fix(deps): update dependency aws-cdk-lib to v2.80.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
aws-cdk-lib (source)	2.22.0 -> 2.80.0

GitHub Vulnerability Alerts

CVE-2023-35165

If you are using the eks.Cluster or eks.FargateCluster construct we need you to take action. Other users are not affected and can stop reading.

Impact

The AWS Cloud Development Kit (CDK) allows for the definition of Amazon Elastic Container Service for Kubernetes (EKS) clusters. eks.Cluster and eks.FargateCluster constructs create two roles that have an overly permissive trust policy.

The first, referred to as the CreationRole, is used by lambda handlers to create the cluster and deploy Kubernetes resources (e.g KubernetesManifest, HelmChart, ...) onto it. Users with CDK version higher or equal to 1.62.0 (including v2 users) will be affected.

The second, referred to as the default MastersRole, is provisioned only if the mastersRole property isn't provided and has permissions to execute kubectl commands on the cluster. Users with CDK version higher or equal to 1.57.0 (including v2 users) will be affected.

Both these roles use the account root principal in their trust policy, which allows any identity in the account with the appropriate sts:AssumeRole permissions to assume it. For example, this can happen if another role in your account has sts:AssumeRole permissions on Resource: "*".

CreationRole

Users with CDK version higher or equal to 1.62.0 (including v2 users). The role in question can be located in the IAM console. It will have the following name pattern:

*-ClusterCreationRole-* 

MastersRole

Users with CDK version higher or equal to 1.57.0 (including v2 users) that are not specifying the mastersRole property. The role in question can be located in the IAM console. It will have the following name pattern:

*-MastersRole-*

Patches

The issue has been fixed in versions v1.202.0, v2.80.0. We recommend you upgrade to a fixed version as soon as possible. See Managing Dependencies in the CDK Developer Guide for instructions on how to do this.

The new versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it. This introduces some breaking changes that might require you to perform code changes. Refer to https://github.com/aws/aws-cdk/issues/25674 for a detailed discussion of options.

Workarounds

CreationRole

There is no workaround available for CreationRole.

MastersRole

To avoid creating the default MastersRole, use the mastersRole property to explicitly provide a role. For example:

new eks.Cluster(this, 'Cluster', { 
  ... 
  mastersRole: iam.Role.fromRoleArn(this, 'Admin', 'arn:aws:iam::xxx:role/Admin') 
}); 

References

https://github.com/aws/aws-cdk/issues/25674

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

---

Release Notes

aws/aws-cdk (aws-cdk-lib)

v2.80.0

Compare Source

⚠ BREAKING CHANGES

• eks: A masters role is no longer provisioned by default. Use the mastersRole property to explicitly pass a role that needs cluster access. In addition, the creation role no longer allows any identity (with the appropriate sts:AssumeRole permissions) to assume it.

Features

• apigateway: add grantExecute to API Methods (#​25630) (ecb59fd)
• appmesh: access log format support for app mesh (#​25229) (c4b00be)
• appsync: Add Private API support when creating a GraphqlApi (#​25569) (d7e263d)
• cfnspec: cloudformation spec v122.0.0 (#​25555) (5ccc569)
• cli: assets can now depend on stacks (#​25536) (25d5d60)
• cli: logging can be corked (#​25644) (0643020), closes #​25536
• codepipeline-actions: add KMSEncryptionKeyARN for S3DeployAction (#​24536) (b60876f), closes #​24535
• eks: alb controller include versions 2.4.2 - 2.5.1 (#​25330) (83c4c36), closes #​25307
• msk: Kafka version 3.4.0 (#​25557) (6317518), closes #​25522
• scheduler: schedule expression construct (#​25422) (97a698e)

Bug Fixes

• bootstrap: bootstrap doesn't work in non-aws partitions anymore (revert security hub finding fix) (#​25540) (8854739), closes /github.com/aws/aws-cdk/issues/19380#issuecomment-1512009270 #​25272 #​25273 #​25507
• eks: overly permissive trust policies (#​25473) (51f0193). We would like to thank @​twelvemo and @​stefreak for reporting this issue.

