Merge branch 'master' into feat/rds-paramaeter-group

Author: mergify[bot]

packages/@aws-cdk/aws-rds/README.md

@@ -252,13 +252,13 @@ import * as secrets from '@aws-cdk/aws-secretsmanager';
 
 const vpc: ec2.IVpc = ...;
 const securityGroup: ec2.ISecurityGroup = ...;
-const secret: secrets.ISecret = ...;
+const secrets: secrets.ISecret[] = [...];
 const dbInstance: rds.IDatabaseInstance = ...;
 
 const proxy = dbInstance.addProxy('proxy', {
     connectionBorrowTimeout: cdk.Duration.seconds(30),
     maxConnectionsPercent: 50,
-    secret,
+    secrets,
     vpc,
 });
 ```

packages/@aws-cdk/aws-rds/lib/proxy.ts

@@ -235,10 +235,9 @@ export interface DatabaseProxyOptions {
   /**
    * The secret that the proxy uses to authenticate to the RDS DB instance or Aurora DB cluster.
    * These secrets are stored within Amazon Secrets Manager.
-   *
-   * @default - no secret
+   * One or more secrets are required.
    */
-  readonly secret: secretsmanager.ISecret;
+  readonly secrets: secretsmanager.ISecret[];
 
   /**
    * One or more VPC security groups to associate with the new proxy.
@@ -379,20 +378,26 @@ export class DatabaseProxy extends cdk.Resource
       assumedBy: new iam.ServicePrincipal('rds.amazonaws.com'),
     });
 
-    props.secret.grantRead(role);
+    for (const secret of props.secrets) {
+      secret.grantRead(role);
+    }
 
     this.connections = new ec2.Connections({ securityGroups: props.securityGroups });
 
     const bindResult = props.proxyTarget.bind(this);
 
+    if (props.secrets.length < 1) {
+      throw new Error('One or more secrets are required.');
+    }
+
     this.resource = new CfnDBProxy(this, 'Resource', {
-      auth: [
-        {
+      auth: props.secrets.map(_ => {
+        return {
           authScheme: 'SECRETS',
           iamAuth: props.iamAuth ? 'REQUIRED' : 'DISABLED',
-          secretArn: props.secret.secretArn,
-        },
-      ],
+          secretArn: _.secretArn,
+        };
+      }),
       dbProxyName: this.physicalName,
       debugLogging: props.debugLogging,
       engineFamily: bindResult.engineFamily,

packages/@aws-cdk/aws-rds/test/integ.proxy.ts

@@ -17,7 +17,7 @@ const dbInstance = new rds.DatabaseInstance(stack, 'dbInstance', {
 new rds.DatabaseProxy(stack, 'dbProxy', {
   borrowTimeout: cdk.Duration.seconds(30),
   maxConnectionsPercent: 50,
-  secret: dbInstance.secret!,
+  secrets: [dbInstance.secret!],
   proxyTarget: rds.ProxyTarget.fromInstance(dbInstance),
   vpc,
 });

packages/@aws-cdk/aws-rds/test/test.proxy.ts

@@ -19,7 +19,7 @@ export = {
     // WHEN
     new rds.DatabaseProxy(stack, 'Proxy', {
       proxyTarget: rds.ProxyTarget.fromInstance(instance),
-      secret: instance.secret!,
+      secrets: [instance.secret!],
       vpc,
     });
 
@@ -94,7 +94,7 @@ export = {
     // WHEN
     new rds.DatabaseProxy(stack, 'Proxy', {
       proxyTarget: rds.ProxyTarget.fromCluster(cluster),
-      secret: cluster.secret!,
+      secrets: [cluster.secret!],
       vpc,
     });
 
@@ -170,7 +170,7 @@ export = {
     test.doesNotThrow(() => {
       new rds.DatabaseProxy(stack, 'Proxy', {
         proxyTarget: rds.ProxyTarget.fromCluster(cluster),
-        secret: cluster.secret!,
+        secrets: [cluster.secret!],
         vpc,
       });
     }, /Cannot specify both dbInstanceIdentifiers and dbClusterIdentifiers/);
@@ -181,4 +181,29 @@ export = {
 
     test.done();
   },
+
+  'One or more secrets are required.'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'VPC');
+    const cluster = new rds.DatabaseCluster(stack, 'Database', {
+      engine: rds.DatabaseClusterEngine.auroraPostgres({ version: '10.7' }),
+      masterUser: { username: 'admin' },
+      instanceProps: {
+        instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.SMALL),
+        vpc,
+      },
+    });
+
+    // WHEN
+    test.throws(() => {
+      new rds.DatabaseProxy(stack, 'Proxy', {
+        proxyTarget: rds.ProxyTarget.fromCluster(cluster),
+        secrets: [], // No secret
+        vpc,
+      });
+    }, 'One or more secrets are required.');
+
+    test.done();
+  },
 };

packages/@aws-cdk/aws-stepfunctions-tasks/README.md

@@ -623,6 +623,19 @@ new tasks.LambdaInvoke(this, 'Invoke and set function response as task output',
 });
 ```
 
