From 27b7a4529bc23b068d338b937e08c92ab4a0f962 Mon Sep 17 00:00:00 2001 
From: AWS CDK Automation <43080478+aws-cdk-automation@users.noreply.github.com> Date: Mon, 22 Apr 2024 07:12:41 -0700 Subject: [PATCH 1/3] feat: update L1 CloudFormation resource definitions (#29924) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-appintegrations │ └ resources │ └[~] resource AWS::AppIntegrations::Application │ ├ properties │ │ └[+] Permissions: Array │ └ types │ └[~] type ExternalUrlConfig │ └ properties │ └ ApprovedOrigins: - Array (required) │ + Array ├[~] service aws-autoscaling │ └ resources │ ├[~] resource AWS::AutoScaling::AutoScalingGroup │ │ ├ properties │ │ │ ├ Cooldown: (documentation changed) │ │ │ ├ DesiredCapacityType: (documentation changed) │ │ │ ├ HealthCheckType: (documentation changed) │ │ │ ├ MaxInstanceLifetime: (documentation changed) │ │ │ ├ NewInstancesProtectedFromScaleIn: (documentation changed) │ │ │ └ TerminationPolicies: (documentation changed) │ │ └ types │ │ ├[~] type LaunchTemplateOverrides │ │ │ └ properties │ │ │ └ InstanceType: (documentation changed) │ │ ├[~] type LifecycleHookSpecification │ │ │ └ properties │ │ │ └ RoleARN: (documentation changed) │ │ └[~] type MetricsCollection │ │ └ properties │ │ └ Metrics: (documentation changed) │ ├[~] resource AWS::AutoScaling::LaunchConfiguration │ │ ├ properties │ │ │ ├ AssociatePublicIpAddress: (documentation changed) │ │ │ ├ EbsOptimized: (documentation changed) │ │ │ ├ ImageId: (documentation changed) │ │ │ ├ InstanceMonitoring: (documentation changed) │ │ │ ├ KeyName: (documentation changed) │ │ │ ├ MetadataOptions: (documentation changed) │ │ │ └ PlacementTenancy: (documentation changed) │ │ └ types │ │ └[~] type BlockDevice │ │ └ properties │ │ ├ Encrypted: (documentation changed) │ │ └ VolumeType: (documentation changed) │ ├[~] resource 
AWS::AutoScaling::LifecycleHook │ │ └ properties │ │ └ RoleARN: (documentation changed) │ └[~] resource AWS::AutoScaling::ScalingPolicy │ ├ properties │ │ └ Cooldown: (documentation changed) │ └ types │ └[~] type PredictiveScalingConfiguration │ └ properties │ └ MaxCapacityBreachBehavior: (documentation changed) ├[~] service aws-backup │ └ resources │ ├[~] resource AWS::Backup::BackupPlan │ │ ├ properties │ │ │ └ BackupPlanTags: (documentation changed) │ │ └ types │ │ ├[~] type BackupRuleResourceType │ │ │ └ properties │ │ │ └ RecoveryPointTags: (documentation changed) │ │ └[~] type LifecycleResourceType │ │ └ properties │ │ └ OptInToArchiveForSupportedResources: (documentation changed) │ ├[~] resource AWS::Backup::BackupSelection │ │ └ types │ │ └[~] type ConditionParameter │ │ └ - documentation: Includes information about tags you define to assign tagged resources to a backup plan. │ │ + documentation: Includes information about tags you define to assign tagged resources to a backup plan. │ │ Include the prefix `aws:ResourceTag` in your tags. For example, `"aws:ResourceTag/TagKey1": "Value1"` . │ ├[~] resource AWS::Backup::BackupVault │ │ └ properties │ │ └ BackupVaultTags: (documentation changed) │ ├[~] resource AWS::Backup::Framework │ │ ├ properties │ │ │ └ FrameworkTags: (documentation changed) │ │ └ types │ │ ├[~] type ControlInputParameter │ │ │ └ - documentation: A list of parameters for a control. A control can have zero, one, or more than one parameter. An example of a control with two parameters is: "backup plan frequency is at least `daily` and the retention period is at least `1 year` ". The first parameter is `daily` . The second parameter is `1 year` . │ │ │ + documentation: The parameters for a control. A control can have zero, one, or more than one parameter. An example of a control with two parameters is: "backup plan frequency is at least `daily` and the retention period is at least `1 year` ". The first parameter is `daily` . 
The second parameter is `1 year` . │ │ └[~] type FrameworkControl │ │ └ properties │ │ └ ControlInputParameters: (documentation changed) │ ├[~] resource AWS::Backup::ReportPlan │ │ ├ properties │ │ │ └ ReportPlanTags: (documentation changed) │ │ └ types │ │ └[~] type ReportDeliveryChannel │ │ └ properties │ │ └ Formats: (documentation changed) │ ├[~] resource AWS::Backup::RestoreTestingPlan │ │ └ - documentation: This is the first of two steps to create a restore testing plan; once this request is successful, finish the procedure with request CreateRestoreTestingSelection. │ │ You must include the parameter RestoreTestingPlan. You may optionally include CreatorRequestId and Tags. │ │ + documentation: Creates a restore testing plan. │ │ The first of two steps to create a restore testing plan. After this request is successful, finish the procedure using CreateRestoreTestingSelection. │ └[~] resource AWS::Backup::RestoreTestingSelection │ ├ properties │ │ └ RestoreTestingSelectionName: (documentation changed) │ └ types │ └[~] type ProtectedResourceConditions │ └ - documentation: A list of conditions that you define for resources in your restore testing plan using tags. │ For example, `"StringEquals": { "Key": "aws:ResourceTag/CreatedByCryo", "Value": "true" },` . Condition operators are case sensitive. │ + documentation: The conditions that you define for resources in your restore testing plan using tags. │ For example, `"StringEquals": { "Key": "aws:ResourceTag/CreatedByCryo", "Value": "true" },` . Condition operators are case sensitive. ├[~] service aws-batch │ └ resources │ └[~] resource AWS::Batch::JobDefinition │ └ types │ └[~] type ImagePullSecret │ ├ - documentation: undefined │ │ + documentation: References a Kubernetes secret resource. This name of the secret must start and end with an alphanumeric character, is required to be lowercase, can include periods (.) and hyphens (-), and can't contain more than 253 characters. 
│ └ properties │ └ Name: (documentation changed) ├[~] service aws-bedrock │ └ resources │ ├[~] resource AWS::Bedrock::Agent │ │ ├ properties │ │ │ ├ AgentResourceRoleArn: (documentation changed) │ │ │ └ CustomerEncryptionKeyArn: (documentation changed) │ │ ├ attributes │ │ │ └ AgentArn: (documentation changed) │ │ └ types │ │ ├[~] type ActionGroupExecutor │ │ │ └ properties │ │ │ └ Lambda: (documentation changed) │ │ └[~] type AgentActionGroup │ │ └ properties │ │ └ ActionGroupExecutor: (documentation changed) │ ├[~] resource AWS::Bedrock::AgentAlias │ │ └ attributes │ │ └ AgentAliasArn: (documentation changed) │ ├[~] resource AWS::Bedrock::DataSource │ │ └ types │ │ ├[~] type S3DataSourceConfiguration │ │ │ └ properties │ │ │ └ BucketArn: (documentation changed) │ │ └[~] type ServerSideEncryptionConfiguration │ │ └ properties │ │ └ KmsKeyArn: (documentation changed) │ └[~] resource AWS::Bedrock::KnowledgeBase │ ├ properties │ │ └ RoleArn: (documentation changed) │ ├ attributes │ │ └ KnowledgeBaseArn: (documentation changed) │ └ types │ └[~] type VectorKnowledgeBaseConfiguration │ └ properties │ └ EmbeddingModelArn: (documentation changed) ├[~] service aws-cloudwatch │ └ resources │ └[~] resource AWS::CloudWatch::AnomalyDetector │ ├ properties │ │ └[+] MetricCharacteristics: MetricCharacteristics (immutable) │ └ types │ └[+] type MetricCharacteristics │ ├ documentation: This object includes parameters that you can use to provide information to CloudWatch to help it build more accurate anomaly detection models. 
│ │ name: MetricCharacteristics │ └ properties │ └PeriodicSpikes: boolean ├[~] service aws-datazone │ └ resources │ └[~] resource AWS::DataZone::DataSource │ └ types │ └[~] type GlueRunConfigurationInput │ └ properties │ └[+] AutoImportDataQualityResult: boolean ├[~] service aws-dms │ └ resources │ └[~] resource AWS::DMS::Endpoint │ └ types │ └[~] type PostgreSqlSettings │ └ properties │ └ CaptureDdls: (documentation changed) ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::CustomerGateway │ │ └ properties │ │ ├ BgpAsn: - integer (required, default=65000, immutable) │ │ │ + integer (default=65000, immutable) │ │ └[+] BgpAsnExtended: number (immutable) │ └[~] resource AWS::EC2::TransitGatewayRoute │ └ properties │ └ DestinationCidrBlock: - string (immutable) │ + string (required, immutable) ├[~] service aws-ecr │ └ resources │ └[+] resource AWS::ECR::RepositoryCreationTemplate │ ├ name: RepositoryCreationTemplate │ │ cloudFormationType: AWS::ECR::RepositoryCreationTemplate │ │ documentation: AWS::ECR::RepositoryCreationTemplate is used to create repository with configuration from a pre-defined template. │ ├ properties │ │ ├Prefix: string (required, immutable) │ │ ├Description: string │ │ ├ImageTagMutability: string │ │ ├RepositoryPolicy: string │ │ ├LifecyclePolicy: string │ │ ├EncryptionConfiguration: EncryptionConfiguration │ │ ├ResourceTags: Array │ │ └AppliedFor: Array (required) │ ├ attributes │ │ ├CreatedAt: string │ │ └UpdatedAt: string │ └ types │ └type EncryptionConfiguration │ ├ documentation: The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest. │ │ By default, when no encryption configuration is set or the `AES256` encryption type is used, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts your data at rest using an AES-256 encryption algorithm. This does not require any action on your part. 
│ │ For more control over the encryption of the contents of your repository, you can use server-side encryption with AWS Key Management Service key stored in AWS Key Management Service ( AWS KMS ) to encrypt your images. For more information, see [Amazon ECR encryption at rest](https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html) in the *Amazon Elastic Container Registry User Guide* . │ │ name: EncryptionConfiguration │ └ properties │ ├EncryptionType: string (required) │ └KmsKey: string ├[~] service aws-kms │ └ resources │ └[~] resource AWS::KMS::Key │ └ properties │ └[+] RotationPeriodInDays: integer (default=365) ├[~] service aws-lambda │ └ resources │ └[~] resource AWS::Lambda::Alias │ └ attributes │ └[+] AliasArn: string ├[~] service aws-oam │ └ resources │ └[~] resource AWS::Oam::Link │ ├ properties │ │ └[+] LinkConfiguration: LinkConfiguration │ └ types │ ├[+] type LinkConfiguration │ │ ├ name: LinkConfiguration │ │ └ properties │ │ ├MetricConfiguration: LinkFilter │ │ └LogGroupConfiguration: LinkFilter │ └[+] type LinkFilter │ ├ name: LinkFilter │ └ properties │ └Filter: string (required) ├[~] service aws-quicksight │ └ resources │ ├[~] resource AWS::QuickSight::Dashboard │ │ └ attributes │ │ └ Version: (documentation changed) │ └[~] resource AWS::QuickSight::Template │ └ attributes │ └ Version: (documentation changed) ├[~] service aws-rds │ └ resources │ └[~] resource AWS::RDS::DBInstance │ └ properties │ ├ Engine: (documentation changed) │ ├ KmsKeyId: (documentation changed) │ └ StorageEncrypted: (documentation changed) ├[~] service aws-redshiftserverless │ └ resources │ └[~] resource AWS::RedshiftServerless::Namespace │ ├ properties │ │ └[+] SnapshotCopyConfigurations: Array │ └ types │ └[+] type SnapshotCopyConfiguration │ ├ name: SnapshotCopyConfiguration │ └ properties │ ├DestinationRegion: string (required) │ ├DestinationKmsKeyId: string │ └SnapshotRetentionPeriod: integer ├[~] service aws-securitylake │ └ resources │ ├[~] 
resource AWS::SecurityLake::AwsLogSource │ │ ├ - documentation: Resource Type definition for AWS::SecurityLake::AwsLogSource │ │ │ + documentation: Adds a natively supported AWS service as an AWS source. Enables source types for member accounts in required AWS Regions, based on the parameters you specify. You can choose any source type in any Region for either accounts that are part of a trusted organization or standalone accounts. Once you add an AWS service as a source, Security Lake starts collecting logs and events from it. │ │ │ > If you want to create multiple sources using `AWS::SecurityLake::AwsLogSource` , you must use the `DependsOn` attribute to create the sources sequentially. With the `DependsOn` attribute you can specify that the creation of a specific `AWSLogSource` follows another. When you add a `DependsOn` attribute to a resource, that resource is created only after the creation of the resource specified in the `DependsOn` attribute. For an example, see [Add AWS log sources](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-resource-securitylake-awslogsource.html#aws-resource-securitylake-awslogsource--examples) . │ │ └ properties │ │ ├ Accounts: (documentation changed) │ │ ├ DataLakeArn: (documentation changed) │ │ ├ SourceName: (documentation changed) │ │ └ SourceVersion: (documentation changed) │ ├[~] resource AWS::SecurityLake::DataLake │ │ ├ - documentation: Resource Type definition for AWS::SecurityLake::DataLake │ │ │ + documentation: Initializes an Amazon Security Lake instance with the provided (or default) configuration. You can enable Security Lake in AWS Regions with customized settings before enabling log collection in Regions. To specify particular Regions, configure these Regions using the `configurations` parameter. If you have already enabled Security Lake in a Region when you call this command, the command will update the Region if you provide new configuration parameters. 
If you have not already enabled Security Lake in the Region when you call this API, it will set up the data lake in the Region with the specified configurations. │ │ │ When you enable Security Lake , it starts ingesting security data after the `CreateAwsLogSource` call. This includes ingesting security data from sources, storing data, and making data accessible to subscribers. Security Lake also enables all the existing settings and resources that it stores or maintains for your AWS account in the current Region, including security log and event data. For more information, see the [Amazon Security Lake User Guide](https://docs.aws.amazon.com//security-lake/latest/userguide/what-is-security-lake.html) . │ │ ├ properties │ │ │ ├ EncryptionConfiguration: (documentation changed) │ │ │ ├ LifecycleConfiguration: (documentation changed) │ │ │ ├ MetaStoreManagerRoleArn: (documentation changed) │ │ │ └ Tags: (documentation changed) │ │ ├ attributes │ │ │ ├ Arn: (documentation changed) │ │ │ └ S3BucketArn: (documentation changed) │ │ └ types │ │ ├[~] type EncryptionConfiguration │ │ │ ├ - documentation: Provides encryption details of Amazon Security Lake object. │ │ │ │ + documentation: Provides encryption details of the Amazon Security Lake object. The AWS shared responsibility model applies to data protection in Amazon Security Lake . As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. For more details, see [Data protection](https://docs.aws.amazon.com//security-lake/latest/userguide/data-protection.html) in the Amazon Security Lake User Guide. │ │ │ └ properties │ │ │ └ KmsKeyId: (documentation changed) │ │ ├[~] type Expiration │ │ │ ├ - documentation: Provides data expiration details of Amazon Security Lake object. 
│ │ │ │ + documentation: Provides data expiration details of the Amazon Security Lake object. You can specify your preferred Amazon S3 storage class and the time period for S3 objects to stay in that storage class before they expire. For more information about Amazon S3 Lifecycle configurations, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon Simple Storage Service User Guide* . │ │ │ └ properties │ │ │ └ Days: (documentation changed) │ │ ├[~] type LifecycleConfiguration │ │ │ ├ - documentation: Provides lifecycle details of Amazon Security Lake object. │ │ │ │ + documentation: Provides lifecycle details of Amazon Security Lake object. To manage your data so that it is stored cost effectively, you can configure retention settings for the data. You can specify your preferred Amazon S3 storage class and the time period for Amazon S3 objects to stay in that storage class before they transition to a different storage class or expire. For more information about Amazon S3 Lifecycle configurations, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon Simple Storage Service User Guide* . │ │ │ │ In Security Lake , you specify retention settings at the Region level. For example, you might choose to transition all S3 objects in a specific AWS Region to the `S3 Standard-IA` storage class 30 days after they're written to the data lake. The default Amazon S3 storage class is S3 Standard. │ │ │ │ > Security Lake doesn't support Amazon S3 Object Lock. When the data lake buckets are created, S3 Object Lock is disabled by default. Enabling S3 Object Lock with default retention mode interrupts the delivery of normalized log data to the data lake. 
│ │ │ └ properties │ │ │ ├ Expiration: (documentation changed) │ │ │ └ Transitions: (documentation changed) │ │ ├[~] type ReplicationConfiguration │ │ │ ├ - documentation: Provides replication details of Amazon Security Lake object. │ │ │ │ + documentation: Provides replication configuration details for objects stored in the Amazon Security Lake data lake. │ │ │ └ properties │ │ │ ├ Regions: (documentation changed) │ │ │ └ RoleArn: (documentation changed) │ │ └[~] type Transitions │ │ ├ - documentation: undefined │ │ │ + documentation: Provides transition lifecycle details of the Amazon Security Lake object. For more information about Amazon S3 Lifecycle configurations, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon Simple Storage Service User Guide* . │ │ └ properties │ │ ├ Days: (documentation changed) │ │ └ StorageClass: (documentation changed) │ └[~] resource AWS::SecurityLake::Subscriber │ ├ - documentation: Resource Type definition for AWS::SecurityLake::Subscriber │ │ + documentation: Creates a subscriber for accounts that are already enabled in Amazon Security Lake. You can create a subscriber with access to data in the current AWS Region. │ ├ properties │ │ ├ AccessTypes: (documentation changed) │ │ ├ DataLakeArn: (documentation changed) │ │ ├ Sources: (documentation changed) │ │ ├ SubscriberDescription: (documentation changed) │ │ └ SubscriberName: (documentation changed) │ ├ attributes │ │ ├ ResourceShareArn: (documentation changed) │ │ ├ ResourceShareName: (documentation changed) │ │ ├ S3BucketArn: (documentation changed) │ │ ├ SubscriberArn: (documentation changed) │ │ └ SubscriberRoleArn: (documentation changed) │ └ types │ ├[~] type AwsLogSource │ │ ├ - documentation: Amazon Security Lake supports log and event collection for natively supported AWS services. │ │ │ + documentation: Adds a natively supported AWS service as an Amazon Security Lake source. 
Enables source types for member accounts in required AWS Regions, based on the parameters you specify. You can choose any source type in any Region for either accounts that are part of a trusted organization or standalone accounts. Once you add an AWS service as a source, Security Lake starts collecting logs and events from it. │ │ └ properties │ │ ├ SourceName: (documentation changed) │ │ └ SourceVersion: (documentation changed) │ ├[~] type CustomLogSource │ │ ├ - documentation: undefined │ │ │ + documentation: Third-party custom log source that meets the requirements to be added to Amazon Security Lake . For more details, see [Custom log source](https://docs.aws.amazon.com//security-lake/latest/userguide/custom-sources.html#iam-roles-custom-sources) in the *Amazon Security Lake User Guide* . │ │ └ properties │ │ ├ SourceName: (documentation changed) │ │ └ SourceVersion: (documentation changed) │ ├[~] type Source │ │ ├ - documentation: undefined │ │ │ + documentation: Sources are logs and events generated from a single system that match a specific event class in the Open Cybersecurity Schema Framework (OCSF) schema. Amazon Security Lake can collect logs and events from a variety of sources, including natively supported AWS services and third-party custom sources. │ │ └ properties │ │ ├ AwsLogSource: (documentation changed) │ │ └ CustomLogSource: (documentation changed) │ └[~] type SubscriberIdentity │ ├ - documentation: The AWS identity used to access your data. │ │ + documentation: Specify the AWS account ID and external ID that the subscriber will use to access source data. 
│ └ properties │ ├ ExternalId: (documentation changed) │ └ Principal: (documentation changed) ├[~] service aws-ssm │ └ resources │ └[~] resource AWS::SSM::Document │ └ properties │ └ Name: (documentation changed) ├[~] service aws-timestream │ └ resources │ └[+] resource AWS::Timestream::InfluxDBInstance │ ├ name: InfluxDBInstance │ │ cloudFormationType: AWS::Timestream::InfluxDBInstance │ │ documentation: A DB instance is an isolated database environment running in the cloud. It is the basic building block of Amazon Timestream for InfluxDB. A DB instance can contain multiple user-created databases (or organizations and buckets for the case of InfluxDb 2.x databases), and can be accessed using the same client tools and applications you might use to access a standalone self-managed InfluxDB instance. │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ ├ properties │ │ ├Username: string (immutable) │ │ ├Password: string (immutable) │ │ ├Organization: string (immutable) │ │ ├Bucket: string (immutable) │ │ ├DbInstanceType: string (immutable) │ │ ├VpcSubnetIds: Array (immutable) │ │ ├VpcSecurityGroupIds: Array (immutable) │ │ ├PubliclyAccessible: boolean (default=false, immutable) │ │ ├DbStorageType: string (immutable) │ │ ├AllocatedStorage: integer (immutable) │ │ ├DbParameterGroupIdentifier: string │ │ ├LogDeliveryConfiguration: LogDeliveryConfiguration │ │ ├Name: string (immutable) │ │ ├DeploymentType: string (immutable) │ │ └Tags: Array │ ├ attributes │ │ ├Status: string │ │ ├Arn: string │ │ ├Id: string │ │ ├AvailabilityZone: string │ │ ├Endpoint: string │ │ ├SecondaryAvailabilityZone: string │ │ └InfluxAuthParametersSecretArn: string │ └ types │ ├type LogDeliveryConfiguration │ │├ documentation: Configuration for sending InfluxDB engine logs to a specified S3 bucket. 
│ ││ name: LogDeliveryConfiguration │ │└ properties │ │ └S3Configuration: S3Configuration (required) │ └type S3Configuration │ ├ documentation: Configuration for S3 bucket log delivery. │ │ name: S3Configuration │ └ properties │ ├BucketName: string (required) │ └Enabled: boolean (required) ├[~] service aws-transfer │ └ resources │ ├[~] resource AWS::Transfer::Certificate │ │ └ properties │ │ └ Usage: (documentation changed) │ └[~] resource AWS::Transfer::Server │ └ properties │ └ Domain: (documentation changed) └[~] service aws-wisdom └ resources └[~] resource AWS::Wisdom::KnowledgeBase └ types └[~] type AppIntegrationsConfiguration └ properties └ ObjectFields: (documentation changed) ``` --- .../@aws-cdk/cloudformation-diff/package.json | 4 +-- packages/@aws-cdk/integ-runner/package.json | 2 +- packages/aws-cdk-lib/package.json | 2 +- tools/@aws-cdk/spec2cdk/package.json | 6 ++-- yarn.lock | 28 +++++++++---------- 5 files changed, 21 insertions(+), 21 deletions(-) diff --git a/packages/@aws-cdk/cloudformation-diff/package.json b/packages/@aws-cdk/cloudformation-diff/package.json index 0ab946eff18ce..575f5057ebb4b 100644 --- a/packages/@aws-cdk/cloudformation-diff/package.json +++ b/packages/@aws-cdk/cloudformation-diff/package.json @@ -23,8 +23,8 @@ }, "license": "Apache-2.0", "dependencies": { - "@aws-cdk/aws-service-spec": "^0.0.63", - "@aws-cdk/service-spec-types": "^0.0.63", + "@aws-cdk/aws-service-spec": "^0.0.64", + "@aws-cdk/service-spec-types": "^0.0.64", "chalk": "^4", "diff": "^5.2.0", "fast-deep-equal": "^3.1.3", diff --git a/packages/@aws-cdk/integ-runner/package.json b/packages/@aws-cdk/integ-runner/package.json index a2cba70a608c2..3252e6d7a6ee4 100644 --- a/packages/@aws-cdk/integ-runner/package.json +++ b/packages/@aws-cdk/integ-runner/package.json 
@@ -74,7 +74,7 @@ "@aws-cdk/cloud-assembly-schema": "0.0.0", "@aws-cdk/cloudformation-diff": "0.0.0", "@aws-cdk/cx-api": "0.0.0", - "@aws-cdk/aws-service-spec": "^0.0.63", + "@aws-cdk/aws-service-spec": "^0.0.64", "cdk-assets": "0.0.0", "@aws-cdk/cdk-cli-wrapper": "0.0.0", "aws-cdk": "0.0.0", diff --git a/packages/aws-cdk-lib/package.json b/packages/aws-cdk-lib/package.json index 63da7bba9138b..40bbff2be61ef 100644 --- a/packages/aws-cdk-lib/package.json +++ b/packages/aws-cdk-lib/package.json @@ -135,7 +135,7 @@ "mime-types": "^2.1.35" }, "devDependencies": { - "@aws-cdk/aws-service-spec": "^0.0.63", + "@aws-cdk/aws-service-spec": "^0.0.64", "@aws-cdk/cdk-build-tools": "0.0.0", "@aws-cdk/custom-resource-handlers": "0.0.0", "@aws-cdk/pkglint": "0.0.0", diff --git a/tools/@aws-cdk/spec2cdk/package.json b/tools/@aws-cdk/spec2cdk/package.json index 7638b0c3e4923..eff274c250171 100644 --- a/tools/@aws-cdk/spec2cdk/package.json +++ b/tools/@aws-cdk/spec2cdk/package.json @@ -32,9 +32,9 @@ }, "license": "Apache-2.0", "dependencies": { - "@aws-cdk/aws-service-spec": "^0.0.63", - "@aws-cdk/service-spec-importers": "^0.0.30", - "@aws-cdk/service-spec-types": "^0.0.63", + "@aws-cdk/aws-service-spec": "^0.0.64", + "@aws-cdk/service-spec-importers": "^0.0.31", + "@aws-cdk/service-spec-types": "^0.0.64", "@cdklabs/tskb": "^0.0.3", "@cdklabs/typewriter": "^0.0.3", "camelcase": "^6", diff --git a/yarn.lock b/yarn.lock index 0cd4f5789641e..a69e825f134bd 100644 --- a/yarn.lock +++ b/yarn.lock 
@@ -56,12 +56,12 @@ resolved "https://registry.npmjs.org/@aws-cdk/asset-node-proxy-agent-v6/-/asset-node-proxy-agent-v6-2.0.3.tgz#9b5d213b5ce5ad4461f6a4720195ff8de72e6523" integrity sha512-twhuEG+JPOYCYPx/xy5uH2+VUsIEhPTzDY0F1KuB+ocjWWB/KEDiOVL19nHvbPCB6fhWnkykXEMJ4HHcKvjtvg== -"@aws-cdk/aws-service-spec@^0.0.63": - version "0.0.63" - resolved "https://registry.npmjs.org/@aws-cdk/aws-service-spec/-/aws-service-spec-0.0.63.tgz#ccd4ee02441064eb82794340397ae8c3b40af93b" - integrity sha512-MXU2Wlz3RTg4bv6tcBTUBrocL9ApGzH46/HNQyFpERErhfU5wQtjcWqsEZxbbvW7B+FDGO5++t+JN/+qsCqZDQ== +"@aws-cdk/aws-service-spec@^0.0.64": + version "0.0.64" + resolved "https://registry.npmjs.org/@aws-cdk/aws-service-spec/-/aws-service-spec-0.0.64.tgz#40a0eedd08b7c67d65c011ae343788528068d793" + integrity sha512-HkDYdnuegCfA4cBNjNExgrpNzbkHjbdb5nhq4Aw2NasAgECcGh0OsEoCgINqh6X4FHdCscJlwHm2cUbfHBx04Q== dependencies: - "@aws-cdk/service-spec-types" "^0.0.63" + "@aws-cdk/service-spec-types" "^0.0.64" "@cdklabs/tskb" "^0.0.3" "@aws-cdk/lambda-layer-kubectl-v24@^2.0.242": 
@@ -74,12 +74,12 @@ resolved "https://registry.npmjs.org/@aws-cdk/lambda-layer-kubectl-v29/-/lambda-layer-kubectl-v29-2.0.0.tgz#1c078fffa2c701c691aeb3e599e91cd3c1017e74" integrity sha512-X6RKZPcPGkYSp9/AhiNtEL7Vz2I77qCdbr5XGtqFeIyw/620Qo2ZIRFr2AjWfGEj81gvcwUbVW5lZ6+EqqyqlA== -"@aws-cdk/service-spec-importers@^0.0.30": - version "0.0.30" - resolved "https://registry.npmjs.org/@aws-cdk/service-spec-importers/-/service-spec-importers-0.0.30.tgz#c033d4328499eef4c0c072976c9948c29cb7dc71" - integrity sha512-mzi9GoxmAOD3jMuSMoTvNvYir9A+LtXQ5efBFM6jNzz+RoCutC81m5PdpQqSHT37zFuqW5gmBVZ7QH5wooVk2A== +"@aws-cdk/service-spec-importers@^0.0.31": + version "0.0.31" + resolved "https://registry.npmjs.org/@aws-cdk/service-spec-importers/-/service-spec-importers-0.0.31.tgz#3c5dcd2a8ea08260305f95fb7425dc45157ed1d9" + integrity sha512-Fyd1+TOz697vZ+2HM9LUkZD2FbIDonBeMrOhYNDviICXTvRH1pBpBrUIOjeM+joqxF4FkaRFg7lwPewwaEFvlg== dependencies: - "@aws-cdk/service-spec-types" "^0.0.63" + "@aws-cdk/service-spec-types" "^0.0.64" "@cdklabs/tskb" "^0.0.3" ajv "^6" canonicalize "^2.0.0" @@ -90,10 +90,10 @@ glob "^8" sort-json "^2.0.1" -"@aws-cdk/service-spec-types@^0.0.63": - version "0.0.63" - resolved "https://registry.npmjs.org/@aws-cdk/service-spec-types/-/service-spec-types-0.0.63.tgz#60fd7b33594491c4c2192f43e7444087b5d692d5" - integrity sha512-SN6l5rGmLgd6R7Nxv1OVrcnN3pO0oiPhSacNFQfJoU9r/4pB5DhPJxbhaQNCMor5HISQI0dfUQj4Mp9uDcHwDQ== +"@aws-cdk/service-spec-types@^0.0.64": + version "0.0.64" + resolved "https://registry.npmjs.org/@aws-cdk/service-spec-types/-/service-spec-types-0.0.64.tgz#c8be9e9099b8c3eb538b4ca3656777edb50b0128" + integrity sha512-YHu/KekOAmptELaruTfggwLHIxWKP/I+JY+z/YNG5Vww/hiqLAUnHKa2AesmxEv9q8fiKb1UGtdLd5aO+iXOCw== dependencies: "@cdklabs/tskb" "^0.0.3" From ed75b160f86b266a256ed7dd347dc54a34b937d0 Mon Sep 17 00:00:00 2001 
From: Luca Pizzini Date: Mon, 22 Apr 2024 18:36:19 +0200 Subject: [PATCH 2/3] feat(ecs): support `pidMode` for `FargateTaskDefinition` (#29670) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ### Issue # (if applicable) Closes #29619. ### Reason for this change Support [`pidMode`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html#cfn-ecs-taskdefinition-pidmode) for `FargateTaskDefinition`. ### Description of changes Added support for the `pidMode` property along with the necessary validation, documentation, and test coverage. ### Description of how you validated changes - [x] Unit tests - [x] Integration tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../aws-ecs-integ-runtime.template.json | 1 + .../aws-ecs/test/fargate/integ.runtime.ts | 1 + packages/aws-cdk-lib/aws-ecs/README.md | 17 ++++ .../aws-ecs/lib/base/task-definition.ts | 20 ++++- .../aws-ecs/lib/ec2/ec2-task-definition.ts | 2 +- .../aws-ecs/lib/fargate/fargate-service.ts | 28 +++--- .../lib/fargate/fargate-task-definition.ts | 22 +++++ .../test/fargate/fargate-service.test.ts | 87 +++++++++++++++++++ .../fargate/fargate-task-definition.test.ts | 34 ++++++++ 9 files changed, 197 insertions(+), 15 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.runtime.js.snapshot/aws-ecs-integ-runtime.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.runtime.js.snapshot/aws-ecs-integ-runtime.template.json index b9b747f93c73e..0108491f8601d 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.runtime.js.snapshot/aws-ecs-integ-runtime.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.runtime.js.snapshot/aws-ecs-integ-runtime.template.json @@ -570,6 +570,7 @@ "Family": "awsecsintegruntimeTaskDefGraviton28E28B263", "Memory": "1024", "NetworkMode": "awsvpc", + "PidMode": "host", "RequiresCompatibilities": [ "FARGATE" ], diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.runtime.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.runtime.ts index f3d1038e6c9ba..8f224e13e86cd 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.runtime.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.runtime.ts @@ -27,6 +27,7 @@ const taskDefinitiongraviton2 = new ecs.FargateTaskDefinition(stack, 'TaskDefGra }, cpu: 256, memoryLimitMiB: 1024, + pidMode: ecs.PidMode.HOST, }); taskDefinitionwindows.addContainer('windowsservercore', { diff --git a/packages/aws-cdk-lib/aws-ecs/README.md b/packages/aws-cdk-lib/aws-ecs/README.md index 3f3999c788d5a..3dcad8549d0a0 100644 --- a/packages/aws-cdk-lib/aws-ecs/README.md +++ b/packages/aws-cdk-lib/aws-ecs/README.md 
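Review bot: The added `pidMode: ecs.PidMode.HOST` in the `@@ -27,6 +27,7 @@` hunk of integ.runtime.ts asks for the host PID namespace on a Fargate task definition, and as far as I recall the ECS task-definition documentation lists `task` as the only valid value for Linux containers on Fargate, so this value should be confirmed against the service before the snapshot is accepted. If that holds, the line becomes `pidMode: ecs.PidMode.TASK,` and the `"PidMode": "host"` entry in the regenerated template follows from it. The Fargate-side validation this commit adds lives in fargate-task-definition.ts, which is not among the visible hunks, so I cannot tell whether it restricts the value. Where `host` is accepted it is also the weaker isolation setting, which makes it a poor default for an example; the `new ecs.FargateTaskDefinition(...)` call itself starts above the hunk.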
@@ -362,6 +362,23 @@ const fargateTaskDefinition = new ecs.FargateTaskDefinition(this, 'TaskDef', { }); ``` +To specify the process namespace to use for the containers in the task, use the `pidMode` property: + +```ts +const fargateTaskDefinition = new ecs.FargateTaskDefinition(this, 'TaskDef', { + runtimePlatform: { + operatingSystemFamily: ecs.OperatingSystemFamily.LINUX, + cpuArchitecture: ecs.CpuArchitecture.ARM64, + }, + memoryLimitMiB: 512, + cpu: 256, + pidMode: ecs.PidMode.HOST, +}); +``` + +**Note:** `pidMode` is only supported for tasks that are hosted on AWS Fargate if the tasks are using platform version 1.4.0 +or later (Linux). This isn't supported for Windows containers on Fargate. + To add containers to a task definition, call `addContainer()`: ```ts diff --git a/packages/aws-cdk-lib/aws-ecs/lib/base/task-definition.ts b/packages/aws-cdk-lib/aws-ecs/lib/base/task-definition.ts index c675d9166f35d..c079f1aae02a3 100644 --- a/packages/aws-cdk-lib/aws-ecs/lib/base/task-definition.ts +++ b/packages/aws-cdk-lib/aws-ecs/lib/base/task-definition.ts @@ -193,7 +193,9 @@ export interface TaskDefinitionProps extends CommonTaskDefinitionProps { /** * The process namespace to use for the containers in the task. * - * Not supported in Fargate and Windows containers. + * Only supported for tasks that are hosted on AWS Fargate if the tasks + * are using platform version 1.4.0 or later (Linux). + * Not supported in Windows containers. * * @default - PidMode used by the task is not specified */ @@ -219,8 +221,8 @@ export interface TaskDefinitionProps extends CommonTaskDefinitionProps { /** * The operating system that your task definitions are running on. - * A runtimePlatform is supported only for tasks using the Fargate launch type. * + * A runtimePlatform is supported only for tasks using the Fargate launch type. * * @default - Undefined. */ 
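Review bot: The reworded `pidMode` doc comment on `TaskDefinitionProps` (first `lib/base/task-definition.ts` hunk) says where the property is supported, but not what choosing `host` means for isolation. With `host`, the task's containers share the process namespace of the underlying host, which the ECS documentation describes as a heightened risk of undesired process namespace exposure. I would add one sentence to the comment, for example `With PidMode.HOST the containers share the host's process namespace and can see processes outside the task; prefer PidMode.TASK unless host-level visibility is required.` The same comment text is repeated on `TaskDefinition.pidMode` and `FargateTaskDefinitionProps.pidMode` later in this patch and needs the same addition. The interface body continues outside the hunk.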
@@ -372,6 +374,15 @@ export class TaskDefinition extends TaskDefinitionBase { */ public readonly ephemeralStorageGiB?: number; + /** + * The process namespace to use for the containers in the task. + * + * Only supported for tasks that are hosted on AWS Fargate if the tasks + * are using platform version 1.4.0 or later (Linux). + * Not supported in Windows containers. + */ + public readonly pidMode?: PidMode; + /** * The container definitions. */ @@ -453,9 +464,10 @@ export class TaskDefinition extends TaskDefinitionBase { } this.ephemeralStorageGiB = props.ephemeralStorageGiB; + this.pidMode = props.pidMode; // validate the cpu and memory size for the Windows operation system family. - if (props.runtimePlatform?.operatingSystemFamily?._operatingSystemFamily.includes('WINDOWS')) { + if (props.runtimePlatform?.operatingSystemFamily?.isWindows()) { // We know that props.cpu and props.memoryMiB are defined because an error would have been thrown previously if they were not. // But, typescript is not able to figure this out, so using the `!` operator here to let the type-checker know they are defined. this.checkFargateWindowsBasedTasksSize(props.cpu!, props.memoryMiB!, props.runtimePlatform!); @@ -485,7 +497,7 @@ export class TaskDefinition extends TaskDefinitionBase { cpu: props.cpu, memory: props.memoryMiB, ipcMode: props.ipcMode, - pidMode: props.pidMode, + pidMode: this.pidMode, inferenceAccelerators: Lazy.any({ produce: () => !isFargateCompatible(this.compatibility) ? this.renderInferenceAccelerators() : undefined, diff --git a/packages/aws-cdk-lib/aws-ecs/lib/ec2/ec2-task-definition.ts b/packages/aws-cdk-lib/aws-ecs/lib/ec2/ec2-task-definition.ts index e4092f76d9cf5..a75284934598b 100644 --- a/packages/aws-cdk-lib/aws-ecs/lib/ec2/ec2-task-definition.ts +++ b/packages/aws-cdk-lib/aws-ecs/lib/ec2/ec2-task-definition.ts 
@@ -49,7 +49,7 @@ export interface Ec2TaskDefinitionProps extends CommonTaskDefinitionProps { /** * The process namespace to use for the containers in the task. * - * Not supported in Fargate and Windows containers. + * Not supported in Windows containers. * * @default - PidMode used by the task is not specified */ diff --git a/packages/aws-cdk-lib/aws-ecs/lib/fargate/fargate-service.ts b/packages/aws-cdk-lib/aws-ecs/lib/fargate/fargate-service.ts index fa4194fa4f1aa..b4d1324e18947 100644 --- a/packages/aws-cdk-lib/aws-ecs/lib/fargate/fargate-service.ts +++ b/packages/aws-cdk-lib/aws-ecs/lib/fargate/fargate-service.ts @@ -128,6 +128,23 @@ export class FargateService extends BaseService implements IFargateService { throw new Error('Only one of SecurityGroup or SecurityGroups can be populated.'); } + // Platform versions not supporting referencesSecretJsonField, ephemeralStorageGiB, or pidMode on a task definition + const unsupportedPlatformVersions = [ + FargatePlatformVersion.VERSION1_0, + FargatePlatformVersion.VERSION1_1, + FargatePlatformVersion.VERSION1_2, + FargatePlatformVersion.VERSION1_3, + ]; + const isUnsupportedPlatformVersion = props.platformVersion && unsupportedPlatformVersions.includes(props.platformVersion); + + if (props.taskDefinition.ephemeralStorageGiB && isUnsupportedPlatformVersion) { + throw new Error(`The ephemeralStorageGiB feature requires platform version ${FargatePlatformVersion.VERSION1_4} or later, got ${props.platformVersion}.`); + } + + if (props.taskDefinition.pidMode && isUnsupportedPlatformVersion) { + throw new Error(`The pidMode feature requires platform version ${FargatePlatformVersion.VERSION1_4} or later, got ${props.platformVersion}.`); + } + super(scope, id, { ...props, desiredCount: props.desiredCount, 
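Review bot: In `lib/fargate/fargate-service.ts` the new `ephemeralStorageGiB` check throws from the constructor, a behaviour change the commit description does not mention (it covers only `pidMode`). An existing app that combines `ephemeralStorageGiB` with an explicit platform version 1.0.0–1.3.0 will now throw at construction after upgrading, so this deserves a line in the description. It is also inconsistent with the secret-JSON-field check in the next hunk, which reports through `this.node.addValidation`. Separately, `unsupportedPlatformVersions` is rebuilt on every construction and its name no longer says what is unsupported; a module-level constant such as `const PRE_1_4_PLATFORM_VERSIONS = [...]` would read better. The constructor starts and ends outside this hunk.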
@@ -153,9 +170,7 @@ export class FargateService extends BaseService implements IFargateService { } this.node.addValidation({ - validate: () => this.taskDefinition.referencesSecretJsonField - && props.platformVersion - && SECRET_JSON_FIELD_UNSUPPORTED_PLATFORM_VERSIONS.includes(props.platformVersion) + validate: () => this.taskDefinition.referencesSecretJsonField && isUnsupportedPlatformVersion ? [`The task definition of this service uses at least one container that references a secret JSON field. This feature requires platform version ${FargatePlatformVersion.VERSION1_4} or later.`] : [], }); @@ -214,10 +229,3 @@ export enum FargatePlatformVersion { */ VERSION1_0 = '1.0.0', } - -const SECRET_JSON_FIELD_UNSUPPORTED_PLATFORM_VERSIONS = [ - FargatePlatformVersion.VERSION1_0, - FargatePlatformVersion.VERSION1_1, - FargatePlatformVersion.VERSION1_2, - FargatePlatformVersion.VERSION1_3, -]; diff --git a/packages/aws-cdk-lib/aws-ecs/lib/fargate/fargate-task-definition.ts b/packages/aws-cdk-lib/aws-ecs/lib/fargate/fargate-task-definition.ts index bb42e4262764c..34d0bed643aa2 100644 --- a/packages/aws-cdk-lib/aws-ecs/lib/fargate/fargate-task-definition.ts +++ b/packages/aws-cdk-lib/aws-ecs/lib/fargate/fargate-task-definition.ts @@ -7,6 +7,7 @@ import { Compatibility, ITaskDefinition, NetworkMode, + PidMode, TaskDefinition, } from '../base/task-definition'; import { RuntimePlatform } from '../runtime-platform'; @@ -77,6 +78,17 @@ export interface FargateTaskDefinitionProps extends CommonTaskDefinitionProps { * @default - Undefined. */ readonly runtimePlatform?: RuntimePlatform; + + /** + * The process namespace to use for the containers in the task. + * + * Only supported for tasks that are hosted on AWS Fargate if the tasks + * are using platform version 1.4.0 or later (Linux). + * Not supported in Windows containers. + * + * @default - PidMode used by the task is not specified + */ + readonly pidMode?: PidMode; } /** 
@@ -147,6 +159,7 @@ export class FargateTaskDefinition extends TaskDefinition implements IFargateTas memoryMiB: props.memoryLimitMiB !== undefined ? Tokenization.stringifyNumber(props.memoryLimitMiB) : '512', compatibility: Compatibility.FARGATE, networkMode: NetworkMode.AWS_VPC, + pidMode: props.pidMode, }); // eslint-disable-next-line max-len @@ -154,6 +167,15 @@ export class FargateTaskDefinition extends TaskDefinition implements IFargateTas throw new Error('Ephemeral storage size must be between 21GiB and 200GiB'); } + if (props.pidMode) { + if (props.runtimePlatform?.operatingSystemFamily?.isWindows()) { + throw new Error('\'pidMode\' is not supported for Windows containers.'); + } + if (!Token.isUnresolved(props.pidMode) && props.pidMode !== PidMode.HOST) { + throw new Error(`\'pidMode\' can only be set to \'${PidMode.HOST}\' for Fargate containers, got: \'${props.pidMode}\'.`); + } + } + this.ephemeralStorageGiB = props.ephemeralStorageGiB; } } diff --git a/packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-service.test.ts b/packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-service.test.ts index 3ef83abd316b3..0ecd027501019 100644 --- a/packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-service.test.ts +++ b/packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-service.test.ts @@ -1,6 +1,7 @@ import { testDeprecated } from '@aws-cdk/cdk-build-tools'; import { Annotations, Match, Template } from '../../../assertions'; import * as appscaling from '../../../aws-applicationautoscaling'; +import * as batch from '../../../aws-batch'; import * as cloudwatch from '../../../aws-cloudwatch'; import * as ec2 from '../../../aws-ec2'; import * as elbv2 from '../../../aws-elasticloadbalancingv2'; 
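Review bot: The value check added to the `FargateTaskDefinition` constructor, `props.pidMode !== PidMode.HOST`, looks inverted. As far as I can tell from the ECS task-definition reference linked in the commit message, `task` is the only `pidMode` value accepted for Linux tasks on Fargate, so a template synthesized with `"PidMode": "host"` would likely be rejected when the task is registered or run; please confirm against the service documentation before merging. If that holds, the condition should read `props.pidMode !== PidMode.TASK`, with the message interpolating `${PidMode.TASK}`. The README example, `integ.runtime.ts` and its snapshot, and the `fargate-task-definition.test.ts` cases (the `PidMode: 'host'` expectation and 'throws when pidMode is not host') would need to follow. The constructor body starts and ends outside this hunk.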
@@ -685,6 +686,92 @@ describe('fargate service', () => { }).toThrow(/one essential container/); }); + test('errors when platform version does not support containers which references secret JSON field', () => { + // GIVEN + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'MyVpc', {}); + const cluster = new ecs.Cluster(stack, 'EcsCluster', { vpc }); + const taskDefinition = new ecs.FargateTaskDefinition(stack, 'FargateTaskDef', { + runtimePlatform: { + operatingSystemFamily: ecs.OperatingSystemFamily.LINUX, + cpuArchitecture: ecs.CpuArchitecture.ARM64, + }, + memoryLimitMiB: 512, + cpu: 256, + }); + + // Errors on validation, not on construction. + new ecs.FargateService(stack, 'FargateService', { + cluster, + taskDefinition, + platformVersion: ecs.FargatePlatformVersion.VERSION1_2, + }); + + taskDefinition.addContainer('main', { + image: ecs.ContainerImage.fromRegistry('somecontainer'), + secrets: { + envName: batch.Secret.fromSecretsManager(new secretsmanager.Secret(stack, 'testSecret'), 'secretField'), + }, + }); + + // THEN + expect(() => { + Template.fromStack(stack); + }).toThrow(/This feature requires platform version/); + }); + + test('errors when platform version does not support ephemeralStorageGiB', () => { + // GIVEN + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'MyVpc', {}); + const cluster = new ecs.Cluster(stack, 'EcsCluster', { vpc }); + const taskDefinition = new ecs.FargateTaskDefinition(stack, 'FargateTaskDef', { + runtimePlatform: { + operatingSystemFamily: ecs.OperatingSystemFamily.LINUX, + cpuArchitecture: ecs.CpuArchitecture.ARM64, + }, + memoryLimitMiB: 512, + cpu: 256, + ephemeralStorageGiB: 100, + }); + + // WHEN + // THEN + expect(() => { + new ecs.FargateService(stack, 'FargateService', { + cluster, + taskDefinition, + platformVersion: ecs.FargatePlatformVersion.VERSION1_2, + }); + }).toThrow(/The ephemeralStorageGiB feature requires platform version/); + }); + + test('errors when platform version does 
not support pidMode', () => { + // GIVEN + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'MyVpc', {}); + const cluster = new ecs.Cluster(stack, 'EcsCluster', { vpc }); + const taskDefinition = new ecs.FargateTaskDefinition(stack, 'FargateTaskDef', { + runtimePlatform: { + operatingSystemFamily: ecs.OperatingSystemFamily.LINUX, + cpuArchitecture: ecs.CpuArchitecture.ARM64, + }, + memoryLimitMiB: 512, + cpu: 256, + pidMode: ecs.PidMode.HOST, + }); + + // WHEN + // THEN + expect(() => { + new ecs.FargateService(stack, 'FargateService', { + cluster, + taskDefinition, + platformVersion: ecs.FargatePlatformVersion.VERSION1_2, + }); + }).toThrow(/The pidMode feature requires platform version/); + }); + test('allows adding the default container after creating the service', () => { // GIVEN const stack = new cdk.Stack(); diff --git a/packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-task-definition.test.ts b/packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-task-definition.test.ts index df7beb1b3fec8..def9ba61aaea8 100644 --- a/packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-task-definition.test.ts +++ b/packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-task-definition.test.ts @@ -60,6 +60,7 @@ describe('fargate task definition', () => { cpuArchitecture: ecs.CpuArchitecture.X86_64, operatingSystemFamily: ecs.OperatingSystemFamily.LINUX, }, + pidMode: ecs.PidMode.HOST, }); taskDefinition.addVolume({ @@ -84,6 +85,7 @@ describe('fargate task definition', () => { Family: 'myApp', Memory: '1024', NetworkMode: 'awsvpc', + PidMode: 'host', RequiresCompatibilities: [ ecs.LaunchType.FARGATE, ], 
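Review bot: The first new test in `fargate-service.test.ts` builds the container secret with `batch.Secret.fromSecretsManager(...)`, which pulls `aws-batch` into an ECS test solely for that call (the `import * as batch` added at the top of the file). The `secrets` option of `addContainer` belongs to the ECS module, so `ecs.Secret.fromSecretsManager(new secretsmanager.Secret(stack, 'testSecret'), 'secretField')` states the intent directly and lets the batch import be dropped. The three added tests also repeat the same stack, VPC, cluster and task-definition setup; a small local helper would keep each test focused on the one property it varies.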
@@ -161,6 +163,38 @@ describe('fargate task definition', () => { // THEN }); + + test('throws when pidMode is specified on Windows', () => { + // GIVEN + const stack = new cdk.Stack(); + + // WHEN + // THEN + expect(() => { + new ecs.FargateTaskDefinition(stack, 'FargateTaskDef', { + pidMode: ecs.PidMode.HOST, + runtimePlatform: { + operatingSystemFamily: ecs.OperatingSystemFamily.WINDOWS_SERVER_2019_CORE, + cpuArchitecture: ecs.CpuArchitecture.X86_64, + }, + cpu: 1024, + memoryLimitMiB: 2048, + }); + }).toThrow(/'pidMode' is not supported for Windows containers./); + }); + + test('throws when pidMode is not host', () => { + // GIVEN + const stack = new cdk.Stack(); + + // WHEN + // THEN + expect(() => { + new ecs.FargateTaskDefinition(stack, 'FargateTaskDef', { + pidMode: ecs.PidMode.TASK, + }); + }).toThrow(/'pidMode' can only be set to 'host' for Fargate containers, got: 'task'./); + }); }); describe('When configuredAtLaunch in the Volume', ()=> { test('do not throw when configuredAtLaunch is false', () => { From 31492c621c835e3fa08de2bbac24a0adc6fc2d69 Mon Sep 17 00:00:00 2001 
From: Hiroki Yamazaki <121911537+ymhiroki@users.noreply.github.com> Date: Tue, 23 Apr 2024 03:49:41 +0900 Subject: [PATCH 3/3] chore(bedrock): support claude3-opus and base models for provisioned throughput (#29905) ### Issue # (if applicable) N/A ### Reason for this change [Anthropic's Claude 3 Opus mode is now available](https://aws.amazon.com/jp/blogs/aws/anthropics-claude-3-opus-model-on-amazon-bedrock/), and new model IDs are published in [the guide](https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html). ### Description of changes I added model IDs for Claude 3 Opus for on-demand throughput and Claude 3 Sonnet/Haiku for provisioned throughput. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../aws-bedrock/lib/foundation-model.ts | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts b/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts index e7a1913f1a7bc..8476d1088678e 100644 --- a/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts +++ b/packages/aws-cdk-lib/aws-bedrock/lib/foundation-model.ts 
@@ -89,9 +89,24 @@ export class FoundationModelIdentifier { /** Base model "anthropic.claude-3-sonnet-20240229-v1:0". */ public static readonly ANTHROPIC_CLAUDE_3_SONNET_20240229_V1_0 = new FoundationModelIdentifier('anthropic.claude-3-sonnet-20240229-v1:0'); + /** Base model "anthropic.claude-3-sonnet-20240229-v1:0:28k" */ + public static readonly ANTHROPIC_CLAUDE_3_SONNET_20240229_V1_0_28K = new FoundationModelIdentifier('anthropic.claude-3-sonnet-20240229-v1:0:28k'); + + /** Base model "anthropic.claude-3-sonnet-20240229-v1:0:200k" */ + public static readonly ANTHROPIC_CLAUDE_3_SONNET_20240229_V1_0_200K = new FoundationModelIdentifier('anthropic.claude-3-sonnet-20240229-v1:0:200k'); + /** Base model "anthropic.claude-3-haiku-20240307-v1:0". */ public static readonly ANTHROPIC_CLAUDE_3_HAIKU_20240307_V1_0 = new FoundationModelIdentifier('anthropic.claude-3-haiku-20240307-v1:0'); + /** Base model "anthropic.claude-3-haiku-20240307-v1:0:48k" */ + public static readonly ANTHROPIC_CLAUDE_3_HAIKU_20240307_V1_0_48K = new FoundationModelIdentifier('anthropic.claude-3-haiku-20240307-v1:0:48k'); + + /** Base model "anthropic.claude-3-haiku-20240307-v1:0:200k" */ + public static readonly ANTHROPIC_CLAUDE_3_HAIKU_20240307_V1_0_200K = new FoundationModelIdentifier('anthropic.claude-3-haiku-20240307-v1:0:200k'); + + /** Base model "anthropic.claude-3-opus-20240229-v1:0" */ + public static readonly ANTHROPIC_CLAUDE_3_OPUS_20240229_V1_0 = new FoundationModelIdentifier('anthropic.claude-3-opus-20240229-v1:0'); + /** Base model "anthropic.claude-instant-v1". */ public static readonly ANTHROPIC_CLAUDE_INSTANT_V1 = new FoundationModelIdentifier('anthropic.claude-instant-v1');
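Review bot: The doc comments on the five added identifiers drop the trailing period that the surrounding entries use (`/** Base model "anthropic.claude-3-sonnet-20240229-v1:0". */`). They also do not say that the `:28k`, `:48k` and `:200k` variants are, going by the commit description, the IDs added for provisioned throughput, so a reader picking a constant cannot tell them apart from the on-demand ID by the comment alone. I would write them as, for example, `/** Base model "anthropic.claude-3-sonnet-20240229-v1:0:28k" (for provisioned throughput). */` and add the period to the Opus entry. The class body continues outside the hunk.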