aws
diff --git a/Diff for: ‎CHANGELOG.md
+28 b/Diff for: ‎CHANGELOG.md
+28
diff --git a/Diff for: ‎packages/@aws-cdk/aws-appsync/lib/data-source.ts
+2-1 b/Diff for: ‎packages/@aws-cdk/aws-appsync/lib/data-source.ts
+2-1
diff --git a/Diff for: ‎packages/@aws-cdk/aws-appsync/test/appsync-lambda.test.ts
+36 b/Diff for: ‎packages/@aws-cdk/aws-appsync/test/appsync-lambda.test.ts
+36
diff --git a/Diff for: ‎packages/@aws-cdk/aws-iotevents/README.md
+13 b/Diff for: ‎packages/@aws-cdk/aws-iotevents/README.md
+13
diff --git a/Diff for: ‎packages/@aws-cdk/aws-iotevents/lib/detector-model.ts
+2-2 b/Diff for: ‎packages/@aws-cdk/aws-iotevents/lib/detector-model.ts
+2-2
diff --git a/Diff for: ‎packages/@aws-cdk/aws-iotevents/lib/expression.ts
+5-5 b/Diff for: ‎packages/@aws-cdk/aws-iotevents/lib/expression.ts
+5-5
diff --git a/Diff for: ‎packages/@aws-cdk/aws-iotevents/lib/input.ts
+67-10 b/Diff for: ‎packages/@aws-cdk/aws-iotevents/lib/input.ts
+67-10
diff --git a/Diff for: ‎packages/@aws-cdk/aws-iotevents/lib/state.ts
+5-5 b/Diff for: ‎packages/@aws-cdk/aws-iotevents/lib/state.ts
+5-5
@@ -2,6 +2,34 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.143.0](https://github.com/aws/aws-cdk/compare/v1.142.0...v1.143.0) (2022-02-02)
+
+
+### Features
+
+* **amplify:** support performance mode in Branch ([#18598](https://github.com/aws/aws-cdk/issues/18598)) ([bdeb8eb](https://github.com/aws/aws-cdk/commit/bdeb8eb604f5012ce3180d2f6d887fed1834e4f4)), closes [#18557](https://github.com/aws/aws-cdk/issues/18557)
+* **cfnspec:** cloudformation spec v54.0.0 ([#18764](https://github.com/aws/aws-cdk/issues/18764)) ([71601c1](https://github.com/aws/aws-cdk/commit/71601c115a6460b4532a34c83100ae70a476fad2))
+* **cloudwatch-actions:** add ssm opsitem action for cloudwatch alarm  ([#16923](https://github.com/aws/aws-cdk/issues/16923)) ([9380885](https://github.com/aws/aws-cdk/commit/93808851415bff269418f28d9de3c61727e143d3)), closes [#16861](https://github.com/aws/aws-cdk/issues/16861)
+* **dynamodb:** allow setting TableClass for a Table ([#18719](https://github.com/aws/aws-cdk/issues/18719)) ([73a889e](https://github.com/aws/aws-cdk/commit/73a889eba85d0aa542ac96a1124f3ae4f1d351bc)), closes [#18718](https://github.com/aws/aws-cdk/issues/18718)
+* **ec2:** support KMS keys for block device mappings for both instances and launch templates ([#18326](https://github.com/aws/aws-cdk/issues/18326)) ([17dbe5f](https://github.com/aws/aws-cdk/commit/17dbe5f476ac1ccc0c0e6a0905b0de5ae6186704)), closes [#18309](https://github.com/aws/aws-cdk/issues/18309)
+* **ecr:** add server-side encryption configuration  ([#16966](https://github.com/aws/aws-cdk/issues/16966)) ([c46acd5](https://github.com/aws/aws-cdk/commit/c46acd5f13442c43d0c2ed339e3091dd46002741)), closes [#15400](https://github.com/aws/aws-cdk/issues/15400) [#15571](https://github.com/aws/aws-cdk/issues/15571)
+* **ecs:** expose image name in container definition ([#17793](https://github.com/aws/aws-cdk/issues/17793)) ([1947d7c](https://github.com/aws/aws-cdk/commit/1947d7cc809fda0765bee3dbb2286190ec2847f7))
+* **fsx:** add support for FSx Lustre Persistent_2 deployment type ([#18626](https://github.com/aws/aws-cdk/issues/18626)) ([6036d99](https://github.com/aws/aws-cdk/commit/6036d9927bb3607e31a57361bf304976ff1891f7))
+* **iot:** add Action to republish MQTT messages to another MQTT topic ([#18661](https://github.com/aws/aws-cdk/issues/18661)) ([7ac1215](https://github.com/aws/aws-cdk/commit/7ac121546776cae972bbfb89c2a11949762e7c47))
