Merge branch 'main' into fix-agentcore-policy

Author: go-to-k

.github/workflows/codecov-collect.yml

@@ -28,7 +28,7 @@ jobs:
         run: cd packages/aws-cdk-lib && yarn test core
 
       - name: Upload Coverage and PR Info
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: coverage-artifacts
           path: |

.github/workflows/pr-linter-review-trigger.yml

@@ -26,7 +26,7 @@ jobs:
           mkdir -p ./pr
           echo $PR_NUMBER > ./pr/pr_number
           echo $PR_SHA > ./pr/pr_sha
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v5
         with:
           name: pr_info
           path: pr/

.github/workflows/spec-update.yml

@@ -31,7 +31,7 @@ jobs:
 
       # Upload the current db to be used later
       - name: Upload base database
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: db.base.json.gz
           path: node_modules/@aws-cdk/aws-service-spec/db.json.gz
@@ -49,7 +49,7 @@ jobs:
 
       # Now that we have updated the database, upload the new candidate db
       - name: Upload head database
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: db.head.json.gz
           path: node_modules/@aws-cdk/aws-service-spec/db.json.gz
@@ -69,7 +69,7 @@ jobs:
           git add .
           git diff --patch --staged > ${{ runner.temp }}/update-spec.patch
       - name: Upload Patch
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: update-spec.patch
           path: ${{ runner.temp }}/update-spec.patch
@@ -110,7 +110,7 @@ jobs:
           cat DIFF >> PR.md
           echo '```' >> PR.md
       - name: Upload PR body file
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: PR.md
           path: PR.md

.github/workflows/update-metadata-regions.yml

@@ -33,7 +33,7 @@ jobs:
           git add .
           git diff --patch --staged > ${{ runner.temp }}/update-spec.patch
       - name: Upload Patch
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: update-spec.patch
           path: ${{ runner.temp }}/update-spec.patch

.github/workflows/yarn-upgrade-need-manual-work.yml

@@ -66,7 +66,7 @@ jobs:
           git diff --binary --patch --staged > ${{ runner.temp }}/upgrade.patch
 
       - name: Upload Patch
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: upgrade.patch
           path: ${{ runner.temp }}/upgrade.patch

.github/workflows/yarn-upgrade.yml

@@ -80,7 +80,7 @@ jobs:
           git add .
           git diff --patch --staged > ${{ runner.temp }}/upgrade.patch
       - name: Upload Patch
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: upgrade.patch
           path: ${{ runner.temp }}/upgrade.patch

packages/@aws-cdk/aws-bedrock-agentcore-alpha/README.md

@@ -115,9 +115,9 @@ const runtime = new agentcore.Runtime(this, "MyAgentRuntime", {
 
 To grant the runtime permission to invoke a Bedrock model or inference profile:
 
-```text
+```typescript fixture=default
 // Note: This example uses @aws-cdk/aws-bedrock-alpha which must be installed separately
-import * as bedrock from '@aws-cdk/aws-bedrock-alpha';
+declare const runtime: agentcore.Runtime;
 
 // Create a cross-region inference profile for Claude 3.7 Sonnet
 const inferenceProfile = bedrock.CrossRegionInferenceProfile.fromConfig({

packages/@aws-cdk/aws-bedrock-agentcore-alpha/rosetta/default.ts-fixture

@@ -9,6 +9,7 @@ import * as s3 from 'aws-cdk-lib/aws-s3';
 import * as kms from 'aws-cdk-lib/aws-kms';
 import * as ecr from 'aws-cdk-lib/aws-ecr';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as bedrock from '@aws-cdk/aws-bedrock-alpha';
 