---

Alpha modules (2.80.0-alpha.0)

v2.79.1

Compare Source

Bug Fixes

• bootstrap: bootstrap doesn't work in non-aws partitions anymore (revert security hub finding fix) (#​25272) (4c4014e)

---

Alpha modules (2.79.1-alpha.0)

v2.79.0

Compare Source

Features

• cfnspec: cloudformation spec v121.0 (#​25499) (c2ef657)
• ecr: grantRead on repositories (#​25445) (ce7bdea)
• logs: support DataProtectionPolicy in LogGroup construct (#​23402) (ed3962a), closes #​23399

Bug Fixes

• batch: JobDefinition's ContainerDefinition's Image is synthesized with [Object object] (#​25466) (b3d0d57), closes #​25250
• cfn2ts: doesn't handle property types with the same type as a primitive type (#​25460) (b76c182), closes aws-cdk/cfnspec/spec-source/specification/000_cfn/000_official/000_AWS_IoT.json#L1437-L1442 aws-cdk/cfnspec/spec-source/specification/000_cfn/000_official/000_AWS_IoT.json#L1727-L1742 #​22732
• core: crossRegionReferences don't work across multiple regions (#​25384) (65265e1), closes #​25190 #​25377
• dynamodb: fix hardcoded partition in replica-provider IAM policy (#​25428) (b5b4f66), closes #​25407
• elasticloadbalancingv2: ALB auth return internal server error (#​24510) (75212eb), closes #​21939 #​19035 #​18944
• servicecatalogappregistry: Revert deprecated method removing PR to keep deprecated method in alpha version (#​25454) (b20b1f2)

---

Alpha modules (2.79.0-alpha.0)

Bug Fixes

• servicecatalogappregistry: Revert deprecated method to keep deprecated method in alpha version (b20b123)
• batch: JobDefinition's ContainerDefinition's Image is synthesized with [Object object] (#​25250) (b3d0d57)

v2.78.0

Compare Source

Features

• appsync: L2 construct for EventBridge DataSource. (#​25369) (a0ad49d), closes #​24809
• cfnspec: cloudformation spec v120.0.0 (#​25354) (9096602)
• codebuild: add support for aws/codebuild/amazonlinux2-aarch64-standard:3.0 (#​25351) (0d187c1), closes #​25334
• ec2: Prefixlist Constructs (#​25252) (b2dfac0), closes #​24714
• ec2: restrict access to default security group (under feature flag) (#​25297) (d8272ef), closes /docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2 #​19394
• events: Validate events rule name (#​25366) (5bdb012), closes #​25352
• rds: add missing PerformanceInsightRetention options (#​25347) (1dbae20)

Bug Fixes

• api-gateway: add validation to variables property on Stage resource (#​25267) (04427e3), closes #​3635
• apigateway: cannot use requestValidatorOptions multiple times (under feature flag) (#​25324) (2a49fd1), closes #​7613
• batch: ManagedEc2EcsComputeEnvironment instance role missing managed policy (#​25279) (c81d115), closes #​25256
• batch: JobQueue uses wrong id for underlying CfnJobQueue (#​25269) (4cbb790), closes #​25248
• core: output folder checksum is computed unnecessarily (#​25392) (f2294ba)
• ecs: Allow scheduling DAEMON services even if no EC2 capacity attached to cluster (#​25306) (#​25328) (96bb8ce)
• elasticloadbalancingv2: the bucket policy for ELB access logging is too permissive (#​25345) (748e685), closes /docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-6
• iam: Role.fromRoleName fails on AWS created roles (#​25389) (4c9ce9b)
• integ-tests: allow multiple AwsApiCalls with the same action and different parameters (#​25241) (75967e1), closes #​25014
• s3-deployment: doesn't work in ADC regions (#​25363) (432af34)
• dns-validated-cert cr doesn't use node16 (#​25348) (ad71026), closes #​25335

