fix test

aws · Jun 25, 2024 · 5e5ffd5 · 5e5ffd5
1 parent f2d5906
commit 5e5ffd5
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 8 deletions.
diff --git a/...dk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.s3-origin-oac-ssekms.ts b/...dk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.s3-origin-oac-ssekms.ts
@@ -18,8 +18,8 @@ const originAccessControl = new cloudfront.OriginAccessControl(stack, 'OriginAcc
 new cloudfront.Distribution(stack, 'Distribution', {
   defaultBehavior: {
     origin: new origins.S3Origin(bucket, {
-      originAccessControl: originAccessControl
-    })
+      originAccessControl: originAccessControl,
+    }),
   },
 });
 

diff --git a/.../@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.s3-origin-oac.ts b/.../@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.s3-origin-oac.ts
@@ -11,10 +11,10 @@ const stack = new cdk.Stack(app, 'cloudfront-s3-origin-oac');
 const bucket = new s3.Bucket(stack, 'Bucket');
 const originAccessControl = new cloudfront.OriginAccessControl(stack, 'OriginAccessControl');
 new cloudfront.Distribution(stack, 'Distribution', {
-  defaultBehavior: { 
+  defaultBehavior: {
     origin: new origins.S3Origin(bucket, {
-      originAccessControl: originAccessControl
-    })
+      originAccessControl: originAccessControl,
+    }),
   },
 });
 

diff --git a/...ndlers/test/aws-cloudfront-origins/s3-origin-access-control-bucket-policy-handler.test.ts b/...ndlers/test/aws-cloudfront-origins/s3-origin-access-control-bucket-policy-handler.test.ts
@@ -46,12 +46,12 @@ describe('S3 OAC bucket policy handler', () => {
   })
 });
 
-describe('updatePolicy', () => {
+describe('appendStatementToPolicy', () => {
   it('should add a new policy statement if it does not exist', () => {
     const currentPolicy = { Statement: [] };
     const policyStatementToAdd = { Sid: 'NewStatement', Effect: 'Allow', Action: 's3:GetObject', Resource: 'arn:aws:s3:::bucket/*' };
 
-    const updatedPolicy = updatePolicy(currentPolicy, policyStatementToAdd);
+    const updatedPolicy = appendStatementToPolicy(currentPolicy, policyStatementToAdd);
 
     expect(updatedPolicy.Statement).toContainEqual(policyStatementToAdd);
   });

diff --git a/...-handlers/test/aws-cloudfront-origins/s3-origin-access-control-key-policy-handler.test.ts b/...-handlers/test/aws-cloudfront-origins/s3-origin-access-control-key-policy-handler.test.ts
@@ -149,7 +149,7 @@ describe('getActions', () => {
   });
 });
 
-describe('updatePolicy', () => {
+describe('appendStatementToPolicy', () => {
   it('should add a new policy statement if it does not exist', () => {
     const currentPolicy = { Statement: [] };
     const policyStatementToAdd = { Sid: 'NewStatement', Effect: 'Allow', Action: ['kms:Decrypt'], Resource: '*' };

diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
@@ -73,6 +73,7 @@ Flags come in three types:
 | [@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm](#aws-cdkaws-ecsremovedefaultdeploymentalarm) | When enabled, remove default deployment alarm settings | 2.143.0 | (default) |
 | [@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault](#aws-cdkcustom-resourceslogapiresponsedatapropertytruedefault) | When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default | 2.145.0 | (fix) |
 | [@aws-cdk/aws-cloudfront:useOriginAccessControlByDefault](#aws-cdkaws-cloudfrontuseoriginaccesscontrolbydefault) | When enabled, an origin access control will be created by default when a new S3 origin is created. | V2NEXT | (fix) |
+| [@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions](#aws-cdkaws-stepfunctions-tasksecsreduceruntaskpermissions) | When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN. | V2NEXT | (fix) |
 
 <!-- END table -->
 
@@ -135,6 +136,7 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
     "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
     "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
+    "@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions": true,
     "@aws-cdk/aws-cloudfront:useOriginAccessControlByDefault": true
   }
 }
@@ -1372,4 +1374,19 @@ of an origin access identity (legacy).
 | V2NEXT | `false` | `true` |
 
 
+### @aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions
+
+*When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN.* (fix)
+
+When this feature flag is enabled, the IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN.
+The revision ARN is more specific than the task definition ARN. See https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html
+for more details.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| V2NEXT | `false` | `true` |
+
+
 <!-- END details -->