 class Fixture extends Stack {
   constructor(scope: Construct, id: string) {

packages/@aws-cdk/aws-msk-alpha/README.md

@@ -232,6 +232,36 @@ const cluster = new msk.Cluster(this, 'cluster', {
 });
 ```
 
+## MSK Express Brokers
+
+You can create an MSK cluster with Express Brokers by setting the `brokerType` property to `BrokerType.EXPRESS`. Express Brokers are a low-cost option for development, testing, and workloads that don't require the high availability guarantees of standard MSK cluster.
+For more information, see [Amazon MSK Express Brokers](https://docs.aws.amazon.com/msk/latest/developerguide/msk-broker-types-express.html).
+
+**Note:** When using Express Brokers, the following constraints apply:
+
+- Apache Kafka version must be 3.6.x or 3.8.x
+- You must specify the `instanceType`
+- The VPC must have at least 3 subnets (across 3 AZs)
+- `ebsStorageInfo` is not supported
+- `storageMode` is not supported
+- `logging` is not supported
+- Supported broker sizes: `m7g.xlarge`, `m7g.2xlarge`, `m7g.4xlarge`, `m7g.8xlarge`, `m7g.12xlarge`, `m7g.16xlarge`
+
+```ts
+declare const vpc: ec2.Vpc;
+
+const expressCluster = new msk.Cluster(this, 'ExpressCluster', {
+  clusterName: 'MyExpressCluster',
+  kafkaVersion: msk.KafkaVersion.V3_8_X,
+  vpc,
+  brokerType: msk.BrokerType.EXPRESS,
+  instanceType: ec2.InstanceType.of(
+    ec2.InstanceClass.M7G,
+    ec2.InstanceSize.XLARGE,
+  ),
+});
+```
+
 ## MSK Serverless
 
 You can also use MSK Serverless by using `ServerlessCluster` class.

packages/@aws-cdk/aws-msk-alpha/lib/cluster.ts

@@ -98,6 +98,15 @@ export interface ClusterProps {
    */
   readonly instanceType?: ec2.InstanceType;
 
+  /**
+   * The broker type for the cluster.
+   * When set to EXPRESS, the cluster will be created with Express Brokers.
+   * When this is set to EXPRESS, instanceType must also be specified.
+   *
+   * @default BrokerType.STANDARD
+   */
+  readonly brokerType?: BrokerType;
+
   /**
    * The AWS security groups to associate with the elastic network interfaces in order to specify who can
    * connect to and communicate with the Amazon MSK cluster.
@@ -199,6 +208,21 @@ export enum StorageMode {
   TIERED = 'TIERED',
 }
 
+/**
+ * The broker type for the cluster.
+ */
+export enum BrokerType {
+  /**
+   * Standard brokers provide high-availability guarantees.
+   */
+  STANDARD = 'STANDARD',
+
+  /**
+   * Express brokers are a low-cost option for development, testing, and workloads that don't require the high availability guarantees of standard MSK cluster.
+   */
+  EXPRESS = 'EXPRESS',
+}
+
 /**
  * The Amazon MSK configuration to use for the cluster.
  * Note: There is currently no Cloudformation Resource to create a Configuration
@@ -502,8 +526,36 @@ export class Cluster extends ClusterBase {
       throw new core.ValidationError('EBS volume size should be in the range 1-16384', this);
     }
 
+    const isExpress = props.brokerType === BrokerType.EXPRESS;
+
+    if (isExpress) {
+      // Validate Kafka version compatibility
+      const supportedVersions = ['3.6', '3.8'];
+      const kafkaVersionString = props.kafkaVersion.version;
+      const isCompatibleVersion = supportedVersions.some(version => kafkaVersionString.includes(version));
+      if (!isCompatibleVersion) {
+        throw new core.ValidationError(`Express brokers are only supported with Apache Kafka 3.6.x and 3.8.x, got ${kafkaVersionString}`, this);
+      }
+
+      if (!props.instanceType) {
+        throw new core.ValidationError('`instanceType` must also be specified when `brokerType` is `BrokerType.EXPRESS`.', this);
+      }
+      if (props.ebsStorageInfo) {
+        throw new core.ValidationError('`ebsStorageInfo` is not supported when `brokerType` is `BrokerType.EXPRESS`.', this);
+      }
+      if (props.storageMode) {
+        throw new core.ValidationError('`storageMode` is not supported when `brokerType` is `BrokerType.EXPRESS`.', this);
+      }
+      if (props.logging) {
+        throw new core.ValidationError('`logging` is not supported when `brokerType` is `BrokerType.EXPRESS`.', this);
+      }
+      if (subnetSelection.subnets.length < 3) {
+        throw new core.ValidationError(`Express cluster requires at least 3 subnets, got ${subnetSelection.subnets.length}`, this);
+      }
+    }
+
     const instanceType = props.instanceType
-      ? this.mskInstanceType(props.instanceType)
+      ? this.mskInstanceType(props.instanceType, isExpress)
       : this.mskInstanceType(
         ec2.InstanceType.of(ec2.InstanceClass.M5, ec2.InstanceSize.LARGE),
       );
@@ -598,7 +650,7 @@ export class Cluster extends ClusterBase {
         },
       }));
     }
-    const loggingInfo = {
+    const loggingInfo = isExpress ? undefined : {
       brokerLogs: {
         cloudWatchLogs: {
           enabled:
@@ -678,7 +730,7 @@ export class Cluster extends ClusterBase {
         securityGroups: this.connections.securityGroups.map(
           (group) => group.securityGroupId,
         ),
-        storageInfo: {
+        storageInfo: isExpress ? undefined : {
           ebsStorageInfo: {
             volumeSize: volumeSize,
           },
@@ -691,7 +743,7 @@ export class Cluster extends ClusterBase {
       configurationInfo: props.configurationInfo,
       enhancedMonitoring: props.monitoring?.clusterMonitoringLevel,
       openMonitoring: openMonitoring,
-      storageMode: props.storageMode,
+      storageMode: isExpress ? undefined : props.storageMode,
       loggingInfo: loggingInfo,
       clientAuthentication,
     });
@@ -706,8 +758,9 @@ export class Cluster extends ClusterBase {
     });
   }
 
-  private mskInstanceType(instanceType: ec2.InstanceType): string {
-    return `kafka.${instanceType.toString()}`;
+  private mskInstanceType(instanceType: ec2.InstanceType, express?:boolean): string {
+    const prefix = express ? 'express.' : 'kafka.';
+    return `${prefix}${instanceType.toString()}`;
   }
 
   /**