+
+
+### Bug Fixes
+
+* **core:** correctly reference versionless secure parameters ([#18730](https://github.com/aws/aws-cdk/issues/18730)) ([9f6e10e](https://github.com/aws/aws-cdk/commit/9f6e10ed0a751c06fe0cc1d79f38d5fb4b686087)), closes [#18729](https://github.com/aws/aws-cdk/issues/18729)
+* **ec2:** `UserData.addSignalOnExitCommand` does not work in combination with `userDataCausesReplacement` ([#18726](https://github.com/aws/aws-cdk/issues/18726)) ([afdc550](https://github.com/aws/aws-cdk/commit/afdc550ee372dd25d9d2eef81a545da1e923f796)), closes [#12749](https://github.com/aws/aws-cdk/issues/12749)
+* **vpc:** Vpc.fromLookup should throw if subnet group name tag is explicitly given and does not exist ([#18714](https://github.com/aws/aws-cdk/issues/18714)) ([13e1c7f](https://github.com/aws/aws-cdk/commit/13e1c7f10b81fc350953fe69fcccb61ff5aa9c1e)), closes [#13962](https://github.com/aws/aws-cdk/issues/13962)
+
+
+### Reverts
+
+* "chore(cloudfront): encryption and enforceSSL on distribution s3 loggingBucket ([#18264](https://github.com/aws/aws-cdk/issues/18264))" ([#18772](https://github.com/aws/aws-cdk/issues/18772)) ([121e4a1](https://github.com/aws/aws-cdk/commit/121e4a1dec13d31644f6176d0a1d703952dc1ba3)), closes [#18271](https://github.com/aws/aws-cdk/issues/18271) [/docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3](https://github.com/aws//docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html/issues/AWS-logs-infrastructure-S3) [#18676](https://github.com/aws/aws-cdk/issues/18676)
+* "chore(ec2): enforceSSL on flowLog s3 bucket ([#18271](https://github.com/aws/aws-cdk/issues/18271))" ([#18770](https://github.com/aws/aws-cdk/issues/18770)) ([a2eb092](https://github.com/aws/aws-cdk/commit/a2eb092b2b468bffa2acde9b98ca34cefa3e48f1)), closes [/docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3](https://github.com/aws//docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html/issues/AWS-logs-infrastructure-S3) [#18676](https://github.com/aws/aws-cdk/issues/18676)
+
 ## [1.142.0](https://github.com/aws/aws-cdk/compare/v1.141.0...v1.142.0) (2022-01-28)
 
 
 
@@ -111,7 +111,8 @@ export abstract class BaseDataSource extends CoreConstruct {
     if (extended.type !== 'NONE') {
       this.serviceRole = props.serviceRole || new Role(this, 'ServiceRole', { assumedBy: new ServicePrincipal('appsync') });
     }
-    const name = props.name ?? id;
+    // Replace unsupported characters from DataSource name. The only allowed pattern is: {[_A-Za-z][_0-9A-Za-z]*}
+    const name = (props.name ?? id).replace(/[\W]+/g, '');
     this.ds = new CfnDataSource(this, 'Resource', {
       apiId: props.api.apiId,
       name: name,
 
@@ -65,6 +65,42 @@ describe('Lambda Data Source configuration', () => {
     });
   });
 
+  test('appsync sanitized datasource name from unsupported characters', () => {
+    const badCharacters = [...'!@#$%^&*()+-=[]{}\\|;:\'",<>?/'];
+
+    badCharacters.forEach((badCharacter) => {
+      // WHEN
+      const newStack = new cdk.Stack();
+      const graphqlapi = new appsync.GraphqlApi(newStack, 'baseApi', {
+        name: 'api',
+        schema: appsync.Schema.fromAsset(path.join(__dirname, 'appsync.test.graphql')),
+      });
+      const dummyFunction = new lambda.Function(newStack, 'func', {
