diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/AlbDualstackWithoutPublicIpv4DefaultTestDeployAssertFA6F90DD.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/AlbDualstackWithoutPublicIpv4DefaultTestDeployAssertFA6F90DD.assets.json index 4a0f5e0c5e4b3..659ffb1cc71f4 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/AlbDualstackWithoutPublicIpv4DefaultTestDeployAssertFA6F90DD.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/AlbDualstackWithoutPublicIpv4DefaultTestDeployAssertFA6F90DD.assets.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.assets.json index 5091d2e660924..fb6e143f30005 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.assets.json @@ -1,7 +1,7 @@ { - "version": "36.0.0", + "version": "39.0.0", "files": { - "688bf4caeb2845f3dc89826da60063b380e5d0fe7ab50a95f9ffc76451c42a77": { + "0fac4619627ba59020023785c5d86d47abad0759e7add3aa2f150f8cbfcd7a9a": { "source": { "path": "aws-cdk-elbv2-integ-dualstack-without-public-ipv4.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "688bf4caeb2845f3dc89826da60063b380e5d0fe7ab50a95f9ffc76451c42a77.json", + "objectKey": "0fac4619627ba59020023785c5d86d47abad0759e7add3aa2f150f8cbfcd7a9a.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.template.json index 8882537e5df34..d430a9159e6c5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/aws-cdk-elbv2-integ-dualstack-without-public-ipv4.template.json @@ -530,6 +530,13 @@ "FromPort": 80, "IpProtocol": "tcp", "ToPort": 80 + }, + { + "CidrIpv6": "::/0", + "Description": "Allow from anyone on port 80", + "FromPort": 80, + "IpProtocol": "tcp", + "ToPort": 80 } ], "VpcId": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/cdk.out index 1f0068d32659a..91e1a8b9901d5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"36.0.0"} \ No newline at end of file +{"version":"39.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/integ.json index 4fd4fa6f896d6..b780151e89492 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "testCases": { "AlbDualstackWithoutPublicIpv4/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/manifest.json index 87f61f9552ca1..6534e24089c8d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "artifacts": { "aws-cdk-elbv2-integ-dualstack-without-public-ipv4.assets": { "type": "cdk:asset-manifest", @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/688bf4caeb2845f3dc89826da60063b380e5d0fe7ab50a95f9ffc76451c42a77.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/0fac4619627ba59020023785c5d86d47abad0759e7add3aa2f150f8cbfcd7a9a.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/tree.json index 07d5c271d52c2..4810b354d0d71 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb.dualstack-without-public-ipv4.js.snapshot/tree.json @@ -31,7 +31,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnVPC", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -97,7 +97,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -127,7 +127,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -146,7 +146,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -166,7 +166,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -186,7 +186,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -214,7 +214,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -234,13 +234,13 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -306,7 +306,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -336,7 +336,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -355,7 +355,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -375,7 +375,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -395,7 +395,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -423,7 +423,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -443,13 +443,13 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -493,7 +493,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -523,7 +523,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -542,7 +542,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -562,13 +562,13 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -612,7 +612,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -642,7 +642,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -661,7 +661,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -681,13 +681,13 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -706,7 +706,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnInternetGateway", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -725,13 +725,13 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnVPCGatewayAttachment", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.Vpc", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -748,7 +748,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnVPCCidrBlock", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -790,7 +790,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnLoadBalancer", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -821,6 +821,13 @@ "fromPort": 80, "toPort": 80, "description": "Allow from anyone on port 80" + }, + { + "cidrIpv6": "::/0", + "ipProtocol": "tcp", + "fromPort": 80, + "toPort": 80, + "description": "Allow from anyone on port 80" } ], "vpcId": { @@ -829,13 +836,13 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -865,7 +872,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnListener", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } }, @@ -899,7 +906,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnTargetGroup", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } @@ -939,7 +946,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnTargetGroup", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } @@ -982,14 +989,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnListenerRule", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListenerRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } }, "action1Rule": { @@ -1028,14 +1035,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.CfnListenerRule", + "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListenerRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.4.2" } } }, @@ -1269,7 +1276,7 @@ "path": "AlbDualstackWithoutPublicIpv4/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } }, "DeployAssert": { @@ -1315,7 +1322,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md index d780b7bb410cb..82b10a3417ef6 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md @@ -1,7 +1,5 @@ # Amazon Elastic Load Balancing V2 Construct Library - - The `aws-cdk-lib/aws-elasticloadbalancingv2` package provides constructs for configuring application and network load balancers. @@ -49,6 +47,13 @@ listener.addTargets('ApplicationFleet', { The security groups of the load balancer and the target are automatically updated to allow the network traffic. +> NOTE: If the `@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault` feature flag is set (the default for new projects), and `addListener()` is called with `open: true`, +the load balancer's security group will automatically include both IPv4 and IPv6 ingress rules when using `IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4`. +> +> For existing projects that only have IPv4 rules, you can opt-in to IPv6 ingress rules +by enabling the feature flag in your cdk.json file. Note that enabling this feature flag +will modify existing security group rules. + One (or more) security groups can be associated with the load balancer; if a security group isn't provided, one will be automatically created. @@ -100,8 +105,8 @@ where all requests that didn't match any of the conditions will be sent. Routing traffic from a Load Balancer to a Target involves the following steps: -- Create a Target Group, register the Target into the Target Group -- Add an Action to the Listener which forwards traffic to the Target Group. +* Create a Target Group, register the Target into the Target Group +* Add an Action to the Listener which forwards traffic to the Target Group. A new listener can be added to the Load Balancer by calling `addListener()`. Listeners that have been added to the load balancer can be listed using the @@ -111,27 +116,27 @@ for imported or looked up Load Balancers. Various methods on the `Listener` take care of this work for you to a greater or lesser extent: -- `addTargets()` performs both steps: automatically creates a Target Group and the +* `addTargets()` performs both steps: automatically creates a Target Group and the required Action. -- `addTargetGroups()` gives you more control: you create the Target Group (or +* `addTargetGroups()` gives you more control: you create the Target Group (or Target Groups) yourself and the method creates Action that routes traffic to the Target Groups. -- `addAction()` gives you full control: you supply the Action and wire it up +* `addAction()` gives you full control: you supply the Action and wire it