Merge branch 'main' into ec2-instance-type

mergify[bot] · web-flow · commit e03837bf332a · 2025-05-21T19:15:06.000Z
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.template.json
@@ -86,7 +86,7 @@
        "Action": "s3:PutObject",
        "Condition": {
         "StringEquals": {
-         "aws:Referer": {
+         "aws:SourceAccount": {
           "Ref": "AWS::AccountId"
          }
         }
diff --git a/packages/aws-cdk-lib/aws-ecs-patterns/lib/base/application-load-balanced-service-base.ts b/packages/aws-cdk-lib/aws-ecs-patterns/lib/base/application-load-balanced-service-base.ts
@@ -219,8 +219,8 @@ export interface ApplicationLoadBalancedServiceBaseProps {
   readonly cloudMapOptions?: CloudMapOptions;
 
   /**
-   * Specifies whether the load balancer should redirect traffic on port 80 to port 443 to support HTTP->HTTPS redirects
-   * This is only valid if the protocol of the ALB is HTTPS
+   * Specifies whether the load balancer should redirect traffic on port 80 to the {@link listenerPort} to support HTTP->HTTPS redirects.
+   * This is only valid if the protocol of the ALB is HTTPS.
    *
    * @default false
    */
diff --git a/packages/aws-cdk-lib/aws-rds/lib/instance-engine.ts b/packages/aws-cdk-lib/aws-rds/lib/instance-engine.ts
@@ -371,7 +371,10 @@ export class MariaDbEngineVersion {
    */
   public static readonly VER_10_3_39 = MariaDbEngineVersion.of('10.3.39', '10.3');
 
-  /** Version "10.4" (only a major version, without a specific minor version). */
+  /**
+   * Version "10.4" (only a major version, without a specific minor version)
+   * @deprecated MariaDB 10.4 is no longer supported by Amazon RDS.
+   */
   public static readonly VER_10_4 = MariaDbEngineVersion.of('10.4', '10.4');
   /**
    * Version "10.4.8"
@@ -423,17 +426,35 @@ export class MariaDbEngineVersion {
    * @deprecated MariaDB 10.4.28 is no longer supported by Amazon RDS.
    */
   public static readonly VER_10_4_28 = MariaDbEngineVersion.of('10.4.28', '10.4');
-  /** Version "10.4.29". */
+  /**
+   * Version "10.4.29"
+   * @deprecated MariaDB 10.4.29 is no longer supported by Amazon RDS.
+   */
   public static readonly VER_10_4_29 = MariaDbEngineVersion.of('10.4.29', '10.4');
-  /** Version "10.4.30". */
+  /**
+   * Version "10.4.30"
+   * @deprecated MariaDB 10.4.30 is no longer supported by Amazon RDS.
+   */
   public static readonly VER_10_4_30 = MariaDbEngineVersion.of('10.4.30', '10.4');
-  /** Version "10.4.31". */
+  /**
+   * Version "10.4.31"
+   * @deprecated MariaDB 10.4.31 is no longer supported by Amazon RDS.
+   */
   public static readonly VER_10_4_31 = MariaDbEngineVersion.of('10.4.31', '10.4');
-  /** Version "10.4.32". */
+  /**
+   * Version "10.4.32"
+   * @deprecated MariaDB 10.4.32 is no longer supported by Amazon RDS.
+   */
   public static readonly VER_10_4_32 = MariaDbEngineVersion.of('10.4.32', '10.4');
-  /** Version "10.4.33". */
+  /**
+   * Version "10.4.33"
+   * @deprecated MariaDB 10.4.33 is no longer supported by Amazon RDS.
+   */
   public static readonly VER_10_4_33 = MariaDbEngineVersion.of('10.4.33', '10.4');
-  /** Version "10.4.34". */
+  /**
+   * Version "10.4.34"
+   * @deprecated MariaDB 10.4.34 is no longer supported by Amazon RDS.
+   */
   public static readonly VER_10_4_34 = MariaDbEngineVersion.of('10.4.34', '10.4');
 
   /** Version "10.5" (only a major version, without a specific minor version). */
diff --git a/packages/aws-cdk-lib/aws-ses-actions/lib/s3.ts b/packages/aws-cdk-lib/aws-ses-actions/lib/s3.ts
@@ -55,7 +55,7 @@ export class S3 implements ses.IReceiptRuleAction {
       resources: [this.props.bucket.arnForObjects(`${keyPattern}*`)],
       conditions: {
         StringEquals: {
-          'aws:Referer': cdk.Aws.ACCOUNT_ID,
+          'aws:SourceAccount': cdk.Aws.ACCOUNT_ID,
         },
       },
     });
diff --git a/packages/aws-cdk-lib/aws-ses-actions/test/actions.test.ts b/packages/aws-cdk-lib/aws-ses-actions/test/actions.test.ts
@@ -190,7 +190,7 @@ test('add s3 action', () => {
           Action: 's3:PutObject',
           Condition: {
             StringEquals: {
-              'aws:Referer': {
+              'aws:SourceAccount': {
                 Ref: 'AWS::AccountId',
               },
             },
diff --git a/packages/aws-cdk-lib/aws-ses/README.md b/packages/aws-cdk-lib/aws-ses/README.md
@@ -103,6 +103,12 @@ new ses.AllowListReceiptFilter(this, 'AllowList', {
 
 This will first create a block all filter and then create allow filters for the listed ip addresses.
 
+### AWS Service Principal permissions
+
+When adding an s3 action to a receipt rule, the CDK will automatically create a policy statement that allows the ses service principal to get write access to the bucket. This is done with the `SourceAccount` condition key, which is automatically added to the policy statement.
+Previously, the policy used the `Referer` condition key, which caused confused deputy problems when the bucket policy allowed access to the bucket for all principals.
+See more information in [this github issue](https://github.com/aws/aws-cdk/issues/29811)
+
 ## Email sending
 
 ### Dedicated IP pools
diff --git a/tools/@aws-cdk/enum-updater/lib/exclude-values.json b/tools/@aws-cdk/enum-updater/lib/exclude-values.json
@@ -65,6 +65,10 @@
         },
         "FunctionEventType": {
             "comment": "The origin-X events are only available to Lambda@Edge functions"
+        },
+        "PriceClass": {
+            "values": ["None"],
+            "comment": "NONE is not supported"
         }
     },
     "iot": {

Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,7 @@`
`86`	`86`	`"Action": "s3:PutObject",`
`87`	`87`	`"Condition": {`
`88`	`88`	`"StringEquals": {`
`89`		`- "aws:Referer": {`
	`89`	`+ "aws:SourceAccount": {`
`90`	`90`	`"Ref": "AWS::AccountId"`
`91`	`91`	`}`
`92`	`92`	`}`