chore(release): 2.196.0 #34471
### Reason for this change

This builds on #34054. Apparently for a domain name to have IPv4 and IPv6 support, the `AWS::ApiGatewayV2::DomainName.DomainNameConfiguration` also needs to set `IpAddressType`. This is distinct from the settings on the `AWS::ApiGatewayV2::API` itself.

### Description of changes

This adds the [`ipAddressType` property][ipaddresstype] for `DomainNameConfiguration`.

[ipaddresstype]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigatewayv2-domainname-domainnameconfiguration.html#cfn-apigatewayv2-domainname-domainnameconfiguration-ipaddresstype

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

Unit & Integration tests have been added. These are the first tests for `DomainName` for HTTP APIs and leverage the tooling for custom domains in integ tests.

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #34252

### Reason for this change

### Description of changes

add SYNTHETICS_PYTHON_SELENIUM_5_0 and SYNTHETICS_PYTHON_SELENIUM_5_1

https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_python_selenium.html

### Description of how you validated changes

Unit tests (passing):

```
cd packages/aws-cdk-lib
yarn test aws-synthetics
```

Integration tests (failing with "Could not unzip uploaded file. Please check your file, then try to upload again" and snapshots aren't generating for me to commit):

```
cd packages/@aws-cdk-testing/framework-integ
yarn integ test/aws-synthetics/test/integ.canary.js --update-on-failed
```

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #<issue number here>.

None

### Reason for this change

security-guardian runs and fails for chore(release) pr like [PR-34383](#34383). the PRs which are a part of this release would have already gone through the checks.

### Description of changes

checks if the PR title has `chore(release)` and skips execution

### Describe any new or updated permissions being added

### Description of how you validated changes

### Checklist

- [ x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

N/A

### Reason for this change

The integ tests changed in this PR are failing the yarn upgrade job: #34378

This is because recommended value of the `createNewPoliciesWithAddToRolePolicy` feature flag changed in the `integ-runner` package: aws/aws-cdk-cli@4bd6149#diff-cc2aa6328f725cd5a81d9ded74633857d38594c65a715e3411b80ec52ca5cdacR68

So making this PR specifically for upgrading `@aws-cdk/integ-runner` and updating the snapshots required by it.

### Description of changes

Upgraded `@aws-cdk/integ-runner`, then updated the snapshots

### Description of how you validated changes

There is no actual code change to CDK constructs. Checked the snapshots and see expected changes resulted from feature flag value being changed.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

N/A

### Reason for this change

Upgrading `@aws-cdk/asset-awscli-v1` always requires snapshot updates. This is causing the auto yarn upgrade PRs to always require human intervention. Excluding `@aws-cdk/asset-awscli-v1` so other dependency upgrades are not blocked.

### Description of changes

See title

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Ran the workflow in my own repo and confirmed it didn't upgrade `@aws-cdk/asset-awscli-v1`

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…#34231)

Closes #34220

### Reason for this change

`QueueProcessingFargateService` supports the ECS deployment circuit breaker, but doesn't currently offer any way to configure the health check grace period used by the circuit breaker, as `FargateService` does. This PR rectifies that discrepancy.

### Description of changes

Added the `healthCheckGracePeriod` property to `QueueProcessingFargateService`, matching the corresponding property on `FargateService`.

### Describe any new or updated permissions being added

None.

### Description of how you validated changes

I've added a unit test to verify that the property is passed to the underlying `FargateService`.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

N/A

### Reason for this change

This is follow up of #34395

I did not realize I need to pin the version in `package.json` as well to make the job skip upgrading `@aws-cdk/asset-awscli-v1`

### Description of changes

### Describe any new or updated permissions being added

### Description of how you validated changes

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
…ourceType enum (#34409)

### Reason for this change

`NONE` should not be a supported enum value in CDK

### Description of changes

Exclude `NONE` enum value for appsync `AppSyncDataSourceType` enum

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR updates the enum values for appsync.
…Lambda target groups (#34298)

### Issue # (if applicable)

None

### Reason for this change

We can set a multi-value headers property for a lambda target group from cloudformation, but this was not supported in the AWS CDK L2 construct.

### Description of changes

Add multiValueHeadersEnabled property to ApplicationTargetGroupProps and set it in the ApplicationTargetGroup constructor.

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Added both unit and integration tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…34229)

### Issue # (if applicable)

None

### Reason for this change

AWS S3 Tables supports server side encryption by customer managed KMS keys.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-encryption.html

And CloudFormation has support for this feature.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3tables-tablebucket-encryptionconfiguration.html

### Description of changes

- Add `kmsKey` prop to `TableBucketProps`
- Add kms key resource policy which enables S3 Tables to execute automatic table maintenance
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-permissions.html

### Describe any new or updated permissions being added

Add resource policy to the kms key.

```ts
// add resource policy to the encryption key
// see https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-permissions.html#tables-kms-maintenance-permissions
props?.kmsKey?.addToResourcePolicy(
  new iam.PolicyStatement({
    actions: ['kms:Decrypt', 'kms:GenerateDataKey'],
    resources: ['*'],
    effect: iam.Effect.ALLOW,
    principals: [new iam.ServicePrincipal('maintenance.s3tables.amazonaws.com')],
    conditions: {
      StringLike: {
        'kms:EncryptionContext:aws:s3:arn': `${Stack.of(this).formatArn({
          service: 's3tables',
          resource: 'bucket',
          resourceName: props.tableBucketName,
        })}/*`,
      },
    },
  }),
);
```

### Description of how you validated changes

Add both unit and integ tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
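How the `StringLike` condition in the key policy statement above narrows the maintenance principal's access, as an added example that is not code from the aws-cdk project: the statement is modelled as plain JSON and checked with a simplified evaluator. The account id, region, bucket names, table ARNs and the helper names (`tableBucketArn`, `maintenanceStatement`, `stringLike`, `allows`, `demo`) are assumptions made for illustration.

```typescript
// Added example (not aws-cdk code). All ARNs and ids below are constructed sample values.

interface KmsRequest {
  servicePrincipal: string;
  action: string;
  encryptionContext: Record<string, string>;
}

interface KeyPolicyStatement {
  Effect: 'Allow';
  Principal: { Service: string };
  Action: string[];
  Resource: string;
  Condition: { StringLike: Record<string, string> };
}

const CONTEXT_PREFIX = 'kms:EncryptionContext:';
const MAINTENANCE = 'maintenance.s3tables.amazonaws.com';

// Same shape as the formatArn() call in the commit message: service 's3tables', resource 'bucket'.
function tableBucketArn(partition: string, region: string, account: string, name: string): string {
  return `arn:${partition}:s3tables:${region}:${account}:bucket/${name}`;
}

// The statement from the commit message, written out as key-policy JSON.
function maintenanceStatement(bucketArn: string): KeyPolicyStatement {
  return {
    Effect: 'Allow',
    Principal: { Service: MAINTENANCE },
    Action: ['kms:Decrypt', 'kms:GenerateDataKey'],
    Resource: '*', // in a key policy this refers to the key the policy is attached to
    Condition: { StringLike: { 'kms:EncryptionContext:aws:s3:arn': `${bucketArn}/*` } },
  };
}

// IAM StringLike: case-sensitive, '*' matches any run of characters, '?' exactly one.
function stringLike(pattern: string, value: string): boolean {
  const source = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters except * and ?
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${source}$`).test(value);
}

// Simplified evaluation: principal and action must match exactly, and every
// condition key must be present in the request's encryption context and match.
function allows(stmt: KeyPolicyStatement, req: KmsRequest): boolean {
  if (req.servicePrincipal !== stmt.Principal.Service) return false;
  if (stmt.Action.indexOf(req.action) === -1) return false;
  return Object.keys(stmt.Condition.StringLike).every((key) => {
    const value = req.encryptionContext[key.slice(CONTEXT_PREFIX.length)];
    return value !== undefined && stringLike(stmt.Condition.StringLike[key], value);
  });
}

function demo() {
  const arn = tableBucketArn('aws', 'us-east-1', '111122223333', 'analytics');
  const sibling = tableBucketArn('aws', 'us-east-1', '111122223333', 'analytics-raw');
  const stmt = maintenanceStatement(arn);
  const req = (ctxArn?: string, action = 'kms:Decrypt', principal = MAINTENANCE): KmsRequest => ({
    servicePrincipal: principal,
    action,
    encryptionContext: ctxArn === undefined ? {} : { 'aws:s3:arn': ctxArn },
  });
  return {
    // A table inside the bucket matches "<bucket arn>/*".
    tableInBucket: allows(stmt, req(`${arn}/table/constructed-table-id`)),
    // The "/" before "*" stops a bucket whose name merely starts with "analytics".
    siblingBucket: allows(stmt, req(`${sibling}/table/constructed-table-id`)),
    // The bare bucket ARN has no "/..." suffix, so it does not match either.
    bucketItself: allows(stmt, req(arn)),
    // A request without the encryption context key fails the condition.
    noContext: allows(stmt, req()),
    // Actions outside the two listed ones are not granted by this statement.
    otherAction: allows(stmt, req(`${arn}/table/constructed-table-id`, 'kms:Encrypt')),
    // A different service principal is not covered.
    otherPrincipal: allows(stmt, req(`${arn}/table/constructed-table-id`, 'kms:Decrypt', 's3.amazonaws.com')),
  };
}

console.log(demo());
```

Only the first case is allowed; the `resources: ['*']` in the statement is bounded by the principal and the encryption-context condition, not by the resource element.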
…omputeType` enum (#34412)

### Reason for this change

`CUSTOM_INSTANCE_TYPE` value cannot be supported without additional logic.

See https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html

* For the AWS CLI, run the create-fleet or update-fleet command, specifying the value of computeType to `CUSTOM_INSTANCE_TYPE` and the ComputeConfiguration instanceType to the specified instance type. For more information, see [create-fleet](https://docs.aws.amazon.com/cli/latest/reference/codebuild/create-fleet.html) or [update-fleet](https://docs.aws.amazon.com/cli/latest/reference/codebuild/update-fleet.html).
* For the AWS SDKs, call the equivalent of the CreateFleet or UpdateFleet operation for your target programming language, specifying the value of computeType to `CUSTOM_INSTANCE_TYPE` and the ComputeConfiguration instanceType to the specified instance type. For more information, see the [AWS SDKs and tools reference](https://docs.aws.amazon.com/codebuild/latest/userguide/sdk-ref.html).

### Description of changes

Exclude CUSTOM_INSTANCE_TYPE from codebuild ComputeType enum

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Update the list of regions where the CDK deploys the `AWS::CDK::Metadata` resource.
…34417)

### Reason for this change

Scope down permissions for the `pr-linter-exemption-labeler` workflow so it only has write permissions on pull requests.

### Description of changes

Added `permissions` key to workflow file, similar to https://github.com/aws/aws-cdk/blob/main/.github/workflows/close-stale-prs.yml#L10-L11

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…upported (#34420)

### Reason for this change

Improve clarity by declaring where the no-throw-default-error rule is not yet supported, instead of where it is supported. This allows us to gradually reduce this list as we make progress.

### Description of changes

Modified the ESLint configuration to use a negative pattern approach for the no-throw-default-error rule, making it clearer which areas still need work.

### Description of how you validated changes

Verified that the ESLint configuration works as expected with the updated patterns.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…34422)

Bumps [step-security/changed-files](https://github.com/step-security/changed-files) from 45.0.1 to 46.0.5.

Release notes, sourced from [step-security/changed-files's releases](https://github.com/step-security/changed-files/releases):

**v46.0.5**

**What's Changed**

- [StepSecurity] ci: Harden GitHub Actions by `@step-security-bot` in [step-security/changed-files#15](https://redirect.github.com/step-security/changed-files/pull/15)
- [StepSecurity] Apply security best practices by `@step-security-bot` in [step-security/changed-files#47](https://redirect.github.com/step-security/changed-files/pull/47)
- cherry pick and guard dog workflow added by `@Raj-StepSecurity` in [step-security/changed-files#48](https://redirect.github.com/step-security/changed-files/pull/48)
- chore: Cherry-picked changes from upstream by `@github-actions` in [step-security/changed-files#52](https://redirect.github.com/step-security/changed-files/pull/52)
- chore: Cherry-picked changes from upstream by `@github-actions` in [step-security/changed-files#53](https://redirect.github.com/step-security/changed-files/pull/53)
- fix: Security updates by `@github-actions` in [step-security/changed-files#54](https://redirect.github.com/step-security/changed-files/pull/54)
- ci: remove unnecessary workflows/ steps by `@Raj-StepSecurity` in [step-security/changed-files#57](https://redirect.github.com/step-security/changed-files/pull/57)

**New Contributors**

- `@step-security-bot` made their first contribution in [step-security/changed-files#15](https://redirect.github.com/step-security/changed-files/pull/15)

**Full Changelog**: https://github.com/step-security/changed-files/compare/v45...v46.0.5
### Issue # (if applicable)

N/A

### Reason for this change

The L2 construct of Route 53 resource record set did not have a property `cidrRoutingConfig`. It was always necessary to set this prop via the L1 Construct when configuring IP-based routing.

### Description of changes

- added `cidrRoutingConfig` to `RecordSetProps`
- fixed logic in `RecordSet` constructor

### Describe any new or updated permissions being added

None

### Description of how you validated changes

I added new unit test and integration test.

- cidr-routing-config.test.ts
- integ.cidr-routing-config.ts

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue

Relates to #32569

### Reason for this change

untyped Errors are not recommended

### Description of changes

`ValidationError`s everywhere

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…errors (#34432)

### Issue

Relates to #32569

### Reason for this change

untyped Errors are not recommended

### Description of changes

`ValidationError`s everywhere

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…rrors (#34435)

### Issue

Relates to #32569

### Reason for this change

untyped Errors are not recommended

### Description of changes

`ValidationError`s everywhere

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…rs (#34438)

### Issue

Relates to #32569

### Reason for this change

untyped Errors are not recommended

### Description of changes

`ValidationError`s everywhere

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ors (#34430)

### Issue

Relates to #32569

### Reason for this change

untyped Errors are not recommended

### Description of changes

`ValidationError`s everywhere

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ind feature flag (#34377)

### Issue # (if applicable)

Closes NA.

### Reason for this change

Align resource ids and tag changes in Subnetv2 and VPCv2 constructs to allow a migration path for customers.

### Description of changes

- Add a new feature flag to keep the resource reference same as VPCv1 and prevent replacement of resources.
- Change id references from `Get::Att` to `Ref` for VPC, RouteTargetId, NatGW, IGW and RouteTable.
- Align subnet and IGW tag.

### Describe any new or updated permissions being added

NA

### Description of how you validated changes

Added unit test and integration test

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… intervention (#34415)

### Issue # (if applicable)

N/A

### Reason for this change

Follow up of #34395 and #34399. In those PRs, I excluded `@aws-cdk/asset-awscli-v1` for auto-upgrade because upgrading this package always requires manual update to the integ test snapshots, which means blocking the upgrade of the other dependencies that do not need snapshot updates.

So making this new GH workflow to upgrade `@aws-cdk/asset-awscli-v1` specifically.

### Description of changes

The new workflow is pretty much the same as the existing Yarn Upgrade [workflow](https://github.com/aws/aws-cdk/blob/main/.github/workflows/yarn-upgrade.yml) but with a few tweaks so the upgrade job targets `@aws-cdk/asset-awscli-v1` only.

Feedback from #34410 is also covered in this revision.

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Tested the workflow in my own fork: https://github.com/samson-keung/aws-cdk/actions/runs/14940393163/job/41976513475 and it created samson-keung#3

(Note that the workflow failed only because it could not add labels to the PR. This is a token permission issue in my testing set up so it shouldn't be a problem in the `aws-cdk` repo.)

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR updates the CDK enum mapping file.
)

### Reason for this change

This implements this RFC: https://github.com/aws/aws-cdk-rfcs/blob/main/text/0693-property-injection.md

### Description of changes

This PR contains these changes:

* 122 Constructs that are decorated with propertyInjectable.
* App, Stage, and Stack can specify propertyInjectors - a list of IPropertyInjector
* Logic to find the correct Construct Property Injector during instantiation.
* ConstructsUpdater makes all L2 Constructs propertyInjectable.
* Add a test case showing Property Injectors applied to an L2 Construct inherited from another L2 Construct.

### Describe any new or updated permissions being added

No new IAM permission.

### Description of how you validated changes

Added unit tests and integ tests.

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…espace (#34459)

### Reason for this change

Schemas are not publicly available and this is no longer needed.

### Description of changes

Remove temporary schema for AWS::AppSync::ChannelNamespace

### Description of how you validated changes

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change

This adds support for encryption settings for TableBucket including providing KMS keys for server side encryption.

### Description of changes

L1 reference: [CfnTableBucket#encryptionConfiguration](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3tables.CfnTableBucket.html#encryptionconfiguration)

Backwards compatible changes were made to the TableBucket construct in the following places:

- TableBucketProps now include optional fields `encryption` and `encryptionKey`
- grant methods now provide permissions to the bucket encryptionKey, if applicable
- A new KMS key is created if the user provides KMS encryptionType but no key
- Updated README with rosetta support

#### Usage

```ts
// Provide a user defined KMS Key:
const key = new kms.Key(scope, 'UserKey', {});
const encryptedBucket = new TableBucket(scope, 'EncryptedTableBucket', {
  tableBucketName: 'table-bucket-1',
  encryption: TableBucketEncryption.KMS,
  encryptionKey: key,
});
// This account principal will also receive kms:Decrypt access to the KMS key
encryptedBucket.grantRead(new iam.AccountPrincipal('123456789012'), '*');

// If no key is provided, one will be created automatically
const encryptedBucketAuto = new TableBucket(scope, 'EncryptedTableBucketAuto', {
  tableBucketName: 'table-bucket-2',
  encryption: TableBucketEncryption.KMS,
});

// Use S3 managed server side encryption (default)
const encryptedBucketDefault = new TableBucket(scope, 'EncryptedTableBucketDefault', {
  tableBucketName: 'table-bucket-3',
  encryption: TableBucketEncryption.S3_MANAGED,
});
```

### Describe any new or updated permissions being added

These permissions were added for KMS support:

```ts
export const KEY_READ_ACCESS = [
  'kms:Decrypt',
];

export const KEY_WRITE_ACCESS = [
  'kms:Decrypt',
  'kms:GenerateDataKey*',
];
```

When grant methods are used, these policies are applied to the principal for the TableBucket's encryption key. For example, giving read access to an encrypted bucket without giving decrypt permissions to the bucket key will not be sufficient permissions for the principal to read the bucket data.

### Description of how you validated changes

- Added unit test coverage for all possible scenarios of bucket encryption config, as well as all grant methods for each valid encryption config.
- Added integration tests with snapshot and assertions. The assertions are currently disabled due to the aws-sdk version not supporting `GetTableBucketEncryptionCommand` but will be included once resolved.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
)

### Issue # (if applicable)

Relates to #30632 but does not close the issue.

### Reason for this change

The cluster name can exceed 100 characters, which exceeds the limit for EKS.

### Description of changes

- Check if the cluster name exceeds 100 characters
- If it does, throw a validation error

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

Added unit test

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ternetGateway (under feature flag) (#34437)

### Issue # (if applicable)

Closes #30981.

### Reason for this change

-> EgressOnlyInternetGateway was being created even without any private subnets

### Description of changes

-> Fixed the condition that determines if an EgressOnlyInternetGateway will be created
-> Added feature flag

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

I added two new unit tests that check if EgressOnlyInternetGateway is created without a private subnet

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…34461)

### Issue # (if applicable)

same as #34247 #34211

Closes #<issue number here>.

### Reason for this change

collect workflow runs with limited permissions
upload workflow runs on elevated permissions

### Description of changes

### Describe any new or updated permissions being added

### Description of how you validated changes

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

N/A

### Reason for this change

MSK supports Apache Kafka version 3.9.

Ref: https://aws.amazon.com/about-aws/whats-new/2025/04/amazon-msk-apache-kafka-version-3-9/

### Description of changes

Add 3.9.x version.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

Add unit tests and integ tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

Manual changes to the `static-enum-mapping.json` would be overwritten the next time the workflow was run.

### Description of changes

Add a new file `manual-enum-mapping.json` that allows maintainers to add manual mappings that will be used over any matching mapping that the script calculates.

Manual mappings should be added in the form:

```
{
  "serviceName": {
    "CdkEnumName": {
      "cdk_path": "path/to/cdkEnum",
      "sdk_service": "serviceName",
      "sdk_enum_name": "AwsEnumThatWeWantThisToMapTo",
      "match_percentage": 1.0,
      "manual": true
    }
  }
}
```

For example:

```
{
  "ec2": {
    "VpcEndpointIpAddressType": {
      "cdk_path": "aws-cdk/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts",
      "sdk_service": "ec2",
      "sdk_enum_name": "IpAddressType",
      "match_percentage": 1.0,
      "manual": true
    }
  }
}
```

### Description of how you validated changes

Manual + unit testing

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…injectable (#34463)

### Issue # (if applicable)

N/A

### Reason for this change

Release was failing because when metadata_updater job got executed to automatically mark L2 constructs as injectables, it failed to update some constructs because they do not follow the normal patterns of L2 constructors.

### Description of changes

- Added skip logic to skip some L2 constructs from being marked as Injectables.
- Applied the injectables logic manually to `RootResource` since its constructor does not follow the common constructors pattern for L2s, and should support the injectable logic.
- Skipped `lib/function-base.LatestVersion`, as in my opinion it does not need to support the injectable feature. The constructor does not accept any props, and so it does not support any injected property injection.
- Added some changes to the metadata_updater tool itself to fix some linter errors.

### Description of how you validated changes

Executed the metadata_updater job locally to verify the generated L2 constructs.

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ran npm-check-updates and yarn upgrade for the following dependencies:

```
@aws-cdk/asset-awscli-v1
```

Checkout this branch and run integration tests locally to update snapshots.

```
(cd packages/@aws-cdk-testing/framework-integ && yarn integ --update-on-failed)
```

See https://www.npmjs.com/package/@aws-cdk/integ-runner for more integ runner options.
### Issue # (if applicable)

None

### Reason for this change

CloudFormation supports configuring HttpsPolicy for a custom tracking domain in `ConfigurationSet` but AWS CDK cannot do this.

https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-ses-configurationset-trackingoptions.html#cfn-ses-configurationset-trackingoptions-httpspolicy

### Description of changes

- Define `HttpsPolicy` enum
- Add `customTrackingHttpsPolicy` to `ConfigurationSetProps`

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Add both unit and integ tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

Comments on closed issues and PRs are hard for our team to see.
See CHANGELOG