chore(release): 2.227.0 (#36135)

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/bump/2.227.0/CHANGELOG.md)

Author: mergify[bot]

.github/workflows/codebuild-pr-build.yml

@@ -89,3 +89,20 @@ jobs:
           path: |
             ~/.docker-images.tar
           key: docker-cache-${{ runner.os }}
+          
+      - name: Save PR info for PR Linter
+        if: github.event_name == 'pull_request'
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          mkdir -p ./pr
+          echo $PR_NUMBER > ./pr/pr_number
+          echo $PR_SHA > ./pr/pr_sha
+
+      - name: Upload PR info artifact
+        if: github.event_name == 'pull_request'
+        uses: actions/upload-artifact@v5
+        with:
+          name: pr_info
+          path: pr/

CHANGELOG.v2.alpha.md

@@ -2,6 +2,28 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.227.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.226.0-alpha.0...v2.227.0-alpha.0) (2025-11-20)
+
+
+### Features
+
+* **bedrock-agentcore-alpha:** agentcore gateway L2 construct ([#35771](https://github.com/aws/aws-cdk/issues/35771)) ([07c4a0d](https://github.com/aws/aws-cdk/commit/07c4a0dfd4f26519f433ec3dc19b4c294ae8d56e))
+* **imagebuilder-alpha:** add support for Component Construct ([#36006](https://github.com/aws/aws-cdk/issues/36006)) ([5ebf07d](https://github.com/aws/aws-cdk/commit/5ebf07d095005f29b5e7205df750bc81cb879aa4)), closes [aws/aws-cdk-rfcs#789](https://github.com/aws/aws-cdk-rfcs/issues/789) [aws/aws-cdk-rfcs#789](https://github.com/aws/aws-cdk-rfcs/issues/789)
+* **imagebuilder-alpha:** add support for Component Construct ([#36107](https://github.com/aws/aws-cdk/issues/36107)) ([93a76e4](https://github.com/aws/aws-cdk/commit/93a76e481e79bb7e0df1aabcb158cc9b064345bf)), closes [#36006](https://github.com/aws/aws-cdk/issues/36006) [#36104](https://github.com/aws/aws-cdk/issues/36104)
+* **imagebuilder-alpha:** add support for Distribution Configuration Construct ([#36005](https://github.com/aws/aws-cdk/issues/36005)) ([c36f43d](https://github.com/aws/aws-cdk/commit/c36f43d88adefb3473dbd729e7bec58e7f06c8cf)), closes [aws/aws-cdk-rfcs#789](https://github.com/aws/aws-cdk-rfcs/issues/789) [aws/aws-cdk-rfcs#789](https://github.com/aws/aws-cdk-rfcs/issues/789)
+* **imagebuilder-alpha:** add support for Distribution Configuration Construct ([#36108](https://github.com/aws/aws-cdk/issues/36108)) ([6051039](https://github.com/aws/aws-cdk/commit/605103939894a785062422f04ee31f5460b18d6f)), closes [#36005](https://github.com/aws/aws-cdk/issues/36005)
+
+
+### Bug Fixes
+
+* **bedrock-agentcore-alpha:** fix unexpected validation error when properties are Token  ([#35978](https://github.com/aws/aws-cdk/issues/35978)) ([084b736](https://github.com/aws/aws-cdk/commit/084b736f80959ee17a28c2d9c355b0dcf1faa393))
+
+
+### Reverts
+
+* **imagebuilder-alpha:** add support for Component Construct ([#36104](https://github.com/aws/aws-cdk/issues/36104)) ([689ad05](https://github.com/aws/aws-cdk/commit/689ad05b20a1332c5113b2084737e95a16bbd9ed)), closes [aws/aws-cdk#36006](https://github.com/aws/aws-cdk/issues/36006)
+* **imagebuilder-alpha:** add support for Distribution Configuration Construct ([#36103](https://github.com/aws/aws-cdk/issues/36103)) ([8d6867a](https://github.com/aws/aws-cdk/commit/8d6867ab94d1efe0835e922f28c9d3ac4aebcbf2)), closes [aws/aws-cdk#36005](https://github.com/aws/aws-cdk/issues/36005)
+
 ## [2.226.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.225.0-alpha.0...v2.226.0-alpha.0) (2025-11-20)
 