up to the Target Groups yourself (or access one of the other ELB routing features). Using `addAction()` gives you access to some of the features of an Elastic Load Balancer that the other two convenience methods don't: -- **Routing stickiness**: use `ListenerAction.forward()` and supply a +* **Routing stickiness**: use `ListenerAction.forward()` and supply a `stickinessDuration` to make sure requests are routed to the same target group for a given duration. -- **Weighted Target Groups**: use `ListenerAction.weightedForward()` +* **Weighted Target Groups**: use `ListenerAction.weightedForward()` to give different weights to different target groups. -- **Fixed Responses**: use `ListenerAction.fixedResponse()` to serve +* **Fixed Responses**: use `ListenerAction.fixedResponse()` to serve a static response (ALB only). -- **Redirects**: use `ListenerAction.redirect()` to serve an HTTP +* **Redirects**: use `ListenerAction.redirect()` to serve an HTTP redirect response (ALB only). -- **Authentication**: use `ListenerAction.authenticateOidc()` to +* **Authentication**: use `ListenerAction.authenticateOidc()` to perform OpenID authentication before serving a request (see the `aws-cdk-lib/aws-elasticloadbalancingv2-actions` package for direct authentication integration with Cognito) (ALB only). @@ -254,7 +259,7 @@ For more information, see [Load balancer attributes](https://docs.aws.amazon.com ### Setting up Access Log Bucket on Application Load Balancer The only server-side encryption option that's supported is Amazon S3-managed keys (SSE-S3). For more information -Documentation: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html +Documentation: ```ts @@ -272,7 +277,7 @@ lb.logAccessLogs(bucket); ### Setting up Connection Log Bucket on Application Load Balancer Like access log bucket, the only server-side encryption option that's supported is Amazon S3-managed keys (SSE-S3). For more information -Documentation: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-connection-logging.html +Documentation: ```ts declare const vpc: ec2.Vpc; @@ -298,13 +303,14 @@ const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', { }); ``` -By setting `DUAL_STACK_WITHOUT_PUBLIC_IPV4`, you can provision load balancers without public IPv4s +By setting `DUAL_STACK_WITHOUT_PUBLIC_IPV4`, you can provision load balancers without public IPv4s: ```ts declare const vpc: ec2.Vpc; const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', { vpc, + internetFacing: true, ipAddressType: elbv2.IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4, }); ``` @@ -441,6 +447,7 @@ const listener = lb.addListener('Listener', { ``` ### Network Load Balancer and EC2 IConnectable interface + Network Load Balancer implements EC2 `IConnectable` and exposes `connections` property. EC2 Connections allows manage the allowed network connections for constructs with Security Groups. This class makes it easy to allow network connections to and from security groups, and between security groups individually. One thing to keep in mind is that network load balancers do not have security groups, and no automatic security group configuration is done for you. You will have to configure the security groups of the target yourself to allow traffic by clients and/or load balancer instances, depending on your target types. ```ts @@ -530,7 +537,7 @@ const tg = new elbv2.ApplicationTargetGroup(this, 'TG', { }); ``` -For more information see: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/sticky-sessions.html#application-based-stickiness +For more information see: ### Setting the target group protocol version @@ -809,12 +816,12 @@ Node.of(resource).addDependency(targetGroup.loadBalancerAttached); You may look up load balancers and load balancer listeners by using one of the following lookup methods: -- `ApplicationLoadBalancer.fromLookup(options)` - Look up an application load +* `ApplicationLoadBalancer.fromLookup(options)` - Look up an application load balancer. -- `ApplicationListener.fromLookup(options)` - Look up an application load +* `ApplicationListener.fromLookup(options)` - Look up an application load balancer listener. -- `NetworkLoadBalancer.fromLookup(options)` - Look up a network load balancer. -- `NetworkListener.fromLookup(options)` - Look up a network load balancer +* `NetworkLoadBalancer.fromLookup(options)` - Look up a network load balancer. +* `NetworkListener.fromLookup(options)` - Look up a network load balancer listener. ### Load Balancer lookup options @@ -850,11 +857,11 @@ const loadBalancer = elbv2.ApplicationLoadBalancer.fromLookup(this, 'ALB', { You may look up a load balancer listener by the following criteria: -- Associated load balancer ARN -- Associated load balancer tags -- Listener ARN -- Listener port -- Listener protocol +* Associated load balancer ARN +* Associated load balancer tags +* Listener ARN +* Listener port +* Listener protocol The lookup method will return the matching listener. If more than one listener matches, CDK will throw an error requesting that you specify additional diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts index 07cfb949f3b83..d55466374bdd5 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts @@ -8,7 +8,7 @@ import { ListenerCondition } from './conditions'; import { ITrustStore } from './trust-store'; import * as ec2 from '../../../aws-ec2'; import * as cxschema from '../../../cloud-assembly-schema'; -import { Duration, Lazy, Resource, Token } from '../../../core'; +import { Duration, FeatureFlags, Lazy, Resource, Token } from '../../../core'; import * as cxapi from '../../../cx-api'; import { BaseListener, BaseListenerLookupOptions, IListener } from '../shared/base-listener'; import { HealthCheck } from '../shared/base-target-group'; @@ -303,7 +303,9 @@ export class ApplicationListener extends BaseListener implements IApplicationLis if (props.open !== false) { this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv4(), `Allow from anyone on port ${port}`); - if (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK) { + if (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK || + (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4 && + FeatureFlags.of(this).isEnabled(cxapi.ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT))) { this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv6(), `Allow from anyone on port ${port}`); } } diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts index 57410eeb3a08a..89594b0654250 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts @@ -1079,6 +1079,15 @@ export interface IApplicationLoadBalancer extends ILoadBalancerV2, ec2.IConnecta /** * The IP Address Type for this load balancer * + * If the `@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault` + * feature flag is set (the default for new projects), and `addListener()` is called with `open: true`, + * the load balancer's security group will automatically include both IPv4 and IPv6 ingress rules + * when using `IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4`. + * + * For existing projects that only have IPv4 rules, you can opt-in to IPv6 ingress rules + * by enabling the feature flag in your cdk.json file. Note that enabling this feature flag + * will modify existing security group rules. + * * @default IpAddressType.IPV4 */ readonly ipAddressType?: IpAddressType; diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts index 1943a1945ac2a..9cb4fc15eb471 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts @@ -7,6 +7,7 @@ import * as ec2 from '../../../aws-ec2'; import * as s3 from '../../../aws-s3'; import * as cdk from '../../../core'; import { SecretValue } from '../../../core'; +import * as cxapi from '../../../cx-api'; import * as elbv2 from '../../lib'; import { FakeSelfRegisteringTarget } from '../helpers'; @@ -107,6 +108,79 @@ describe('tests', () => { }); }); + test('Listener default to open - IPv6 (dual stack without public IPv4) with feature flag enabled', () => { + // GIVEN + const app = new cdk.App({ + context: { [cxapi.ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT]: true }, + }); + const stack = new cdk.Stack(app); + const vpc = new ec2.Vpc(stack, 'Stack'); + const loadBalancer = new elbv2.ApplicationLoadBalancer(stack, 'LB', { + vpc, + internetFacing: true, + ipAddressType: elbv2.IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4, + }); + + // WHEN + loadBalancer.addListener('MyListener', { + port: 80, + defaultTargetGroups: [new elbv2.ApplicationTargetGroup(stack, 'Group', { vpc, port: 80 })], + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::EC2::SecurityGroup', { + SecurityGroupIngress: [ + { + Description: 'Allow from anyone on port 80', + CidrIp: '0.0.0.0/0', + FromPort: 80, + IpProtocol: 'tcp', + ToPort: 80, + }, + { + Description: 'Allow from anyone on port 80', + CidrIpv6: '::/0', + FromPort: 80, + IpProtocol: 'tcp', + ToPort: 80, + }, + ], + }); + }); + + test('Listener default to open - IPv6 (dual stack without public IPv4) with feature flag disabled', () => { + // GIVEN + const app = new cdk.App({ + context: { [cxapi.ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT]: false }, + }); + const stack = new cdk.Stack(app); + const vpc = new ec2.Vpc(stack, 'Stack'); + const loadBalancer = new elbv2.ApplicationLoadBalancer(stack, 'LB', { + vpc, + internetFacing: true, + ipAddressType: elbv2.IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4, + }); + + // WHEN + loadBalancer.addListener('MyListener', { + port: 80, + defaultTargetGroups: [new elbv2.ApplicationTargetGroup(stack, 'Group', { vpc, port: 80 })], + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::EC2::SecurityGroup', { + SecurityGroupIngress: [ + { + Description: 'Allow from anyone on port 80', + CidrIp: '0.0.0.0/0', + FromPort: 80, + IpProtocol: 'tcp', + ToPort: 80, + }, + ], + }); + }); + test('HTTPS listener requires certificate', () => { // GIVEN const stack = new cdk.Stack(); diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md index d278d6b3064ac..12075ff16f731 100644 --- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md +++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md @@ -84,8 +84,9 @@ Flags come in three types: | [@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault](#aws-cdkaws-ec2bastionhostuseamazonlinux2023bydefault) | When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2. | 2.172.0 | (default) | | [@aws-cdk/core:aspectStabilization](#aws-cdkcoreaspectstabilization) | When enabled, a stabilization loop will be run when invoking Aspects during synthesis. | 2.172.0 | (config) | | [@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource](#aws-cdkaws-route53-targetsuserpooldomainnamemethodwithoutcustomresource) | When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource. | 2.174.0 | (fix) | -| [@aws-cdk/aws-ecs:disableEcsImdsBlocking](#aws-cdkaws-ecsdisableecsimdsblocking) | When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)** | 2.175.0 | (temporary) | -| [@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature](#aws-cdkaws-ecsenableimdsblockingdeprecatedfeature) | When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)** | 2.175.0 | (temporary) | +| [@aws-cdk/aws-ecs:disableEcsImdsBlocking](#aws-cdkaws-ecsdisableecsimdsblocking) | When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)** | V2NEXT | (temporary) | +| [@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature](#aws-cdkaws-ecsenableimdsblockingdeprecatedfeature) | When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)** | V2NEXT | (temporary) | +| [@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault](#aws-cdkaws-elasticloadbalancingv2albdualstackwithoutpublicipv4securitygrouprulesdefault) | When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere | V2NEXT | (fix) | @@ -159,7 +160,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": true, "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": true, "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true, - "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true, + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true } } ``` @@ -238,7 +240,6 @@ different environments). This means that the name of the synthesized template file will be based on the construct path and not on the defined `stackName` of the stack. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.16.0 | `false` | `true` | @@ -246,7 +247,6 @@ of the stack. **Compatibility with old behavior:** Pass stack identifiers to the CLI instead of stack names. - ### aws-cdk:enableDiffNoFail *Make `cdk diff` not fail when there are differences* (default) @@ -254,14 +254,13 @@ of the stack. Determines what status code `cdk diff` should return when the specified stack differs from the deployed stack or the local CloudFormation template: -* `aws-cdk:enableDiffNoFail=true` => status code == 0 -* `aws-cdk:enableDiffNoFail=false` => status code == 1 +- `aws-cdk:enableDiffNoFail=true` => status code == 0 +- `aws-cdk:enableDiffNoFail=false` => status code == 1 You can override this behavior with the --fail flag: -* `--fail` => status code == 1 -* `--no-fail` => status code == 0 - +- `--fail` => status code == 1 +- `--no-fail` => status code == 0 | Since | Default | Recommended | | ----- | ----- | ----- | @@ -270,7 +269,6 @@ You can override this behavior with the --fail flag: **Compatibility with old behavior:** Specify `--fail` to the CLI. - ### @aws-cdk/aws-ecr-assets:dockerIgnoreSupport *DockerImageAsset properly supports `.dockerignore` files by default* (default) @@ -282,7 +280,6 @@ is standard Docker ignore semantics. This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.73.0 | `false` | `true` | @@ -290,7 +287,6 @@ users may have come to depend on it. **Compatibility with old behavior:** Update your `.dockerignore` file to match standard Docker ignore rules, if necessary. - ### @aws-cdk/aws-secretsmanager:parseOwnedSecretName *Fix the referencing of SecretsManager names from ARNs* (default) @@ -301,7 +297,6 @@ rather than the default full resource name, which includes the SecretsManager su If this flag is not set, Secret.secretName will include the SecretsManager suffix, which cannot be directly used by SecretsManager.DescribeSecret, and must be parsed by the user first (e.g., Fn:Join, Fn:Select, Fn:Split). - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.77.0 | `false` | `true` | @@ -309,7 +304,6 @@ used by SecretsManager.DescribeSecret, and must be parsed by the user first (e.g **Compatibility with old behavior:** Use `parseArn(secret.secretName).resourceName` to emulate the incorrect old parsing. - ### @aws-cdk/aws-kms:defaultKeyPolicies *Tighten default KMS key policies* (default) @@ -326,7 +320,6 @@ true, the policy matches what happens when this feature flag is set. Additionally, if this flag is not set and the user supplies a custom key policy, this will be appended to the key's default policy (rather than replacing it). - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.78.0 | `false` | `true` | @@ -334,7 +327,6 @@ to the key's default policy (rather than replacing it). **Compatibility with old behavior:** Pass `trustAccountIdentities: false` to `Key` construct to restore the old behavior. - ### @aws-cdk/aws-s3:grantWriteWithoutAcl *Remove `PutObjectAcl` from Bucket.grantWrite* (default) @@ -345,7 +337,6 @@ which could be used to grant read/write object access to IAM principals in other Use a feature flag to make sure existing customers who might be relying on the overly-broad permissions are not broken. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.85.0 | `false` | `true` | @@ -353,7 +344,6 @@ on the overly-broad permissions are not broken. **Compatibility with old behavior:** Call `bucket.grantPutAcl()` in addition to `bucket.grantWrite()` to grant ACL permissions. - ### @aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount *Do not specify a default DesiredCount for ECS services* (default) @@ -368,7 +358,6 @@ If this flag is not set, the default behaviour for CfnService.desiredCount is to desiredCount of 1, if one is not provided. If true, a default will not be defined for CfnService.desiredCount and as such desiredCount will be undefined, if one is not provided. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.92.0 | `false` | `true` | @@ -376,14 +365,12 @@ CfnService.desiredCount and as such desiredCount will be undefined, if one is no **Compatibility with old behavior:** You can pass `desiredCount: 1` explicitly, but you should never need this. - ### @aws-cdk/aws-efs:defaultEncryptionAtRest *Enable this feature flag to have elastic file systems encrypted at rest by default.* (default) Encryption can also be configured explicitly using the `encrypted` property. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.98.0 | `false` | `true` | @@ -391,7 +378,6 @@ Encryption can also be configured explicitly using the `encrypted` property. **Compatibility with old behavior:** Pass the `encrypted: false` property to the `FileSystem` construct to disable encryption. - ### @aws-cdk/core:newStyleStackSynthesis *Switch to new stack synthesis method which enables CI/CD* (fix) @@ -399,13 +385,11 @@ Encryption can also be configured explicitly using the `encrypted` property. If this flag is specified, all `Stack`s will use the `DefaultStackSynthesizer` by default. If it is not set, they will use the `LegacyStackSynthesizer`. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.39.