aws · mergify · May 29, 2024 · May 29, 2024 · May 29, 2024 · May 29, 2024
diff --git a/...integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.assets.json b/...integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.assets.json
diff --git a/...teg/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.template.json b/...teg/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.template.json
@@ -86,35 +86,8 @@
        "Action": "s3:PutObject",
        "Condition": {
         "StringEquals": {
-         "aws:SourceAccount": {
+         "aws:Referer": {
           "Ref": "AWS::AccountId"
-         },
-         "aws:SourceArn": {
-          "Fn::Join": [
-           "",
-           [
-            "arn:",
-            {
-             "Ref": "AWS::Partition"
-            },
-            ":ses:",
-            {
-             "Ref": "AWS::Region"
-            },
-            ":",
-            {
-             "Ref": "AWS::AccountId"
-            },
-            ":receipt-rule-set/",
-            {
-             "Ref": "RuleSetE30C6C48"
-            },
-            ":receipt-rule/",
-            {
-             "Ref": "RuleSetFirstRule0A27C8CC"
-            }
-           ]
-          ]
          }
         }
        },
@@ -313,6 +286,7 @@
     }
    },
    "DependsOn": [
+    "BucketPolicyE9A3008A",
     "FunctionAllowSes1829904A"
    ]
   },

diff --git a/...testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/manifest.json b/...testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/manifest.json
diff --git a/...cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/tree.json b/...cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/tree.json
diff --git a/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md b/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md
@@ -68,7 +68,9 @@ Flags come in three types:
 | [@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2](#aws-cdkaws-codepipelinedefaultpipelinetypetov2) | Enables Pipeline to set the default pipeline type to V2. | 2.133.0 | (default) |
 | [@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope](#aws-cdkaws-kmsreducecrossaccountregionpolicyscope) | When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only. | 2.134.0 | (fix) |
 | [@aws-cdk/aws-eks:nodegroupNameAttribute](#aws-cdkaws-eksnodegroupnameattribute) | When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix. | 2.139.0 | (fix) |
-| [@aws-cdk/aws-ec2:ebsDefaultGp3Volume](#aws-cdkaws-ec2ebsdefaultgp3volume) | When enabled, the default volume type of the EBS volume will be GP3 | V2NEXT | (default) |
+| [@aws-cdk/aws-ec2:ebsDefaultGp3Volume](#aws-cdkaws-ec2ebsdefaultgp3volume) | When enabled, the default volume type of the EBS volume will be GP3 | 2.140.0 | (default) |
+| [@aws-cdk/pipelines:reduceAssetRoleTrustScope](#aws-cdkpipelinesreduceassetroletrustscope) | Remove the root account principal from PipelineAssetsFileRole trust policy | 2.141.0 | (default) |
+| [@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm](#aws-cdkaws-ecsremovedefaultdeploymentalarm) | When enabled, remove default deployment alarm settings | 2.143.0 | (default) |
 
 <!-- END table -->
 
@@ -128,7 +130,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
     "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
     "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
-    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true
+    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+    "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true
   }
 }
 ```
@@ -171,6 +174,7 @@ are migrating a v1 CDK project to v2, explicitly set any of these flags which do
 | [@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId](#aws-cdkaws-apigatewayusageplankeyorderinsensitiveid) | Allow adding/removing multiple UsagePlanKeys independently | (fix) | 1.98.0 | `false` | `true` |
 | [@aws-cdk/aws-lambda:recognizeVersionProps](#aws-cdkaws-lambdarecognizeversionprops) | Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the  `fn.currentVersion`. | (fix) | 1.106.0 | `false` | `true` |
 | [@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2\_2021](#aws-cdkaws-cloudfrontdefaultsecuritypolicytlsv12_2021) | Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default. | (fix) | 1.117.0 | `false` | `true` |
+| [@aws-cdk/pipelines:reduceAssetRoleTrustScope](#aws-cdkpipelinesreduceassetroletrustscope) | Remove the root account principal from PipelineAssetsFileRole trust policy | (default) |  | `false` | `true` |
 
 <!-- END diff -->
 
@@ -185,7 +189,8 @@ Here is an example of a `cdk.json` file that restores v1 behavior for these flag
     "@aws-cdk/aws-rds:lowercaseDbIdentifier": false,
     "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": false,
     "@aws-cdk/aws-lambda:recognizeVersionProps": false,
-    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": false
+    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": false,
+    "@aws-cdk/pipelines:reduceAssetRoleTrustScope": false
   }
 }
 ```
@@ -1293,9 +1298,40 @@ When this featuer flag is enabled, the default volume type of the EBS volume wil
 | Since | Default | Recommended |
 | ----- | ----- | ----- |
 | (not in v1) |  |  |
-| V2NEXT | `false` | `true` |
+| 2.140.0 | `false` | `true` |
 