---

Alpha modules (2.78.0-alpha.0)

v2.77.0

Compare Source

Features

• custom-resource: upgrade builtin custom resource runtime version to Node 16 (#​24916) (6f7c4b5)
• custom-resource: expose removalPolicy (#​25235) (79881c5), closes #​25220
• ecs-patterns: Tagging support for scheduled tasks (#​25222) (6da4eba), closes #​23838 #​25106
• eks: support for Kubernetes version 1.26 (#​25088) (792e3f2), closes #​25087
• lambda: Java 17 runtime (#​25240) (5573025)
• lambda-event-sources: Add eventsourceMappingArn to IEventSourceMapping (#​24991) (ecd7374), closes #​24801
• pipelines: added logging as option for codeBuildDefaults prop on CodePipeline construct (#​25266) (d479b4d), closes #​22045 #​22045
• s3-deployment: implement new signContent option (#​24713) (5a836cb), closes #​24711
• stepfunctions-tasks: add elasticmapreduce:AddTags permission for EmrCreateCluster state with tags (#​24856) (81beab3), closes #​24842

Bug Fixes

• cli: diff doesn't display paths for removed resources (#​25294) (9bf63ed)
• pipelines: CodeBuild Action role can be assumed by too many identities (#​25316) (90cb79f)
• log buckets don't have acls enabled (#​25303) (0e9440b), closes #​25288
• apigatewayv2: does not work in non-aws partition (#​25284) (706dc89)
• appmesh: add missing port property (#​25112) (925c9ba), closes #​22452
• backup: BackupVault.fromBackupVaultArn parses wrong arn format (#​25259) (c2082a7), closes #​25212
• batch: jobDefinitionName returns ARN instead of name (#​25207) (3ea6062), closes #​25197
• bootstrap: add previous-parameters option to bootstrap command (#​25219) (02e8758), closes #​23780
• cloudfront: can't create the default log bucket (#​25298) (0eb25f2), closes /docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#access-logs-choosing-s3 #​25288 #​25291
• core: crossRegionReferences doesn't work when exporting to multiple regions (#​25190) (89b26b8), closes #​24464
• custom-resources: State functionActiveV2 not found (#​25228) (13a230e), closes #​24358
• eks: Allow helm pull from non-ECR OCI repositories (#​25237) (27da99e), closes #​24710
• eks: policy does not exist or is not attachable in China and GovCloud regions (#​25215) (ea65415), closes #​24358 #​24696
• elasticloadbalancingv2: ALB listeners with multiple forwardi… (#​25005) (512f64e), closes #​24805
• elasticloadbalancingv2: can not set sessionTimeout (#​24457) (cefbb33), closes #​12843 #​21768
• rds: Correct ARN in IAM policy for IAM database access (#​25141) (227ea09), closes #​12416 #​11851

---

Alpha modules (2.77.0-alpha.0)

v2.76.0

Compare Source

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

• servicecatalogappregistry: this change will deprecated associateStack and associateAttributeGroup in Application Construct.
  The user who are using these two method need to update to use alternative method.
  For associateStack, the alternative method is associateApplicationWithStack
  For associateAttributeGroup, the alternative method is AttributeGroup.associateWith

The user who are using these two method need to update to use alternative method. For associateStack, the alternative method is associateApplicationWithStack For associateAttributeGroup, the alternative method is AttributeGroup.associateWith

Purpose of this PR:

we need to remove deprecated resource before we moving into stable version The method that we remove is: associateStack and associateAttributeGroup

CHANGES:

1. in lib/application.ts, we remove these two methods and update their corresponding interface
2. in test/ application.test.ts & test/integ.application.ts, we update application.test.ts and integ.application.ts to remove these two methods' related test