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/core:stackRelativeExports *Name exports based on the construct paths relative to the stack, rather than the global construct path* (fix) @@ -415,13 +399,11 @@ ensure uniqueness, and makes the export names robust against refactoring the location of the stack in the construct tree (specifically, moving the Stack into a Stage). - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.58.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/aws-rds:lowercaseDbIdentifier *Force lowercasing of RDS Cluster names in CDK* (fix) @@ -436,13 +418,11 @@ Must be behind a permanent flag because changing a name from mixed case to lower would lead CloudFormation to think the name was changed and would trigger a cluster replacement (losing data!). - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.97.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId *Allow adding/removing multiple UsagePlanKeys independently* (fix) @@ -460,13 +440,11 @@ which again is disallowed. In effect, there is no way to get out of this mess in a backwards compatible way, while supporting existing stacks. This flag changes the logical id layout of UsagePlanKey to not be sensitive to order. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.98.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/aws-lambda:recognizeVersionProps *Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.* (fix) @@ -476,26 +454,22 @@ not constitute creating a new Version. See 'currentVersion' section in the aws-lambda module's README for more details. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.106.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021 *Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.* (fix) The security policy can also be configured explicitly using the `minimumProtocolVersion` property. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.117.0 | `false` | `true` | | 2.0.0 | `true` | `true` | - ### @aws-cdk/core:target-partitions *What regions to include in lookup tables of environment agnostic stacks* (config) @@ -505,13 +479,11 @@ of unnecessary regions included in stacks without a known region. The type of this value should be a list of strings. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.137.0 | `false` | `["aws","aws-cn"]` | | 2.4.0 | `false` | `["aws","aws-cn"]` | - ### @aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver *ECS extensions will automatically add an `awslogs` driver if no logging is specified* (default) @@ -521,7 +493,6 @@ Enable this feature flag to configure default logging behavior for the ECS Servi This is a feature flag as the new behavior provides a better default experience for the users. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.140.0 | `false` | `true` | @@ -529,7 +500,6 @@ This is a feature flag as the new behavior provides a better default experience **Compatibility with old behavior:** Specify a log driver explicitly. - ### @aws-cdk/aws-ec2:uniqueImdsv2TemplateName *Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names.* (fix) @@ -540,13 +510,11 @@ account and region, the deployments would always fail as the generated Launch Te The new implementation addresses this issue by generating the Launch Template name with the `Names.uniqueId` method. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.140.0 | `false` | `true` | | 2.8.0 | `false` | `true` | - ### @aws-cdk/aws-iam:minimizePolicies *Minimize IAM policies by combining Statements* (config) @@ -555,13 +523,11 @@ Minimize IAM policies by combining Principals, Actions and Resources of two Statements in the policies, as long as it doesn't change the meaning of the policy. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.150.0 | `false` | `true` | | 2.18.0 | `false` | `true` | - ### @aws-cdk/core:checkSecretUsage *Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations* (config) @@ -570,13 +536,11 @@ With this flag enabled, `SecretValue` instances can only be passed to constructs that accept `SecretValue`s; otherwise, `unsafeUnwrap()` must be called to use it as a regular string. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.153.0 | `false` | `true` | | 2.21.0 | `false` | `true` | - ### @aws-cdk/aws-lambda:recognizeLayerVersion *Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.* (fix) @@ -585,13 +549,11 @@ This flag correct incorporates Lambda Layer properties into the Lambda Function See 'currentVersion' section in the aws-lambda module's README for more details. - | Since | Default | Recommended | | ----- | ----- | ----- | | 1.159.0 | `false` | `true` | | 2.27.0 | `false` | `true` | - ### @aws-cdk/core:validateSnapshotRemovalPolicy *Error on snapshot removal policies on resources that do not support it.* (default) @@ -601,7 +563,6 @@ If supplied on an unsupported resource, CloudFormation ignores the policy altoge This flag will reduce confusion and unexpected loss of data when erroneously supplying the snapshot removal policy. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -609,7 +570,6 @@ the snapshot removal policy. **Compatibility with old behavior:** The old behavior was incorrect. Update your source to not specify SNAPSHOT policies on resources that do not support it. - ### @aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName *Generate key aliases that include the stack name* (fix) @@ -621,13 +581,11 @@ the KMS key alias name created for these pipelines may be the same due to how th This new implementation creates a stack safe resource name for the alias using the stack name instead of the stack ID. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.29.0 | `false` | `true` | - ### @aws-cdk/aws-s3:createDefaultLoggingPolicy *Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist.* (fix) @@ -641,15 +599,13 @@ and error indicating that a bucket policy already exists. In cases where we know what the required policy is we can go ahead and create the policy so we can remain in control of it. -@see https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3 - +@see | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.31.0 | `false` | `true` | - ### @aws-cdk/aws-sns-subscriptions:restrictSqsDescryption *Restrict KMS key policy for encrypted Queues a bit more* (fix) @@ -661,13 +617,11 @@ Previously the decryption was only restricted to the SNS service principal. To m secure, it is a good practice to restrict the decryption further and only allow the connected SNS topic to decryption the subscribed queue. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.32.0 | `false` | `true` | - ### @aws-cdk/aws-ecs:arnFormatIncludesClusterName *ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID.* (fix) @@ -677,35 +631,31 @@ If this flag is set, the new ARN format (with cluster name) for ECS is used. This is a feature flag as the old format is still valid for existing ECS clusters. -See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#ecs-resource-ids - +See | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.35.0 | `false` | `true` | - ### @aws-cdk/aws-apigateway:disableCloudWatchRole *Make default CloudWatch Role behavior safe for multiple API Gateways in one environment* (fix) Enable this feature flag to change the default behavior for aws-apigateway.RestApi and aws-apigateway.SpecRestApi -to _not_ create a CloudWatch role and Account. There is only a single ApiGateway account per AWS +to *not* create a CloudWatch role and Account. There is only a single ApiGateway account per AWS environment which means that each time you create a RestApi in your account the ApiGateway account is overwritten. If at some point the newest RestApi is deleted, the ApiGateway Account and CloudWatch role will also be deleted, breaking any existing ApiGateways that were depending on them. When this flag is enabled you should either create the ApiGateway account and CloudWatch role -separately _or_ only enable the cloudWatchRole on a single RestApi. - +separately *or* only enable the cloudWatchRole on a single RestApi. | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.38.0 | `false` | `true` | - ### @aws-cdk/core:enablePartitionLiterals *Make ARNs concrete if AWS partition is known* (fix) @@ -734,13 +684,11 @@ Principal: The intrinsic function will still be used in Stacks where no region is defined or the region's partition is unknown. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.38.0 | `false` | `true` | - ### @aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker *Avoid setting the "ECS" deployment controller when adding a circuit breaker* (fix) @@ -751,13 +699,11 @@ This does not change any behaviour as the default deployment controller when it This is a feature flag as the new behavior provides a better default experience for the users. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.51.0 | `false` | `true` | - ### @aws-cdk/aws-events:eventsTargetQueueSameAccount *Event Rules may only push to encrypted SQS queues in the same account* (fix) @@ -766,13 +712,11 @@ This flag applies to SQS Queues that are used as the target of event Rules. When from the same account as the Rule can send messages. If a queue is unencrypted, this restriction will always apply, regardless of the value of this flag. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.51.0 | `false` | `true` | - ### @aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName *Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in.* (fix) @@ -783,13 +727,11 @@ of a role using the same default policy name. This new implementation creates default policy names based on the constructs node path in their stack. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.60.0 | `false` | `true` | - ### @aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy *Use S3 Bucket Policy instead of ACLs for Server Access Logging* (fix) @@ -801,15 +743,13 @@ enabled on the bucket. This flag uses a Bucket Policy statement to allow Server Access Log delivery, following best practices for S3. -@see https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html - +@see | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.60.0 | `false` | `true` | - ### @aws-cdk/customresources:installLatestAwsSdkDefault *Whether to install the latest SDK by default in AwsCustomResource* (default) @@ -821,7 +761,6 @@ do not have internet access, or in environments where 'npmjs.com' is not availab The recommended setting is to disable the default installation behavior, and pass the flag on a resource-by-resource basis to enable it if necessary. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -829,7 +768,6 @@ flag on a resource-by-resource basis to enable it if necessary. **Compatibility with old behavior:** Set installLatestAwsSdk: true on all resources that need it. - ### @aws-cdk/aws-route53-patters:useCertificate *Use the official `Certificate` resource instead of `DnsValidatedCertificate`* (default) @@ -839,7 +777,6 @@ of the deprecated `DnsValidatedCertificate` construct. If this flag is enabled a the stack in a region other than us-east-1 then you must also set `crossRegionReferences=true` on the stack. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -847,7 +784,6 @@ stack. **Compatibility with old behavior:** Define a `DnsValidatedCertificate` explicitly and pass in the `certificate` property - ### @aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup *Remove CloudWatch alarms from deployment group* (fix) @@ -856,13 +792,11 @@ Enable this flag to be able to remove all CloudWatch alarms from a deployment gr the alarms from the construct. If this flag is not set, removing all alarms from the construct will still leave the alarms configured for the deployment group. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.65.0 | `false` | `true` | - ### @aws-cdk/aws-rds:databaseProxyUniqueResourceName *Use unique resource name for Database Proxy* (fix) @@ -875,13 +809,11 @@ If this flag is set, the default behavior is to use unique resource names for ea This is a feature flag as the old behavior was technically incorrect, but users may have come to depend on it. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.65.0 | `false` | `true` | - ### @aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId *Include authorizer configuration in the calculation of the API deployment logical ID.* (fix) @@ -891,13 +823,11 @@ the API configuration, including methods, and resources, etc. Enable this featur to also include the configuration of any authorizer attached to the API in the calculation, so any changes made to an authorizer will create a new deployment. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.66.0 | `false` | `true` | - ### @aws-cdk/aws-ec2:launchTemplateDefaultUserData *Define user data for a launch template by default when a machine image is provided.* (fix) @@ -906,13 +836,11 @@ The ec2.LaunchTemplate construct did not define user data when a machine image i provided despite the document. If this is set, a user data is automatically defined according to the OS of the machine image. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.67.0 | `false` | `true` | - ### @aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments *SecretTargetAttachments uses the ResourcePolicy of the attached Secret.* (fix) @@ -928,13 +856,11 @@ This won't be possible without intervention due to limitation outlined above. First remove all permissions granted to the Secret and deploy without the ResourcePolicies. Then you can re-add the permissions and deploy again. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.67.0 | `false` | `true` | - ### @aws-cdk/aws-redshift:columnId *Whether to use an ID to track Redshift column changes* (fix) @@ -951,13 +877,11 @@ than their `name`. This will prevent data loss when columns are renamed. initial deployment, the columns will be dropped and recreated, causing data loss. After the initial deployment of the `id`s, the `name`s of the columns can be changed without data loss. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.68.0 | `false` | `true` | - ### @aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2 *Enable AmazonEMRServicePolicy_v2 managed policies* (fix) @@ -971,13 +895,11 @@ managed policies. This is a feature flag as the old behavior will be deprecated, but some resources may require manual intervention since they might not have the appropriate tags propagated automatically. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.72.0 | `false` | `true` | - ### @aws-cdk/aws-apigateway:requestValidatorUniqueId *Generate a unique id for each RequestValidator added to a method* (fix) @@ -988,13 +910,11 @@ providing the `RequestValidatorOptions` in the `addMethod()` method. If the flag is not set then only a single RequestValidator can be added in this way. Any additional RequestValidators have to be created directly with `new RequestValidator`. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.78.0 | `false` | `true` | - ### @aws-cdk/aws-ec2:restrictDefaultSecurityGroup *Restrict access to the VPC default security group* (default) @@ -1004,20 +924,17 @@ VPC default security group. When a VPC is created, a default security group is created as well and this cannot be deleted. The default security group is created with ingress/egress rules that allow -_all_ traffic. [AWS Security best practices recommend](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2) +*all* traffic. [AWS Security best practices recommend](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2) removing these ingress/egress rules in order to restrict access to the default security group. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.78.0 | `false` | `true` | -**Compatibility with old behavior:** +**Compatibility with old behavior:** To allow all ingress/egress traffic to the VPC default security group you can set the `restrictDefaultSecurityGroup: false`. - - ### @aws-cdk/aws-kms:aliasNameRef @@ -1029,13 +946,11 @@ when referencing key.aliasName or key.keyArn. If the flag is not set then a raw string is passed as the Alias name and no implicit dependencies will be set. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.83.0 | `false` | `true` | - ### @aws-cdk/core:includePrefixInUniqueNameGeneration *Include the stack prefix in the stack name generation process* (fix) @@ -1049,13 +964,11 @@ If the flag is not set, then the prefix of the stack is prepended to the generat feature flag can lead to a change in stacks' name. Changing a stack name mean recreating the whole stack, which is not viable in some productive setups. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.84.0 | `false` | `true` | - ### @aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig *Generate a launch template when creating an AutoScalingGroup* (fix) @@ -1068,17 +981,14 @@ will now create an equivalent 'launchTemplate'. Alternatively, users can provide attempt to set user data according to the OS of the machine image if explicit user data is not provided. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.88.0 | `false` | `true` | -**Compatibility with old behavior:** +**Compatibility with old behavior:** If backwards compatibility needs to be maintained due to an existing autoscaling group using a launch config, set this flag to false. - - ### @aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby @@ -1087,7 +997,6 @@ provided. If this is set, an opensearch domain will automatically be created with multi-az with standby enabled. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1095,7 +1004,6 @@ multi-az with standby enabled. **Compatibility with old behavior:** Pass `capacity.multiAzWithStandbyEnabled: false` to `Domain` construct to restore the old behavior. - ### @aws-cdk/aws-efs:denyAnonymousAccess *EFS denies anonymous clients accesses* (default) @@ -1106,7 +1014,6 @@ access to `efs.FileSystem`. If this flag is not set, `efs.FileSystem` will allow all anonymous clients that can access over the network. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1114,7 +1021,6 @@ that can access over the network. **Compatibility with old behavior:** You can pass `allowAnonymousAccess: true` so allow anonymous clients access. - ### @aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId *When enabled, mount targets will have a stable logicalId that is linked to the associated subnet.* (fix) @@ -1126,13 +1032,11 @@ subnets changes. Set this flag to false for existing mount targets. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.93.0 | `false` | `true` | - ### @aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion *Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default* (default) @@ -1142,7 +1046,6 @@ functions will us the latest version of the runtime provided by the Lambda service. Do not use this if you your lambda function is reliant on dependencies shipped as part of the runtime environment. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1150,7 +1053,6 @@ shipped as part of the runtime environment. **Compatibility with old behavior:** Pass `runtime: lambda.Runtime.NODEJS_16_X` to `Function` construct to restore the previous behavior. - ### @aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier *When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id.* (fix) @@ -1159,13 +1061,11 @@ When this feature flag is enabled, we use the IGraphqlApi ARN rather than ID whe the GraphqlApi construct. Using the ARN allows the association to support an association with a source api or merged api in another account. Note that for existing source api associations created with this flag disabled, enabling the flag will lead to a resource replacement. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.97.0 | `false` | `true` | - ### @aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters *When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change.* (fix) @@ -1177,13 +1077,11 @@ from AuroraCluster. If the flag is set to false then it can only make one `AuroraClusterInstance` with each `InstanceParameterGroup` in the AuroraCluster. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.97.0 | `false` | `true` | - ### @aws-cdk/aws-rds:preventRenderingDeprecatedCredentials *When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials.* (fix) @@ -1201,13 +1099,11 @@ Set this flag to prevent rendering deprecated `credentials` and creating an extra database secret when only using `snapshotCredentials` to create an RDS database cluster from a snapshot. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.98.0 | `false` | `true` | - ### @aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource *When enabled, the CodeCommit source action is using the default branch name 'main'.* (fix) @@ -1216,13 +1112,11 @@ When setting up a CodeCommit source action for the source stage of a pipeline, p default branch is 'master'. However, with the activation of this feature flag, the default branch is updated to 'main'. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.103.1 | `false` | `true` | - ### @aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction *When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID.* (fix) @@ -1234,13 +1128,11 @@ can be created with `LambdaAction`. If the flag is set to false then it can only make one alarm for the Lambda with `LambdaAction`. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.124.0 | `false` | `true` | - ### @aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse *Enables Pipeline to set the default value for crossAccountKeys to false.* (default) @@ -1248,7 +1140,6 @@ If the flag is set to false then it can only make one alarm for the Lambda with When this feature flag is enabled, and the `crossAccountKeys` property is not provided in a `Pipeline` construct, the construct automatically defaults the value of this property to false. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1256,7 +1147,6 @@ construct, the construct automatically defaults the value of this property to fa **Compatibility with old behavior:** Pass `crossAccountKeys: true` to `Pipeline` construct to restore the previous behavior. - ### @aws-cdk/aws-codepipeline:defaultPipelineTypeToV2 *Enables Pipeline to set the default pipeline type to V2.* (default) @@ -1264,7 +1154,6 @@ construct, the construct automatically defaults the value of this property to fa When this feature flag is enabled, and the `pipelineType` property is not provided in a `Pipeline` construct, the construct automatically defaults the value of this property to `PipelineType.V2`. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1272,7 +1161,6 @@ construct, the construct automatically defaults the value of this property to `P **Compatibility with old behavior:** Pass `pipelineType: PipelineType.V1` to `Pipeline` construct to restore the previous behavior. - ### @aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope *When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only.* (fix) @@ -1280,13 +1168,11 @@ construct, the construct automatically defaults the value of this property to `P When this feature flag is enabled and calling KMS key grant method, the created IAM policy will reduce the resource scope from '*' to this specific granting KMS key. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.134.0 | `false` | `true` | - ### @aws-cdk/aws-eks:nodegroupNameAttribute *When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix.* (fix) @@ -1294,20 +1180,17 @@ When this feature flag is enabled and calling KMS key grant method, the created When this feature flag is enabled, the nodegroupName attribute will be exactly the name of the nodegroup without any prefix. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.139.0 | `false` | `true` | - ### @aws-cdk/aws-ec2:ebsDefaultGp3Volume *When enabled, the default volume type of the EBS volume will be GP3* (default) When this featuer flag is enabled, the default volume type of the EBS volume will be `EbsDeviceVolumeType.GENERAL_PURPOSE_SSD_GP3`. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1315,7 +1198,6 @@ When this featuer flag is enabled, the default volume type of the EBS volume wil **Compatibility with old behavior:** Pass `volumeType: EbsDeviceVolumeType.GENERAL_PURPOSE_SSD` to `Volume` construct to restore the previous behavior. - ### @aws-cdk/pipelines:reduceAssetRoleTrustScope *Remove the root account principal from PipelineAssetsFileRole trust policy* (default) @@ -1323,7 +1205,6 @@ When this featuer flag is enabled, the default volume type of the EBS volume wil When this feature flag is enabled, the root account principal will not be added to the trust policy of asset role. When this feature flag is disabled, it will keep the root account principal in the trust policy. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1331,14 +1212,12 @@ When this feature flag is disabled, it will keep the root account principal in t **Compatibility with old behavior:** Disable the feature flag to add the root account principal back - ### @aws-cdk/aws-ecs:removeDefaultDeploymentAlarm *When enabled, remove default deployment alarm settings* (default) When this featuer flag is enabled, remove the default deployment alarm settings when creating a AWS ECS service. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1346,7 +1225,6 @@ When this featuer flag is enabled, remove the default deployment alarm settings **Compatibility with old behavior:** Set AWS::ECS::Service 'DeploymentAlarms' manually to restore the previous behavior. - ### @aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault *When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default* (fix) @@ -1354,19 +1232,17 @@ When this featuer flag is enabled, remove the default deployment alarm settings This results in 'logApiResponseData' being passed as true to the custom resource provider. This will cause the custom resource handler to receive an 'Update' event. If you don't have an SDK call configured for the 'Update' event and you're dependent on specific SDK call response data, you will see this error from CFN: -CustomResource attribute error: Vendor response doesn't contain attribute in object. See https://github.com/aws/aws-cdk/issues/29949) for more details. +CustomResource attribute error: Vendor response doesn't contain attribute in object. See ) for more details. Unlike most feature flags, we don't recommend setting this feature flag to true. However, if you're using the 'AwsCustomResource' construct with 'logApiResponseData' as true in the event object, then setting this feature flag will keep this behavior. Otherwise, setting this feature flag to false will trigger an 'Update' event by removing the 'logApiResponseData' property from the event object. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.145.0 | `false` | `false` | - ### @aws-cdk/aws-s3:keepNotificationInImportedBucket *When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack.* (fix) @@ -1376,13 +1252,11 @@ Currently, adding notifications to a bucket where it was created by ourselves wi When this feature flag is enabled, adding notifications to a bucket in the current stack will only update notification defined in this stack. Other notifications that are not managed by this stack will be kept. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.155.0 | `false` | `false` | - ### @aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask *When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.* (fix) @@ -1393,7 +1267,6 @@ of State Machine Task definition. When this feature flag is enabled, specify newly introduced props 's3InputUri' and 's3OutputUri' to populate S3 uri under input and output fields in state machine task definition for Bedrock invoke model. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1401,7 +1274,6 @@ When this feature flag is enabled, specify newly introduced props 's3InputUri' a **Compatibility with old behavior:** Disable the feature flag to use input and output path fields for s3 URI - ### @aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions *When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration* (fix) @@ -1411,7 +1283,6 @@ specified as logConfiguration and it will grant 'Resources': ['*'] to the task r When this feature flag is enabled, we will only grant the necessary permissions when users specify cloudwatch log group. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1419,7 +1290,6 @@ When this feature flag is enabled, we will only grant the necessary permissions **Compatibility with old behavior:** Disable the feature flag to continue grant permissions to log group when no log group is specified - ### @aws-cdk/aws-ec2:ec2SumTImeoutEnabled *When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together.* (fix) @@ -1429,13 +1299,11 @@ only the value from 'resourceSignalTimeout' will be used. When this feature flag is enabled, if both initOptions.timeout and resourceSignalTimeout are specified, the values will to be summed together. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.160.0 | `false` | `true` | - ### @aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission *When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn.* (fix) @@ -1447,13 +1315,11 @@ it allows invocations from any source. When this feature flag is enabled, the AWS::Lambda::Permission will be properly scoped with the SourceArn corresponding to the specific AppSync GraphQL API. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.161.0 | `false` | `true` | - ### @aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages *When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications.* (fix) @@ -1464,13 +1330,11 @@ However, this can cause version mismatches between the '@aws-sdk/*' and '@smithy When this feature flag is enabled, both '@aws-sdk/*' and '@smithy/*' packages will be excluded during the bundling process. This ensures that no mismatches occur between these tightly coupled dependencies when using the AWS SDK v3 in Lambda functions. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.161.0 | `false` | `true` | - ### @aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId *When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`* (fix) @@ -1479,7 +1343,6 @@ Currently, the value of the property 'instanceResourceId' in construct 'Database When this feature flag is enabled, the value of that property will be as expected set to 'DbiResourceId' attribute, and that will fix the grantConnect method. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1487,7 +1350,6 @@ When this feature flag is enabled, the value of that property will be as expecte **Compatibility with old behavior:** Disable the feature flag to use `DbInstanceArn` as value for property `instanceResourceId` - ### @aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics *When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values.* (fix) @@ -1496,13 +1358,11 @@ Without enabling this feature flag, `cfn-include` will silently drop resource up Enabling this feature flag will make `cfn-include` throw on these templates, unless you specify the logical ID of the resource in the 'unhydratedResources' property. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.161.0 | `false` | `true` | - ### @aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy *When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN.* (fix) @@ -1512,13 +1372,11 @@ The revision number at the end will be replaced with a wildcard which it shouldn When this feature flag is enabled, if the task definition is created in the stack, the 'Resource' section will 'Ref' the taskDefinition. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.163.0 | `false` | `true` | - ### @aws-cdk/aws-dynamodb:resourcePolicyPerReplica *When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas* (fix) @@ -1530,13 +1388,11 @@ This will prevent you from creating a new table which has an additional replica This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.164.0 | `false` | `true` | - ### @aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault *When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2.* (default) @@ -1548,7 +1404,6 @@ and secure option. When this feature flag is enabled, if you do not pass the machineImage property to the BastionHost construct, the latest Amazon Linux 2023 version will be used instead of Amazon Linux 2. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1556,7 +1411,6 @@ the latest Amazon Linux 2023 version will be used instead of Amazon Linux 2. **Compatibility with old behavior:** Disable the feature flag or explicitly pass an Amazon Linux 2 machine image to the BastionHost construct. - ### @aws-cdk/core:aspectStabilization *When enabled, a stabilization loop will be run when invoking Aspects during synthesis.* (config) @@ -1566,12 +1420,24 @@ This means that the Aspects that create other Aspects are not run and Aspects th When this feature flag is enabled, a stabilization loop is run to recurse the construct tree multiple times when invoking Aspects. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.172.0 | `true` | `true` | +### @aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource + +*When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource.* (fix) + +When this feature flag is enabled, a new method will be used to get the DNS Name of the user pool domain target. The old method +creates a custom resource internally, but the new method doesn't need a custom resource. + +If the flag is set to false then a custom resource will be created when using `UserPoolDomainTarget`. + +| Since | Default | Recommended | +| ----- | ----- | ----- | +| (not in v1) | | | +| 2.174.0 | `false` | `true` | ### @aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource @@ -1595,12 +1461,11 @@ If the flag is set to false then a custom resource will be created when using `U In an ECS Cluster with `MachineImageType.AMAZON_LINUX_2`, the canContainersAccessInstanceRole=false option attempts to add commands to block containers from accessing IMDS. CDK cannot guarantee the correct execution of the feature in all platforms. Setting this feature flag -to true will ensure CDK does not attempt to implement IMDS blocking. By **end of 2025**, CDK will remove the +to true will ensure CDK does not attempt to implement IMDS blocking. By **end of 2025**, CDK will remove the IMDS blocking feature. See [Github discussion](https://github.com/aws/aws-cdk/discussions/32609) for more information. It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1608,18 +1473,16 @@ It is recommended to follow ECS documentation to block IMDS for your specific pl **Compatibility with old behavior:** It is strongly recommended to set this flag to true. However, if necessary, set this flag to false to continue using the old implementation. - ### @aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature *When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)*** (temporary) In an ECS Cluster with `MachineImageType.AMAZON_LINUX_2`, the canContainersAccessInstanceRole=false option attempts to add commands to block containers from -accessing IMDS. Set this flag to true in order to use new and updated commands. Please note that this -feature alone with this feature flag will be deprecated by **end of 2025** as CDK cannot +accessing IMDS. Set this flag to true in order to use new and updated commands. Please note that this +feature alone with this feature flag will be deprecated by **end of 2025** as CDK cannot guarantee the