+        code: lambda.Code.fromAsset(path.join(__dirname, 'verify/iam-query')),
+        handler: 'iam-query.handler',
+        runtime: lambda.Runtime.NODEJS_12_X,
+      });
+      graphqlapi.addLambdaDataSource(`data-${badCharacter}-source`, dummyFunction);
+
+      // THEN
+      Template.fromStack(newStack).hasResourceProperties('AWS::AppSync::DataSource', {
+        Type: 'AWS_LAMBDA',
+        Name: 'datasource',
+      });
+    });
+  });
+
+  test('appsync leaves underscore untouched in datasource name', () => {
+    // WHEN
+    api.addLambdaDataSource('data_source', func);
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::AppSync::DataSource', {
+      Type: 'AWS_LAMBDA',
+      Name: 'data_source',
+    });
+  });
+
   test('appsync errors when creating multiple lambda data sources with no configuration', () => {
     // THEN
     expect(() => {
 
@@ -70,3 +70,16 @@ new iotevents.DetectorModel(this, 'MyDetectorModel', {
   initialState: onlineState,
 });
 ```
+
+To grant permissions to put messages in the input,
+you can use the `grantWrite()` method:
+
+```ts
+import * as iam from '@aws-cdk/aws-iam';
+import * as iotevents from '@aws-cdk/aws-iotevents';
+
+declare const grantable: iam.IGrantable;
+const input = iotevents.Input.fromInputName(this, 'MyInput', 'my_input');
+
+input.grantWrite(grantable);
+```
@@ -5,7 +5,7 @@ import { CfnDetectorModel } from './iotevents.generated';
 import { State } from './state';
 
 /**
- * Represents an AWS IoT Events detector model
+ * Represents an AWS IoT Events detector model.
  */
 export interface IDetectorModel extends IResource {
   /**
@@ -33,7 +33,7 @@ export enum EventEvaluation {
 }
 
 /**
- * Properties for defining an AWS IoT Events detector model
+ * Properties for defining an AWS IoT Events detector model.
  */
 export interface DetectorModelProps {
   /**
 
@@ -1,12 +1,12 @@
 import { IInput } from './input';
 
 /**
- * Expression for events in Detector Model state
+ * Expression for events in Detector Model state.
  * @see https://docs.aws.amazon.com/iotevents/latest/developerguide/iotevents-expressions.html
  */
 export abstract class Expression {
   /**
-   * Create a expression from the given string
+   * Create a expression from the given string.
    */
   public static fromString(value: string): Expression {
     return new StringExpression(value);
@@ -28,14 +28,14 @@ export abstract class Expression {
   }
 
   /**
-   * Create a expression for the Equal operator
+   * Create a expression for the Equal operator.
    */
   public static eq(left: Expression, right: Expression): Expression {
     return new BinaryOperationExpression(left, '==', right);
   }
 
   /**
-   * Create a expression for the AND operator
+   * Create a expression for the AND operator.
    */
   public static and(left: Expression, right: Expression): Expression {
     return new BinaryOperationExpression(left, '&&', right);
@@ -45,7 +45,7 @@ export abstract class Expression {
   }
 
   /**
-   * this is called to evaluate the expression
+   * This is called to evaluate the expression.
    */
   public abstract evaluate(): string;
 }
 
@@ -1,24 +1,66 @@
-import { Resource, IResource } from '@aws-cdk/core';
+import * as iam from '@aws-cdk/aws-iam';
+import { Resource, IResource, Aws } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnInput } from './iotevents.generated';
 
 /**
- * Represents an AWS IoT Events input
+ * Represents an AWS IoT Events input.