 ## [2.225.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.224.0-alpha.0...v2.225.0-alpha.0) (2025-11-17)

CHANGELOG.v2.md

@@ -2,6 +2,21 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.227.0](https://github.com/aws/aws-cdk/compare/v2.226.0...v2.227.0) (2025-11-20)
+
+**CHANGES TO L1 RESOURCES:** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:
+  - **aws-backup**: AWS::Backup::LogicallyAirGappedBackupVault: EncryptionKeyArn attribute removed.
+
+### Features
+
+* update L1 CloudFormation resource definitions ([#36122](https://github.com/aws/aws-cdk/issues/36122)) ([51d805e](https://github.com/aws/aws-cdk/commit/51d805e8b06ff6c22097fe10f6cf71f84af119e0))
+* **core:** cfn constructs (L1s) can now accept constructs as parameters for known resource relationships ([#35838](https://github.com/aws/aws-cdk/issues/35838)) ([6be7b4b](https://github.com/aws/aws-cdk/commit/6be7b4bdad74fe2889bb0b7b33e9d5ad7ef2e415))
+* factory methods for Grants made public ([#36123](https://github.com/aws/aws-cdk/issues/36123)) ([f9a894f](https://github.com/aws/aws-cdk/commit/f9a894fe4dc35415405295ae60f713b8c32de375))
+* **dynamodb:** add `TableGrants` and `StreamGrants` ([#36093](https://github.com/aws/aws-cdk/issues/36093)) ([d0b074a](https://github.com/aws/aws-cdk/commit/d0b074a1bcc7ba54f809d7423bf744792dbaa690))
+* **rds:** support instance and iam-db-auth-error CloudWatch log exports ([#35058](https://github.com/aws/aws-cdk/issues/35058)) ([e71a8b1](https://github.com/aws/aws-cdk/commit/e71a8b1d167d2ba70472305b5a004b992f79fcc1)), closes [#35018](https://github.com/aws/aws-cdk/issues/35018)
+* **s3:** add `BucketGrants` ([#36102](https://github.com/aws/aws-cdk/issues/36102)) ([5891172](https://github.com/aws/aws-cdk/commit/58911727be529afa9d743492bebc1d8e7478a1d6))
+* grants are now available through a separate class ([#35782](https://github.com/aws/aws-cdk/issues/35782)) ([21fd959](https://github.com/aws/aws-cdk/commit/21fd9593c1d451d68b0f3825c47286a41fa5ea37))
+
 ## [2.226.0](https://github.com/aws/aws-cdk/compare/v2.225.0...v2.226.0) (2025-11-20)
 
 

docs/DESIGN_GUIDELINES.md

@@ -1048,53 +1048,49 @@ Grants are one of the most powerful concepts in the AWS Construct Library. They
 offer a higher level, intent-based, API for managing IAM permissions for AWS
 resources.
 
-**Despite the fact that they may be mutating**, grants should be exposed on the
-  construct interface, and not on the concrete class
-  _[awslint:grants-on-interface]_. See discussion above about mutability for
-  reasoning.
-
-Grants are represented as a set of methods with the “**grant**” prefix.
-
-All constructs that represent AWS resources must have at least one grant method
-called “**grant**” which can be used to grant a grantee (such as an IAM
-principal) permission to perform a set of actions on the resource with the
-following signature. This method is defined as an abstract method on the
-**Resource** base class (and the **IResource** interface)
-_[awslint:grants-grant-method]_:
+Grants for a given resource class are implemented in an accompanying class. For
+example, **sns.Topic** has a corresponding **sns.TopicGrants** class. To get an
+instance of the Grants class for a given resource, use the static **from<Resource>()**:
 
 ```ts
-grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
+const role = new iam.Role(/*...*/);
+
+const topic = new sns.Topic(/*...*/);
+const grants = TopicGrants.fromTopic(topic);
 ```
 
-The **iam.Grant** class has a rich API for implementing grants which implements
-the desired behavior.
+The `fromTopic()` method accepts the resource reference interface (`sns.ITopicRef`),
+which allows you to use the same class for both L1 and L2 constructs:
 
-Furthermore, resources should also include a set of grant methods for common use
-cases. For example, **dynamodb.Table.grantPutItem**,
-**s3.Bucket.grantReadWrite**, etc. In such cases, the signature of the grant
-method should adhere to the following rules _[awslint:grant-signature]_:
+```ts
+const topic = new sns.CfnTopic(/*...*/);
+const grants = TopicGrants.fromTopic(topic);
+```
 
