chore(release): 2.202.0 #34769
Closed
#34256)

### Issue # (if applicable)
N/A

### Reason for this change
Missing property.

### Description of changes
Add kmsKey property to AppConfig Hosted Configuration

### Describe any new or updated permissions being added
N/A

### Description of how you validated changes
Add a unit test and an integ test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…en not set (#34613)

### Issue #34612
Closes #34612

### Reason for this change
`USE_CDK_MANAGED_LAMBDA_LOGGROUP` makes CDK create a new log group. This is not backwards compatible with older CDK versions where the log group already exists.

### Description of changes
Change the default flag value to false

### Describe any new or updated permissions being added
None

### Description of how you validated changes
Ran integ tests

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)
None

### Reason for this change
Synthetics now supports the node-playwright 2.0 runtime

https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_nodejs_playwright.html

### Description of changes
- Add node-playwright 2.0 runtime

### Describe any new or updated permissions being added
None

### Description of how you validated changes
update both unit and integ test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…perty (#34539)

### Issue # (if applicable)
Closes #32318

### Reason for this change
[outputConfigCommand](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks.Cluster.html#outputconfigcommand) is true by default.

https://github.com/aws/aws-cdk/blob/7538a8431290fe76d9ad6bbf80977eb2cb17e007/packages/aws-cdk-lib/aws-eks/lib/cluster.ts#L506-L513

But if `mastersRole` is not specified, command will not be output because the output command will not be useful as it won't have the necessary role.

https://github.com/aws/aws-cdk/blob/7538a8431290fe76d9ad6bbf80977eb2cb17e007/packages/aws-cdk-lib/aws-eks/lib/cluster.ts#L1845

### Description of changes
- Add `mastersRole` requirement to `outputConfigCommand` property. The requirement for `mastersRole` is already documented. https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks-readme.html#masters-role
  > If you do not specify it, you won't have access to the cluster from outside of the CDK application.
- Add warning if `outputConfigCommand` is `true` and `mastersRole` is not specified

### Describe any new or updated permissions being added
None

### Description of how you validated changes
Pass unit test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…G guide (#34622)

### Issue # (if applicable)
#34612

Closes #<issue number here>.

### Reason for this change
Adding details on Feature flag fields in contributing guide.

### Description of changes

### Describe any new or updated permissions being added
N/A

### Description of how you validated changes
N/A

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Reason for this change
New MariaDB versions are available.

Note: Link to the release note will be available later.

### Description of changes
```console
$ aws --region us-east-1 rds describe-db-engine-versions --engine mariadb --query 'DBEngineVersions[].EngineVersion'
[
    "10.5.20", "10.5.21", "10.5.22", "10.5.23", "10.5.24", "10.5.25", "10.5.26", "10.5.27", "10.5.28", "10.5.29",
    "10.6.13", "10.6.14", "10.6.15", "10.6.16", "10.6.17", "10.6.18", "10.6.19", "10.6.20", "10.6.21", "10.6.22",
    "10.11.4", "10.11.5", "10.11.6", "10.11.7", "10.11.8", "10.11.9", "10.11.10", "10.11.11", "10.11.13",
    "11.4.3", "11.4.4", "11.4.5", "11.4.7"
]
```

### Describe any new or updated permissions being added
N/A

### Description of how you validated changes
Added versions to unit test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

#34626)

### Issue # (if applicable)
Closes #34624.

### Reason for this change
Correcting the description of the `userData` property in the EC2 launch template construct properties.

### Description of changes
Updated the documentation to match the corresponding [Cloudformation documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-userdata) for `userData`. While the Cloudformation doc also specifies providing a base64-encoded value, this is [performed by the CDK code](https://github.com/aws/aws-cdk/blob/aa97e61140a4aac8531ac71521bde8bcdcbad573/packages/aws-cdk-lib/aws-ec2/lib/launch-template.ts#L690). The `userData` input structure is enforced by the `UserData` type, so no specific formatting instructions are necessary.

### Describe any new or updated permissions being added
N/A

### Description of how you validated changes
Executed the build and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)
None

### Reason for this change
AWS EBS now supports specifying [volume initialization rate](https://docs.aws.amazon.com/ebs/latest/userguide/initalize-volume.html#volume-initialization-rate) but AWS CDK cannot configure this parameter.

### Description of changes
- Add `volumeInitializationRate` to `VolumeProps`

### Describe any new or updated permissions being added
none

### Description of how you validated changes
Add both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.

### Issue
Closes #32569

### Description of changes
Throw typed errors everywhere. This introduced a new error type `ExecutionError` that is meant for failures from external scripts or code.

### Describe any new or updated permissions being added
n/a

### Description of how you validated changes
Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…#31586)

### Issue # (if applicable)
Closes #26982

### Reason for this change
The ContextProvider mechanism and various "lookup" functions of a number of constructs support caching resolved values in the cdk.context.json. The context keys are constructed from the parameters of the lookup, which for lookup functions means whenever a resource with the same parameters is resolved, it is resolved as the same value across the entire app. However when a value may change over time, the user may wish to use the latest value when creating a new reference to the construct, effectively tying the cached context value to the scope - this patch enables this.

The primary use case is looking up an AMI parameter for a "stateful" EC2 instance. Currently if you specify cachedInContext, any future images created would use the same cached AMI, and updating the value would require updating all usages of the image across the entire app.

### Description of changes
Adds an `additionalCacheKey` parameter/property to multiple areas of the CDK where lookups can be cached

### Description of how you validated changes
Unit + integration tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Reason for this change
Fix small typo found when reading the docs :p

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…#34596)

Reopen #33883

The cyclic dependency issue #34592 should be resolved before merging this PR again.

### Issue # (if applicable)
Related to #33757.

### Reason for this change
`FlowLogDestination.toKinesisDataFirehoseDestination()` includes the former service name Kinesis and receives the string ARN.

Also, cross-account log delivery needs an IAM role.

https://docs.aws.amazon.com/vpc/latest/userguide/firehose-cross-account-delivery.html

### Description of changes
- Added `FlowLogDestination.toFirehose()` with an optional IAM role.
- Deprecate `toKinesisDataFirehoseDestination()`

Note: CDK cannot create the IAM role for cross-account delivery because the VPC ARN is needed but FlowLog construct doesn't know it.

### Describe any new or updated permissions being added
N/A - Users must specify IAM roles for cross account delivery.

### Description of how you validated changes
Unit tests and integ test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Reason for this change
When doing a fresh clone of the repo we get:

```
Encountered 5 files that should have been pointers, but weren't:
	packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/asset.8a84a8f465fbe0c48af2c256847ec9abfe095d23781b749728b998315f3ad732.zip
	packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-addon.js.snapshot/asset.12157b27d30ab71eb24ae65825f672ba5cc2c09dbb1703cd7adfcff3aeaca136.zip
	packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-addon.js.snapshot/asset.6094cb0ff874f89ab5ab24fb6b9417df0fdeb6966645f90c88ec1d7e28130112.zip
	packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-addon.js.snapshot/asset.93d96d34e0d3cd20eb082652b91012b131bdc34fcf2bc16eb4170e04772fddb1.zip
	packages/@aws-cdk-testing/framework-integ/test/aws-synthetics/test/integ.canary.js.snapshot/asset.b1b777dcb79a2fa2790059927207d10bf5f4747d6dd1516e2780726d9d6fa820.zip
```

This can be verified with: `git lfs fsck` which gives the same problematic 5 files.

### Description of changes
Ran `git lfs migrate import --no-rewrite <path to the 5 files>`.

### Description of how you validated changes
Ran `git lfs fsck`, no more errors.

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

)

### Issue # (if applicable)
Closes #33584.

### Reason for this change
AWS CodePipeline introduces a new action to deploy to Amazon Elastic Compute Cloud (EC2).

https://aws.amazon.com/about-aws/whats-new/2025/02/aws-codepipeline-native-ec2-deployment-support/

### Description of changes
Added the `Ec2DeployAction` action class and corresponding helpers.

- `Ec2InstanceType` - specify instance type: EC2 or SSM_MANAGED_NODE
- `Ec2DeploySpecification` - choose deploy specification: inline or DeploySpec (not yet included)
- `Ec2MaxInstances` - specify maxBatch and maxError configuration

#### Usage

```ts
new cpactions.Ec2DeployAction({
  actionName: 'EC2',
  input: buildOutput,
  // specify instance type
  instanceType: cpactions.Ec2InstanceType.EC2, // REQUIRED
  // specify tag key and value, not ec2.IInstance
  instanceTagKey: 'Target', // REQUIRED
  instanceTagValue: 'DeployTarget',
  // deploy specifications
  deploySpecifications: cpactions.Ec2DeploySpecifications.inline({
    targetDirectory: '/home/ec2-user/deploy', // REQUIRED
    preScript: 'hooks/pre-script',
    postScript: 'hooks/post-script', // REQUIRED
  }),
  // the action will detach and attach instances from/to target groups
  targetGroups: [myTargetGroup],
  // the number or percentage of instances that can deploy in parallel
  maxBatch: cpactions.Ec2MaxInstances.target(2),
  maxError: cpactions.Ec2MaxInstances.percent(50),
});
```

### Describe any new or updated permissions being added
`Ec2DeployAction` adds permissions based on CodePipeline documentation:

https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-EC2Deploy.html#action-reference-EC2Deploy-permissions-action

For details of actions, resource, and condition keys, see the Service Authorization Reference: [EC2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html), [ELBv2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselasticloadbalancingv2.html), [SSM](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html)

### Description of how you validated changes
Unit tests and an integ test. The integ test also asserts pipeline execution.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable): Bedrock L2 Construct
Closes #<issue number here> [ Issue - 686](aws/aws-cdk-rfcs#686)

### Reason for this change
- New Feature, Adding bedrock L2 construct. [RFC 888](aws/aws-cdk-rfcs#688)

### Description of changes
Bedrock L2 Construct with following features

1. Agent core functionality (agent.ts)
2. Agent aliases (agent-alias.ts)
3. Action groups (action-group.ts)
4. Agent collaboration (agent-collaborator.ts)
5. Memory configuration (memory.ts)
6. Custom orchestration (orchestration.ts)
7. Prompt overrides (prompt-override.ts)
8. API schemas and executors (api-schema.ts, api-executor.ts)

Integration Tests (integ.agent.ts):

- Tests the creation of a basic Bedrock Agent with default values
- Verifies the agent creation with foundationModel, instruction, and forceDelete settings

Unit Tests for agent.test.ts, agent-collaborator.test.ts, api-executor.test.ts, memory.test.ts, prompt-override.test.ts

### Describe any new or updated permissions being added
IAM roles for Agent, Knowledgebase, guardrails, inference profiles, prompts.

### Description of how you validated changes
Created CDK APP in the repo and deployed the stack.

TODO : Unit and Integration test

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… practices (#34638)

### Issue # (if applicable)
Closes #34637 .

### Reason for this change
See description of issue #34637.

### Description of changes
Do not directly pass the `events.OnEventOptions` object directly to the `RuleProps` but rather create an object mapping the needed properties.

### Describe any new or updated permissions being added
NA

### Description of how you validated changes
Build module and ran existing integ test. No need to add additional testing.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ntifier` (#33982)

### Issue # (if applicable)
Closes #33889

### Reason for this change
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_RestoreFromMultiAZDBClusterSnapshot.html

### Description of changes
- `DatabaseInstanceFromSnapshot` support `clusterSnapshotIdentifier`
- `clusterSnapshotIdentifier` and `snapshotIdentifier` are mutually exclusive, one must be specified

### Description of how you validated changes
Unit + Integ

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)
Closes #30792

### Reason for this change
The feature enables support to create clusters without the default networking add-ons

### Description of changes

### Describe any new or updated permissions being added
Added the prop bootstrapSelfManagedAddons to the cluster and incremented the eks client version. Also validated that existing if bootstrapSelfManagedAddons is undefined to true or vice versa does not replace the cluster as the default is `true`.

### Description of how you validated changes
Validated the changes against an existing cluster and made sure it is not replaced unless the change is from true to false or vice versa.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…elector (#34625)

### Issue
Closes #34538.

### Reason for this change
In the current implementation `itemSelector` must be an object type `Mapping[str, Any]`, but Step Functions supports both object mappings and JSONata expressions as strings.

See the [Amazon States Language](https://states-language.net/spec.html#map-state) specification:

> A JSONata Map State MAY have an "ItemSelector" field, whose value MUST be a JSON text, or a JSONata string that evaluates to a JSON text.

### Description of changes
This PR adds a new field `jsonataItemSelector` of type `string` to support this use case. This new field is mutually exclusive with `itemSelector` (and `parameters` as it is already mutually exclusive with `itemSelector` and deprecated).

During synthesis, if `jsonataItemSelector` is used, then it will be used to render the `ItemSelector` in the cloudformation template.

I considered creating a class like the [ProvideItems](https://github.com/aws/aws-cdk/blob/ed08f3f0b8ecd79a2fa5e804acc73a9ff23eab80/packages/aws-cdk-lib/aws-stepfunctions/lib/states/map-base.ts#L60-L77) class, however this would have been a breaking change for existing users.

### Describe any new or updated permissions being added
None.

### Description of how you validated changes
Added unit tests and an integration test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…33802)

### Issue # (if applicable)
Closes #33249

### Reason for this change
CloudFront doesn't support resource-level permission for some permission as per [Actions, resources, and condition keys for Amazon CloudFront](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudfront.html)

### Description of changes
Use wildcard(*) when grant some cloudfront permission

### Describe any new or updated permissions being added
Use wildcard(*) when grant some cloudfront permission

### Description of how you validated changes
Unit + Integ

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…34173)

### Issue # (if applicable)
Closes #32280.
Closes #32563.

### Reason for this change
Aurora Serverless v2 DB instances can specify the time period of inactivity before auto-pause.

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2-auto-pause.html

### Description of changes
Added the `serverlessV2AutoPauseDuration` prop for `DatabaseCluster`.

### Describe any new or updated permissions being added
N/A

### Description of how you validated changes
Added unit tests and an integ test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)
None

### Reason for this change
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_python_selenium.html

### Description of changes
- Add selenium 6.0 runtime

### Describe any new or updated permissions being added
None

### Description of how you validated changes
Unit + Integ

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)
None

### Reason for this change
AWS CloudWatch synthetics supports [performing safe canary update](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/performing-safe-canary-upgrades.html#performing-safe-canary-upgrades-limitations). This feature cannot be configurable from AWS CDK L2 construct.

### Description of changes
- Add `dryRunAndUpdate` prop to `canaryProps`
- Add runtime validation
  - syn-nodejs-puppeteer-10.0+
  - syn-nodejs-playwright-2.0+
  - syn-python-selenium-5.1+

### Describe any new or updated permissions being added
None

### Description of how you validated changes
Add both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… dimension map (#34648)

### Issue # (if applicable)
Closes #34643

### Reason for this change
When the metric filter is created, you can specify the dimension map for the metric. When you extract the metric out of the metric filter, the extracted metric will not include the dimension map, and you will be forced to manually add it to the metric.

### Description of changes
This PR preserves the dimension map used when creating the metric filter and then applies it back when extracting the metric using the `MetricFilter.metric()` API.

### Describe any new or updated permissions being added
N/A

### Description of how you validated changes
Added new unit and integration test that verify the extracted metric still includes the original dimension map used when creating the metric filter.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…rsions 11.22-rds.20250508 and 12.22-rds.20250508 (#34598)

### Issue # (if applicable)
None

### Reason for this change
- https://aws.amazon.com/about-aws/whats-new/2025/05/amazon-rds-mariadb-community-mariadb-minor-versions/
- https://aws.amazon.com/about-aws/whats-new/2025/06/amazon-rds-postgresql-extended-support-versions-r2-11-22-rds-20250508-12-22-rds-20250508/

### Description of changes
RDS mariadb add versions 10.5.29 and 10.6.22

### Description of how you validated changes
```console
$ aws rds describe-db-engine-versions --engine mariadb --output table --query 'DBEngineVersions[*].{Engine:Engine,EngineVersion:EngineVersion}'
------------------------------
|  DescribeDBEngineVersions  |
+----------+-----------------+
|  Engine  |  EngineVersion  |
+----------+-----------------+
|  mariadb |  10.5.20        |
|  mariadb |  10.5.21        |
|  mariadb |  10.5.22        |
|  mariadb |  10.5.23        |
|  mariadb |  10.5.24        |
|  mariadb |  10.5.25        |
|  mariadb |  10.5.26        |
|  mariadb |  10.5.27        |
|  mariadb |  10.5.28        |
|  mariadb |  10.5.29        |
|  mariadb |  10.6.13        |
|  mariadb |  10.6.14        |
|  mariadb |  10.6.15        |
|  mariadb |  10.6.16        |
|  mariadb |  10.6.17        |
|  mariadb |  10.6.18        |
|  mariadb |  10.6.19        |
|  mariadb |  10.6.20        |
|  mariadb |  10.6.21        |
|  mariadb |  10.6.22        |

$ aws rds describe-db-engine-versions --engine postgres --output table --query 'DBEngineVersions[*].{Engine:Engine,EngineVersion:EngineVersion}'
------------------------------------
|     DescribeDBEngineVersions     |
+-----------+----------------------+
|  Engine   |    EngineVersion     |
+-----------+----------------------+
|  postgres |  11.22               |
|  postgres |  11.22-rds.20240418  |
|  postgres |  11.22-rds.20240509  |
|  postgres |  11.22-rds.20240808  |
|  postgres |  11.22-rds.20241121  |
|  postgres |  11.22-rds.20250220  |
|  postgres |  11.22-rds.20250508  |
|  postgres |  12.20               |
|  postgres |  12.22               |
|  postgres |  12.22-rds.20250220  |
|  postgres |  12.22-rds.20250508  |
|  postgres |  13.15               |
```

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ature flag) (#34237)

This uses the kms:ResourceAliases condition to add statements allowing the methods to the principal of the grant.

### Issue #
Closes #22697

### Reason for this change
When using KMS keys cross stacks, it's sometimes difficult to pass KMS key IDs as they are only generated after deployment, however KMS key aliases could be passed instead and most services accept them. Some constructs that accept a KMS Alias use .grant methods to add permissions to the role that interacts with the KMS key. Before this PR, the .grant methods of Alias.fromAliasName were not implemented.

### Description of changes
This PR implements .grant methods for aliases imported via kms.Alias.fromAliasName so when passed to another L2 construct that uses .grant methods, the required permissions are added to the role. The added statements will contain a kms:ResourceAliases condition that only allows access to the particular KMS key alias name.

Couple of examples where this is useful:

- Codepipeline construct accepts a S3 bucket for storing artifacts. If this S3 bucket was imported with the KMS key alias being imported as well via kms.Alias.fromAliasName, then this change results in the necessary permission being automatically added to the Codepipeline roles.
- When .grant methods of imported SNS topics or SQS queues with imported KMS key alias for publishers are used, the necessary permissions are added to the publisher roles.

### Describe any new or updated permissions being added
.grant methods of Alias.fromAliasName now result in new statements with kms:ResourceAliases condition for that alias.

### Description of how you validated changes
Added unit tests and integration tests:

- `packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.alias-from-alias-name.ts`
- `packages/aws-cdk-lib/aws-kms/test/alias.test.ts`

Deployed my personal project which used Pipelines constructs with imported bucket and kms key from alias and now my pipeline role has correct permissions.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

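
An added illustration (not code from aws-cdk-lib or from this PR) of how a statement conditioned on `kms:ResourceAliases`, as the commit message above describes, behaves when evaluated against keys with different aliases. The statement shape, the helper names `aliasScopedStatement`, `statementAllows` and `evaluateSamples`, the alias names and the key ARNs are assumptions constructed for the example; action matching is simplified to exact string comparison.

```typescript
// Minimal model of an identity-policy statement scoped by kms:ResourceAliases.
// Assumed shape for illustration only; not the statement CDK synthesizes.
interface AliasStatement {
  Effect: 'Allow';
  Action: string[];
  Resource: string;
  Condition: { 'ForAnyValue:StringEquals': { 'kms:ResourceAliases': string[] } };
}

// A KMS request as the policy engine sees it. resourceAliases models the
// multi-valued kms:ResourceAliases context key: every alias currently
// attached to the target key.
interface KmsRequest {
  action: string;
  keyArn: string;
  resourceAliases: string[];
}

// Build a statement that allows `actions` on whichever key carries `aliasName`.
function aliasScopedStatement(aliasName: string, actions: string[]): AliasStatement {
  if (aliasName.indexOf('alias/') !== 0) {
    throw new Error('alias name must start with "alias/": ' + aliasName);
  }
  return {
    Effect: 'Allow',
    Action: actions.slice(),
    Resource: '*', // the key id is unknown at synth time, so scoping is left to the condition
    Condition: { 'ForAnyValue:StringEquals': { 'kms:ResourceAliases': [aliasName] } },
  };
}

// Evaluate one request against one statement.
function statementAllows(stmt: AliasStatement, req: KmsRequest): boolean {
  const actionMatches = stmt.Action.indexOf(req.action) !== -1; // simplified: exact match only
  const resourceMatches = stmt.Resource === '*' || stmt.Resource === req.keyArn;
  const wanted = stmt.Condition['ForAnyValue:StringEquals']['kms:ResourceAliases'];
  // ForAnyValue: true when at least one request value equals a policy value
  // (case-sensitive). A key with no aliases supplies no values and never matches.
  const aliasMatches = req.resourceAliases.some((a) => wanted.indexOf(a) !== -1);
  return actionMatches && resourceMatches && aliasMatches;
}

// Constructed sample requests (placeholder account id and key ids).
function evaluateSamples(): boolean[] {
  const stmt = aliasScopedStatement('alias/artifact-key', ['kms:Decrypt', 'kms:GenerateDataKey']);
  const keyA = 'arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-A';
  const keyB = 'arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-B';
  return [
    // Granted action on the key that carries the alias.
    statementAllows(stmt, { action: 'kms:Decrypt', keyArn: keyA, resourceAliases: ['alias/artifact-key'] }),
    // Same action on a key with a different alias.
    statementAllows(stmt, { action: 'kms:Decrypt', keyArn: keyB, resourceAliases: ['alias/other'] }),
    // Key with no alias at all.
    statementAllows(stmt, { action: 'kms:Decrypt', keyArn: keyB, resourceAliases: [] }),
    // Action outside the grant, even on the aliased key.
    statementAllows(stmt, { action: 'kms:ScheduleKeyDeletion', keyArn: keyA, resourceAliases: ['alias/artifact-key'] }),
    // The grant follows the alias: once the alias is moved to key B, key B is in scope.
    statementAllows(stmt, { action: 'kms:Decrypt', keyArn: keyB, resourceAliases: ['alias/other', 'alias/artifact-key'] }),
  ];
}
```

Because access follows the alias rather than a key id, permissions to create, update or delete aliases in the account are part of the trust boundary for grants of this kind and are worth reviewing alongside them.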
Ran npm-check-updates and yarn upgrade for the following dependencies:

```
@aws-cdk/asset-awscli-v1
```

Checkout this branch and run integration tests locally to update snapshots.

```
(cd packages/@aws-cdk-testing/framework-integ && yarn integ --update-on-failed)
```

See https://www.npmjs.com/package/@aws-cdk/integ-runner for more integ runner options.

In #34478, we made sure that `tree.json` would not exceed 512MB, by splitting parts of the construct tree to separate files. The method we chose led to a lot of files.

In this PR we are combining the various small subtrees into larger "forest" files. Since there are no official readers for the new file format yet, we're not losing a lot of effort by changing the format.

The protocol is that if `treeId` is set in a subtree reference, the target file is a forest file, otherwise it's a tree file.

Closes #34627.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

) Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 10 to 11. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/dawidd6/action-download-artifact/releases">dawidd6/action-download-artifact's releases</a>.</em></p> <blockquote> <h2>v11</h2> <p><strong>Full Changelog</strong>: <a href="https://github.com/dawidd6/action-download-artifact/compare/v10...v11">https://github.com/dawidd6/action-download-artifact/compare/v10...v11</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/dawidd6/action-download-artifact/commit/ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5"><code>ac66b43</code></a> node_modules: upgrade</li> <li><a href="https://github.com/dawidd6/action-download-artifact/commit/9b54a0a70c3d482a3d96da8a2f9fc08d0209c9ae"><code>9b54a0a</code></a> Update README.md</li> <li>See full diff in <a href="https://github.com/dawidd6/action-download-artifact/compare/v10...v11">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
### Issue # (if applicable)

Relates #34520

### Reason for this change

https://aws.amazon.com/about-aws/whats-new/2025/05/amazon-eks-distro-kubernetes-version-1-33/

### Description of changes

- As instructed by #33339 (comment)

### Describe any new or updated permissions being added

### Description of how you validated changes

```ts
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as iam from 'aws-cdk-lib/aws-iam';
import { App, Stack } from 'aws-cdk-lib';
import { KubectlV33Layer } from '@aws-cdk/lambda-layer-kubectl-v33';
import * as eks from 'aws-cdk-lib/aws-eks';
import { Construct } from 'constructs';

export class EksClusterLatestVersion extends Stack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    const vpc = new ec2.Vpc(this, 'Vpc', { natGateways: 1 });

    const mastersRole = new iam.Role(this, 'Role', {
      assumedBy: new iam.AccountRootPrincipal(),
    });

    const cluster = new eks.Cluster(this, 'Cluster', {
      vpc,
      mastersRole,
      version: eks.KubernetesVersion.V1_33,
      kubectlLayer: new KubectlV33Layer(this, 'KubectlLayer'),
      defaultCapacity: 0,
    });

    cluster.addNodegroupCapacity('MNG_AL2023_X86_64_STANDARD', {
      amiType: eks.NodegroupAmiType.AL2023_X86_64_STANDARD,
    });
  }
}

const app = new App();
new EksClusterLatestVersion(app, 'v33-stack');
```

```console
$ kubectl get no
NAME                           STATUS   ROLES    AGE   VERSION
ip-10-0-156-223.ec2.internal   Ready    <none>   32m   v1.33.0-eks-802817d
ip-10-0-240-123.ec2.internal   Ready    <none>   32m   v1.33.0-eks-802817d
$ kubectl get po --all-namespaces
NAMESPACE     NAME                       READY   STATUS    RESTARTS   AGE
kube-system   aws-node-q96bx             2/2     Running   0          32m
kube-system   aws-node-smkp7             2/2     Running   0          32m
kube-system   coredns-5d849c4789-5wd79   1/1     Running   0          36m
kube-system   coredns-5d849c4789-rwklp   1/1     Running   0          36m
kube-system   kube-proxy-4nmx8           1/1     Running   0          32m
kube-system   kube-proxy-jg778           1/1     Running   0          32m
```

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…osity is needed for opensearch access policy custom resource (#34701)

### Issue # (if applicable)

Closes #29093

### Reason for this change

An Opensearch access policy defined via `OpenSearchAccessPolicy` (custom resource) returns failures in case of large policy documents, even if the policy change is successful.

The issue comes from the CFN limit of 4k on the response size.

### Description of changes

Added an optional parameter `verboseOutput` in `OpenSearchAccessPolicyProps` to allow users of the custom resource to optionally toggle on/off the verbose option:

On turning it `false` only `["DomainConfig.AccessPolicies.Status.State", "DomainConfig.AccessPolicies.Status.UpdateVersion"]` are shown.

***NOTE : Default behavior of verbose output is retained***

### Describe any new or updated permissions being added

NONE

### Description of how you validated changes

- Adding unit tests for the changes

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable) Related to #15301. ### Reason for this change Users wanted a more detailed guide on how to update the `encodedKey`. ### Description of changes Add an example to show how to update the key, replaced `logical id` by `id` for more clarity. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

None

### Reason for this change

Add some interface vpc endpoints missing in cdk.

### Description of changes

Added below services.

- shield
- shield-fips
- sqs-fips
- sts-fips

### Description of how you validated changes

Executed CLI below

`$ aws ec2 describe-vpc-endpoint-services --filters Name=service-type,Values=Interface Name=owner,Values=amazon --region us-east-1 --query ServiceNames`

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…g grant methods for the `Bucket` resource (#34733) ### Issue # (if applicable) Closes #34545 . ### Reason for this change Current behavior in some `grant` methods for the `Bucket` resource might cause confusion and be seen as a bug. ### Description of changes Added more details on the policy specifics, explaining why the current behavior is like that, and added additional resources if the implementer needs to restrict even more their permissions. ### Describe any new or updated permissions being added N/A ### Description of how you validated changes N/A. Just documentation being updated. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR updates the CDK enum mapping file.
### Reason for this change A new Github action to check for LFS files was added and users without LFS cannot have their PR pass this test if they updated an integ test. ### Description of changes Add instructions on how to check if git lfs is installed, how to install it and fix the problematic files. ### Description of how you validated changes Helped a contributor make the test pass on his PR. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-athena │ └ resources │ └[~] resource AWS::Athena::WorkGroup │ └ types │ ├[~] type ManagedQueryResultsConfiguration │ │ ├ - documentation: The configuration for the managed query results and encryption option. ResultConfiguration and ManagedQueryResultsConfiguration cannot be set at the same time │ │ │ + documentation: The configuration for storing results in Athena owned storage, which includes whether this feature is enabled; whether encryption configuration, if any, is used for encrypting query results. │ │ └ properties │ │ ├ Enabled: (documentation changed) │ │ └ EncryptionConfiguration: (documentation changed) │ └[~] type WorkGroupConfiguration │ └ properties │ └ ManagedQueryResultsConfiguration: (documentation changed) ├[~] service aws-customerprofiles │ └ resources │ ├[~] resource AWS::CustomerProfiles::CalculatedAttributeDefinition │ │ ├ properties │ │ │ └ UseHistoricalData: (documentation changed) │ │ └ attributes │ │ └ Status: (documentation changed) │ └[~] resource AWS::CustomerProfiles::ObjectType │ ├ properties │ │ └ MaxProfileObjectCount: (documentation changed) │ └ attributes │ └ MaxAvailableProfileObjectCount: (documentation changed) ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::EgressOnlyInternetGateway │ │ ├ - tagInformation: undefined │ │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ └ properties │ │ └[+] Tags: Array<tag> │ └[~] resource AWS::EC2::Subnet │ ├ attributes │ │ └[+] BlockPublicAccessStates: BlockPublicAccessStates │ └ types │ └[+] type BlockPublicAccessStates │ ├ name: BlockPublicAccessStates │ └ properties │ └ InternetGatewayBlockMode: string ├[~] service aws-efs │ └ resources │ └[~] resource AWS::EFS::MountTarget │ └ properties │ ├ IpAddressType: (documentation changed) │ └ Ipv6Address: (documentation changed) ├[~] 
service aws-eks │ └ resources │ ├[~] resource AWS::EKS::Addon │ │ ├ properties │ │ │ └ PodIdentityAssociations: (documentation changed) │ │ └ types │ │ └[~] type PodIdentityAssociation │ │ └ properties │ │ └ RoleArn: (documentation changed) │ ├[~] resource AWS::EKS::Cluster │ │ ├ properties │ │ │ └ BootstrapSelfManagedAddons: (documentation changed) │ │ └ types │ │ ├[~] type RemoteNetworkConfig │ │ │ └ properties │ │ │ ├ RemoteNodeNetworks: (documentation changed) │ │ │ └ RemotePodNetworks: (documentation changed) │ │ ├[~] type RemoteNodeNetwork │ │ │ ├ - documentation: A network CIDR that can contain hybrid nodes. │ │ │ │ These CIDR blocks define the expected IP address range of the hybrid nodes that join the cluster. These blocks are typically determined by your network administrator. │ │ │ │ Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, `10.2.0.0/16` ). │ │ │ │ It must satisfy the following requirements: │ │ │ │ - Each block must be within an `IPv4` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported. │ │ │ │ - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range. │ │ │ │ - Each block must have a route to the VPC that uses the VPC CIDR blocks, not public IPs or Elastic IPs. There are many options including AWS Transit Gateway , AWS Site-to-Site VPN , or AWS Direct Connect . │ │ │ │ - Each host must allow outbound connection to the EKS cluster control plane on TCP ports `443` and `10250` . │ │ │ │ - Each host must allow inbound connection from the EKS cluster control plane on TCP port 10250 for logs, exec and port-forward operations. │ │ │ │ - Each host must allow TCP and UDP network connectivity to and from other hosts that are running `CoreDNS` on UDP port `53` for service and pod DNS names. │ │ │ │ + documentation: A network CIDR that can contain hybrid nodes. 
│ │ │ │ These CIDR blocks define the expected IP address range of the hybrid nodes that join the cluster. These blocks are typically determined by your network administrator. │ │ │ │ Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, `10.2.0.0/16` ). │ │ │ │ It must satisfy the following requirements: │ │ │ │ - Each block must be within an `IPv4` RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported. │ │ │ │ - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range. │ │ │ │ - Each block must have a route to the VPC that uses the VPC CIDR blocks, not public IPs or Elastic IPs. There are many options including AWS Transit Gateway , AWS Site-to-Site VPN , or AWS Direct Connect . │ │ │ │ - Each host must allow outbound connection to the EKS cluster control plane on TCP ports `443` and `10250` . │ │ │ │ - Each host must allow inbound connection from the EKS cluster control plane on TCP port 10250 for logs, exec and port-forward operations. │ │ │ │ - Each host must allow TCP and UDP network connectivity to and from other hosts that are running `CoreDNS` on UDP port `53` for service and pod DNS names. │ │ │ └ properties │ │ │ └ Cidrs: (documentation changed) │ │ └[~] type RemotePodNetwork │ │ ├ - documentation: A network CIDR that can contain pods that run Kubernetes webhooks on hybrid nodes. │ │ │ These CIDR blocks are determined by configuring your Container Network Interface (CNI) plugin. We recommend the Calico CNI or Cilium CNI. Note that the Amazon VPC CNI plugin for Kubernetes isn't available for on-premises and edge locations. │ │ │ Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, `10.2.0.0/16` ). │ │ │ It must satisfy the following requirements: │ │ │ - Each block must be within an `IPv4` RFC-1918 network range. 
Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported. │ │ │ - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range. │ │ │ + documentation: A network CIDR that can contain pods that run Kubernetes webhooks on hybrid nodes. │ │ │ These CIDR blocks are determined by configuring your Container Network Interface (CNI) plugin. We recommend the Calico CNI or Cilium CNI. Note that the Amazon VPC CNI plugin for Kubernetes isn't available for on-premises and edge locations. │ │ │ Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, `10.2.0.0/16` ). │ │ │ It must satisfy the following requirements: │ │ │ - Each block must be within an `IPv4` RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported. │ │ │ - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range. │ │ └ properties │ │ └ Cidrs: (documentation changed) │ └[~] resource AWS::EKS::PodIdentityAssociation │ ├ properties │ │ ├ DisableSessionTags: (documentation changed) │ │ ├ Namespace: (documentation changed) │ │ ├ RoleArn: (documentation changed) │ │ └ TargetRoleArn: (documentation changed) │ └ attributes │ └ ExternalId: (documentation changed) ├[~] service aws-lambda │ └ resources │ ├[~] resource AWS::Lambda::EventInvokeConfig │ │ └ types │ │ ├[~] type DestinationConfig │ │ │ └ - documentation: A configuration object that specifies the destination of an event after Lambda processes it. │ │ │ + documentation: A configuration object that specifies the destination of an event after Lambda processes it. For more information, see [Adding a destination](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async-retain-records.html#invocation-async-destinations) . 
│ │ ├[~] type OnFailure │ │ │ └ - documentation: A destination for events that failed processing. See [Capturing records of Lambda asynchronous invocations](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async-retain-records.html) for more information. │ │ │ + documentation: A destination for events that failed processing. For more information, see [Adding a destination](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async-retain-records.html#invocation-async-destinations) . │ │ └[~] type OnSuccess │ │ └ - documentation: A destination for events that were processed successfully. │ │ To retain records of successful [asynchronous invocations](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html#invocation-async-destinations) , you can configure an Amazon SNS topic, Amazon SQS queue, Lambda function, or Amazon EventBridge event bus as the destination. │ │ + documentation: A destination for events that were processed successfully. │ │ To retain records of successful [asynchronous invocations](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html#invocation-async-destinations) , you can configure an Amazon SNS topic, Amazon SQS queue, Lambda function, or Amazon EventBridge event bus as the destination. │ │ > `OnSuccess` is not supported in `CreateEventSourceMapping` or `UpdateEventSourceMapping` requests. │ └[~] resource AWS::Lambda::EventSourceMapping │ └ types │ ├[~] type DestinationConfig │ │ └ - documentation: A configuration object that specifies the destination of an event after Lambda processes it. │ │ + documentation: A configuration object that specifies the destination of an event after Lambda processes it. For more information, see [Adding a destination](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async-retain-records.html#invocation-async-destinations) . │ └[~] type OnFailure │ └ - documentation: A destination for events that failed processing. 
See [Capturing records of Lambda asynchronous invocations](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async-retain-records.html) for more information. │ + documentation: A destination for events that failed processing. For more information, see [Adding a destination](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async-retain-records.html#invocation-async-destinations) . ├[~] service aws-msk │ └ resources │ └[~] resource AWS::MSK::Cluster │ └ types │ └[~] type BrokerNodeGroupInfo │ └ properties │ └ InstanceType: (documentation changed) ├[~] service aws-mwaa │ └ resources │ └[~] resource AWS::MWAA::Environment │ └ properties │ └[+] WorkerReplacementStrategy: string ├[~] service aws-rds │ └ resources │ └[~] resource AWS::RDS::DBProxyTargetGroup │ └ types │ └[~] type ConnectionPoolConfigurationInfoFormat │ └ properties │ └ InitQuery: (documentation changed) ├[~] service aws-sagemaker │ └ resources │ └[~] resource AWS::SageMaker::Domain │ └ types │ ├[~] type DomainSettings │ │ └ properties │ │ └ UnifiedStudioSettings: (documentation changed) │ └[~] type UnifiedStudioSettings │ ├ - documentation: A collection of settings that apply to an Amazon SageMaker AI domain when you use it in Amazon SageMaker Unified Studio. │ │ + documentation: The settings that apply to an Amazon SageMaker AI domain when you use it in Amazon SageMaker Unified Studio. 
│ └ properties │ └ StudioWebPortalAccess: (documentation changed) └[~] service aws-wafv2 └ resources ├[~] resource AWS::WAFv2::RuleGroup │ └ types │ ├[+] type AsnMatchStatement │ │ ├ name: AsnMatchStatement │ │ └ properties │ │ ├ AsnList: Array<integer> │ │ └ ForwardedIPConfig: ForwardedIPConfiguration │ ├[~] type RateBasedStatementCustomKey │ │ └ properties │ │ └[+] ASN: json │ └[~] type Statement │ └ properties │ └[+] AsnMatchStatement: AsnMatchStatement └[~] resource AWS::WAFv2::WebACL ├ properties │ └ OnSourceDDoSProtectionConfig: - json │ + OnSourceDDoSProtectionConfig ⇐ json │ (documentation changed) └ types ├[+] type AsnMatchStatement │ ├ name: AsnMatchStatement │ └ properties │ ├ AsnList: Array<integer> │ └ ForwardedIPConfig: ForwardedIPConfiguration ├[~] type AWSManagedRulesACFPRuleSet │ └ - documentation: Details for your use of the account creation fraud prevention managed rule group, `AWSManagedRulesACFPRuleSet` . This configuration is used in `ManagedRuleGroupConfig` . │ + documentation: Details for your use of the account creation fraud prevention managed rule group, `AWSManagedRulesACFPRuleSet` . This configuration is used in `ManagedRuleGroupConfig` . │ For additional information about this and the other intelligent threat mitigation rule groups, see [Intelligent threat mitigation in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-protections) and [AWS Managed Rules rule groups list](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list) in the *AWS WAF Developer Guide* . 
├[+] type AWSManagedRulesAntiDDoSRuleSet │ ├ documentation: Configures how to use the AntiDDOS AWS managed rule group in the web ACL │ │ name: AWSManagedRulesAntiDDoSRuleSet │ └ properties │ ├ ClientSideActionConfig: ClientSideActionConfig (required) │ └ SensitivityToBlock: string ├[~] type AWSManagedRulesATPRuleSet │ └ - documentation: Details for your use of the account takeover prevention managed rule group, `AWSManagedRulesATPRuleSet` . This configuration is used in `ManagedRuleGroupConfig` . │ + documentation: Details for your use of the account takeover prevention managed rule group, `AWSManagedRulesATPRuleSet` . This configuration is used in `ManagedRuleGroupConfig` . │ For additional information about this and the other intelligent threat mitigation rule groups, see [Intelligent threat mitigation in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-protections) and [AWS Managed Rules rule groups list](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list) in the *AWS WAF Developer Guide* . ├[~] type AWSManagedRulesBotControlRuleSet │ └ - documentation: Details for your use of the Bot Control managed rule group, `AWSManagedRulesBotControlRuleSet` . This configuration is used in `ManagedRuleGroupConfig` . │ + documentation: Details for your use of the Bot Control managed rule group, `AWSManagedRulesBotControlRuleSet` . This configuration is used in `ManagedRuleGroupConfig` . │ For additional information about this and the other intelligent threat mitigation rule groups, see [Intelligent threat mitigation in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-protections) and [AWS Managed Rules rule groups list](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list) in the *AWS WAF Developer Guide* . ├[+] type ClientSideAction │ ├ documentation: Client side action config for AntiDDOS AMR. 
│ │ name: ClientSideAction │ └ properties │ ├ UsageOfAction: string (required) │ ├ Sensitivity: string │ └ ExemptUriRegularExpressions: Array<Regex> ├[+] type ClientSideActionConfig │ ├ documentation: Client side action config for AntiDDOS AMR. │ │ name: ClientSideActionConfig │ └ properties │ └ Challenge: ClientSideAction (required) ├[~] type ManagedRuleGroupConfig │ └ properties │ └[+] AWSManagedRulesAntiDDoSRuleSet: AWSManagedRulesAntiDDoSRuleSet ├[~] type ManagedRuleGroupStatement │ └ properties │ ├ ManagedRuleGroupConfigs: (documentation changed) │ └ RuleActionOverrides: (documentation changed) ├[+] type OnSourceDDoSProtectionConfig │ ├ documentation: Configures the options for on-source DDoS protection provided by supported resource type. │ │ name: OnSourceDDoSProtectionConfig │ └ properties │ └ ALBLowReputationMode: string (required) ├[~] type RateBasedStatementCustomKey │ └ properties │ └[+] ASN: json ├[+] type Regex │ ├ documentation: Regex │ │ name: Regex │ └ properties │ └ RegexString: string ├[~] type RuleGroupReferenceStatement │ └ properties │ └ RuleActionOverrides: (documentation changed) └[~] type Statement └ properties └[+] AsnMatchStatement: AsnMatchStatement ```
### Reason for this change Corrects link to `integ-runner` after it has been moved to the `aws-cdk-cli` repo. ### Description of changes Changed link. ### Describe any new or updated permissions being added None. ### Description of how you validated changes Link works. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable) N/A ### Reason for this change Amplify supports branch-level compute role setting. But current L2 Construct doesn't support it. ### Description of changes Add `computeRole` property for `Branch` construct. ### Describe any new or updated permissions being added N/A ### Description of how you validated changes Add a unit test and an integ test. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change

Lambda is introducing a new property in Event Sources named `SchemaRegistryConfig` in `SelfManagedKafkaEventSourceConfig` and `AmazonManagedKafkaEventSourceConfig` to set configuration settings for a schema registry that will be used to de-serialize the event read from these Kafka event sources. When specified, it allows de-serialization of events before they are passed to the target function and validation of their format. The users may use a Confluent registry, a self managed registry or AWS Glue Registry. Note, the event source mapping must have `ProvisionedPollerConfig` set (be on provisioned mode) for this feature to be used. This feature is currently supported for MSK and Self-managed Kafka event sources.

### Description of changes

This new property can be opted in by setting `SchemaRegistryConfig` in `SelfManagedKafkaEventSourceConfig` or `AmazonManagedKafkaEventSourceConfig`. An example is shown below:

```
myFunction.addEventSource(new ManagedKafkaEventSource({
  clusterArn,
  topic,
  startingPosition: lambda.StartingPosition.TRIM_HORIZON,
  provisionedPollerConfig: {
    minimumPollers: 1,
    maximumPollers: 3,
  },
  schemaRegistryConfig: {
    schemaRegistryUri: 'https://example.com',
    eventRecordFormat: lambda.EventRecordFormat.JSON,
    accessConfigs: [
      {
        type: lambda.SchemaRegistryAccessConfigType.BASIC_AUTH,
        uri: 'https://example.com',
      },
    ],
    schemaValidationConfigs: [{ attribute: lambda.SchemaValidationAttribute.KEY }],
  },
}));
```

### Describe any new or updated permissions being added

The following IAM permissions will be added to the target function execution role **only if user passed a Glue registry**.

```
{
  Action: 'glue:GetRegistry',
  Effect: 'Allow',
  Resource: {
    'Fn::GetAtt': ['Registry', 'Arn'], // Glue registry ARN
  },
},
{
  Action: [
    'glue:GetSchemaVersion',
    'glue:GetSchema',
  ],
  Effect: 'Allow',
  Resource: [
    {
      'Fn::GetAtt': ['Registry', 'Arn'],
    },
    'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/lambda-gp-test-glue-schema-registry/*',
  ],
},
```

### Description of how you validated changes

Unit tests for each case have been added in the PR. Note, MSK and SMK validations follow the same path so for validations there are only unit tests for MSK cases which should apply for both. Integration tests for both the Glue and Confluent cases have been added for SMK. Since MSK requires a Kafka cluster in a VPC, we typically do not add integration tests for it.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ctures (#31771) ### Issue # (if applicable) Closes #31758. ### Reason for this change The current custom response headers implementation does not support Amplify apps with monorepo structures, this is due to a difference in the YAML formats for these apps: https://docs.aws.amazon.com/amplify/latest/userguide/custom-header-YAML-format.html ### Description of changes An `appRoot` property has been added to `CustomResponseHeader`, which specifies the appRoot from the build spec to use for the output YAML. ### Description of how you validated changes I added unit tests and tested the implementation using a sample deployment. I'm happy to add integration tests if required. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable) N/A ### Reason for this change Typographical error in the error message string — "lenght" was misspelled and needed correction. ### Description of changes - Fixed a typo in the `MultipleFileAssetsApp` class. - Updated the error message to correct the word "lenght" to "length". - No logic or functional changes were made. - Alternatives such as rephrasing the message were considered unnecessary. ### Describe any new or updated permissions being added N/A ### Description of how you validated changes - Visually verified the corrected string in the source code. - Confirmed that no logic or behavior was affected. - No tests were necessary since this was a non-functional change. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Labels
auto-approve
contribution/core
This is a PR that came from AWS.
p2
pr/no-squash
This PR should be merged instead of squash-merging it
See CHANGELOG