correct execution of the feature in all platforms. See [Github discussion](https://github.com/aws/aws-cdk/discussions/32609) for more information. It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration. - | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1627,5 +1490,21 @@ It is recommended to follow ECS documentation to block IMDS for your specific pl **Compatibility with old behavior:** Set this flag to false in order to continue using old and outdated commands. However, it is **not** recommended. +### @aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault + +*When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere* (fix) + +For internet facing ALBs with 'dualstack-without-public-ipv4' IP address type, the default security group rules +will allow IPv6 ingress from anywhere (::/0). Previously, the default security group rules would only allow IPv4 ingress. + +Using a feature flag to make sure existing customers who might be relying +on the overly restrictive permissions are not broken. + +| Since | Default | Recommended | +| ----- | ----- | ----- | +| (not in v1) | | | +| V2NEXT | `false` | `true` | + +**Compatibility with old behavior:** Disable the feature flag to only allow IPv4 ingress in the default security group rules. diff --git a/packages/aws-cdk-lib/cx-api/README.md b/packages/aws-cdk-lib/cx-api/README.md index e1cf51ff8364e..46da524a70ede 100644 --- a/packages/aws-cdk-lib/cx-api/README.md +++ b/packages/aws-cdk-lib/cx-api/README.md @@ -1,6 +1,5 @@ # Cloud Executable API - This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aws-cdk) project. ## V2 Feature Flags @@ -19,7 +18,7 @@ and error indicating that a bucket policy already exists. In cases where we know what the required policy is we can go ahead and create the policy so we can remain in control of it. -https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3 + _cdk.json_ @@ -122,7 +121,7 @@ enabled on the bucket. This flag uses a Bucket Policy statement to allow Server Access Log delivery, following best practices for S3. -https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html + ```json { @@ -172,7 +171,7 @@ Enable this feature flag to use the \`AmazonEMRServicePolicy_v2\` managed polici This is a feature flag as the old behavior will be deprecated, but some resources may require manual intervention since they might not have the appropriate tags propagated automatically. -https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-iam-policies.html + _cdk.json_ @@ -189,8 +188,9 @@ _cdk.json_ Enable this feature flag to include the stack's prefixes to the name generation process. Not doing so can cause the name of stack to exceed 128 characters: -- The name generation ensures it doesn't exceed 128 characters -- Without this feature flag, the prefix is prepended to the generated name, which result can exceed 128 characters + +* The name generation ensures it doesn't exceed 128 characters +* Without this feature flag, the prefix is prepended to the generated name, which result can exceed 128 characters This is a feature flag as it changes the name generated for stacks. Any CDK application deployed prior this fix will most likely be generated with a new name, causing the stack to be recreated with the new name, and then deleting the old one. @@ -228,8 +228,8 @@ _cdk.json_ Enable this feature flag to update the default branch for CodeCommit source actions to `main`. -Previously, the default branch for CodeCommit source actions was set to `master`. -However, this convention is no longer supported, and repositories created after March 2021 now have `main` as +Previously, the default branch for CodeCommit source actions was set to `master`. +However, this convention is no longer supported, and repositories created after March 2021 now have `main` as their default branch. _cdk.json_ @@ -364,7 +364,7 @@ _cdk.json_ When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN. When this feature flag is enabled, the IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN. -The revision ARN is more specific than the task definition ARN. See https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html +The revision ARN is more specific than the task definition ARN. See for more details. _cdk.json_ @@ -412,8 +412,8 @@ _cdk.json_ * `@aws-cdk/aws-ec2:ec2SumTImeoutEnabled` -Currently is both initOptions.timeout and resourceSignalTimeout are both specified in the options for creating an EC2 Instance, only the value from 'resourceSignalTimeout' will be used. - +Currently is both initOptions.timeout and resourceSignalTimeout are both specified in the options for creating an EC2 Instance, only the value from 'resourceSignalTimeout' will be used. + When this feature flag is enabled, if both initOptions.timeout and resourceSignalTimeout are specified, the values will to be summed together. _cdk.json_ @@ -478,7 +478,7 @@ _cdk.json_ * `@aws-cdk/aws-dynamodb:resourcePolicyPerReplica` -If this flag is not set, the default behavior for \`TableV2\` is to use a different \`resourcePolicy\` for each replica. +If this flag is not set, the default behavior for \`TableV2\` is to use a different \`resourcePolicy\` for each replica. If this flag is set to false, the behavior is that each replica shares the same \`resourcePolicy\` as the source table. This will prevent you from creating a new table which has an additional replica and a resource policy. @@ -546,7 +546,6 @@ guarantee the correct execution of the feature in all platforms. See [Github dis **It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration.** - _cdk.json_ ```json @@ -555,4 +554,25 @@ _cdk.json_ "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": false, }, } -``` \ No newline at end of file +``` + +* `@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault` + +When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere, +For internet facing ALBs with `dualstack-without-public-ipv4` IP address type, the default security group rules +will allow IPv6 ingress from anywhere (::/0). Previously, the default security group rules would only allow IPv4 ingress. + +Using a feature flag to make sure existing customers who might be relying +on the overly restrictive permissions are not broken., + +If the flag is set to false then the default security group rules will only allow IPv4 ingress. + +_cdk.json_ + +```json +{ + "context": { + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true + } +} +``` diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index 98189fd5a3965..b50c93df54da0 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts @@ -120,6 +120,7 @@ export const ASPECT_STABILIZATION = '@aws-cdk/core:aspectStabilization'; export const USER_POOL_DOMAIN_NAME_METHOD_WITHOUT_CUSTOM_RESOURCE = '@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource'; export const Enable_IMDS_Blocking_Deprecated_Feature = '@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature'; export const Disable_ECS_IMDS_Blocking = '@aws-cdk/aws-ecs:disableEcsImdsBlocking'; +export const ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT = '@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault'; export const FLAGS: Record = { ////////////////////////////////////////////////////////////////////// @@ -1339,6 +1340,21 @@ export const FLAGS: Record = { introducedIn: { v2: '2.174.0' }, recommendedValue: true, }, + + ////////////////////////////////////////////////////////////////////// + [ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT]: { + type: FlagType.BugFix, + summary: 'When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere', + detailsMd: ` + For internet facing ALBs with 'dualstack-without-public-ipv4' IP address type, the default security group rules + will allow IPv6 ingress from anywhere (::/0). Previously, the default security group rules would only allow IPv4 ingress. + + Using a feature flag to make sure existing customers who might be relying + on the overly restrictive permissions are not broken.`, + introducedIn: { v2: 'V2NEXT' }, + recommendedValue: true, + compatibilityWithOldBehaviorMd: 'Disable the feature flag to only allow IPv4 ingress in the default security group rules.', + }, }; const CURRENT_MV = 'v2'; diff --git a/packages/aws-cdk-lib/cx-api/test/features.test.ts b/packages/aws-cdk-lib/cx-api/test/features.test.ts index 6b54f5f272a14..87d06dfaa78df 100644 --- a/packages/aws-cdk-lib/cx-api/test/features.test.ts +++ b/packages/aws-cdk-lib/cx-api/test/features.test.ts @@ -5,7 +5,7 @@ import { MAGIC_V2NEXT, compareVersions } from '../lib/private/flag-modeling'; test('all future flags have defaults configured', () => { Object.keys(feats.FLAGS).forEach(flag => { - expect(typeof(feats.futureFlagDefault(flag))).toEqual('boolean'); + expect(typeof (feats.futureFlagDefault(flag))).toEqual('boolean'); }); });