 **Compatibility with old behavior:** Pass `volumeType: EbsDeviceVolumeType.GENERAL_PURPOSE_SSD` to `Volume` construct to restore the previous behavior.
 
 
+### @aws-cdk/pipelines:reduceAssetRoleTrustScope
+
+*Remove the root account principal from PipelineAssetsFileRole trust policy* (default)
+
+When this feature flag is enabled, the root account principal will not be added to the trust policy of asset role.
+When this feature flag is disabled, it will keep the root account principal in the trust policy.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| 2.141.0 | `true` | `true` |
+
+**Compatibility with old behavior:** Disable the feature flag to add the root account principal back
+
+
+### @aws-cdk/aws-ecs:removeDefaultDeploymentAlarm
+
+*When enabled, remove default deployment alarm settings* (default)
+
+When this featuer flag is enabled, remove the default deployment alarm settings when creating a AWS ECS service.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| 2.143.0 | `false` | `true` |
+
+**Compatibility with old behavior:** Set AWS::ECS::Service 'DeploymentAlarms' manually to restore the previous behavior.
+
+
 <!-- END details -->
diff --git a/packages/aws-cdk-lib/aws-ses-actions/lib/s3.ts b/packages/aws-cdk-lib/aws-ses-actions/lib/s3.ts
@@ -42,12 +42,32 @@ export interface S3Props {
  * a notification to Amazon SNS.
  */
 export class S3 implements ses.IReceiptRuleAction {
-  private rule?: ses.IReceiptRule;
+
   constructor(private readonly props: S3Props) {
   }
 
   public bind(rule: ses.IReceiptRule): ses.ReceiptRuleActionConfig {
-    this.rule = rule;
+    // Allow SES to write to S3 bucket
+    // See https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html#receiving-email-permissions-s3
+    const keyPattern = this.props.objectKeyPrefix || '';
+    const s3Statement = new iam.PolicyStatement({
+      actions: ['s3:PutObject'],
+      principals: [new iam.ServicePrincipal('ses.amazonaws.com')],
+      resources: [this.props.bucket.arnForObjects(`${keyPattern}*`)],
+      conditions: {
+        StringEquals: {
+          'aws:Referer': cdk.Aws.ACCOUNT_ID,
+        },
+      },
+    });
+    this.props.bucket.addToResourcePolicy(s3Statement);
+
+    const policy = this.props.bucket.node.tryFindChild('Policy') as s3.BucketPolicy;
+    if (policy) { // The bucket could be imported
+      rule.node.addDependency(policy);
+    } else {
+      cdk.Annotations.of(rule).addWarningV2('@aws-cdk/s3:AddBucketPermissions', 'This rule is using a S3 action with an imported bucket. Ensure permission is given to SES to write to that bucket.');
+    }
 