+If you want to combine the input and the Lambda function response you can use
+the `payloadResponseOnly` property and specify the `resultPath`. This will put the
+Lambda function ARN directly in the "Resource" string, but it conflicts with the
+integrationPattern, invocationType, clientContext, and qualifier properties.
+
+```ts
+new tasks.LambdaInvoke(this, 'Invoke and combine function response with task input', {
+  lambdaFunction: myLambda,
+  payloadResponseOnly: true,
+  resultPath: '$.myLambda',
+});
+```
+
 You can have Step Functions pause a task, and wait for an external process to
 return a task token. Read more about the [callback pattern](https://docs.aws.amazon.com/step-functions/latest/dg/callback-task-sample-sqs.html#call-back-lambda-example)
 

packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke.ts

@@ -46,6 +46,17 @@ export interface LambdaInvokeProps extends sfn.TaskStateBaseProps {
    * @default - Version or alias inherent to the `lambdaFunction` object.
    */
   readonly qualifier?: string;
+
+  /**
+   * Invoke the Lambda in a way that only returns the payload response without additional metadata.
+   *
+   * The `payloadResponseOnly` property cannot be used if `integrationPattern`, `invocationType`,
+   * `clientContext`, or `qualifier` are specified.
+   * It always uses the REQUEST_RESPONSE behavior.
+   *
+   * @default false
+   */
+  readonly payloadResponseOnly?: boolean;
 }
 
 /**
@@ -76,6 +87,13 @@ export class LambdaInvoke extends sfn.TaskStateBase {
       throw new Error('Task Token is required in `payload` for callback. Use JsonPath.taskToken to set the token.');
     }
 
+    if (props.payloadResponseOnly &&
+      (props.integrationPattern || props.invocationType || props.clientContext || props.qualifier)) {
+      throw new Error(
+        "The 'payloadResponseOnly' property cannot be used if 'integrationPattern', 'invocationType', 'clientContext', or 'qualifier' are specified.",
+      );
+    }
+
     this.taskMetrics = {
       metricPrefixSingular: 'LambdaFunction',
       metricPrefixPlural: 'LambdaFunctions',
@@ -100,16 +118,23 @@ export class LambdaInvoke extends sfn.TaskStateBase {
    * @internal
    */
   protected _renderTask(): any {
-    return {
-      Resource: integrationResourceArn('lambda', 'invoke', this.integrationPattern),
-      Parameters: sfn.FieldUtils.renderObject({
-        FunctionName: this.props.lambdaFunction.functionArn,
-        Payload: this.props.payload ? this.props.payload.value : sfn.TaskInput.fromDataAt('$').value,
-        InvocationType: this.props.invocationType,
-        ClientContext: this.props.clientContext,
-        Qualifier: this.props.qualifier,
-      }),
-    };
+    if (this.props.payloadResponseOnly) {
+      return {
+        Resource: this.props.lambdaFunction.functionArn,
+        ...this.props.payload && { Parameters: sfn.FieldUtils.renderObject(this.props.payload.value) },
+      };
+    } else {
+      return {
+        Resource: integrationResourceArn('lambda', 'invoke', this.integrationPattern),
+        Parameters: sfn.FieldUtils.renderObject({
+          FunctionName: this.props.lambdaFunction.functionArn,
+          Payload: this.props.payload ? this.props.payload.value : sfn.TaskInput.fromDataAt('$').value,
+          InvocationType: this.props.invocationType,
+          ClientContext: this.props.clientContext,
+          Qualifier: this.props.qualifier,
+        }),
+      };
+    }
   }
 }