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

Features

• cli-lib: add missing deploy options (#​25042) (ac40aed)
• codebuild: adds support for standard (7.0) image (#​25136) (4eb5e99), closes #​25124
• core: add rule IDs to the analytics string (#​25084) (0c1e885)
• ec2: add new latest amazon linux machine images (#​25083) (01fd89a), closes #​21011 #​24873 #​23523
• events-targets: Add tagging for ECS tasks triggered by an event (#​23838) (e3bc59a), closes /github.com/aws/aws-cdk/pull/19583#pullrequestreview-936428722 /github.com/aws/aws-cdk/pull/19583#pullrequestreview-936428722
• kms: add required aliasname prefix to aliasnames with tokens (#​25116) (1b18a19), closes #​25033
• rds: Support SQL Server for RDS proxy (#​25102) (2ea3e45), closes #​22164 /github.com/aws/aws-cdk/issues/22164#issuecomment-1297767306

Bug Fixes

• assertions: nested stacks inside non-root stages don't resolve t… (#​25006) (2d4a60d), closes #​24004
• aws-cdk-lib: compiled .js files are no longer being minified (#​25160) (b53727f)
• batch: jobQueueName returns ARN instead of name (#​25093) (a344507), closes #​23018
• cloudwatch: correct CompositeAlarm.fromCompositeAlarmName ARN format (#​24604) (3bf6adb), closes #​24594
• core: Duration.parse() doesn't parse milliseconds (#​25010) (8ca4c09), closes #​24971
• core: pull alpine image from ecr public (#​25179) (6d906f8), closes #​24969
• ecs: allow passing execution role to imported TaskDefinitions (#​24987) (0d156a8), closes #​24984 #​24984
• kinesis: remove StreamModeDetails in template when not specified (#​24994) (787f38a), closes #​21829
• stack account id throws error if not a string (#​25134) (d9468c5)
• servicecatalogappregistry: Remove deprecated resource in Application Construct (#​25095) (9222f21)

---

Alpha modules (2.76.0-alpha.0)

v2.75.1

Compare Source

Reverts

• "fix(core): Add stage prefix to stack name shortening process #​24443

---

Alpha modules (2.75.1-alpha.0)

v2.75.0

Compare Source

Features

• aws-lambda: Add AWS Lambda runtime python3.10 (08fb3cd)

---

Alpha modules (2.75.0-alpha.0)

v2.74.0

Compare Source

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

• batch: ComputeEnvironment has been removed and replaced by ManagedEc2EcsComputeEnvironment, ManagedEc2EksComputeEnvironment, and UnmanagedComputeEnvironment.

JobDefinition has been removed and replaced by EcsJobDefinition, EksJobDefinition, and MultiNodeJobDefinition

Features

• batch: new L2 Constructs (#​24775) (92e6c67)
• ec2: added ulimits property to ContainerDefinitionOptions (#​24963) (e37d16a), closes #​24918
• pipelines: allow artifactBucket to be overridden (#​24945) (292c846)
• sagemaker: support dlc images in sagemaker model (#​25018) (91553e5), closes /github.com/aws/aws-cdk/pull/17399/files#diff-356f35099770f68f4ceee2e63d34aad8729b0a9be6c933a0c05e999be7374685R98-R145
• ses: event destinations for configuration sets (#​24745) (3be43eb)
• step-functions-tasks: Support PropagatedTagSource property for EcsRunTask (#​24949) (a98a981), closes #​12999
• stepfunctions-tasks: Node.js 18.x runtime for EvaluateExpression (#​25002) (f26bfe9)

Bug Fixes

• cloudwatch: p100 statistic is no longer recognized (#​24981) (adc1a13), closes #​23095 #​24976
• events-targets: parameter JobName can exceed limit of 128 characters (#​24786) (923b9f1), closes #​24654
• redshift: Column ids were not being default assigned (#​24546) (8a655bd), closes #​24545
• s3: deprecate unencrypted encryption configuration for s3 bucket (#​24770) (b971615)
• ecr policy warning always throws (#​25041) (c0c3d19), closes #​25028
• core: Add stage prefix to stack name shortening process (#​24443) (55621ad), closes #​23628
• servicecatalogappregistry: Imported attribute group cannot be associated to an application (#​24960) (4c2e7d6)