  */
 export interface IInput extends IResource {
   /**
-   * The name of the input
+   * The name of the input.
+   *
    * @attribute
    */
   readonly inputName: string;
+
+  /**
+   * The ARN of the input.
+   *
+   * @attribute
+   */
+  readonly inputArn: string;
+
+  /**
+   * Grant write permissions on this input and its contents to an IAM principal (Role/Group/User).
+   *
+   * @param grantee the principal
+   */
+  grantWrite(grantee: iam.IGrantable): iam.Grant
+
+  /**
+   * Grant the indicated permissions on this input to the given IAM principal (Role/Group/User).
+   *
+   * @param grantee the principal
+   * @param actions the set of actions to allow (i.e. "iotevents:BatchPutMessage")
+   */
+  grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant
+}
+
+abstract class InputBase extends Resource implements IInput {
+  public abstract readonly inputName: string;
+
+  public abstract readonly inputArn: string;
+
+  public grantWrite(grantee: iam.IGrantable) {
+    return this.grant(grantee, 'iotevents:BatchPutMessage');
+  }
+
+  public grant(grantee: iam.IGrantable, ...actions: string[]) {
+    return iam.Grant.addToPrincipal({
+      grantee,
+      actions,
+      resourceArns: [this.inputArn],
+    });
+  }
 }
 
 /**
- * Properties for defining an AWS IoT Events input
+ * Properties for defining an AWS IoT Events input.
  */
 export interface InputProps {
   /**
-   * The name of the input
+   * The name of the input.
    *
    * @default - CloudFormation will generate a unique name of the input
    */
@@ -37,19 +79,25 @@ export interface InputProps {
 /**
  * Defines an AWS IoT Events input in this stack.
  */
-export class Input extends Resource implements IInput {
+export class Input extends InputBase {
   /**
-   * Import an existing input
+   * Import an existing input.
    */
   public static fromInputName(scope: Construct, id: string, inputName: string): IInput {
-    class Import extends Resource implements IInput {
+    return new class Import extends InputBase {
       public readonly inputName = inputName;
-    }
-    return new Import(scope, id);
+      public readonly inputArn = this.stack.formatArn({
+        service: 'iotevents',
+        resource: 'input',
+        resourceName: inputName,
+      });
+    }(scope, id);
   }
 
   public readonly inputName: string;
 
+  public readonly inputArn: string;
+
   constructor(scope: Construct, id: string, props: InputProps) {
     super(scope, id, {
       physicalName: props.inputName,
@@ -67,5 +115,14 @@ export class Input extends Resource implements IInput {
     });
 
     this.inputName = this.getResourceNameAttribute(resource.ref);
+    this.inputArn = this.getResourceArnAttribute(arnForInput(resource.ref), {
+      service: 'iotevents',
+      resource: 'input',
+      resourceName: this.physicalName,
+    });
   }
 }
+
+function arnForInput(inputName: string): string {
+  return `arn:${Aws.PARTITION}:iotevents:${Aws.REGION}:${Aws.ACCOUNT_ID}:input/${inputName}`;
+}
@@ -2,7 +2,7 @@ import { Event } from './event';
 import { CfnDetectorModel } from './iotevents.generated';
 
 /**
- * Properties for defining a state of a detector
+ * Properties for defining a state of a detector.
  */
 export interface StateProps {
   /**
@@ -20,11 +20,11 @@ export interface StateProps {
 }
 
 /**
- * Defines a state of a detector
+ * Defines a state of a detector.
  */
 export class State {
   /**
-   * The name of the state
+   * The name of the state.
    */
   public readonly stateName: string;
 
@@ -33,7 +33,7 @@ export class State {
   }
 
   /**
-   * Return the state property JSON
+   * Return the state property JSON.
    *
    * @internal
    */
@@ -46,7 +46,7 @@ export class State {
   }
 
   /**
-   * returns true if this state has at least one condition via events
+   * Returns true if this state has at least one condition via events.
    *
    * @internal
    */