-1. Name should have a “grant” prefix
-2. Returns an **iam.Grant** object
-3. First argument must be **grantee: iam.IGrantable**
+The instance methods of the Grants classes can be used to grant a grantee
+(such as an IAM principal) permission to perform a set of actions on the resource:
 
 ```ts
-grantXxx(grantee: iam.IGrantable): iam.Grant;
+// Allow the role to publish and subscribe to the topic
+topicGrants.publish(role);
+topicGrants.subscribe(role);
 ```
 
-It makes sense for some AWS resources to also expose grant methods on all
-resources in the account. To support such use cases, expose a set of static
-grant methods on the construct class. For example,
-**dynamodb.Table.grantAllListStreams**. The signature of static grants should be
-similar _[awslint:grants-static-all]_.
+For every resource that has an accompanying Grants class, the construct interface should
+include a public **grants** property that returns an instance of the Grants class:
 
 ```ts
-export class Table {
-  public static grantAll(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
-  public static grantAllListStreams(grantee: iam.IGrantable): iam.Grant;
+export abstract class TopicBase extends Resource implements ITopic, IEncryptedResource {
+  ...
+  public readonly grants: TopicGrants = TopicGrants.fromTopic(this);
+  ...
 }
 ```
 
+The `TopicGrants` class, and many others, are generated automatically. But if there
+is no auto-generated grants class for a resource, you can implement it manually,
+following the same patterns.
+
 ### Metrics
 
 Almost all AWS resources emit CloudWatch metrics, which can be used with alarms

packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2-integrations/test/websocket/integ.lambda-connect-disconnect-trigger.js.snapshot/integ-apigwv2-lambda-connect-integration.template.json

@@ -52,17 +52,12 @@
         "dynamodb:UpdateItem"
        ],
        "Effect": "Allow",
-       "Resource": [
-        {
-         "Fn::GetAtt": [
-          "WebSocketLogTable7F74AAC5",
-          "Arn"
-         ]
-        },
-        {
-         "Ref": "AWS::NoValue"
-        }
-       ]
+       "Resource": {
+        "Fn::GetAtt": [
+         "WebSocketLogTable7F74AAC5",
+         "Arn"
+        ]
+       }
       }
      ],
      "Version": "2012-10-17"
@@ -97,7 +92,7 @@
       "Arn"
      ]
     },
-    "Runtime": "nodejs14.x",
+    "Runtime": "nodejs22.x",
     "Timeout": 5
    },
    "DependsOn": [
@@ -157,17 +152,12 @@
         "dynamodb:UpdateItem"
        ],
        "Effect": "Allow",
-       "Resource": [
-        {
-         "Fn::GetAtt": [
-          "WebSocketLogTable7F74AAC5",
-          "Arn"
-         ]
-        },
-        {
-         "Ref": "AWS::NoValue"
-        }
-       ]
+       "Resource": {
+        "Fn::GetAtt": [
+         "WebSocketLogTable7F74AAC5",
+         "Arn"
+        ]
+       }
       }
      ],
      "Version": "2012-10-17"
@@ -202,7 +192,7 @@
       "Arn"
      ]
     },
-    "Runtime": "nodejs14.x",
+    "Runtime": "nodejs22.x",
     "Timeout": 5
    },
    "DependsOn": [

packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2-integrations/test/websocket/integ.lambda-connect-disconnect-trigger.ts

@@ -17,7 +17,7 @@ const webSocketTableName = 'WebSocketConnections';
 
 const connectFunction = new lambda.Function(stack, 'Connect Function', {
   functionName: 'process_connect_requests',
-  runtime: lambda.Runtime.NODEJS_14_X,
+  runtime: lambda.Runtime.NODEJS_22_X,
   handler: 'index.handler',
   code: lambda.Code.fromAsset(path.join(__dirname, 'lambdas', 'connect')),
   timeout: cdk.Duration.seconds(5),
@@ -31,7 +31,7 @@ const disconnectFunction = new lambda.Function(
   'Disconnect Function',
   {
     functionName: 'process_disconnect_requests',
-    runtime: lambda.Runtime.NODEJS_14_X,
+    runtime: lambda.Runtime.NODEJS_22_X,
     handler: 'index.handler',
     code: lambda.Code.fromAsset(
       path.join(__dirname, 'lambdas', 'disconnect'),

packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.appsync-eventapi-dynamodb.js.snapshot/EventApiDynamoDBStack.template.json