     // Allow SES to use KMS master key
     // See https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html#receiving-email-permissions-kms
@@ -79,41 +99,4 @@ export class S3 implements ses.IReceiptRuleAction {
       },
     };
   }
-
-  /**
-   * Generate and apply the receipt rule action statement
-   *
-   * @param ruleSet The rule set the rule is being added to
-   * @internal
-   */
-  public _applyPolicyStatement(receiptRuleSet: ses.IReceiptRuleSet): void {
-    if (!this.rule) {
-      throw new Error('Cannot apply policy statement before binding the action to a receipt rule');
-    }
-
-    // Allow SES to write to S3 bucket
-    // See https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html#receiving-email-permissions-s3
-    const keyPattern = this.props.objectKeyPrefix || '';
-    const s3Statement = new iam.PolicyStatement({
-      actions: ['s3:PutObject'],
-      principals: [new iam.ServicePrincipal('ses.amazonaws.com')],
-      resources: [this.props.bucket.arnForObjects(`${keyPattern}*`)],
-      conditions: {
-        StringEquals: {
-          'aws:SourceAccount': cdk.Aws.ACCOUNT_ID,
-          'aws:SourceArn': cdk.Arn.format({
-            partition: cdk.Aws.PARTITION,
-            service: 'ses',
-            region: cdk.Aws.REGION,
-            account: cdk.Aws.ACCOUNT_ID,
-            resource: [
-              `receipt-rule-set/${receiptRuleSet.receiptRuleSetName}`,
-              `receipt-rule/${this.rule.receiptRuleName}`,
-            ].join(':'),
-          }),
-        },
-      },
-    });
-    this.props.bucket.addToResourcePolicy(s3Statement);
-  }
 }
diff --git a/packages/aws-cdk-lib/aws-ses-actions/test/actions.test.ts b/packages/aws-cdk-lib/aws-ses-actions/test/actions.test.ts
@@ -190,26 +190,9 @@ test('add s3 action', () => {
           Action: 's3:PutObject',
           Condition: {
             StringEquals: {
-              'aws:SourceAccount': {
+              'aws:Referer': {
                 Ref: 'AWS::AccountId',
               },
-              'aws:SourceArn': {
-                'Fn::Join': [
-                  '',
-                  [
-                    'arn:',
-                    { Ref: 'AWS::Partition' },
-                    ':ses:',
-                    { Ref: 'AWS::Region' },
-                    ':',
-                    { Ref: 'AWS::AccountId' },
-                    ':receipt-rule-set/',
-                    { Ref: 'RuleSetE30C6C48' },
-                    ':receipt-rule/',
-                    { Ref: 'RuleSetRule0B1D6BCA' },
-                  ],
-                ],
-              },
             },
           },
           Effect: 'Allow',

diff --git a/packages/aws-cdk-lib/aws-ses/lib/receipt-rule-action.ts b/packages/aws-cdk-lib/aws-ses/lib/receipt-rule-action.ts
@@ -1,5 +1,4 @@
 import { IReceiptRule } from './receipt-rule';
-import { IReceiptRuleSet } from './receipt-rule-set';
 
 /**
  * An abstract action for a receipt rule.
@@ -10,13 +9,6 @@ export interface IReceiptRuleAction {
    */
   bind(receiptRule: IReceiptRule): ReceiptRuleActionConfig;
 
-  /**
-   * Generate and apply the receipt rule action statement
-   *
-   * @param ruleSet The rule set the rule is being added to
-   * @internal
-   */
-  _applyPolicyStatement?(ruleSet: IReceiptRuleSet): void;
 }
 
 /**

diff --git a/packages/aws-cdk-lib/aws-ses/lib/receipt-rule.ts b/packages/aws-cdk-lib/aws-ses/lib/receipt-rule.ts
@@ -112,10 +112,7 @@ export class ReceiptRule extends Resource implements IReceiptRule {
   }
 
   public readonly receiptRuleName: string;
-
-  private readonly ruleSet: IReceiptRuleSet;
-  private readonly actions: IReceiptRuleAction[] = [];
-  private readonly actionProperties: CfnReceiptRule.ActionProperty[] = [];
+  private readonly actions = new Array<CfnReceiptRule.ActionProperty>();
 
   constructor(scope: Construct, id: string, props: ReceiptRuleProps) {
     super(scope, id, {
@@ -136,7 +133,6 @@ export class ReceiptRule extends Resource implements IReceiptRule {
     });
 
     this.receiptRuleName = resource.ref;
-    this.ruleSet = props.ruleSet;
 
     for (const action of props.actions || []) {
       this.addAction(action);
@@ -147,20 +143,15 @@ export class ReceiptRule extends Resource implements IReceiptRule {
    * Adds an action to this receipt rule.
    */
   public addAction(action: IReceiptRuleAction) {
-    this.actions.push(action);
-    this.actionProperties.push(action.bind(this));
+    this.actions.push(action.bind(this));
   }
 
   private renderActions() {
-    if (this.actionProperties.length === 0) {
+    if (this.actions.length === 0) {
       return undefined;
     }
 
-    for (const action of this.actions) {
-      action._applyPolicyStatement?.(this.ruleSet);
-    }
-
-    return this.actionProperties;
+    return this.actions;
   }
 }