
       mutualTlsAuthentication: mtlsConfig,
       securityPolicy: props.securityPolicy,
     });
@@ -146,22 +167,54 @@ export class DomainName extends Resource implements IDomainName {
       ? resource.attrDistributionHostedZoneId
       : resource.attrRegionalHostedZoneId;
 
-    if (props.mapping) {
+
+    const multiLevel = this.validateBasePath(props.basePath);
+    if (props.mapping && !multiLevel) {
       this.addBasePathMapping(props.mapping, {
         basePath: props.basePath,
       });
+    } else if (props.mapping && multiLevel) {
+      this.addApiMapping(props.mapping.deploymentStage, {
+        basePath: props.basePath,
+      });
+    }
+  }
+
+  private validateBasePath(path?: string): boolean {
+    if (this.isMultiLevel(path)) {
+      if (this.endpointType === EndpointType.EDGE) {
+        throw new Error('multi-level basePath is only supported when endpointType is EndpointType.REGIONAL');
+      }
+      if (this.securityPolicy && this.securityPolicy !== SecurityPolicy.TLS_1_2) {
+        throw new Error('securityPolicy must be set to TLS_1_2 if multi-level basePath is provided');
+      }
+      return true;
     }
+    return false;
+  }
+
+  private isMultiLevel(path?: string): boolean {
+    return (path?.split('/').filter(x => !!x) ?? []).length >= 2;
   }
 
   /**
    * Maps this domain to an API endpoint.
+   *
+   * This uses the BasePathMapping from ApiGateway v1 which does not support multi-level paths.
+   *
+   * If you need to create a mapping for a multi-level path use `addApiMapping` instead.
+   *
    * @param targetApi That target API endpoint, requests will be mapped to the deployment stage.
    * @param options Options for mapping to base path with or without a stage
    */
-  public addBasePathMapping(targetApi: IRestApi, options: BasePathMappingOptions = { }) {
-    if (this.basePaths.has(undefined)) {
-      throw new Error('This domain name already has an empty base path. No additional base paths are allowed.');
+  public addBasePathMapping(targetApi: IRestApi, options: BasePathMappingOptions = { }): BasePathMapping {
+    if (this.basePaths.has(options.basePath)) {
+      throw new Error(`DomainName ${this.node.id} already has a mapping for path ${options.basePath}`);
     }
+    if (this.isMultiLevel(options.basePath)) {
+      throw new Error('BasePathMapping does not support multi-level paths. Use "addApiMapping instead.');
+    }
+
     this.basePaths.add(options.basePath);
     const basePath = options.basePath || '/';
     const id = `Map:${basePath}=>${Names.nodeUniqueId(targetApi.node)}`;
@@ -172,6 +225,32 @@ export class DomainName extends Resource implements IDomainName {
     });
   }
 
+  /**
+   * Maps this domain to an API endpoint.
+   *
+   * This uses the ApiMapping from ApiGatewayV2 which supports multi-level paths, but
+   * also only supports:
+   * - SecurityPolicy.TLS_1_2
+   * - EndpointType.REGIONAL
+   *
+   * @param targetStage the target API stage.
+   * @param options Options for mapping to a stage
+   */
+  public addApiMapping(targetStage: IStage, options: ApiMappingOptions = {}): void {
+    if (this.basePaths.has(options.basePath)) {
+      throw new Error(`DomainName ${this.node.id} already has a mapping for path ${options.basePath}`);
+    }
+    this.validateBasePath(options.basePath);
+    this.basePaths.add(options.basePath);
+    const id = `Map:${options.basePath ?? 'none'}=>${Names.nodeUniqueId(targetStage.node)}`;
+    new apigwv2.CfnApiMapping(this, id, {
+      apiId: targetStage.restApi.restApiId,
+      stage: targetStage.stageName,
+      domainName: this.domainName,
+      apiMappingKey: options.basePath,
+    });
+  }
+
   private configureMTLS(mtlsConfig?: MTLSConfig): CfnDomainName.MutualTlsAuthenticationProperty | undefined {
     if (!mtlsConfig) return undefined;
     return {

packages/@aws-cdk/aws-apigateway/lib/resource.ts

@@ -558,8 +558,8 @@ function validateResourcePathPart(part: string) {
     }
   }
 
-  if (!/^[a-zA-Z0-9\.\_\-]+$/.test(part)) {
-    throw new Error(`Resource's path part only allow [a-zA-Z0-9._-], an optional trailing '+'
+  if (!/^[a-zA-Z0-9:\.\_\-]+$/.test(part)) {
+    throw new Error(`Resource's path part only allow [a-zA-Z0-9:._-], an optional trailing '+'
       and curly braces at the beginning and the end: ${part}`);
   }
 }

packages/@aws-cdk/aws-apigateway/package.json

@@ -84,6 +84,7 @@
     "@aws-cdk/assertions": "0.0.0",
     "@aws-cdk/cdk-build-tools": "0.0.0",
     "@aws-cdk/integ-runner": "0.0.0",
+    "@aws-cdk/aws-route53": "0.0.0",
     "@aws-cdk/cfn2ts": "0.0.0",
     "@aws-cdk/pkglint": "0.0.0",
     "@types/jest": "^27.5.2"
@@ -100,6 +101,7 @@
     "@aws-cdk/aws-s3": "0.0.0",
     "@aws-cdk/aws-s3-assets": "0.0.0",
     "@aws-cdk/aws-stepfunctions": "0.0.0",
+    "@aws-cdk/aws-apigatewayv2": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "@aws-cdk/cx-api": "0.0.0",
     "constructs": "^10.0.0"
@@ -117,6 +119,7 @@
     "@aws-cdk/aws-s3": "0.0.0",
     "@aws-cdk/aws-s3-assets": "0.0.0",
     "@aws-cdk/aws-stepfunctions": "0.0.0",
+    "@aws-cdk/aws-apigatewayv2": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "@aws-cdk/cx-api": "0.0.0",
     "constructs": "^10.0.0"
@@ -132,6 +135,11 @@
       "lib/apigatewayv2.js"
     ]
   },
+  "pkglint": {
+    "exclude": [
+      "no-experimental-dependencies"
+    ]
+  },
   "awslint": {
     "exclude": [
       "from-method:@aws-cdk/aws-apigateway.Resource",