@@ -77,17 +77,12 @@
         "dynamodb:UpdateItem"
        ],
        "Effect": "Allow",
-       "Resource": [
-        {
-         "Fn::GetAtt": [
-          "table8235A42E",
-          "Arn"
-         ]
-        },
-        {
-         "Ref": "AWS::NoValue"
-        }
-       ]
+       "Resource": {
+        "Fn::GetAtt": [
+         "table8235A42E",
+         "Arn"
+        ]
+       }
       }
      ],
      "Version": "2012-10-17"

packages/@aws-cdk-testing/framework-integ/test/aws-appsync/test/integ.auth-apikey.js.snapshot/aws-appsync-integ.assets.json

@@ -71,17 +71,12 @@
         "dynamodb:UpdateItem"
        ],
        "Effect": "Allow",
-       "Resource": [
-        {
-         "Fn::GetAtt": [
-          "TestTable5769773A",
-          "Arn"
-         ]
-        },
-        {
-         "Ref": "AWS::NoValue"
-        }
-       ]
+       "Resource": {
+        "Fn::GetAtt": [
+         "TestTable5769773A",
+         "Arn"
+        ]
+       }
       }
      ],
      "Version": "2012-10-17"
@@ -103,8 +98,6 @@
       "ApiId"
      ]
     },
-    "Name": "testDataSource",
-    "Type": "AMAZON_DYNAMODB",
     "DynamoDBConfig": {
      "AwsRegion": {
       "Ref": "AWS::Region"
@@ -113,12 +106,14 @@
       "Ref": "TestTable5769773A"
      }
     },
+    "Name": "testDataSource",
     "ServiceRoleArn": {
      "Fn::GetAtt": [
       "ApitestDataSourceServiceRoleACBC3F3D",
       "Arn"
      ]
-    }
+    },
+    "Type": "AMAZON_DYNAMODB"
    }
   },
   "ApiQueryGetTestsF8C40170": {
@@ -130,12 +125,12 @@
       "ApiId"
      ]
     },
-    "FieldName": "getTests",
-    "TypeName": "Query",
     "DataSourceName": "testDataSource",
+    "FieldName": "getTests",
     "Kind": "UNIT",
     "RequestMappingTemplate": "{\"version\" : \"2017-02-28\", \"operation\" : \"Scan\", \"consistentRead\": false}",
-    "ResponseMappingTemplate": "$util.toJson($ctx.result.items)"
+    "ResponseMappingTemplate": "$util.toJson($ctx.result.items)",
+    "TypeName": "Query"
    },
    "DependsOn": [
     "ApiSchema510EECD7",
@@ -151,12 +146,12 @@
       "ApiId"
      ]
     },
-    "FieldName": "addTest",
-    "TypeName": "Mutation",
     "DataSourceName": "testDataSource",
+    "FieldName": "addTest",
     "Kind": "UNIT",
     "RequestMappingTemplate": "\n      #set($input = $ctx.args.test)\n      \n      {\n        \"version\": \"2017-02-28\",\n        \"operation\": \"PutItem\",\n        \"key\" : {\n      \"id\" : $util.dynamodb.toDynamoDBJson($util.autoId())\n    },\n        \"attributeValues\": $util.dynamodb.toMapValuesJson($input)\n      }",
-    "ResponseMappingTemplate": "$util.toJson($ctx.result)"
+    "ResponseMappingTemplate": "$util.toJson($ctx.result)",
+    "TypeName": "Mutation"
    },
    "DependsOn": [
     "ApiSchema510EECD7",
@@ -166,19 +161,19 @@
   "TestTable5769773A": {
    "Type": "AWS::DynamoDB::Table",
    "Properties": {
-    "KeySchema": [
+    "AttributeDefinitions": [
      {
       "AttributeName": "id",
-      "KeyType": "HASH"
+      "AttributeType": "S"
      }
     ],
-    "AttributeDefinitions": [
+    "BillingMode": "PAY_PER_REQUEST",
+    "KeySchema": [
      {
       "AttributeName": "id",
-      "AttributeType": "S"
+      "KeyType": "HASH"
      }
-    ],
-    "BillingMode": "PAY_PER_REQUEST"
+    ]
    },
    "UpdateReplacePolicy": "Delete",
    "DeletionPolicy": "Delete"