---

Alpha modules (2.74.0-alpha.0)

v2.73.0

Compare Source

Features

• cli: exposed synth's quiet option in cdk.json (#​24793) (8c58b25), closes #​24251
• pipelines: Add ability to define fileSystemLocations for a CodePipeline (#​24584) (55906bb), closes #​24495
• rds: Add dbname parameter to RDS.DatabaseSecret construct (#​24729) (b9ce0ee), closes #​24728
• trigger: Allow trigger to work with Lambda functions with long timeouts (#​24435) (30e05f0), closes #​23788

Bug Fixes

• core: some trace info is missing from the validation report (#​24889) (5003cad)
• ec2: looking up a shared VPC has incorrect account ID in ARN (#​24486) (963634b), closes #​23865
• ecr: policytext errors when includes resource (#​24401) (a9d6966)
• globalaccelerator: parameter name can exceed limit of 64 characters (#​24796) (334dc80), closes #​24325
• iam: roleName not validated in fromRoleName function (#​24549) (637fc6a), closes #​24503
• lambda-nodejs: pnpm installs frozen lockfile in a CI environment (#​24781) (552cef4), closes /github.com/pnpm/pnpm/issues/1994#issuecomment-609403673

---

Alpha modules (2.73.0-alpha.0)

v2.72.1

Compare Source

---

Alpha modules (2.72.1-alpha.0)

v2.72.0

Compare Source

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

• cdk-lib: The return type of aws-cdk-lib.aws_ec2.SecurityGroup.determineRuleScope was changed from a tuple ([SecurityGroupBase, string]) to a struct with the same values, because tuple types are not supported over the jsii interoperability layer, but jsii@v1 was incorrectly allowing this to be represented as the JSON primitive type. This made the API unusable in non-JS languages. The type of the metadata property of aws-cdk-lib.aws_s3_deployment.BucketDeploymentProps was changed from an index-only struct to an inline map, because jsii@v1 silently ignored the index signature (which is otherwise un-supported), resulting in an empty object in non-JS/TS languages. As a consequence, the values of that map can no longer be undefined (as jsii does not currently support nullable elements in collections).

Features

• apprunner-alpha: support autoDeploymentsEnabled flag for Service (#​24612) (cf5a9c4), closes #​24529
• cfnspec: cloudformation spec v117.0.0 (#​24779) (1b94ea6)
• cfnspec: cloudformation spec v117.0.0 (#​24841) (84630e9)
• cloudfront-origins: allow custom originPath for apigateway.RestApi constructs (#​24023) (bc3db02)
• core: template validation after synthesis (#​23951) (20aeb0f)
• dynamodb: adds deletion protection for tables (#​24581) (6e400a9), closes #​24540
• ecs: support pseudo terminal allocation in container definition (#​24790) (3c0756a)
• efs: implement IResourceWithPolicy (#​24453) (5771d79), closes #​15805
• kms: Adds support for hmac and sm2 key spec (#​23866) (f2f3c21), closes #​23727
• s3: add allowedActionPatterns parameter to grantWrite (#​24211) (5b5c36f), closes #​24074
• s3-deployment: added Source.dataYaml helper function (#​24579) (d969ddf), closes #​24554
• added AllViewerExceptHostHeader as new OriginRequest policy (#​24562) (8dbca12), closes #​24552

