Merge branch 'main' into fix/glue-alpha/inconsistent-workflow-addconditionaltrigger-casing

Author: mergify[bot]

packages/aws-cdk-lib/aws-events-targets/test/lambda/lambda.test.ts

@@ -320,13 +320,9 @@ test('must display a warning when using a Dead Letter Queue from another account
 
   Template.fromStack(stack1).resourceCountIs('AWS::SQS::QueuePolicy', 0);
 
-  Annotations.fromStack(stack1).hasWarning('/Stack1/Rule', Match.objectLike({
-    'Fn::Join': Match.arrayWith([
-      Match.arrayWith([
-        'Cannot add a resource policy to your dead letter queue associated with rule ',
-      ]),
-    ]),
-  }));
+  Annotations.fromStack(stack1).hasWarning('/Stack1/Rule', Match.stringLikeRegexp(
+    'Cannot add a resource policy to your dead letter queue associated with rule \\${Token\\[TOKEN\\.[0-9]+\\]} because the queue is in a different account\\. You must add the resource policy manually to the dead letter queue in account 444455556666\\. \\[ack: @aws-cdk/aws-events-targets:manuallyAddDLQResourcePolicy\\]',
+  ));
 });
 
 test('specifying retry policy', () => {

packages/aws-cdk-lib/aws-lambda/test/function.test.ts

@@ -254,22 +254,7 @@ describe('function', () => {
 
       expect(getWarnings(app.synth())).toEqual([
         {
-          message: {
-            'Fn::Join': [
-              '',
-              [
-                'addPermission() has no effect on a Lambda Function with region=us-west-2, account=123456789012, in a Stack with region=',
-                {
-                  Ref: 'AWS::Region',
-                },
-                ', account=',
-                {
-                  Ref: 'AWS::AccountId',
-                },
-                '. Suppress this warning if this is is intentional, or pass sameEnvironment=true to fromFunctionAttributes() if you would like to add the permissions. [ack: UnclearLambdaEnvironment]',
-              ],
-            ],
-          },
+          message: expect.stringMatching(/^addPermission\(\) has no effect on a Lambda Function with region=us-west-2, account=123456789012, in a Stack with region=\${Token\[AWS\.Region\.\d+]}, account=\${Token\[AWS\.AccountId\.\d+]}. Suppress this warning if this is is intentional, or pass sameEnvironment=true to fromFunctionAttributes\(\) if you would like to add the permissions\. \[ack: UnclearLambdaEnvironment]$/),
           path: '/Default/Imported',
         },
       ]);

packages/aws-cdk-lib/aws-s3-notifications/test/queue.test.ts

@@ -109,15 +109,7 @@ test('if the queue is encrypted with a imported kms key, printout warning', () =
 
   bucket.addObjectCreatedNotification(new notif.SqsDestination(queue));
 
-  Annotations.fromStack(stack).hasWarning('/Default/ImportedKey', `Can not change key policy of imported kms key. Ensure that your key policy contains the following permissions: \n${JSON.stringify({
-    Action: [
-      'kms:GenerateDataKey*',
-      'kms:Decrypt',
-    ],
-    Effect: 'Allow',
-    Principal: {
-      Service: 's3.amazonaws.com',
-    },
-    Resource: '*',
-  }, null, 2)} [ack: @aws-cdk/aws-s3-notifications:sqsKMSPermissionsNotAdded]`);
+  Annotations.fromStack(stack).hasWarning('/Default/ImportedKey', Match.stringLikeRegexp(
+    'Can not change key policy of imported kms key\\. Ensure that your key policy contains the following permissions: \\n\\{\\n  "Action": \\[\\n    "kms:GenerateDataKey\\*",\\n    "kms:Decrypt"\\n  \\],\\n  "Effect": "Allow",\\n  "Principal": \\{\\n    "Service": "\\${Token\\[s3\\.amazonaws\\.com\\.[0-9]+\\]}"\\n  \\},\\n  "Resource": "\\*"\\n\\} \\[ack: @aws-cdk/aws-s3-notifications:sqsKMSPermissionsNotAdded\\]',
+  ));
 });

packages/aws-cdk-lib/aws-s3/test/notification.test.ts

@@ -162,9 +162,13 @@ describe('notification', () => {
     });
 
