chore(release): 2.201.0 #34706
Merged
#34256)

### Issue # (if applicable)
N/A

### Reason for this change
Missing property.

### Description of changes
Add kmsKey property to AppConfig Hosted Configuration

### Describe any new or updated permissions being added
N/A

### Description of how you validated changes
Add a unit test and an integ test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
None

### Reason for this change
Synthetics now supports the node-playwright 2.0 runtime
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_nodejs_playwright.html

### Description of changes
- Add node-playwright 2.0 runtime

### Describe any new or updated permissions being added
None

### Description of how you validated changes
Update both unit and integ tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…perty (#34539)

### Issue # (if applicable)
Closes #32318

### Reason for this change
[outputConfigCommand](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks.Cluster.html#outputconfigcommand) is true by default.
https://github.com/aws/aws-cdk/blob/7538a8431290fe76d9ad6bbf80977eb2cb17e007/packages/aws-cdk-lib/aws-eks/lib/cluster.ts#L506-L513

But if `mastersRole` is not specified, command will not be output because the output command will not be useful as it won't have the necessary role.
https://github.com/aws/aws-cdk/blob/7538a8431290fe76d9ad6bbf80977eb2cb17e007/packages/aws-cdk-lib/aws-eks/lib/cluster.ts#L1845

### Description of changes
- Add `mastersRole` requirement to `outputConfigCommand` property. The requirement for `mastersRole` is already documented.
  https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks-readme.html#masters-role
  > If you do not specify it, you won't have access to the cluster from outside of the CDK application.
- Add warning if `outputConfigCommand` is `true` and `mastersRole` is not specified

### Describe any new or updated permissions being added
None

### Description of how you validated changes
Pass unit test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…G guide (#34622)

### Issue # (if applicable)
#34612

Closes #<issue number here>.

### Reason for this change
Adding details on Feature flag fields in contributing guide.

### Description of changes

### Describe any new or updated permissions being added
N/A

### Description of how you validated changes
N/A

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change
New MariaDB versions are available.

Note: Link to the release note will be available later.

### Description of changes
```console
$ aws --region us-east-1 rds describe-db-engine-versions --engine mariadb --query 'DBEngineVersions[].EngineVersion'
[
    "10.5.20",
    "10.5.21",
    "10.5.22",
    "10.5.23",
    "10.5.24",
    "10.5.25",
    "10.5.26",
    "10.5.27",
    "10.5.28",
    "10.5.29",
    "10.6.13",
    "10.6.14",
    "10.6.15",
    "10.6.16",
    "10.6.17",
    "10.6.18",
    "10.6.19",
    "10.6.20",
    "10.6.21",
    "10.6.22",
    "10.11.4",
    "10.11.5",
    "10.11.6",
    "10.11.7",
    "10.11.8",
    "10.11.9",
    "10.11.10",
    "10.11.11",
    "10.11.13",
    "11.4.3",
    "11.4.4",
    "11.4.5",
    "11.4.7"
]
```

### Describe any new or updated permissions being added
N/A

### Description of how you validated changes
Added versions to unit test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
#34626)

### Issue # (if applicable)
Closes #34624.

### Reason for this change
Correcting the description of the `userData` property in the EC2 launch template construct properties.

### Description of changes
Updated the documentation to match the corresponding [Cloudformation documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-userdata) for `userData`. While the Cloudformation doc also specifies providing a base64-encoded value, this is [performed by the CDK code](https://github.com/aws/aws-cdk/blob/aa97e61140a4aac8531ac71521bde8bcdcbad573/packages/aws-cdk-lib/aws-ec2/lib/launch-template.ts#L690). The `userData` input structure is enforced by the `UserData` type, so no specific formatting instructions are necessary.

### Describe any new or updated permissions being added
N/A

### Description of how you validated changes
Executed the build and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
None

### Reason for this change
AWS EBS now supports specifying [volume initialization rate](https://docs.aws.amazon.com/ebs/latest/userguide/initalize-volume.html#volume-initialization-rate) but AWS CDK cannot configure this parameter.

### Description of changes
- Add `volumeInitializationRate` to `VolumeProps`

### Describe any new or updated permissions being added
none

### Description of how you validated changes
Add both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
### Issue
Closes #32569

### Description of changes
Throw typed errors everywhere. This introduced a new error type `ExecutionError` that is meant for failures from external scripts or code.

### Describe any new or updated permissions being added
n/a

### Description of how you validated changes
Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…#31586)

### Issue # (if applicable)
Closes #26982

### Reason for this change
The ContextProvider mechanism and various "lookup" functions of a number of constructs support caching resolved values in the cdk.context.json. The context keys are constructed from the parameters of the lookup, which for lookup functions means whenever a resource with the same parameters is resolved, it is resolved as the same value across the entire app.

However when a value may change over time, the user may wish to use the latest value when creating a new reference to the construct, effectively tying the cached context value to the scope - this patch enables this.

The primary use case is looking up an AMI parameter for a "stateful" EC2 instance. Currently if you specify cachedInContext, any future images created would use the same cached AMI, and updating the value would require updating all usages of the image across the entire app.

### Description of changes
Adds an `additionalCacheKey` parameter/property to multiple areas of the CDK where lookups can be cached

### Description of how you validated changes
Unit + integration tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change
Fix small typo found when reading the docs :p

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…#34596)

Reopen #33883

The cyclic dependency issue #34592 should be resolved before merging this PR again.

### Issue # (if applicable)
Related to #33757.

### Reason for this change
`FlowLogDestination.toKinesisDataFirehoseDestination()` includes the former service name Kinesis and receives the string ARN.

Also, cross-account log delivery needs an IAM role.
https://docs.aws.amazon.com/vpc/latest/userguide/firehose-cross-account-delivery.html

### Description of changes
- Added `FlowLogDestination.toFirehose()` with an optional IAM role.
- Deprecate `toKinesisDataFirehoseDestination()`

Note: CDK cannot create the IAM role for cross-account delivery because the VPC ARN is needed but FlowLog construct doesn't know it.

### Describe any new or updated permissions being added
N/A - Users must specify IAM roles for cross account delivery.

### Description of how you validated changes
Unit tests and integ test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change
When doing a fresh clone of the repo we get:

```
Encountered 5 files that should have been pointers, but weren't:
	packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/asset.8a84a8f465fbe0c48af2c256847ec9abfe095d23781b749728b998315f3ad732.zip
	packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-addon.js.snapshot/asset.12157b27d30ab71eb24ae65825f672ba5cc2c09dbb1703cd7adfcff3aeaca136.zip
	packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-addon.js.snapshot/asset.6094cb0ff874f89ab5ab24fb6b9417df0fdeb6966645f90c88ec1d7e28130112.zip
	packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-addon.js.snapshot/asset.93d96d34e0d3cd20eb082652b91012b131bdc34fcf2bc16eb4170e04772fddb1.zip
	packages/@aws-cdk-testing/framework-integ/test/aws-synthetics/test/integ.canary.js.snapshot/asset.b1b777dcb79a2fa2790059927207d10bf5f4747d6dd1516e2780726d9d6fa820.zip
```

This can be verified with `git lfs fsck`, which gives the same problematic 5 files.

### Description of changes
Ran `git lfs migrate import --no-rewrite <path to the 5 files>`.

### Description of how you validated changes
Ran `git lfs fsck`, no more errors.

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
)

### Issue # (if applicable)
Closes #33584.

### Reason for this change
AWS CodePipeline introduces a new action to deploy to Amazon Elastic Compute Cloud (EC2).
https://aws.amazon.com/about-aws/whats-new/2025/02/aws-codepipeline-native-ec2-deployment-support/

### Description of changes
Added the `Ec2DeployAction` action class and corresponding helpers.

- `Ec2InstanceType` - specify instance type: EC2 or SSM_MANAGED_NODE
- `Ec2DeploySpecification` - choose deploy specification: inline or DeploySpec (not yet included)
- `Ec2MaxInstances` - specify maxBatch and maxError configuration

#### Usage
```ts
new cpactions.Ec2DeployAction({
  actionName: 'EC2',
  input: buildOutput,
  // specify instance type
  instanceType: cpactions.Ec2InstanceType.EC2, // REQUIRED
  // specify tag key and value, not ec2.IInstance
  instanceTagKey: 'Target', // REQUIRED
  instanceTagValue: 'DeployTarget',
  // deploy specifications
  deploySpecifications: cpactions.Ec2DeploySpecifications.inline({
    targetDirectory: '/home/ec2-user/deploy', // REQUIRED
    preScript: 'hooks/pre-script',
    postScript: 'hooks/post-script', // REQUIRED
  }),
  // the action will detach and attach instances from/to target groups
  targetGroups: [myTargetGroup],
  // the number or percentage of instances that can deploy in parallel
  maxBatch: cpactions.Ec2MaxInstances.target(2),
  maxError: cpactions.Ec2MaxInstances.percent(50),
});
```

### Describe any new or updated permissions being added
`Ec2DeployAction` adds permissions based on CodePipeline documentation:
https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-EC2Deploy.html#action-reference-EC2Deploy-permissions-action

For details of actions, resource, and condition keys, see the Service Authorization Reference: [EC2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html), [ELBv2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselasticloadbalancingv2.html), [SSM](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html)

### Description of how you validated changes
Unit tests and an integ test. The integ test also asserts pipeline execution.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable): Bedrock L2 Construct
Closes #<issue number here> [ Issue - 686](aws/aws-cdk-rfcs#686)

### Reason for this change
- New feature, adding Bedrock L2 construct. [RFC 888](aws/aws-cdk-rfcs#688)

### Description of changes
Bedrock L2 Construct with following features

1. Agent core functionality (agent.ts)
2. Agent aliases (agent-alias.ts)
3. Action groups (action-group.ts)
4. Agent collaboration (agent-collaborator.ts)
5. Memory configuration (memory.ts)
6. Custom orchestration (orchestration.ts)
7. Prompt overrides (prompt-override.ts)
8. API schemas and executors (api-schema.ts, api-executor.ts)

Integration Tests (integ.agent.ts):
Tests the creation of a basic Bedrock Agent with default values
Verifies the agent creation with foundationModel, instruction, and forceDelete settings

Unit Tests for agent.test.ts, agent-collaborator.test.ts, api-executor.test.ts, memory.test.ts, prompt-override.test.ts

### Describe any new or updated permissions being added
IAM roles for Agent, Knowledgebase, guardrails, inference profiles, prompts.

### Description of how you validated changes
Created CDK APP in the repo and deployed the stack.
TODO: Unit and Integration test

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… practices (#34638)

### Issue # (if applicable)
Closes #34637 .

### Reason for this change
See description of issue #34637.

### Description of changes
Do not directly pass the `events.OnEventOptions` object directly to the `RuleProps` but rather create an object mapping the needed properties.

### Describe any new or updated permissions being added
NA

### Description of how you validated changes
Build module and ran existing integ test. No need to add additional testing.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ntifier` (#33982)

### Issue # (if applicable)
Closes #33889

### Reason for this change
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_RestoreFromMultiAZDBClusterSnapshot.html

### Description of changes
- `DatabaseInstanceFromSnapshot` support `clusterSnapshotIdentifier`
- `clusterSnapshotIdentifier` and `snapshotIdentifier` are mutually exclusive, one must be specified

### Description of how you validated changes
Unit + Integ

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
Closes #30792

### Reason for this change
The feature enables support to create clusters without the default networking add-ons

### Description of changes

### Describe any new or updated permissions being added
Added the prop bootstrapSelfManagedAddons to the cluster and incremented the eks client version. Also validated that existing if bootstrapSelfManagedAddons is undefined to true or vice versa does not replace the cluster as the default is `true`.

### Description of how you validated changes
Validated the changes against an existing cluster and made sure it is not replaced unless the change is from true to false or vice versa.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…elector (#34625)

### Issue
Closes #34538.

### Reason for this change
In the current implementation `itemSelector` must be an object type `Mapping[str, Any]`, but Step Functions supports both object mappings and JSONata expressions as strings.

See the [Amazon States Language](https://states-language.net/spec.html#map-state) specification:

> A JSONata Map State MAY have an "ItemSelector" field, whose value MUST be a JSON text, or a JSONata string that evaluates to a JSON text.

### Description of changes
This PR adds a new field `jsonataItemSelector` of type `string` to support this use case. This new field is mutually exclusive with `itemSelector` (and `parameters` as it is already mutually exclusive with `itemSelector` and deprecated).

During synthesis, if `jsonataItemSelector` is used, then it will be used to render the `ItemSelector` in the cloudformation template.

I considered creating a class like the [ProvideItems](https://github.com/aws/aws-cdk/blob/ed08f3f0b8ecd79a2fa5e804acc73a9ff23eab80/packages/aws-cdk-lib/aws-stepfunctions/lib/states/map-base.ts#L60-L77) class, however this would have been a breaking change for existing users.

### Describe any new or updated permissions being added
None.

### Description of how you validated changes
Added unit tests and an integration test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…33802)

### Issue # (if applicable)
Closes #33249

### Reason for this change
CloudFront doesn't support resource-level permission for some permission as per [Actions, resources, and condition keys for Amazon CloudFront](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudfront.html)

### Description of changes
Use wildcard(*) when grant some cloudfront permission

### Describe any new or updated permissions being added
Use wildcard(*) when grant some cloudfront permission

### Description of how you validated changes
Unit + Integ

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…34173)

### Issue # (if applicable)
Closes #32280.
Closes #32563.

### Reason for this change
Aurora Serverless v2 DB instances can specify the time period of inactivity before auto-pause.
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2-auto-pause.html

### Description of changes
Added the `serverlessV2AutoPauseDuration` prop for `DatabaseCluster`.

### Describe any new or updated permissions being added
N/A

### Description of how you validated changes
Added unit tests and an integ test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
None

### Reason for this change
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_python_selenium.html

### Description of changes
- Add selenium 6.0 runtime

### Describe any new or updated permissions being added
None

### Description of how you validated changes
Unit + Integ

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
None

### Reason for this change
AWS CloudWatch synthetics supports [performing safe canary update](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/performing-safe-canary-upgrades.html#performing-safe-canary-upgrades-limitations). This feature cannot be configured from the AWS CDK L2 construct.

### Description of changes
- Add `dryRunAndUpdate` prop to `canaryProps`
- Add runtime validation
  - syn-nodejs-puppeteer-10.0+
  - syn-nodejs-playwright-2.0+
  - syn-python-selenium-5.1+

### Describe any new or updated permissions being added
None

### Description of how you validated changes
Add both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… dimension map (#34648)

### Issue # (if applicable)
Closes #34643

### Reason for this change
When the metric filter is created, you can specify the dimension map for the metric. When you extract the metric out of the metric filter, the extracted metric will not include the dimension map, and you will be forced to manually add it to the metric.

### Description of changes
This PR preserves the dimension map used when creating the metric filter and then applies it back when extracting the metric using the `MetricFilter.metric()` API.

### Describe any new or updated permissions being added
N/A

### Description of how you validated changes
Added new unit and integration test that verify the extracted metric still includes the original dimension map used when creating the metric filter.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…rsions 11.22-rds.20250508 and 12.22-rds.20250508 (#34598)

### Issue # (if applicable)
None

### Reason for this change
- https://aws.amazon.com/about-aws/whats-new/2025/05/amazon-rds-mariadb-community-mariadb-minor-versions/
- https://aws.amazon.com/about-aws/whats-new/2025/06/amazon-rds-postgresql-extended-support-versions-r2-11-22-rds-20250508-12-22-rds-20250508/

### Description of changes
RDS mariadb add versions 10.5.29 and 10.6.22

### Description of how you validated changes
```console
$ aws rds describe-db-engine-versions --engine mariadb --output table --query 'DBEngineVersions[*].{Engine:Engine,EngineVersion:EngineVersion}'
------------------------------
|  DescribeDBEngineVersions  |
+----------+-----------------+
|  Engine  |  EngineVersion  |
+----------+-----------------+
|  mariadb |  10.5.20        |
|  mariadb |  10.5.21        |
|  mariadb |  10.5.22        |
|  mariadb |  10.5.23        |
|  mariadb |  10.5.24        |
|  mariadb |  10.5.25        |
|  mariadb |  10.5.26        |
|  mariadb |  10.5.27        |
|  mariadb |  10.5.28        |
|  mariadb |  10.5.29        |
|  mariadb |  10.6.13        |
|  mariadb |  10.6.14        |
|  mariadb |  10.6.15        |
|  mariadb |  10.6.16        |
|  mariadb |  10.6.17        |
|  mariadb |  10.6.18        |
|  mariadb |  10.6.19        |
|  mariadb |  10.6.20        |
|  mariadb |  10.6.21        |
|  mariadb |  10.6.22        |

$ aws rds describe-db-engine-versions --engine postgres --output table --query 'DBEngineVersions[*].{Engine:Engine,EngineVersion:EngineVersion}'
------------------------------------
|     DescribeDBEngineVersions     |
+-----------+----------------------+
|  Engine   |    EngineVersion     |
+-----------+----------------------+
|  postgres |  11.22               |
|  postgres |  11.22-rds.20240418  |
|  postgres |  11.22-rds.20240509  |
|  postgres |  11.22-rds.20240808  |
|  postgres |  11.22-rds.20241121  |
|  postgres |  11.22-rds.20250220  |
|  postgres |  11.22-rds.20250508  |
|  postgres |  12.20               |
|  postgres |  12.22               |
|  postgres |  12.22-rds.20250220  |
|  postgres |  12.22-rds.20250508  |
|  postgres |  13.15               |
```

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[~] service aws-amazonmq
│ └ resources
│    └[~] resource AWS::AmazonMQ::Broker
│      └ types
│         └[~] type User
│           └ properties
│              └ JolokiaApiAccess: (documentation changed)
├[~] service aws-apigateway
│ └ resources
│    ├[~] resource AWS::ApiGateway::DomainName
│    │ ├ properties
│    │ │  └ RoutingMode: (documentation changed)
│    │ └ attributes
│    │    └ DomainNameArn: (documentation changed)
│    └[~] resource AWS::ApiGateway::DomainNameV2
│      └ properties
│         └ RoutingMode: (documentation changed)
├[~] service aws-apigatewayv2
│ └ resources
│    ├[~] resource AWS::ApiGatewayV2::DomainName
│    │ └ properties
│    │    └ RoutingMode: (documentation changed)
│    └[~] resource AWS::ApiGatewayV2::RoutingRule
│      ├ - documentation: Schema for AWS::ApiGatewayV2::RoutingRule
│      │ + documentation: Represents a routing rule. When the incoming request to a domain name matches the conditions for a rule, API Gateway invokes a stage of a target API. Supported only for REST APIs.
│      ├ properties
│      │  ├ Actions: (documentation changed)
│      │  ├ Conditions: (documentation changed)
│      │  ├ DomainNameArn: (documentation changed)
│      │  └ Priority: (documentation changed)
│      ├ attributes
│      │  ├ RoutingRuleArn: (documentation changed)
│      │  └ RoutingRuleId: (documentation changed)
│      └ types
│         ├[~] type Action
│         │ ├ - documentation: undefined
│         │ │ + documentation: Represents a routing rule action. The only supported action is `invokeApi` .
│         │ └ properties
│         │    └ InvokeApi: (documentation changed)
│         ├[~] type ActionInvokeApi
│         │ ├ - documentation: undefined
│         │ │ + documentation: Represents an InvokeApi action.
│         │ └ properties
│         │    ├ ApiId: (documentation changed)
│         │    ├ Stage: (documentation changed)
│         │    └ StripBasePath: (documentation changed)
│         ├[~] type Condition
│         │ ├ - documentation: undefined
│         │ │ + documentation: Represents a condition. Conditions can contain up to two `matchHeaders` conditions and one `matchBasePaths` conditions. API Gateway evaluates header conditions and base path conditions together. You can only use AND between header and base path conditions.
│         │ └ properties
│         │    ├ MatchBasePaths: (documentation changed)
│         │    └ MatchHeaders: (documentation changed)
│         ├[~] type MatchBasePaths
│         │ ├ - documentation: undefined
│         │ │ + documentation: Represents a `MatchBasePaths` condition.
│         │ └ properties
│         │    └ AnyOf: (documentation changed)
│         ├[~] type MatchHeaders
│         │ ├ - documentation: undefined
│         │ │ + documentation: Represents a `MatchHeaders` condition.
│         │ └ properties
│         │    └ AnyOf: (documentation changed)
│         └[~] type MatchHeaderValue
│           ├ - documentation: undefined
│           │ + documentation: Represents a `MatchHeaderValue` .
│           └ properties
│              ├ Header: (documentation changed)
│              └ ValueGlob: (documentation changed)
├[~] service aws-autoscaling
│ └ resources
│    ├[~] resource AWS::AutoScaling::AutoScalingGroup
│    │ ├ properties
│    │ │  └ PlacementGroup: (documentation changed)
│    │ └ types
│    │    ├[~] type InstanceRequirements
│    │    │ └ properties
│    │    │    ├ BaselineEbsBandwidthMbps: (documentation changed)
│    │    │    ├ BurstablePerformance: (documentation changed)
│    │    │    ├ CpuManufacturers: (documentation changed)
│    │    │    ├ InstanceGenerations: (documentation changed)
│    │    │    └ LocalStorage: (documentation changed)
│    │    └[~] type LaunchTemplateOverrides
│    │      └ properties
│    │         └ InstanceType: (documentation changed)
│    └[~] resource AWS::AutoScaling::LaunchConfiguration
│      ├ properties
│      │  ├ BlockDeviceMappings: (documentation changed)
│      │  ├ EbsOptimized: (documentation changed)
│      │  ├ ImageId: (documentation changed)
│      │  ├ InstanceType: (documentation changed)
│      │  ├ KernelId: (documentation changed)
│      │  ├ KeyName: (documentation changed)
│      │  └ RamDiskId: (documentation changed)
│      └ types
│         └[~] type BlockDeviceMapping
│           └ properties
│              └ DeviceName: (documentation changed)
├[~] service aws-bedrock
│ └ resources
│    ├[~] resource AWS::Bedrock::Flow
│    │ └ types
│    │    ├[+] type FieldForReranking
│    │    │ ├ documentation: Field name for reranking
│    │    │ │ name: FieldForReranking
│    │    │ └ properties
│    │    │    └ FieldName: string (required)
│    │    ├[~] type FlowNodeConfiguration
│    │    │ └ properties
│    │    │    ├[+] Loop: LoopFlowNodeConfiguration
│    │    │    ├[+] LoopController: LoopControllerFlowNodeConfiguration
│    │    │    └[+] LoopInput: json
│    │    ├[~] type FlowNodeInput
│    │    │ └ properties
│    │    │    └[+] Category: string
│    │    ├[~] type KnowledgeBaseFlowNodeConfiguration
│    │    │ └ properties
│    │    │    ├[+] InferenceConfiguration: PromptInferenceConfiguration
│    │    │    ├[+] NumberOfResults: number
│    │    │    ├[+] OrchestrationConfiguration: KnowledgeBaseOrchestrationConfiguration
│    │    │    ├[+] PromptTemplate: KnowledgeBasePromptTemplate
│    │    │    └[+] RerankingConfiguration: VectorSearchRerankingConfiguration
│    │    ├[+] type KnowledgeBaseOrchestrationConfiguration
│    │    │ ├ name: KnowledgeBaseOrchestrationConfiguration
│    │    │ └ properties
│    │    │    ├ PromptTemplate: KnowledgeBasePromptTemplate
│    │    │    ├ InferenceConfig: PromptInferenceConfiguration
│    │    │    ├ AdditionalModelRequestFields: json
│    │    │    └ PerformanceConfig: PerformanceConfiguration
│    │    ├[+] type KnowledgeBasePromptTemplate
│    │    │ ├ documentation: Knowledge Base Prompt template
│    │    │ │ name: KnowledgeBasePromptTemplate
│    │    │ └ properties
│    │    │    └ TextPromptTemplate: string (required)
│    │    ├[+] type LoopControllerFlowNodeConfiguration
│    │    │ ├ documentation: Configuration for the LoopController node, which manages loop execution
│    │    │ │ name: LoopControllerFlowNodeConfiguration
│    │    │ └ properties
│    │    │    ├ ContinueCondition: FlowCondition (required)
│    │    │    └ MaxIterations: number (default=10)
│    │    ├[+] type LoopFlowNodeConfiguration
│    │    │ ├ documentation: Loop node config, contains loop's internal definition
│    │    │ │ name: LoopFlowNodeConfiguration
│    │    │ └ properties
│    │    │    └ Definition: FlowDefinition (required)
│    │    ├[+] type MetadataConfigurationForReranking
│    │    │ ├ name: MetadataConfigurationForReranking
│    │    │ └ properties
│    │    │    ├ SelectionMode: string (required)
│    │    │    └ SelectiveModeConfiguration: RerankingMetadataSelectiveModeConfiguration
│    │    ├[+] type PerformanceConfiguration
│    │    │ ├ name: PerformanceConfiguration
│    │    │ └ properties
│    │    │    └ Latency: string
│    │    ├[+] type RerankingMetadataSelectiveModeConfiguration
│    │    │ ├ name: RerankingMetadataSelectiveModeConfiguration
│    │    │ └ properties
│    │    │    ├ FieldsToInclude: Array<FieldForReranking>
│    │    │    └ FieldsToExclude: Array<FieldForReranking>
│    │    ├[+] type VectorSearchBedrockRerankingConfiguration
│    │    │ ├ name: VectorSearchBedrockRerankingConfiguration
│    │    │ └ properties
│    │    │    ├ ModelConfiguration: VectorSearchBedrockRerankingModelConfiguration (required)
│    │    │    ├ NumberOfRerankedResults: number
│    │    │    └ MetadataConfiguration: MetadataConfigurationForReranking
│    │    ├[+] type VectorSearchBedrockRerankingModelConfiguration
│    │    │ ├ name: VectorSearchBedrockRerankingModelConfiguration
│    │    │ └ properties
│    │    │    ├ ModelArn: string (required)
│    │    │    └ AdditionalModelRequestFields: json
│    │    └[+] type VectorSearchRerankingConfiguration
│    │      ├ name: VectorSearchRerankingConfiguration
│    │      └ properties
│    │         ├ Type: string (required)
│    │         └ BedrockRerankingConfiguration: VectorSearchBedrockRerankingConfiguration
│    └[~] resource AWS::Bedrock::FlowVersion
│      └ types
│         ├[+] type FieldForReranking
│         │ ├ documentation: Field name for reranking
│         │ │ name: FieldForReranking
│         │ └ properties
│         │    └ FieldName: string (required)
│         ├[~] type FlowNodeConfiguration
│         │ └ properties
│         │    ├[+] Loop: LoopFlowNodeConfiguration
│         │    ├[+] LoopController: LoopControllerFlowNodeConfiguration
│         │    └[+] LoopInput: json
│         ├[~] type KnowledgeBaseFlowNodeConfiguration
│         │ └ properties
│         │    ├[+] InferenceConfiguration: PromptInferenceConfiguration
│         │    ├[+] NumberOfResults: number
│         │    ├[+] OrchestrationConfiguration: KnowledgeBaseOrchestrationConfiguration
│         │    ├[+] PromptTemplate: KnowledgeBasePromptTemplate
│         │    └[+] RerankingConfiguration: VectorSearchRerankingConfiguration
│
├[+] type KnowledgeBaseOrchestrationConfiguration │ │ ├ name: KnowledgeBaseOrchestrationConfiguration │ │ └ properties │ │ ├ PromptTemplate: KnowledgeBasePromptTemplate │ │ ├ InferenceConfig: PromptInferenceConfiguration │ │ ├ AdditionalModelRequestFields: json │ │ └ PerformanceConfig: PerformanceConfiguration │ ├[+] type KnowledgeBasePromptTemplate │ │ ├ documentation: Knowledge Base Prompt template │ │ │ name: KnowledgeBasePromptTemplate │ │ └ properties │ │ └ TextPromptTemplate: string (required) │ ├[+] type LoopControllerFlowNodeConfiguration │ │ ├ documentation: Configuration for the LoopController node, which manages loop execution │ │ │ name: LoopControllerFlowNodeConfiguration │ │ └ properties │ │ ├ ContinueCondition: FlowCondition (required) │ │ └ MaxIterations: number (default=10) │ ├[+] type LoopFlowNodeConfiguration │ │ ├ documentation: Loop node config, contains loop's internal definition │ │ │ name: LoopFlowNodeConfiguration │ │ └ properties │ │ └ Definition: FlowDefinition (required) │ ├[+] type MetadataConfigurationForReranking │ │ ├ name: MetadataConfigurationForReranking │ │ └ properties │ │ ├ SelectionMode: string (required) │ │ └ SelectiveModeConfiguration: RerankingMetadataSelectiveModeConfiguration │ ├[+] type PerformanceConfiguration │ │ ├ name: PerformanceConfiguration │ │ └ properties │ │ └ Latency: string │ ├[+] type RerankingMetadataSelectiveModeConfiguration │ │ ├ name: RerankingMetadataSelectiveModeConfiguration │ │ └ properties │ │ ├ FieldsToInclude: Array<FieldForReranking> │ │ └ FieldsToExclude: Array<FieldForReranking> │ ├[+] type VectorSearchBedrockRerankingConfiguration │ │ ├ name: VectorSearchBedrockRerankingConfiguration │ │ └ properties │ │ ├ ModelConfiguration: VectorSearchBedrockRerankingModelConfiguration (required) │ │ ├ NumberOfRerankedResults: number │ │ └ MetadataConfiguration: MetadataConfigurationForReranking │ ├[+] type VectorSearchBedrockRerankingModelConfiguration │ │ ├ name: 
VectorSearchBedrockRerankingModelConfiguration │ │ └ properties │ │ ├ ModelArn: string (required) │ │ └ AdditionalModelRequestFields: json │ └[+] type VectorSearchRerankingConfiguration │ ├ name: VectorSearchRerankingConfiguration │ └ properties │ ├ Type: string (required) │ └ BedrockRerankingConfiguration: VectorSearchBedrockRerankingConfiguration ├[~] service aws-cloudtrail │ └ resources │ └[~] resource AWS::CloudTrail::EventDataStore │ ├ properties │ │ ├[+] ContextKeySelectors: Array<ContextKeySelector> │ │ └[+] MaxEventSize: string │ └ types │ └[+] type ContextKeySelector │ ├ documentation: An object that contains information types to be included in CloudTrail enriched events. │ │ name: ContextKeySelector │ └ properties │ ├ Type: string (required) │ └ Equals: Array<string> (required) ├[~] service aws-cloudwatch │ └ resources │ └[~] resource AWS::CloudWatch::InsightRule │ └ properties │ └ ApplyOnTransformedLogs: (documentation changed) ├[~] service aws-datasync │ └ resources │ ├[~] resource AWS::DataSync::LocationAzureBlob │ │ ├ - documentation: Creates a transfer *location* for a Microsoft Azure Blob Storage container. AWS DataSync can use this location as a transfer source or destination. │ │ │ Before you begin, make sure you know [how DataSync accesses Azure Blob Storage](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access) and works with [access tiers](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access-tiers) and [blob types](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#blob-types) . You also need a [DataSync agent](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-creating-agent) that can connect to your container. │ │ │ + documentation: Creates a transfer *location* for a Microsoft Azure Blob Storage container. 
AWS DataSync can use this location as a transfer source or destination. You can make transfers with or without a [DataSync agent](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-creating-agent) that connects to your container. │ │ │ Before you begin, make sure you know [how DataSync accesses Azure Blob Storage](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access) and works with [access tiers](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#azure-blob-access-tiers) and [blob types](https://docs.aws.amazon.com/datasync/latest/userguide/creating-azure-blob-location.html#blob-types) . │ │ ├ properties │ │ │ ├ AgentArns: (documentation changed) │ │ │ ├ AzureBlobSasConfiguration: (documentation changed) │ │ │ ├ CmkSecretConfig: (documentation changed) │ │ │ └ CustomSecretConfig: (documentation changed) │ │ ├ attributes │ │ │ └ CmkSecretConfig.SecretArn: (documentation changed) │ │ └ types │ │ ├[~] type CmkSecretConfig │ │ │ ├ - documentation: Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and a customer-managed AWS KMS key. │ │ │ │ + documentation: Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key . │ │ │ │ > You can use either `CmkSecretConfig` or `CustomSecretConfig` to provide credentials for a `CreateLocation` request. Do not provide both parameters for the same request. 
│ │ │ └ properties │ │ │ ├ KmsKeyArn: (documentation changed) │ │ │ └ SecretArn: (documentation changed) │ │ ├[~] type CustomSecretConfig │ │ │ ├ - documentation: Specifies configuration information for a customer-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and an IAM role that DataSync can assume and access the customer-managed secret. │ │ │ │ + documentation: Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. │ │ │ │ > You can use either `CmkSecretConfig` or `CustomSecretConfig` to provide credentials for a `CreateLocation` request. Do not provide both parameters for the same request. │ │ │ └ properties │ │ │ ├ SecretAccessRoleArn: (documentation changed) │ │ │ └ SecretArn: (documentation changed) │ │ └[~] type ManagedSecretConfig │ │ └ - documentation: Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location. DataSync uses the default AWS-managed KMS key to encrypt this secret in AWS Secrets Manager. │ │ + documentation: Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location. DataSync uses the default AWS -managed KMS key to encrypt this secret in AWS Secrets Manager . 
│ ├[~] resource AWS::DataSync::LocationObjectStorage │ │ ├ properties │ │ │ ├ AgentArns: (documentation changed) │ │ │ ├ CmkSecretConfig: (documentation changed) │ │ │ ├ CustomSecretConfig: (documentation changed) │ │ │ ├ SecretKey: (documentation changed) │ │ │ └ ServerProtocol: (documentation changed) │ │ ├ attributes │ │ │ └ CmkSecretConfig.SecretArn: (documentation changed) │ │ └ types │ │ ├[~] type CmkSecretConfig │ │ │ ├ - documentation: Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and a customer-managed AWS KMS key. │ │ │ │ + documentation: Specifies configuration information for a DataSync-managed secret, such as an authentication token or secret key that DataSync uses to access a specific storage location, with a customer-managed AWS KMS key . │ │ │ │ > You can use either `CmkSecretConfig` or `CustomSecretConfig` to provide credentials for a `CreateLocation` request. Do not provide both parameters for the same request. │ │ │ └ properties │ │ │ ├ KmsKeyArn: (documentation changed) │ │ │ └ SecretArn: (documentation changed) │ │ ├[~] type CustomSecretConfig │ │ │ ├ - documentation: Specifies configuration information for a customer-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location, and an IAM role that DataSync can assume and access the customer-managed secret. │ │ │ │ + documentation: Specifies configuration information for a customer-managed Secrets Manager secret where a storage location authentication token or secret key is stored in plain text. This configuration includes the secret ARN, and the ARN for an IAM role that provides access to the secret. │ │ │ │ > You can use either `CmkSecretConfig` or `CustomSecretConfig` to provide credentials for a `CreateLocation` request. Do not provide both parameters for the same request. 
│ │ │ └ properties │ │ │ ├ SecretAccessRoleArn: (documentation changed) │ │ │ └ SecretArn: (documentation changed) │ │ └[~] type ManagedSecretConfig │ │ └ - documentation: Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location. DataSync uses the default AWS-managed KMS key to encrypt this secret in AWS Secrets Manager. │ │ + documentation: Specifies configuration information for a DataSync-managed secret, such as an authentication token or set of credentials that DataSync uses to access a specific transfer location. DataSync uses the default AWS -managed KMS key to encrypt this secret in AWS Secrets Manager . │ ├[~] resource AWS::DataSync::LocationSMB │ │ └ properties │ │ ├ AuthenticationType: (documentation changed) │ │ ├ DnsIpAddresses: (documentation changed) │ │ ├ KerberosKeytab: (documentation changed) │ │ ├ KerberosKrb5Conf: (documentation changed) │ │ └ KerberosPrincipal: (documentation changed) │ └[~] resource AWS::DataSync::Task │ ├ properties │ │ ├ TaskMode: (documentation changed) │ │ └ TaskReportConfig: (documentation changed) │ └ types │ ├[~] type Deleted │ │ ├ - documentation: The reporting level for the deleted section of your DataSync task report. │ │ │ + documentation: Specifies the level of reporting for the files, objects, and directories that Datasync attempted to delete in your destination location. This only applies if you configure your task to delete data in the destination that isn't in the source. │ │ └ properties │ │ └ ReportLevel: (documentation changed) │ ├[~] type Destination │ │ └ - documentation: Specifies where DataSync uploads your [task report](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html) . │ │ + documentation: Specifies where DataSync uploads your task report. 
│ ├[~] type ManifestConfigSourceS3 │ │ ├ - documentation: Specifies the S3 bucket where you're hosting the manifest that you want AWS DataSync to use. For more information and configuration examples, see [Specifying what DataSync transfers by using a manifest](https://docs.aws.amazon.com/datasync/latest/userguide/transferring-with-manifest.html) . │ │ │ + documentation: Specifies the S3 bucket where you're hosting the manifest that you want AWS DataSync to use. │ │ └ properties │ │ ├ BucketAccessRoleArn: (documentation changed) │ │ ├ ManifestObjectPath: (documentation changed) │ │ └ ManifestObjectVersionId: (documentation changed) │ ├[~] type Overrides │ │ ├ - documentation: Customizes the reporting level for aspects of your task report. For example, your report might generally only include errors, but you could specify that you want a list of successes and errors just for the files that DataSync attempted to delete in your destination location. │ │ │ + documentation: Customizes the reporting level for aspects of your task report. For example, your report might generally only include errors, but you could specify that you want a list of successes and errors just for the files that Datasync attempted to delete in your destination location. │ │ └ properties │ │ ├ Deleted: (documentation changed) │ │ ├ Skipped: (documentation changed) │ │ ├ Transferred: (documentation changed) │ │ └ Verified: (documentation changed) │ ├[~] type Skipped │ │ ├ - documentation: The reporting level for the skipped section of your DataSync task report. │ │ │ + documentation: Specifies the level of reporting for the files, objects, and directories that Datasync attempted to skip during your transfer. │ │ └ properties │ │ └ ReportLevel: (documentation changed) │ ├[~] type Source │ │ ├ - documentation: Specifies the manifest that you want AWS DataSync to use and where it's hosted. 
For more information and configuration examples, see [Specifying what DataSync transfers by using a manifest](https://docs.aws.amazon.com/datasync/latest/userguide/transferring-with-manifest.html) . │ │ │ + documentation: Specifies the manifest that you want DataSync to use and where it's hosted. │ │ └ properties │ │ └ S3: (documentation changed) │ ├[~] type TaskReportConfigDestinationS3 │ │ ├ - documentation: Specifies the Amazon S3 bucket where DataSync uploads your [task report](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html) . │ │ │ + documentation: Specifies the Amazon S3 bucket where DataSync uploads your task report. │ │ └ properties │ │ ├ BucketAccessRoleArn: (documentation changed) │ │ └ S3BucketArn: (documentation changed) │ ├[~] type TaskSchedule │ │ └ properties │ │ └ Status: (documentation changed) │ ├[~] type Transferred │ │ ├ - documentation: The reporting level for the transferred section of your DataSync task report. │ │ │ + documentation: Specifies the level of reporting for the files, objects, and directories that Datasync attempted to transfer. │ │ └ properties │ │ └ ReportLevel: (documentation changed) │ └[~] type Verified │ ├ - documentation: The reporting level for the verified section of your DataSync task report. │ │ + documentation: Specifies the level of reporting for the files, objects, and directories that Datasync attempted to verify at the end of your transfer. 
This only applies if you configure your task to verify data during and after the transfer (which Datasync does by default) │ └ properties │ └ ReportLevel: (documentation changed) ├[~] service aws-datazone │ └ resources │ └[~] resource AWS::DataZone::ProjectProfile │ ├ properties │ │ ├[-] AllowedDesignations: Array<DesignationConfiguration> │ │ ├[-] ChangeLog: string │ │ ├ Description: (documentation changed) │ │ ├ Name: (documentation changed) │ │ ├[-] ProjectScopes: Array<ProjectScope> │ │ └ Status: (documentation changed) │ ├ attributes │ │ ├ CreatedAt: (documentation changed) │ │ ├ CreatedBy: (documentation changed) │ │ ├ DomainId: (documentation changed) │ │ ├ DomainUnitId: (documentation changed) │ │ ├ Id: (documentation changed) │ │ └ LastUpdatedAt: (documentation changed) │ └ types │ ├[-] type DesignationConfiguration │ │ ├ name: DesignationConfiguration │ │ └ properties │ │ └ DesignationId: string (required) │ └[-] type ProjectScope │ ├ name: ProjectScope │ └ properties │ ├ Policy: string │ └ Name: string (required) ├[~] service aws-deadline │ └ resources │ └[~] resource AWS::Deadline::Fleet │ └ types │ └[~] type ServiceManagedEc2FleetConfiguration │ └ properties │ └[+] StorageProfileId: string ├[~] service aws-dsql │ └ resources │ └[~] resource AWS::DSQL::Cluster │ ├ - documentation: The CreateCluster API allows you to create both single-region clusters and multi-Region clusters. With the addition of the *multiRegionProperties* parameter, you can create a cluster with witness Region support and establish peer relationships with clusters in other Regions during creation. │ │ > Creating multi-Region clusters requires additional IAM permissions beyond those needed for single-Region clusters, as detailed in the *Required permissions* section below. │ │ *Required permissions* │ │ - **dsql:CreateCluster** - Required to create a cluster. │ │ Resources: `arn:aws:dsql:region:account-id:cluster/*` │ │ - **dsql:TagResource** - Permission to add tags to a resource. 
│ │ Resources: `arn:aws:dsql:region:account-id:cluster/*` │ │ - **dsql:PutMultiRegionProperties** - Permission to configure multi-region properties for a cluster. │ │ Resources: `arn:aws:dsql:region:account-id:cluster/*` │ │ - **dsql:AddPeerCluster** - When specifying `multiRegionProperties.clusters` , permission to add peer clusters. │ │ Resources: │ │ - Local cluster: `arn:aws:dsql:region:account-id:cluster/*` │ │ - Each peer cluster: exact ARN of each specified peer cluster │ │ - **dsql:PutWitnessRegion** - When specifying `multiRegionProperties.witnessRegion` , permission to set a witness Region. This permission is checked both in the cluster Region and in the witness Region. │ │ Resources: `arn:aws:dsql:region:account-id:cluster/*` │ │ Condition Keys: `dsql:WitnessRegion` (matching the specified witness region) │ │ > - The witness Region specified in `multiRegionProperties.witnessRegion` cannot be the same as the cluster's Region. │ │ + documentation: The CreateCluster API allows you to create both single-Region clusters and multi-Region clusters. With the addition of the *multiRegionProperties* parameter, you can create a cluster with witness Region support and establish peer relationships with clusters in other Regions during creation. │ │ > Creating multi-Region clusters requires additional IAM permissions beyond those needed for single-Region clusters, as detailed in the *Required permissions* section below. │ │ *Required permissions* │ │ - **dsql:CreateCluster** - Required to create a cluster. │ │ Resources: `arn:aws:dsql:region:account-id:cluster/*` │ │ - **dsql:TagResource** - Permission to add tags to a resource. │ │ Resources: `arn:aws:dsql:region:account-id:cluster/*` │ │ - **dsql:PutMultiRegionProperties** - Permission to configure multi-Region properties for a cluster. │ │ Resources: `arn:aws:dsql:region:account-id:cluster/*` │ │ - **dsql:AddPeerCluster** - When specifying `multiRegionProperties.clusters` , permission to add peer clusters. 
│ │ Resources: │ │ - Local cluster: `arn:aws:dsql:region:account-id:cluster/*` │ │ - Each peer cluster: exact ARN of each specified peer cluster │ │ - **dsql:PutWitnessRegion** - When specifying `multiRegionProperties.witnessRegion` , permission to set a witness Region. This permission is checked both in the cluster Region and in the witness Region. │ │ Resources: `arn:aws:dsql:region:account-id:cluster/*` │ │ Condition Keys: `dsql:WitnessRegion` (matching the specified witness region) │ │ > - The witness Region specified in `multiRegionProperties.witnessRegion` cannot be the same as the cluster's Region. │ ├ properties │ │ └[+] MultiRegionProperties: MultiRegionProperties │ └ types │ └[+] type MultiRegionProperties │ ├ documentation: Defines the structure for multi-Region cluster configurations, containing the witness region and linked cluster settings. │ │ name: MultiRegionProperties │ └ properties │ ├ WitnessRegion: string │ └ Clusters: Array<string> ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::EC2Fleet │ │ └ types │ │ ├[+] type BlockDeviceMapping │ │ │ ├ name: BlockDeviceMapping │ │ │ └ properties │ │ │ ├ DeviceName: string │ │ │ ├ Ebs: EbsBlockDevice │ │ │ ├ NoDevice: string │ │ │ └ VirtualName: string │ │ ├[+] type EbsBlockDevice │ │ │ ├ name: EbsBlockDevice │ │ │ └ properties │ │ │ ├ DeleteOnTermination: boolean │ │ │ ├ Encrypted: boolean │ │ │ ├ Iops: integer │ │ │ ├ KmsKeyId: string │ │ │ ├ SnapshotId: string │ │ │ ├ VolumeSize: integer │ │ │ └ VolumeType: string │ │ └[~] type FleetLaunchTemplateOverridesRequest │ │ └ properties │ │ └[+] BlockDeviceMappings: Array<BlockDeviceMapping> │ └[~] resource AWS::EC2::TrafficMirrorFilter │ └ attributes │ └ Id: (documentation changed) ├[~] service aws-ecs │ └ resources │ └[~] resource AWS::ECS::TaskDefinition │ └ types │ └[~] type ContainerDefinition │ └ properties │ └ DependsOn: (documentation changed) ├[~] service aws-elasticloadbalancingv2 │ └ resources │ └[~] resource 
AWS::ElasticLoadBalancingV2::TargetGroup │ └ types │ └[~] type TargetGroupAttribute │ └ properties │ └ Key: (documentation changed) ├[~] service aws-emr │ └ resources │ └[~] resource AWS::EMR::Cluster │ └ types │ └[~] type ManagedScalingPolicy │ └ properties │ ├ ScalingStrategy: (documentation changed) │ └ UtilizationPerformanceIndex: (documentation changed) ├[+] service aws-evs │ ├ capitalized: EVS │ │ cloudFormationNamespace: AWS::EVS │ │ name: aws-evs │ │ shortName: evs │ └ resources │ └ resource AWS::EVS::Environment │ ├ name: Environment │ │ cloudFormationType: AWS::EVS::Environment │ │ documentation: An environment created within the EVS service │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ ├ properties │ │ ├ EnvironmentName: string (immutable) │ │ ├ KmsKeyId: string (immutable) │ │ ├ VpcId: string (required, immutable) │ │ ├ ServiceAccessSubnetId: string (required, immutable) │ │ ├ VcfVersion: string (required, immutable) │ │ ├ TermsAccepted: boolean (required, immutable) │ │ ├ LicenseInfo: LicenseInfo (required, immutable) │ │ ├ InitialVlans: InitialVlans │ │ ├ Hosts: Array<HostInfoForCreate> │ │ ├ ConnectivityInfo: ConnectivityInfo (required, immutable) │ │ ├ VcfHostnames: VcfHostnames (required, immutable) │ │ ├ SiteId: string (required, immutable) │ │ ├ ServiceAccessSecurityGroups: ServiceAccessSecurityGroups (immutable) │ │ └ Tags: Array<tag> │ ├ attributes │ │ ├ EnvironmentId: string │ │ ├ Checks: Array<Check> │ │ ├ EnvironmentArn: string │ │ ├ Credentials: Array<Secret> │ │ ├ EnvironmentState: string │ │ ├ StateDetails: string │ │ ├ CreatedAt: string │ │ └ ModifiedAt: string │ └ types │ ├ type Check │ │ ├ name: Check │ │ └ properties │ │ ├ Type: string (required) │ │ ├ Result: string (required) │ │ └ ImpairedSince: string │ ├ type ConnectivityInfo │ │ ├ name: ConnectivityInfo │ │ └ properties │ │ └ PrivateRouteServerPeerings: Array<string> (required) │ ├ type HostInfoForCreate │ │ ├ name: HostInfoForCreate │ │ └ properties │ │ 
├ HostName: string (required) │ │ ├ KeyName: string (required) │ │ ├ InstanceType: string (required) │ │ ├ PlacementGroupId: string │ │ └ DedicatedHostId: string │ ├ type InitialVlanInfo │ │ ├ name: InitialVlanInfo │ │ └ properties │ │ └ Cidr: string (required) │ ├ type InitialVlans │ │ ├ documentation: The initial Vlan configuration only required upon creation. Modification after creation will have no effect │ │ │ name: InitialVlans │ │ └ properties │ │ ├ VmkManagement: InitialVlanInfo (required) │ │ ├ VmManagement: InitialVlanInfo (required) │ │ ├ VMotion: InitialVlanInfo (required) │ │ ├ VSan: InitialVlanInfo (required) │ │ ├ VTep: InitialVlanInfo (required) │ │ ├ EdgeVTep: InitialVlanInfo (required) │ │ ├ NsxUpLink: InitialVlanInfo (required) │ │ ├ Hcx: InitialVlanInfo (required) │ │ ├ ExpansionVlan1: InitialVlanInfo (required) │ │ └ ExpansionVlan2: InitialVlanInfo (required) │ ├ type LicenseInfo │ │ ├ documentation: The license information for an EVS environment │ │ │ name: LicenseInfo │ │ └ properties │ │ ├ SolutionKey: string (required) │ │ └ VsanKey: string (required) │ ├ type Secret │ │ ├ name: Secret │ │ └ properties │ │ └ SecretArn: string │ ├ type ServiceAccessSecurityGroups │ │ ├ name: ServiceAccessSecurityGroups │ │ └ properties │ │ └ SecurityGroups: Array<string> │ └ type VcfHostnames │ ├ name: VcfHostnames │ └ properties │ ├ VCenter: string (required) │ ├ Nsx: string (required) │ ├ NsxManager1: string (required) │ ├ NsxManager2: string (required) │ ├ NsxManager3: string (required) │ ├ NsxEdge1: string (required) │ ├ NsxEdge2: string (required) │ ├ SddcManager: string (required) │ └ CloudBuilder: string (required) ├[~] service aws-fsx │ └ resources │ └[~] resource AWS::FSx::FileSystem │ ├ properties │ │ └ StorageType: (documentation changed) │ └ types │ ├[~] type LustreConfiguration │ │ └ properties │ │ └ DeploymentType: (documentation changed) │ └[~] type ReadCacheConfiguration │ └ - documentation: The configuration for the optional provisioned SSD 
read cache on file systems that use the Intelligent-Tiering storage class. │ + documentation: The configuration for the optional provisioned SSD read cache on Amazon FSx for OpenZFS file systems that use the Intelligent-Tiering storage class. ├[~] service aws-lambda │ └ resources │ ├[~] resource AWS::Lambda::EventInvokeConfig │ │ └ types │ │ └[~] type OnFailure │ │ └ - documentation: A destination for events that failed processing. │ │ + documentation: A destination for events that failed processing. See [Capturing records of Lambda asynchronous invocations](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async-retain-records.html) for more information. │ └[~] resource AWS::Lambda::EventSourceMapping │ └ types │ ├[~] type OnFailure │ │ └ - documentation: A destination for events that failed processing. │ │ + documentation: A destination for events that failed processing. See [Capturing records of Lambda asynchronous invocations](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async-retain-records.html) for more information. │ └[~] type SelfManagedKafkaEventSourceConfig │ └ properties │ └ ConsumerGroupId: (documentation changed) ├[~] service aws-lightsail │ └ resources │ └[~] resource AWS::Lightsail::InstanceSnapshot │ ├ - documentation: Resource Type definition for AWS::Lightsail::InstanceSnapshot │ │ + documentation: Describes an instance snapshot. 
│ ├ properties │ │ ├ InstanceName: (documentation changed) │ │ └ Tags: (documentation changed) │ └ attributes │ ├ Arn: (documentation changed) │ ├ FromInstanceArn: (documentation changed) │ ├ ResourceType: (documentation changed) │ ├ SizeInGb: (documentation changed) │ └ SupportCode: (documentation changed) ├[~] service aws-mediapackage │ └ resources │ └[~] resource AWS::MediaPackage::Asset │ └ properties │ ├ Id: - string (required) │ │ + string (required, immutable) │ └ Tags: - Array<tag> │ + Array<tag> (immutable) ├[~] service aws-networkfirewall │ └ resources │ └[+] resource AWS::NetworkFirewall::VpcEndpointAssociation │ ├ name: VpcEndpointAssociation │ │ cloudFormationType: AWS::NetworkFirewall::VpcEndpointAssociation │ │ documentation: Resource type definition for AWS::NetworkFirewall::VpcEndpointAssociation │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ ├ properties │ │ ├ Description: string (immutable) │ │ ├ FirewallArn: string (required, immutable) │ │ ├ VpcId: string (required, immutable) │ │ ├ SubnetMapping: SubnetMapping (required, immutable) │ │ └ Tags: Array<tag> │ ├ attributes │ │ ├ VpcEndpointAssociationArn: string │ │ ├ VpcEndpointAssociationId: string │ │ └ EndpointId: string │ └ types │ └ type SubnetMapping │ ├ name: SubnetMapping │ └ properties │ ├ SubnetId: string (required) │ └ IPAddressType: string ├[~] service aws-rds │ └ resources │ ├[~] resource AWS::RDS::DBProxyTargetGroup │ │ └ types │ │ └[~] type ConnectionPoolConfigurationInfoFormat │ │ └ properties │ │ ├ ConnectionBorrowTimeout: (documentation changed) │ │ └ InitQuery: (documentation changed) │ └[~] resource AWS::RDS::DBShardGroup │ └ properties │ └ ComputeRedundancy: (documentation changed) ├[~] service aws-s3 │ └ resources │ └[~] resource AWS::S3::Bucket │ └ types │ └[~] type RoutingRuleCondition │ └ properties │ └ KeyPrefixEquals: (documentation changed) ├[~] service aws-transfer │ └ resources │ └[~] resource AWS::Transfer::User │ └ properties │ └ 
HomeDirectory: (documentation changed) ├[~] service aws-verifiedpermissions │ └ resources │ └[~] resource AWS::VerifiedPermissions::PolicyStore │ ├ properties │ │ └ DeletionProtection: (documentation changed) │ └ types │ └[~] type DeletionProtection │ ├ - documentation: undefined │ │ + documentation: Specifies whether the policy store can be deleted. │ └ properties │ └ Mode: (documentation changed) └[~] service aws-wafv2 └ resources └[~] resource AWS::WAFv2::WebACL └ properties └[+] OnSourceDDoSProtectionConfig: json ```
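Review bot: In the `aws-datazone` section, `AWS::DataZone::ProjectProfile` loses three properties (`[-] AllowedDesignations`, `[-] ChangeLog`, `[-] ProjectScopes`) together with the `DesignationConfiguration` and `ProjectScope` types. L1 code that sets any of them will stop compiling after this spec update, so the removal should be called out as a breaking change for users of that resource. In the `aws-mediapackage` section, `Id` and `Tags` on `AWS::MediaPackage::Asset` change to `immutable`. If that marks them create-only, a stack that edits tags on an existing asset would replace the resource instead of updating it in place, which is worth a line in the release notes as well.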
### Reason for this change

Update the .NET requirements in documentation, previously only upgrading the templates. #32894

### Description of changes

* Update documentation regarding the minimum .NET version

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

N/A

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

None

### Reason for this change

AWS supports interface VPC endpoint for DSQL but AWS CDK does not support this.

### Description of changes

Add interface VPC endpoints

- `DSQL`
- `DSQL_FNH4`

### Describe any new or updated permissions being added

None

### Description of how you validated changes

```sh
$ aws ec2 describe-vpc-endpoint-services --filters "Name=service-name,Values=*dsql*" --region us-east-1 --query "ServiceNames[]"
[
    "com.amazonaws.us-east-1.dsql",
    "com.amazonaws.us-east-1.dsql-fnh4"
]
```

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…e key (#34676)

### Issue # (if applicable)

Related to #15301.

### Reason for this change

The error message returned by CloudFormation when trying to update a public key is not helping the user diagnose that the updating of certain fields of a PublicKey is not supported.

### Description of changes

Updated the doc to reflect that updating the fields is not allowed.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…34680)

### Issue # (if applicable)

Closes #34678

### Reason for this change

opensearchservice now has [enableOpensearchMultiAzWithStandby](https://github.com/aws/aws-cdk/blob/ef0272442d415ff7c6d5943b15b5833e0ae2e1bd/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md?plain=1#L59) FF enabled by default, which means zoneAwareness has to be enabled across 3 AZs.

This integ test is now failing without this PR and is blocking #34660.

We need to first fix this integ test before #34660 can continue.

### Description of changes

- enable `zoneAwareness`
- set correct `AvailabilityZoneCount` and other required props

### Describe any new or updated permissions being added

### Description of how you validated changes

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…33879)

### Issue #33878

Closes #33878.

### Reason for this change

Fix a bug in the JsonSchema interface.

:rotating_light: _This is a breaking change, but should be acceptable, since the bug prevented use of the changed interface portion_ :rotating_light:

### Description of changes

Changing the `JsonSchema.additionalItems` type from `JsonSchema[]` to `JsonSchema | boolean` to match [Json Schema Draft-04](https://json-schema.org/draft-04/schema). This enables deployment of API Gateway models that include the `additionalItems` property.

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Added an integration test to validate that it fixes the deployment issue.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
Adds a clarification note that these properties are not strictly enforced at runtime, but are still required nonetheless.

### Issue #34645

Fixes #34645.

### Reason for this change

[ECS docs](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size) was recently updated to state that the CPU/Memory property is not enforced on Windows platforms, but are still required nonetheless.

### Description of changes

Add note to the CPU and memory property of Fargate task definitions.

### Describe any new or updated permissions being added

No permissions added or updated.

### Description of how you validated changes

No tests needed as this is a documentation change.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
…penSearch domains (#34660)

## Description

This PR fixes the issue where OpenSearch domains were not getting a default TLS security policy, causing inconsistent behavior between the CDK construct and the actual AWS service default.

### Previous behavior:

- CDK construct: No `tlsSecurityPolicy` specified → `TLSSecurityPolicy.TLS_1_0`
- AWS service: Defaults to TLS 1.2 when TLSSecurityPolicy is not specified in CloudFormation

### New behavior:

- CDK construct: No `tlsSecurityPolicy` specified → CDK explicitly sets TLSSecurityPolicy: `Policy-Min-TLS-1-2-2019-07`
- Result: Consistent TLS 1.2 behavior between CDK construct and AWS service

## Changes Made

1. Updated `domain.ts`: Modified the `DomainEndpointOptions` configuration to use `TLSSecurityPolicy.TLS_1_2` as the default when `props.tlsSecurityPolicy` is undefined:

   ```ts
   tlsSecurityPolicy: props.tlsSecurityPolicy ?? TLSSecurityPolicy.TLS_1_2,
   ```

3. Added comprehensive tests: Created a new test suite covering:
   - Default TLS 1.2 behavior when no policy is specified
   - Explicit TLS policy values (1.0, 1.2, 1.2 PFS)
   - Interaction with enforceHttps setting
   - Backward compatibility scenarios
4. Add a new integ test that checks DomainEndpointOptions to include the expected `TLSSecurityPolicy` assertion, ensuring they reflect the new default behavior.

### Approach Rationale

This approach is simpler and more predictable:

- CDK-controlled defaults: We simply change the implicit default from TLS 1.0 to TLS 1.2, ensuring the default value is fully controlled by CDK even when undefined
- Breaking change: This changes the default TLS security policy behavior and should be called out in release notes
- Matches integration test expectations: Aligns with existing integration test assertions that expect `TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07`
- Follows AWS best practices: TLS 1.2 is the recommended minimum security standard

### Testing

- ✅ All existing OpenSearch domain tests pass (1,616 tests)
- ✅ New comprehensive TLS security policy test suite
- ✅ Integration test integ.opensearch.https.ts continues to pass
- ✅ No linting issues

## Related Issues

Closes #34658

## Breaking Changes

OpenSearch Domain TLS Security Policy Default Changed

- The default TLS security policy for OpenSearch domains has changed from TLS 1.0 to TLS 1.2
- Impact: Domains created without an explicit tlsSecurityPolicy will now use TLS 1.2 instead of TLS 1.0
- Migration: If you require TLS 1.0 for backward compatibility, explicitly set `tlsSecurityPolicy: TLSSecurityPolicy.TLS_1_0`

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
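A check that follows from the default change described in the commit message above, as an added example (not code from the aws-cdk repository): it scans a synthesized CloudFormation template and reports which TLS policy each `AWS::OpenSearchService::Domain` pins, so domains still on TLS 1.0 or relying on an implicit default stand out before and after upgrading. The function name, sample template, logical IDs and parameter name are constructed for illustration; `Policy-Min-TLS-1-0-2019-07` is the CloudFormation name of the TLS 1.0 policy.

```typescript
// Added example: audit a synthesized CloudFormation template for the TLS
// policy pinned on each OpenSearch domain. Names and sample data are constructed.
type Status = "ok" | "weak" | "unpinned" | "unresolved";
interface Finding { logicalId: string; policy: string | null; status: Status }
interface CfnResource { Type: string; Properties?: { [key: string]: any } }
interface CfnTemplate { Resources?: { [logicalId: string]: CfnResource } }

const DOMAIN_TYPE = "AWS::OpenSearchService::Domain";
// CloudFormation value for a TLS 1.0 minimum (what TLSSecurityPolicy.TLS_1_0 renders to).
const WEAK_POLICIES = ["Policy-Min-TLS-1-0-2019-07"];

function auditOpenSearchTls(template: CfnTemplate): Finding[] {
  const resources: { [logicalId: string]: CfnResource } = template.Resources || {};
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (!res || res.Type !== DOMAIN_TYPE) continue;
    const props: { [key: string]: any } = res.Properties || {};
    const options: { [key: string]: any } = props["DomainEndpointOptions"] || {};
    const raw: unknown = options["TLSSecurityPolicy"];
    let status: Status;
    if (raw === undefined || raw === null) {
      status = "unpinned";   // template leaves the minimum TLS version implicit
    } else if (typeof raw !== "string") {
      status = "unresolved"; // intrinsic such as Ref or Fn::If: review by hand
    } else {
      status = WEAK_POLICIES.indexOf(raw) >= 0 ? "weak" : "ok";
    }
    findings.push({ logicalId, policy: typeof raw === "string" ? raw : null, status });
  }
  return findings;
}

// Constructed sample template; logical IDs and the parameter name are made up.
const sampleTemplate: CfnTemplate = {
  Resources: {
    LegacyDomain: { Type: DOMAIN_TYPE, Properties: { DomainEndpointOptions: { TLSSecurityPolicy: "Policy-Min-TLS-1-0-2019-07" } } },
    ModernDomain: { Type: DOMAIN_TYPE, Properties: { DomainEndpointOptions: { TLSSecurityPolicy: "Policy-Min-TLS-1-2-2019-07", EnforceHTTPS: true } } },
    BareDomain: { Type: DOMAIN_TYPE },
    ParamDomain: { Type: DOMAIN_TYPE, Properties: { DomainEndpointOptions: { TLSSecurityPolicy: { Ref: "TlsPolicyParam" } } } },
    LogBucket: { Type: "AWS::S3::Bucket" },
  },
};

for (const f of auditOpenSearchTls(sampleTemplate)) {
  console.log(f.logicalId + ": " + f.status + (f.policy ? " (" + f.policy + ")" : ""));
}
```

Running it against the templates synthesized before and after the upgrade shows which domains move from `unpinned` or `weak` to `ok`, and which ones carry an explicit TLS 1.0 setting that the new default does not override.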
### Issue # (if applicable)

N/A

### Reason for this change

Missing property in L2 Construct.

### Description of changes

Add `skew Protection` to `branch` construct.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

Add a unit test and an integ test.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

Comments on closed issues and PRs are hard for our team to see.
Labels
auto-approve
p2
pr/needs-community-review
This PR needs a review from a Trusted Community Member or Core Team Member.
pr/no-squash
This PR should be merged instead of squash-merging it
See CHANGELOG