Bug Fixes

• bootstrap: ECR repository produces Security Hub finding [ECR.3] because of missing lifecycle policy (#​24735) (cdfa970)
• cli: cdk deploy output hook failure reason if cloudformation failed by hook (#​24444) (9d4b66a)
• cli: pathMetadata and assetMetadata defaults cannot be configured in cdk.json (#​24533) (45bc57a), closes #​3573
• dynamodb: add missing iam permissions to custom resource for deleting dynamodb replica table (#​24682) (f35b70b), closes #​22069
• ec2: tokenised subnet.subnetId filtered by the SubnetIdSubnetFilter returns an empty array (#​24625) (d0912ca), closes #​24427
• ec2: VPC Flow Log record fields are not available (#​24812) (65fb7a6), closes #​24807
• ecs: cpu in container definition may be less than total cpu allocated to the container (#​24647) (dc064be), closes #​24629
• lambda-nodejs: pnpm no longer supports nodejs14.x (#​24821) (b1c9ab2)
• logs-destinations: missing dependency to Permission Policy created by LambdaDestination (#​24823) (72b3a95), closes #​21941 /github.com/aws/aws-cdk/pull/22100#issue-1377109110
• logs-destinations: missing dependency to Policy created by KinesisDestination (#​24811) (3c98d1e), closes #​21827 /github.com/aws/aws-cdk/issues/21827#issuecomment-1382128416
• s3-deployment: physical id not set during failure scenario (#​24428) (be4be99), closes #​22670
• stepfunctions-tasks: updated EMR service role to use AmazonEMRServicePolicy_v2 (under feature flag) (#​23985) (f3fd183), closes #​23915

Miscellaneous Chores

• cdk-lib: migrate to jsii@5.0 / jsii-rosetta@5.0 (#​24425) (6d581d7)

---

Alpha modules (2.72.0-alpha.0)

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

• servicecatalogappregistry: This commit involves share replacement during the deployment of ApplicationAssociator due to share construct id update. After this change, frequent share replacements due to structural change in Application construct should be avoided. Application.shareApplication starts to require construct id (first argument) and share name (added in ShareOption) as input.
• ivs: Renamed ChannelProps.name to ChannelProps.channelName
• Renamed PlaybackKeyPairProps.name to PlaybackKeyPairProps.playbackKeyPairName
• Channel now generates a physical name if one is not provided
• PlaybackKeyPair now generates a physical name if one is not provided

Bug Fixes

• integ-runner: update workflow doesn't support resource replacement (#​24720) (07d3aa7)
• ivs: Not a standard physical name pattern (#​24706) (7d17fe3)
• servicecatalogappregistry: RAM Share is replaced on every change to Application (#​24760) (8977d0d)

v2.71.0

Compare Source

Features

• core: template validation after synthesis (#​23951) (91d6509)

Bug Fixes

• lambda-nodejs: pnpm no longer supports nodejs14.x (#​24821) (a8e9370)

---

Alpha modules (2.71.0-alpha.0)

v2.70.0

Compare Source

Features

• cfnspec: cloudformation spec v116.0.0 (#​24662) (e8158af)
• cloudwatch: added defaultInterval prop to cw-dashboard (#​24707) (d4717cf)
• ec2: CFN-init support for systemd (#​24683) (f3fe8e1)
• ec2: SSM sessions (#​24673) (9744a82)
• ecr: add option to auto delete images upon ECR repository removal (#​24572) (7de5b00), closes #​15932 #​12618 #​15932
• elasticloadbalancing: classic load balancer supports ec2 instances (#​24353) (25b6edd), closes #​23500
• servicecatalogappregistry-alpha: Introduce flag to control application sharing and association behavior for cross-account stacks (#​24408) (2167289), closes aws-cdk/aws-servicecatalogappregistry/lib/aspects/stack-associator.ts#L91-L95

Bug Fixes

• bootstrap: remove Security Hub finding KMS.2 (#​24588) (274c3d5), closes /docs.aws.amazon.com/securityhub/latest/userguide/kms-controls.html#kms-2
• cli: no change deployment prints "hotswap deployment skipped" without hotswap flag (#​24602) (79151fd)
• cli: user agent is reported as undefined/undefined (#​24663) (3e8d8d8)
• eks: fail to update cluster by disabling logging props (#​24688) (767cf93)
• sfn: stop replacing JsonPath.DISCARD with null (#​24717) (413b643), closes #​24593
• toolkit: RWLock.acquireRead is not re-entrant (#​24702) (3b7431b)
• WAFv2: add patch to revert struct names ([#​24651](https://redirect.gith

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.