chore(release): 2.196.0 #34452
Closed
### Reason for this change

This builds on #34054. Apparently for a domain name to have IPv4 and IPv6 support, the `AWS::ApiGatewayV2::DomainName.DomainNameConfiguration` also needs to set `IpAddressType`. This is distinct from the settings on the `AWS::ApiGatewayV2::API` itself.

### Description of changes

This adds the [`ipAddressType` property][ipaddresstype] for `DomainNameConfiguration`.

[ipaddresstype]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigatewayv2-domainname-domainnameconfiguration.html#cfn-apigatewayv2-domainname-domainnameconfiguration-ipaddresstype

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

Unit & Integration tests have been added. These are the first tests for `DomainName` for HTTP APIs and leverage the tooling for custom domains in integ tests.

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

Closes #34252

### Reason for this change

### Description of changes

add SYNTHETICS_PYTHON_SELENIUM_5_0 and SYNTHETICS_PYTHON_SELENIUM_5_1

https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_python_selenium.html

### Description of how you validated changes

Unit tests (passing):

```
cd packages/aws-cdk-lib
yarn test aws-synthetics
```

Integration tests (failing with "Could not unzip uploaded file. Please check your file, then try to upload again" and snapshots aren't generating for me to commit):

```
cd packages/@aws-cdk-testing/framework-integ
yarn integ test/aws-synthetics/test/integ.canary.js --update-on-failed
```

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

Closes #<issue number here>.

None

### Reason for this change

security-guardian runs and fails for chore(release) PRs like [PR-34383](#34383). The PRs which are a part of this release would have already gone through the checks.

### Description of changes

checks if the PR title has `chore(release)` and skips execution

### Describe any new or updated permissions being added

### Description of how you validated changes

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

N/A

### Reason for this change

The integ tests changed in this PR are failing the yarn upgrade job: #34378

This is because the recommended value of the `createNewPoliciesWithAddToRolePolicy` feature flag changed in the `integ-runner` package: aws/aws-cdk-cli@4bd6149#diff-cc2aa6328f725cd5a81d9ded74633857d38594c65a715e3411b80ec52ca5cdacR68

So making this PR specifically for upgrading `@aws-cdk/integ-runner` and updating the snapshots required by it.

### Description of changes

Upgraded `@aws-cdk/integ-runner`, then updated the snapshots

### Description of how you validated changes

There is no actual code change to CDK constructs. Checked the snapshots and see expected changes resulted from feature flag value being changed.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

N/A

### Reason for this change

Upgrading `@aws-cdk/asset-awscli-v1` always requires snapshot updates. This is causing the auto yarn upgrade PRs to always require human intervention. Excluding `@aws-cdk/asset-awscli-v1` so other dependency upgrades are not blocked.

### Description of changes

See title

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Ran the workflow in my own repo and confirmed it didn't upgrade `@aws-cdk/asset-awscli-v1`

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…#34231)

Closes #34220

### Reason for this change

`QueueProcessingFargateService` supports the ECS deployment circuit breaker, but doesn't currently offer any way to configure the health check grace period used by the circuit breaker, as `FargateService` does. This PR rectifies that discrepancy.

### Description of changes

Added the `healthCheckGracePeriod` property to `QueueProcessingFargateService`, matching the corresponding property on `FargateService`.

### Describe any new or updated permissions being added

None.

### Description of how you validated changes

I've added a unit test to verify that the property is passed to the underlying `FargateService`.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

N/A

### Reason for this change

This is a follow-up of #34395

I did not realize I need to pin the version in `package.json` as well to make the job skip upgrading `@aws-cdk/asset-awscli-v1`

### Description of changes

### Describe any new or updated permissions being added

### Description of how you validated changes

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
…ourceType enum (#34409)

### Reason for this change

`NONE` should not be a supported enum value in CDK

### Description of changes

Exclude `NONE` enum value for appsync `AppSyncDataSourceType` enum

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This PR updates the enum values for appsync.
…Lambda target groups (#34298)

### Issue # (if applicable)

None

### Reason for this change

We can set a multi-value headers property for a lambda target group from cloudformation, but this was not supported in the AWS CDK L2 construct.

### Description of changes

Add multiValueHeadersEnabled property to ApplicationTargetGroupProps and set it in the ApplicationTargetGroup constructor.

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Added both unit and integration tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…34229)

### Issue # (if applicable)

None

### Reason for this change

AWS S3 Tables supports server-side encryption by customer managed KMS keys.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-encryption.html

And CloudFormation has added support for this feature.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3tables-tablebucket-encryptionconfiguration.html

### Description of changes

- Add `kmsKey` prop to `TableBucketProps`
- Add kms key resource policy which enables S3 Tables to execute automatic table maintenance
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-permissions.html

### Describe any new or updated permissions being added

Add resource policy to the kms key.

```ts
// add resource policy to the encryption key
// see https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-permissions.html#tables-kms-maintenance-permissions
props?.kmsKey?.addToResourcePolicy(
  new iam.PolicyStatement({
    actions: ['kms:Decrypt', 'kms:GenerateDataKey'],
    resources: ['*'],
    effect: iam.Effect.ALLOW,
    principals: [new iam.ServicePrincipal('maintenance.s3tables.amazonaws.com')],
    conditions: {
      StringLike: {
        'kms:EncryptionContext:aws:s3:arn': `${Stack.of(this).formatArn({
          service: 's3tables',
          resource: 'bucket',
          resourceName: props.tableBucketName,
        })}/*`,
      },
    },
  }),
);
```

### Description of how you validated changes

Add both unit and integ tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…omputeType` enum (#34412)

### Reason for this change

`CUSTOM_INSTANCE_TYPE` value cannot be supported without additional logic.

See https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html

* For the AWS CLI, run the create-fleet or update-fleet command, specifying the value of computeType to `CUSTOM_INSTANCE_TYPE` and the ComputeConfiguration instanceType to the specified instance type. For more information, see [create-fleet](https://docs.aws.amazon.com/cli/latest/reference/codebuild/create-fleet.html) or [update-fleet](https://docs.aws.amazon.com/cli/latest/reference/codebuild/update-fleet.html).
* For the AWS SDKs, call the equivalent of the CreateFleet or UpdateFleet operation for your target programming language, specifying the value of computeType to `CUSTOM_INSTANCE_TYPE` and the ComputeConfiguration instanceType to the specified instance type. For more information, see the [AWS SDKs and tools reference](https://docs.aws.amazon.com/codebuild/latest/userguide/sdk-ref.html).

### Description of changes

Exclude CUSTOM_INSTANCE_TYPE from codebuild ComputeType enum

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Update the list of regions where the CDK deploys the `AWS::CDK::Metadata` resource.
…34417)

### Reason for this change

Scope down permissions for the `pr-linter-exemption-labeler` workflow so it only has write permissions on pull requests.

### Description of changes

Added `permissions` key to workflow file, similar to https://github.com/aws/aws-cdk/blob/main/.github/workflows/close-stale-prs.yml#L10-L11

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…upported (#34420)

### Reason for this change

Improve clarity by declaring where the no-throw-default-error rule is not yet supported, instead of where it is supported. This allows us to gradually reduce this list as we make progress.

### Description of changes

Modified the ESLint configuration to use a negative pattern approach for the no-throw-default-error rule, making it clearer which areas still need work.

### Description of how you validated changes

Verified that the ESLint configuration works as expected with the updated patterns.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…34422)

Bumps [step-security/changed-files](https://github.com/step-security/changed-files) from 45.0.1 to 46.0.5.

<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/step-security/changed-files/releases">step-security/changed-files's releases</a>.</em></p>
<blockquote>
<h2>v46.0.5</h2>
<h2>What's Changed</h2>
<ul>
<li>[StepSecurity] ci: Harden GitHub Actions by <a href="https://github.com/step-security-bot"><code>@step-security-bot</code></a> in <a href="https://redirect.github.com/step-security/changed-files/pull/15">step-security/changed-files#15</a></li>
<li>[StepSecurity] Apply security best practices by <a href="https://github.com/step-security-bot"><code>@step-security-bot</code></a> in <a href="https://redirect.github.com/step-security/changed-files/pull/47">step-security/changed-files#47</a></li>
<li>cherry pick and guard dog workflow added by <a href="https://github.com/Raj-StepSecurity"><code>@Raj-StepSecurity</code></a> in <a href="https://redirect.github.com/step-security/changed-files/pull/48">step-security/changed-files#48</a></li>
<li>chore: Cherry-picked changes from upstream by <a href="https://github.com/github-actions"><code>@github-actions</code></a> in <a href="https://redirect.github.com/step-security/changed-files/pull/52">step-security/changed-files#52</a></li>
<li>chore: Cherry-picked changes from upstream by <a href="https://github.com/github-actions"><code>@github-actions</code></a> in <a href="https://redirect.github.com/step-security/changed-files/pull/53">step-security/changed-files#53</a></li>
<li>fix: Security updates by <a href="https://github.com/github-actions"><code>@github-actions</code></a> in <a href="https://redirect.github.com/step-security/changed-files/pull/54">step-security/changed-files#54</a></li>
<li>ci: remove unnecessary workflows/ steps by <a href="https://github.com/Raj-StepSecurity"><code>@Raj-StepSecurity</code></a> in <a href="https://redirect.github.com/step-security/changed-files/pull/57">step-security/changed-files#57</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/step-security-bot"><code>@step-security-bot</code></a> made their first contribution in <a href="https://redirect.github.com/step-security/changed-files/pull/15">step-security/changed-files#15</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/changed-files/compare/v45...v46.0.5">https://github.com/step-security/changed-files/compare/v45...v46.0.5</a></p>
</blockquote>
</details>

<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/step-security/changed-files/commit/95b56dadb92a30ca9036f16423fd3c088a71ee94"><code>95b56da</code></a> ci: remove unnecessary workflows/ steps (<a href="https://redirect.github.com/step-security/changed-files/issues/57">#57</a>)</li>
<li><a href="https://github.com/step-security/changed-files/commit/60058f667cc7707fd4198f1cd32d9dbe93e0b0a7"><code>60058f6</code></a> unused workflows/steps deleted</li>
<li><a href="https://github.com/step-security/changed-files/commit/eb71416421613e432d9cb9e026868001883b9d45"><code>eb71416</code></a> revert workflow changes</li>
<li><a href="https://github.com/step-security/changed-files/commit/e152d5b0d475d9b410672af2f26bf033cda0e624"><code>e152d5b</code></a> fix: Security updates (<a href="https://redirect.github.com/step-security/changed-files/issues/54">#54</a>)</li>
<li><a href="https://github.com/step-security/changed-files/commit/a373b15ee439fc2695250d75d993aeca6fe614c4"><code>a373b15</code></a> chore: Cherry-picked changes from upstream (<a href="https://redirect.github.com/step-security/changed-files/issues/53">#53</a>)</li>
<li><a href="https://github.com/step-security/changed-files/commit/f2de462e2f68445b8126fb2b0cb797d96302f0b9"><code>f2de462</code></a> chore: Cherry-picked changes from upstream (<a href="https://redirect.github.com/step-security/changed-files/issues/52">#52</a>)</li>
<li><a href="https://github.com/step-security/changed-files/commit/31ad786ff11c9d4b819ef5cd7a5c4c23dc4da1ba"><code>31ad786</code></a> cherry pick and guard dog workflow added (<a href="https://redirect.github.com/step-security/changed-files/issues/48">#48</a>)</li>
<li><a href="https://github.com/step-security/changed-files/commit/98d7c4723056ec07e7a53f179bbed417a08a3510"><code>98d7c47</code></a> [StepSecurity] Apply security best practices (<a href="https://redirect.github.com/step-security/changed-files/issues/47">#47</a>)</li>
<li><a href="https://github.com/step-security/changed-files/commit/52f756978519f427e38a119d8c4f0c8f549d1402"><code>52f7569</code></a> Merge pull request <a href="https://redirect.github.com/step-security/changed-files/issues/15">#15</a> from step-security-bot/stepsecurity_remediation_174250...</li>
<li><a href="https://github.com/step-security/changed-files/commit/cdb3cdada10c041ca9f6970ef1fb8005cd5f808c"><code>cdb3cda</code></a> [StepSecurity] ci: Harden GitHub Actions</li>
<li>See full diff in <a href="https://github.com/step-security/changed-files/compare/3dbe17c78367e7d60f00d78ae6781a35be47b4a1...95b56dadb92a30ca9036f16423fd3c088a71ee94">compare view</a></li>
</ul>
</details>

### Issue # (if applicable)

N/A

### Reason for this change

The L2 construct of Route 53 resource record set did not have a property `cidrRoutingConfig`. It was always necessary to set this prop via the L1 Construct when configuring IP-based routing.

### Description of changes

- added `cidrRoutingConfig` to `RecordSetProps`
- fixed logic in `RecordSet` constructor

### Describe any new or updated permissions being added

None

### Description of how you validated changes

I added new unit test and integration test.

- cidr-routing-config.test.ts
- integ.cidr-routing-config.ts

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue

Relates to #32569

### Reason for this change

untyped Errors are not recommended

### Description of changes

`ValidationError`s everywhere

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue

Relates to #32569

### Reason for this change

untyped Errors are not recommended

### Description of changes

`ValidationError`s everywhere

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…errors (#34432)

### Issue

Relates to #32569

### Reason for this change

untyped Errors are not recommended

### Description of changes

`ValidationError`s everywhere

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…rrors (#34435)

### Issue

Relates to #32569

### Reason for this change

untyped Errors are not recommended

### Description of changes

`ValidationError`s everywhere

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…rs (#34438)

### Issue

Relates to #32569

### Reason for this change

untyped Errors are not recommended

### Description of changes

`ValidationError`s everywhere

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ors (#34430)

### Issue

Relates to #32569

### Reason for this change

untyped Errors are not recommended

### Description of changes

`ValidationError`s everywhere

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ind feature flag (#34377)

### Issue # (if applicable)

Closes NA.

### Reason for this change

Align resource ids and tag changes in Subnetv2 and VPCv2 constructs to allow a migration path for customers.

### Description of changes

- Add a new feature flag to keep the resource reference same as VPCv1 and prevent replacement of resources.
- Change id references from `Get::Att` to `Ref` for VPC, RouteTargetId, NatGW, IGW and RouteTable.
- Align subnet and IGW tag.

### Describe any new or updated permissions being added

NA

### Description of how you validated changes

Added unit test and integration test

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… intervention (#34415)

### Issue # (if applicable)

N/A

### Reason for this change

Follow up of #34395 and #34399.

In those PRs, I excluded `@aws-cdk/asset-awscli-v1` for auto-upgrade because upgrading this package always requires manual update to the integ test snapshots, which means blocking the upgrade of the other dependencies that do not need snapshot updates.

So making this new GH workflow to upgrade `@aws-cdk/asset-awscli-v1` specifically.

### Description of changes

The new workflow is pretty much the same as the existing Yarn Upgrade [workflow](https://github.com/aws/aws-cdk/blob/main/.github/workflows/yarn-upgrade.yml) but with a few tweaks so the upgrade job targets `@aws-cdk/asset-awscli-v1` only.

Feedback from #34410 is also covered in this revision.

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Tested the workflow in my own fork: https://github.com/samson-keung/aws-cdk/actions/runs/14940393163/job/41976513475 and it created samson-keung#3

(Note that the workflow failed only because it could not add labels to the PR. This is a token permission issue in my testing set up so it shouldn't be a problem in the `aws-cdk` repo.)

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This PR updates the CDK enum mapping file.
)

### Reason for this change

This implements this RFC: https://github.com/aws/aws-cdk-rfcs/blob/main/text/0693-property-injection.md

### Description of changes

This PR contains these changes:

* 122 Constructs that are decorated with propertyInjectable.
* App, Stage, and Stack can specify propertyInjectors - a list of IPropertyInjector
* Logic to find the correct Construct Property Injector during instantiation.
* ConstructsUpdater makes all L2 Constructs propertyInjectable.
* Add a test case showing Property Injectors applied to an L2 Construct inherited from another L2 Construct.

### Describe any new or updated permissions being added

No new IAM permission.

### Description of how you validated changes

Added unit tests and integ tests.

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…under feature flag) (#33702)

V3 but I think we got there

### Issue #

Closes #32811

### Reason for this change

By default when you create an s3 bucket, all public access is already blocked. However if you then use CDK to specify 1 or more access points you want to unblock, all undefined block types will be auto set to false, and when it deploys you will see everything uncheck even if you only wanted to uncheck 1 thing.

So to fix this we should instead default all values to true when at least 1 option is specified, to mimic the experience when a user in the console unchecks the boxes.

### Description of changes

Deprecating `BLOCK_ACLS` method of `BlockPublicAccess`. Adding `BLOCK_ACLS_ONLY`.

```
public static readonly BLOCK_ACLS_ONLY = new BlockPublicAccess({
  blockPublicAcls: true,
  blockPublicPolicy: false,
  ignorePublicAcls: true,
  restrictPublicBuckets: false,
});
```

This is just a general revamp to match what the feature will bring, it's separate from the feature itself. The point being that for any shortcut methods like this, we should be specifying all 4 options to ensure the default true behavior remains.

Created function `setBlockPublicAccessDefaults()`

```
/**
 * Function to set the blockPublicAccessOptions to a true default if not defined.
 * If no blockPublicAccessOptions are specified at all, this is already the case as an s3 default in aws
 * @see https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
 */
private setBlockPublicAccessDefaults(blockPublicAccessOptions: BlockPublicAccessOptions) {
  return {
    blockPublicAcls: blockPublicAccessOptions.blockPublicAcls ?? true,
    blockPublicPolicy: blockPublicAccessOptions.blockPublicPolicy ?? true,
    ignorePublicAcls: blockPublicAccessOptions.ignorePublicAcls ?? true,
    restrictPublicBuckets: blockPublicAccessOptions.restrictPublicBuckets ?? true,
  };
}
```

but this method is only called if the FF is enabled

```
let blockPublicAccess: BlockPublicAccessOptions | undefined = props.blockPublicAccess;
if (props.blockPublicAccess && FeatureFlags.of(this).isEnabled(cxapi.S3_BLOCK_PUBLIC_ACCESS_OPTION_AUTO_TRUE)) {
  blockPublicAccess = this.setBlockPublicAccessDefaults(props.blockPublicAccess);
}
```

Of course the FF itself was added.

### Description of how you validated changes

Added tests that are duplicates of others, just testing for both behaviors with and without the FF.

```
describe('bucket with custom block public access setting', () => {
  ...
  test('S3_BLOCK_PUBLIC_ACCESS_OPTION_AUTO_TRUE Enabled', () => {
    const app = new cdk.App({
      context: {
        [cxapi.S3_BLOCK_PUBLIC_ACCESS_OPTION_AUTO_TRUE]: true,
      },
    });
    const stack = new cdk.Stack(app);
    new s3.Bucket(stack, 'MyBucket', {
      blockPublicAccess: new s3.BlockPublicAccess({ restrictPublicBuckets: false }),
    });
    Template.fromStack(stack).templateMatches({
      'Resources': {
        'MyBucketF68F3FF0': {
          'Type': 'AWS::S3::Bucket',
          'Properties': {
            'PublicAccessBlockConfiguration': {
              'BlockPublicAcls': true,
              'BlockPublicPolicy': true,
              'IgnorePublicAcls': true,
              'RestrictPublicBuckets': false,
            },
          },
          'DeletionPolicy': 'Retain',
          'UpdateReplacePolicy': 'Retain',
        },
      },
    });
  });
```

Also added an integ that just tests different combinations of the blocking.

https://github.com/aws/aws-cdk/blob/51ffe2112e048f5866e5c0d811377b4deca7920d/packages/%40aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-block-access.ts#L1-L42

There was no `BlockPublicAccess` integ before so I did not add the context for the FF disabled anywhere. The tests should still be working since it's not used that often. But if the team needs me to, I can add a 2nd integ with the old behavior

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
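The defaulting rule this commit message describes, modelled in plain TypeScript as an added example (not aws-cdk code and not part of the PR). `resolveBlockPublicAccess`, `fillUndefined` and `droppedByLegacyDefaults` are hypothetical names, and the flag-off branch encodes the old behaviour as the message states it.

```typescript
// Added illustration: a stand-alone model of the defaulting rule, with no aws-cdk-lib import.
// Only the four option keys and the BLOCK_ACLS_ONLY values come from the commit message;
// every function name here is hypothetical.

interface BlockPublicAccessOptions {
  blockPublicAcls?: boolean;
  blockPublicPolicy?: boolean;
  ignorePublicAcls?: boolean;
  restrictPublicBuckets?: boolean;
}

type ResolvedBlockPublicAccess = Required<BlockPublicAccessOptions>;
type OptionKey = keyof BlockPublicAccessOptions;

const OPTION_KEYS: readonly OptionKey[] = [
  'blockPublicAcls',
  'blockPublicPolicy',
  'ignorePublicAcls',
  'restrictPublicBuckets',
];

// Values quoted in the commit message for the new shortcut: all four options are explicit.
const BLOCK_ACLS_ONLY: BlockPublicAccessOptions = {
  blockPublicAcls: true,
  blockPublicPolicy: false,
  ignorePublicAcls: true,
  restrictPublicBuckets: false,
};

// Replace every undefined option with `fallback`, keeping explicit values untouched.
function fillUndefined(opts: BlockPublicAccessOptions, fallback: boolean): ResolvedBlockPublicAccess {
  return {
    blockPublicAcls: opts.blockPublicAcls ?? fallback,
    blockPublicPolicy: opts.blockPublicPolicy ?? fallback,
    ignorePublicAcls: opts.ignorePublicAcls ?? fallback,
    restrictPublicBuckets: opts.restrictPublicBuckets ?? fallback,
  };
}

// Effective settings for a bucket:
//  - no options at all: the S3 default applies, everything is blocked;
//  - options given, flag off: undefined options end up false (behaviour described in the message);
//  - options given, flag on: undefined options default to true.
function resolveBlockPublicAccess(
  opts: BlockPublicAccessOptions | undefined,
  flagEnabled: boolean,
): ResolvedBlockPublicAccess {
  if (opts === undefined) {
    return fillUndefined({}, true);
  }
  return fillUndefined(opts, flagEnabled);
}

// Review helper: the protections a given config loses when the flag is off
// but keeps when it is on. An empty result means the config is flag-independent.
function droppedByLegacyDefaults(opts: BlockPublicAccessOptions | undefined): OptionKey[] {
  const legacy = resolveBlockPublicAccess(opts, false);
  const flagged = resolveBlockPublicAccess(opts, true);
  return OPTION_KEYS.filter((key) => flagged[key] && !legacy[key]);
}
```

Running `droppedByLegacyDefaults` over the options a stack passes shows which buckets change posture when the flag is switched on, and why a shortcut that sets all four options does not.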
### Issue # (if applicable)

N/A

### Reason for this change

Add SNS as a Pipes target.

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…33793)

### Issue # (if applicable)

Closes #32687

### Description of changes

Stepfunctions DistributedMap `ResultWriter` support JSONPath bucket

### Describe any new or updated permissions being added

When using JSONpath/JSONata, use wildcard(*) for these permissions:

```ts
's3:PutObject',
's3:GetObject',
's3:ListMultipartUploadParts',
's3:AbortMultipartUpload',
```

### Description of how you validated changes

Unit + Integration

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #32791.

### Reason for this change

Keep concordance in arguments for cloudformation and cdk for the state parallel: https://docs.aws.amazon.com/step-functions/latest/dg/state-parallel.html

### Description of changes

Add parameters to `ParallelJsonPathOptions` for `ParallelProps`.

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…errors (#34436)

### Issue

Relates to #32569

### Reason for this change

untyped Errors are not recommended

### Description of changes

`ValidationError`s everywhere

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…rs (#34429)

### Issue

Relates to #32569

### Reason for this change

untyped Errors are not recommended

### Description of changes

`ValidationError`s everywhere

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…34434)

### Issue

Relates to #32569

### Reason for this change

untyped Errors are not recommended

### Description of changes

`ValidationError`s everywhere

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue

Relates to #32569

### Reason for this change

untyped Errors are not recommended

### Description of changes

`ValidationError`s everywhere

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…errors (#34426)

### Issue

Relates to #32569

### Reason for this change

untyped Errors are not recommended

### Description of changes

`ValidationError`s everywhere

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #33958

### Reason for this change

Duplicate id of alarm of multiple StepScalingPolicy

### Description of changes

Update Lambda permission prefix to use `Names.uniqueId`.

Considering this requires resource destruction, please let me know if I need a feature flag for the fix. As there was another feature flag in the exact same place.

### Description of how you validated changes

Unit + Integ

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

N/A

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…5.13, 14.18, 13.21 (#34446)

### Issue # (if applicable)

None

### Reason for this change

- https://aws.amazon.com/about-aws/whats-new/2025/05/amazon-aurora-postgresql-limitless-database-postgresql-16-8/
- https://aws.amazon.com/about-aws/whats-new/2025/05/amazon-rds-postgresql-supports-new-minor-versions/

### Description of changes

Postgres

- Aurora add 16.8-limitless
- RDS add 17.5, 16.9, 15.13, 14.18, 13.21
- RDS deprecate 12.15 > 12.21, 13.14

### Description of how you validated changes

Integ + cli

```console
$ aws rds describe-db-engine-versions --engine postgres --output table --query 'DBEngineVersions[*].{Engine:Engine,EngineVersion:EngineVersion}'
------------------------------------
|     DescribeDBEngineVersions     |
+-----------+----------------------+
|  Engine   |    EngineVersion     |
+-----------+----------------------+
|  postgres |  11.22               |
|  postgres |  11.22-rds.20240418  |
|  postgres |  11.22-rds.20240509  |
|  postgres |  11.22-rds.20240808  |
|  postgres |  11.22-rds.20241121  |
|  postgres |  11.22-rds.20250220  |
|  postgres |  12.22               |
|  postgres |  12.22-rds.20250220  |
|  postgres |  13.15               |
|  postgres |  13.16               |
|  postgres |  13.17               |
|  postgres |  13.18               |
|  postgres |  13.19               |
|  postgres |  13.20               |
|  postgres |  13.21               |
|  postgres |  14.12               |
|  postgres |  14.13               |
|  postgres |  14.14               |
|  postgres |  14.15               |
|  postgres |  14.16               |
|  postgres |  14.17               |
|  postgres |  14.18               |
|  postgres |  15.7                |
|  postgres |  15.8                |
|  postgres |  15.9                |
|  postgres |  15.10               |
|  postgres |  15.11               |
|  postgres |  15.12               |
|  postgres |  15.13               |
|  postgres |  16.3                |
|  postgres |  16.4                |
|  postgres |  16.5                |
|  postgres |  16.6                |
|  postgres |  16.7                |
|  postgres |  16.8                |
|  postgres |  16.9                |
|  postgres |  17.1                |
|  postgres |  17.2                |
|  postgres |  17.3                |
|  postgres |  17.4                |
|  postgres |  17.5                |
```

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…34425) Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-amazonmq │ └ resources │ └[~] resource AWS::AmazonMQ::Broker │ └ types │ └[~] type User │ └ properties │ └ JolokiaApiAccess: (documentation changed) ├[~] service aws-apigateway │ └ resources │ ├[~] resource AWS::ApiGateway::DomainName │ │ └ attributes │ │ └[+] DomainNameArn: string │ └[~] resource AWS::ApiGateway::DomainNameV2 │ └ types │ └[~] type EndpointConfiguration │ └ properties │ └ IpAddressType: (documentation changed) ├[~] service aws-backup │ └ resources │ ├[~] resource AWS::Backup::BackupPlan │ │ └ types │ │ ├[~] type BackupRuleResourceType │ │ │ └ properties │ │ │ └ IndexActions: (documentation changed) │ │ ├[~] type IndexActionsResourceType │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: Specifies index actions. │ │ │ └ properties │ │ │ └ ResourceTypes: (documentation changed) │ │ └[~] type LifecycleResourceType │ │ └ properties │ │ ├ DeleteAfterDays: (documentation changed) │ │ └ MoveToColdStorageAfterDays: (documentation changed) │ └[~] resource AWS::Backup::LogicallyAirGappedBackupVault │ └ attributes │ ├ BackupVaultArn: (documentation changed) │ ├ EncryptionKeyArn: (documentation changed) │ ├ VaultState: (documentation changed) │ └ VaultType: (documentation changed) ├[~] service aws-bedrock │ └ resources │ ├[~] resource AWS::Bedrock::Agent │ │ └ types │ │ ├[~] type CustomOrchestration │ │ │ └ - documentation: Details of custom orchestration. │ │ │ + documentation: Contains details of the custom orchestration configured for the agent. │ │ └[~] type OrchestrationExecutor │ │ └ - documentation: Contains details about the Lambda function containing the orchestration logic carried out upon invoking the custom orchestration. │ │ + documentation: The structure of the executor invoking the actions in custom orchestration. 
│ ├[~] resource AWS::Bedrock::Flow │ │ └ types │ │ └[~] type FlowNodeConfiguration │ │ └ properties │ │ ├ Condition: (documentation changed) │ │ ├ Retrieval: (documentation changed) │ │ └ Storage: (documentation changed) │ ├[~] resource AWS::Bedrock::FlowVersion │ │ └ types │ │ └[~] type FlowNodeConfiguration │ │ └ properties │ │ ├ Condition: (documentation changed) │ │ ├ Retrieval: (documentation changed) │ │ └ Storage: (documentation changed) │ └[+] resource AWS::Bedrock::IntelligentPromptRouter │ ├ name: IntelligentPromptRouter │ │ cloudFormationType: AWS::Bedrock::IntelligentPromptRouter │ │ documentation: Definition of AWS::Bedrock::IntelligentPromptRouter Resource Type │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ ├ properties │ │ ├ Description: string (immutable) │ │ ├ FallbackModel: PromptRouterTargetModel (required, immutable) │ │ ├ Models: Array<PromptRouterTargetModel> (required, immutable) │ │ ├ PromptRouterName: string (required, immutable) │ │ ├ RoutingCriteria: RoutingCriteria (required, immutable) │ │ └ Tags: Array<tag> │ ├ attributes │ │ ├ CreatedAt: string │ │ ├ PromptRouterArn: string │ │ ├ Status: string │ │ ├ Type: string │ │ └ UpdatedAt: string │ └ types │ ├ type PromptRouterTargetModel │ │ ├ documentation: The target model for a prompt router. │ │ │ name: PromptRouterTargetModel │ │ └ properties │ │ └ ModelArn: string (required) │ └ type RoutingCriteria │ ├ documentation: Routing criteria for a prompt router. │ │ name: RoutingCriteria │ └ properties │ └ ResponseQualityDifference: number (required) ├[~] service aws-budgets │ └ resources │ └[~] resource AWS::Budgets::Budget │ └ types │ ├[~] type BudgetData │ │ └ properties │ │ ├[+] FilterExpression: Expression │ │ └[+] Metrics: Array<string> │ ├[+] type CostCategoryValues │ │ ├ documentation: The cost category values used for filtering the costs. 
│ │ │ name: CostCategoryValues │ │ └ properties │ │ ├ Values: Array<string> │ │ ├ Key: string │ │ └ MatchOptions: Array<string> │ ├[+] type Expression │ │ ├ documentation: Use Expression to filter in various Budgets APIs. │ │ │ name: Expression │ │ └ properties │ │ ├ Not: Expression │ │ ├ Or: Array<Expression> │ │ ├ And: Array<Expression> │ │ ├ Dimensions: ExpressionDimensionValues │ │ ├ CostCategories: CostCategoryValues │ │ └ Tags: TagValues │ ├[+] type ExpressionDimensionValues │ │ ├ documentation: Contains the specifications for the filters to use for your request. │ │ │ name: ExpressionDimensionValues │ │ └ properties │ │ ├ Values: Array<string> │ │ ├ Key: string │ │ └ MatchOptions: Array<string> │ └[+] type TagValues │ ├ documentation: The values that are available for a tag. │ │ name: TagValues │ └ properties │ ├ Values: Array<string> │ ├ Key: string │ └ MatchOptions: Array<string> ├[~] service aws-cleanrooms │ └ resources │ └[~] resource AWS::CleanRooms::Collaboration │ └ properties │ └ AnalyticsEngine: - string (immutable) │ + string ├[~] service aws-cognito │ └ resources │ ├[~] resource AWS::Cognito::ManagedLoginBranding │ │ └ properties │ │ └ ClientId: (documentation changed) │ └[~] resource AWS::Cognito::UserPoolClient │ ├ properties │ │ └ RefreshTokenRotation: (documentation changed) │ └ types │ └[~] type RefreshTokenRotation │ ├ - documentation: undefined │ │ + documentation: The configuration of your app client for refresh token rotation. When enabled, your app client issues new ID, access, and refresh tokens when users renew their sessions with refresh tokens. When disabled, token refresh issues only ID and access tokens. 
│ └ properties │ ├ Feature: (documentation changed) │ └ RetryGracePeriodSeconds: (documentation changed) ├[~] service aws-datazone │ └ resources │ ├[~] resource AWS::DataZone::Domain │ │ ├ properties │ │ │ └ ServiceRole: (documentation changed) │ │ ├ attributes │ │ │ └ RootDomainUnitId: (documentation changed) │ │ └ types │ │ └[~] type SingleSignOn │ │ └ properties │ │ └ IdcInstanceArn: (documentation changed) │ ├[~] resource AWS::DataZone::DomainUnit │ │ ├ - documentation: A domain unit enables you to easily organize your assets and other domain entities under specific business units and teams. │ │ │ + documentation: The summary of the domain unit. │ │ ├ properties │ │ │ └ DomainIdentifier: (documentation changed) │ │ └ attributes │ │ ├ CreatedAt: (documentation changed) │ │ └ DomainId: (documentation changed) │ └[+] resource AWS::DataZone::Owner │ ├ name: Owner │ │ cloudFormationType: AWS::DataZone::Owner │ │ documentation: The owner that you want to add to the entity. │ ├ properties │ │ ├ EntityType: string (required, immutable) │ │ ├ Owner: OwnerProperties (required, immutable) │ │ ├ EntityIdentifier: string (required, immutable) │ │ └ DomainIdentifier: string (required, immutable) │ └ types │ ├ type OwnerGroupProperties │ │ ├ documentation: The properties of the domain unit owners group. │ │ │ name: OwnerGroupProperties │ │ └ properties │ │ └ GroupIdentifier: string │ ├ type OwnerProperties │ │ ├ documentation: The properties of a domain unit's owner. │ │ │ name: OwnerProperties │ │ └ properties │ │ ├ Group: OwnerGroupProperties │ │ └ User: OwnerUserProperties │ └ type OwnerUserProperties │ ├ documentation: The properties of the owner user. 
│ │ name: OwnerUserProperties │ └ properties │ └ UserIdentifier: string ├[~] service aws-docdb │ └ resources │ └[~] resource AWS::DocDB::DBCluster │ └ properties │ └ EngineVersion: (documentation changed) ├[~] service aws-dsql │ └ resources │ └[~] resource AWS::DSQL::Cluster │ ├ - documentation: Resource Type definition for AWS::DSQL::Cluster │ │ + documentation: Creates a cluster in Amazon Aurora DSQL. │ ├ properties │ │ ├ DeletionProtectionEnabled: (documentation changed) │ │ └ Tags: (documentation changed) │ └ attributes │ ├ CreationTime: (documentation changed) │ ├ Identifier: (documentation changed) │ ├ ResourceArn: (documentation changed) │ ├ Status: (documentation changed) │ └ VpcEndpointServiceName: (documentation changed) ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::ClientVpnEndpoint │ │ ├ properties │ │ │ ├ ClientRouteEnforcementOptions: (documentation changed) │ │ │ └ DisconnectOnSessionTimeout: (documentation changed) │ │ └ types │ │ └[~] type ClientRouteEnforcementOptions │ │ ├ - documentation: undefined │ │ │ + documentation: Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN. This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel. │ │ │ Client Route Enforcement works by monitoring the route table of a connected device for routing policy changes to the VPN connection. If the feature detects any VPN routing policy modifications, it will automatically force an update to the route table, reverting it back to the expected route configurations. 
│ │ └ properties │ │ └ Enforced: (documentation changed) │ ├[~] resource AWS::EC2::NetworkInsightsAnalysis │ │ └ properties │ │ └[+] FilterOutArns: Array<string> (immutable) │ ├[~] resource AWS::EC2::TransitGateway │ │ └ properties │ │ ├ DefaultRouteTableAssociation: (documentation changed) │ │ └ DefaultRouteTablePropagation: (documentation changed) │ └[~] resource AWS::EC2::Volume │ └ properties │ └[+] VolumeInitializationRate: integer ├[~] service aws-ecs │ └ resources │ └[~] resource AWS::ECS::Service │ └ types │ └[~] type ServiceManagedEBSVolumeConfiguration │ └ properties │ └[+] VolumeInitializationRate: integer ├[~] service aws-elasticloadbalancingv2 │ └ resources │ ├[~] resource AWS::ElasticLoadBalancingV2::Listener │ │ └ properties │ │ └ SslPolicy: (documentation changed) │ └[~] resource AWS::ElasticLoadBalancingV2::LoadBalancer │ └ properties │ ├ EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic: (documentation changed) │ └ Ipv4IpamPoolId: (documentation changed) ├[~] service aws-imagebuilder │ └ resources │ └[~] resource AWS::ImageBuilder::ImageRecipe │ ├ - documentation: An Image Builder image recipe is a document that defines the base image and the components to be applied to the base image to produce the desired configuration for the output image. You can use an image recipe to duplicate builds. Image Builder image recipes can be shared, branched, and edited using the console wizard, the AWS CLI , or the API. You can use image recipes with your version control software to maintain shareable versioned image recipes. │ │ + documentation: Creates a new image recipe. Image recipes define how images are configured, tested, and assessed. 
│ └ properties │ ├ Components: (documentation changed) │ ├ ParentImage: (documentation changed) │ └ Version: (documentation changed) ├[~] service aws-kinesis │ └ resources │ └[~] resource AWS::Kinesis::StreamConsumer │ └ - documentation: Use the AWS CloudFormation `AWS::Kinesis::StreamConsumer` resource to register a consumer with a Kinesis data stream. The consumer you register can then call [SubscribeToShard](https://docs.aws.amazon.com/kinesis/latest/APIReference/API_SubscribeToShard.html) to receive data from the stream using enhanced fan-out, at a rate of up to 2 MiB per second for every shard you subscribe to. This rate is unaffected by the total number of consumers that read from the same stream. │ You can register up to five consumers per stream. However, you can request a limit increase using the [Kinesis Data Streams limits form](https://docs.aws.amazon.com/support/v1?#/) . A given consumer can only be registered with one stream at a time. │ For more information, see [Using Consumers with Enhanced Fan-Out](https://docs.aws.amazon.com/streams/latest/dev/introduction-to-enhanced-consumers.html) . │ + documentation: Use the AWS CloudFormation `AWS::Kinesis::StreamConsumer` resource to register a consumer with a Kinesis data stream. The consumer you register can then call [SubscribeToShard](https://docs.aws.amazon.com/kinesis/latest/APIReference/API_SubscribeToShard.html) to receive data from the stream using enhanced fan-out, at a rate of up to 2 MiB per second for every shard you subscribe to. This rate is unaffected by the total number of consumers that read from the same stream. │ You can register up to 20 consumers per stream. However, you can request a limit increase using the [Kinesis Data Streams limits form](https://docs.aws.amazon.com/support/v1?#/) . A given consumer can only be registered with one stream at a time. 
│ For more information, see [Using Consumers with Enhanced Fan-Out](https://docs.aws.amazon.com/streams/latest/dev/introduction-to-enhanced-consumers.html) . ├[~] service aws-kinesisanalyticsv2 │ └ resources │ └[~] resource AWS::KinesisAnalyticsV2::Application │ ├ properties │ │ ├ ApplicationMaintenanceConfiguration: (documentation changed) │ │ └ RuntimeEnvironment: (documentation changed) │ └ types │ └[~] type ApplicationMaintenanceConfiguration │ ├ - documentation: Specifies the maintence window parameters for a Kinesis Data Analytics application. │ │ + documentation: Describes the maintenance configuration for the application. │ └ properties │ └ ApplicationMaintenanceWindowStartTime: (documentation changed) ├[~] service aws-lambda │ └ resources │ └[~] resource AWS::Lambda::Version │ └ types │ └[~] type RuntimePolicy │ ├ - documentation: Runtime Management Config of a function. │ │ + documentation: Sets the runtime management configuration for a function's version. For more information, see [Runtime updates](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html) . │ └ properties │ ├ RuntimeVersionArn: (documentation changed) │ └ UpdateRuntimeOn: (documentation changed) ├[~] service aws-logs │ └ resources │ └[~] resource AWS::Logs::DeliveryDestination │ ├ properties │ │ └ DeliveryDestinationPolicy: - json │ │ + json ⇐ DestinationPolicy │ └ types │ └[+] type DestinationPolicy │ ├ name: DestinationPolicy │ └ properties │ ├ DeliveryDestinationName: string │ └ DeliveryDestinationPolicy: json ├[~] service aws-quicksight │ └ resources │ ├[~] resource AWS::QuickSight::Analysis │ │ └ types │ │ └[~] type ResourcePermission │ │ └ properties │ │ └ Principal: (documentation changed) │ ├[~] resource AWS::QuickSight::Dashboard │ │ ├ - documentation: Creates a dashboard from a template. To first create a template, see the `CreateTemplate` API operation. 
│ │ │ A dashboard is an entity in Amazon QuickSight that identifies Amazon QuickSight reports, created from analyses. You can share Amazon QuickSight dashboards. With the right permissions, you can create scheduled email reports from them. If you have the correct permissions, you can create a dashboard from a template that exists in a different AWS account . │ │ │ + documentation: Creates a dashboard from a template. To first create a template, see the `CreateTemplate` API operation. │ │ │ A dashboard is an entity in QuickSight that identifies QuickSight reports, created from analyses. You can share QuickSight dashboards. With the right permissions, you can create scheduled email reports from them. If you have the correct permissions, you can create a dashboard from a template that exists in a different AWS account . │ │ └ types │ │ └[~] type ResourcePermission │ │ └ properties │ │ └ Principal: (documentation changed) │ ├[~] resource AWS::QuickSight::DataSet │ │ └ types │ │ ├[~] type ColumnLevelPermissionRule │ │ │ └ properties │ │ │ └ Principals: (documentation changed) │ │ ├[~] type JoinKeyProperties │ │ │ └ properties │ │ │ └ UniqueKey: (documentation changed) │ │ └[~] type ResourcePermission │ │ └ properties │ │ └ Principal: (documentation changed) │ ├[~] resource AWS::QuickSight::DataSource │ │ └ types │ │ └[~] type ResourcePermission │ │ └ properties │ │ └ Principal: (documentation changed) │ ├[~] resource AWS::QuickSight::RefreshSchedule │ │ ├ - documentation: Creates a refresh schedule for a dataset in Amazon QuickSight . │ │ │ + documentation: Creates a refresh schedule for a dataset in QuickSight . │ │ └ types │ │ └[~] type RefreshScheduleMap │ │ └ properties │ │ └ RefreshType: (documentation changed) │ ├[~] resource AWS::QuickSight::Template │ │ ├ - documentation: Creates a template from an existing Amazon QuickSight analysis or template. You can use the resulting template to create a dashboard. 
│ │ │ A *template* is an entity in Amazon QuickSight that encapsulates the metadata required to create an analysis and that you can use to create s dashboard. A template adds a layer of abstraction by using placeholders to replace the dataset associated with the analysis. You can use templates to create dashboards by replacing dataset placeholders with datasets that follow the same schema that was used to create the source analysis and template. │ │ │ + documentation: Creates a template from an existing QuickSight analysis or template. You can use the resulting template to create a dashboard. │ │ │ A *template* is an entity in QuickSight that encapsulates the metadata required to create an analysis and that you can use to create s dashboard. A template adds a layer of abstraction by using placeholders to replace the dataset associated with the analysis. You can use templates to create dashboards by replacing dataset placeholders with datasets that follow the same schema that was used to create the source analysis and template. 
│ │ └ types │ │ └[~] type ResourcePermission │ │ └ properties │ │ └ Principal: (documentation changed) │ └[~] resource AWS::QuickSight::Theme │ └ types │ └[~] type ResourcePermission │ └ properties │ └ Principal: (documentation changed) ├[~] service aws-redshiftserverless │ └ resources │ └[~] resource AWS::RedshiftServerless::Workgroup │ ├ properties │ │ └ ConfigParameters: (documentation changed) │ └ types │ └[~] type ConfigParameter │ └ properties │ └ ParameterKey: (documentation changed) ├[~] service aws-sagemaker │ └ resources │ └[~] resource AWS::SageMaker::Domain │ └ types │ ├[~] type CodeEditorAppSettings │ │ └ properties │ │ └[+] BuiltInLifecycleConfigArn: string │ ├[+] type HiddenSageMakerImage │ │ ├ name: HiddenSageMakerImage │ │ └ properties │ │ ├ SageMakerImageName: string │ │ └ VersionAliases: Array<string> │ ├[~] type JupyterLabAppSettings │ │ └ properties │ │ └[+] BuiltInLifecycleConfigArn: string │ ├[~] type StudioWebPortalSettings │ │ └ properties │ │ ├[+] HiddenInstanceTypes: Array<string> │ │ └[+] HiddenSageMakerImageVersionAliases: Array<HiddenSageMakerImage> │ └[~] type UserSettings │ └ properties │ └[+] AutoMountHomeEFS: string ├[~] service aws-ses │ └ resources │ ├[~] resource AWS::SES::MailManagerRuleSet │ │ └ types │ │ └[~] type DeliverToQBusinessAction │ │ └ properties │ │ ├ ActionFailurePolicy: (documentation changed) │ │ └ RoleArn: (documentation changed) │ └[~] resource AWS::SES::ReceiptRule │ └ types │ └[~] type SNSAction │ ├ - documentation: When included in a receipt rule, this action publishes a notification to Amazon Simple Notification Service (Amazon SNS). This action includes a complete copy of the email content in the Amazon SNS notifications. Amazon SNS notifications for all other actions simply provide information about the email. They do not include the email content itself. │ │ If you own the Amazon SNS topic, you don't need to do anything to give Amazon SES permission to publish emails to it. 
However, if you don't own the Amazon SNS topic, you need to attach a policy to the topic to give Amazon SES permissions to access it. For information about giving permissions, see the [Amazon SES Developer Guide](https://docs.aws.amazon.com/ses/latest/dg/receiving-email-permissions.html) . │ │ > You can only publish emails that are 150 KB or less (including the header) to Amazon SNS. Larger emails bounce. If you anticipate emails larger than 150 KB, use the S3 action instead. │ │ For information about using a receipt rule to publish an Amazon SNS notification, see the [Amazon SES Developer Guide](https://docs.aws.amazon.com/ses/latest/dg/receiving-email-action-sns.html) . │ │ + documentation: The action to publish the email content to an Amazon SNS topic. When executed, this action will send the email as a notification to the specified SNS topic. │ └ properties │ ├ Encoding: (documentation changed) │ └ TopicArn: (documentation changed) ├[~] service aws-ssmcontacts │ └ resources │ └[~] resource AWS::SSMContacts::Contact │ ├ - tagInformation: undefined │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ └ properties │ └[+] Tags: Array<tag> ├[~] service aws-ssmguiconnect │ └ resources │ └[~] resource AWS::SSMGuiConnect::Preferences │ ├ - documentation: Definition of AWS::SSMGuiConnect::Preferences Resource Type │ │ + documentation: Specify new or changed connection recording preferences for your AWS Systems Manager GUI Connect connections. │ ├ properties │ │ └ ConnectionRecordingPreferences: (documentation changed) │ ├ attributes │ │ └ AccountId: (documentation changed) │ └ types │ └[~] type ConnectionRecordingPreferences │ └ - documentation: The set of preferences used for recording RDP connections in the requesting AWS account and AWS Region. This includes details such as which S3 bucket recordings are stored in. │ + documentation: The set of preferences used for recording RDP connections in the requesting AWS account and AWS Region . 
This includes details such as which S3 bucket recordings are stored in. ├[~] service aws-verifiedpermissions │ └ resources │ └[~] resource AWS::VerifiedPermissions::PolicyStore │ ├ - tagInformation: undefined │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ ├ properties │ │ ├[+] DeletionProtection: DeletionProtection │ │ └[+] Tags: Array<tag> │ └ types │ └[+] type DeletionProtection │ ├ name: DeletionProtection │ └ properties │ └ Mode: string (required, default="DISABLED") ├[~] service aws-vpclattice │ └ resources │ └[~] resource AWS::VpcLattice::ResourceConfiguration │ └ types │ └[~] type DnsResource │ └ properties │ └ IpAddressType: (documentation changed) └[~] service aws-wisdom └ resources └[~] resource AWS::Wisdom::AIAgent └ types ├[~] type AnswerRecommendationAIAgentConfiguration │ └ properties │ └ Locale: (documentation changed) └[~] type ManualSearchAIAgentConfiguration └ properties └ Locale: (documentation changed) ``` BREAKING CHANGE: Some L1 resources experienced breaking changes due to updated CloudFormation resources. Please check the notes for each specific module for more information. * **Logs**: The type of property `DeliveryDestinationPolicy` of resource `AWS::Logs::DeliveryDestination` changed to be `DestinationPolicy` instead of JSON.
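Review bot: The BREAKING CHANGE entry for `AWS::Logs::DeliveryDestination` states the type change but gives no migration hint. The tree shows the property as `json ⇐ DestinationPolicy`, with the new type carrying `DeliveryDestinationName: string` and `DeliveryDestinationPolicy: json`, so the note should say which shape callers that previously passed a raw JSON policy must now supply. Two other entries deserve a line in the release notes even though they are not breaking: `AWS::VerifiedPermissions::PolicyStore` gains `DeletionProtection` with `Mode` defaulting to `"DISABLED"`, so protection stays off unless set explicitly, and `AWS::CleanRooms::Collaboration` `AnalyticsEngine` changes from `string (immutable)` to `string`.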
Labels
auto-approve
p2
pr/do-not-merge
This PR should not be merged at this time.
pr/no-squash
This PR should be merged instead of squash-merging it
See CHANGELOG