     // THEN - Following is warning thrown as a part of fix in : https://github.com/aws/aws-cdk/pull/31212
-    const warningMessage = { 'Fn::Join': ['', ["Can't combine imported IManagedPolicy: arn:", { Ref: 'AWS::Partition' }, ':iam::aws:policy/service-role/AWSLambdaBasicExecutionRole to imported role IRole: DevsNotAllowedToTouch. Use ManagedPolicy directly. [ack: @aws-cdk/aws-iam:IRoleCantBeUsedWithIManagedPolicy]']] };
-    const warningFromStack = Annotations.fromStack(stack).findWarning('*', {});
-    expect(warningFromStack[0].entry.data).toEqual(warningMessage);
+    const warningMessage = /Can't combine imported IManagedPolicy: arn:\${Token\[AWS\.Partition\.\d+\]}:iam::aws:policy\/service-role\/AWSLambdaBasicExecutionRole to imported role IRole: DevsNotAllowedToTouch\. Use ManagedPolicy directly\. \[ack: @aws-cdk\/aws-iam:IRoleCantBeUsedWithIManagedPolicy\]/;
+    const warningFromStack = Annotations.fromStack(stack).findWarning('*',
+      Match.stringLikeRegexp(
+        '@aws-cdk/aws-iam:IRoleCantBeUsedWithIManagedPolicy',
+      ),
+    );
+    expect(warningFromStack[0].entry.data).toEqual(expect.stringMatching(warningMessage));
   });
 
   test('If `Role` is provided, PutBucketNotification, GetBucketNotification will be added along with `service-role/AWSLambdaBasicExecutionRole`', () => {

packages/aws-cdk-lib/core/lib/stack-synthesizers/_shared.ts

@@ -100,7 +100,23 @@ function collectStackMetadata(stack: Stack) {
 
     if (node.node.metadata.length > 0) {
       // Make the path absolute
-      output[Node.PATH_SEP + node.node.path] = node.node.metadata.map(md => stack.resolve(md) as cxschema.MetadataEntry);
+      output[Node.PATH_SEP + node.node.path] = node.node.metadata.map(md => {
+        // If Annotations include a token, the message is resolved and output as `[object Object]` after synth
+        // because the message will be object type using 'Ref' or 'Fn::Join'.
+        // It would be easier for users to understand if the message from Annotations were output in token form,
+        // rather than in `[object Object]` or the object type.
+        // Therefore, we don't resolve the message if it's from Annotations.
+        if ([
+          cxschema.ArtifactMetadataEntryType.ERROR,
+          cxschema.ArtifactMetadataEntryType.WARN,
+          cxschema.ArtifactMetadataEntryType.INFO,
+        ].includes(md.type as cxschema.ArtifactMetadataEntryType)) {
+          return md;
+        }
+
+        const resolved = stack.resolve(md);
+        return resolved as cxschema.MetadataEntry;
+      });
     }
 
     for (const child of node.node.children) {

packages/aws-cdk-lib/core/test/annotations.test.ts

@@ -129,4 +129,22 @@ describe('annotations', () => {
     // THEN
     expect(getWarnings(app.synth())).toEqual([]);
   });
+
+  test('don\'t resolve the message if tokens are included', () => {
+    // GIVEN
+    const app = new App();
+    const stack = new Stack(app, 'S1');
+    const c1 = new Construct(stack, 'C1');
+
+    // WHEN
+    Annotations.of(c1).addWarningV2('MESSAGE', `stackId: ${stack.stackId}`);
+
+    // THEN
+    expect(getWarnings(app.synth())).toEqual([
+      {
+        path: '/S1/C1',
+        message: expect.stringMatching(/stackId: \${Token\[AWS::StackId\.\d+\]} \[ack: MESSAGE\]/),
+      },
+    ]);
+  });
 });