chore(release): 2.203.0 #34867
Merged
…4788) These packages do not have to be maintained in this repository anymore. Remove them. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…nt (#34405)

### Issue # (if applicable)

None

### Reason for this change

CloudFormation supports configuring the [client route enforcement](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-cre.html) feature for client VPN endpoints.

### Description of changes

- Add `enableClientRouteEnforcement` prop to `ClientVpnEndpointProps`

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Add both unit and integ tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… needed (#34618)

### Issue # (if applicable)

Closes #33505

### Reason for this change

The Ec2TaskDefinition should not pass the `@deprecated` `props.inferenceAccelerators` property if it's unset or empty, because this results in showing deprecation notices in the console. See [this comment](#33505 (comment)).

### Description of changes

Do not rely only on passing the props, but check if the array actually contains any elements.

### Describe any new or updated permissions being added

### Description of how you validated changes

Cannot test by hand due to #34610.

UPDATE: manually tested in a production CDK stack. Result as expected, warnings are not shown during `cdk diff`.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-accessanalyzer │ └ resources │ └[~] resource AWS::AccessAnalyzer::Analyzer │ └ types │ ├[~] type AnalyzerConfiguration │ │ └ properties │ │ └[+] InternalAccessConfiguration: InternalAccessConfiguration │ ├[+] type InternalAccessAnalysisRule │ │ ├ documentation: Contains information about analysis rules for the internal access analyzer. Analysis rules determine which entities will generate findings based on the criteria you define when you create the rule. │ │ │ name: InternalAccessAnalysisRule │ │ └ properties │ │ └ Inclusions: Array<InternalAccessAnalysisRuleCriteria> │ ├[+] type InternalAccessAnalysisRuleCriteria │ │ ├ documentation: The criteria for an analysis rule for an internal access analyzer. │ │ │ name: InternalAccessAnalysisRuleCriteria │ │ └ properties │ │ ├ AccountIds: Array<string> │ │ ├ ResourceArns: Array<string> │ │ └ ResourceTypes: Array<string> │ └[+] type InternalAccessConfiguration │ ├ documentation: Specifies the configuration of an internal access analyzer for an AWS organization or account. This configuration determines how the analyzer evaluates internal access within your AWS environment. │ │ name: InternalAccessConfiguration │ └ properties │ └ InternalAccessAnalysisRule: InternalAccessAnalysisRule ├[~] service aws-amplify │ └ resources │ └[~] resource AWS::Amplify::App │ ├ properties │ │ └[+] JobConfig: JobConfig │ └ types │ └[+] type JobConfig │ ├ documentation: Describes the configuration details that apply to the jobs for an Amplify app. │ │ Use `JobConfig` to apply configuration to jobs, such as customizing the build instance size when you create or update an Amplify app. 
For more information about customizable build instances, see [Custom build instances](https://docs.aws.amazon.com/amplify/latest/userguide/custom-build-instance.html) in the *Amplify User Guide* . │ │ name: JobConfig │ └ properties │ └ BuildComputeType: string (required) ├[~] service aws-cleanrooms │ └ resources │ └[~] resource AWS::CleanRooms::Collaboration │ ├ properties │ │ ├ CreatorMemberAbilities: - Array<string> (required, immutable) │ │ │ + Array<string> (immutable) │ │ └ Members: - Array<MemberSpecification> (required, immutable) │ │ + Array<MemberSpecification> (immutable) │ └ types │ └[~] type MemberSpecification │ └ properties │ └ MemberAbilities: - Array<string> (required, immutable) │ + Array<string> (immutable) ├[~] service aws-connect │ └ resources │ └[~] resource AWS::Connect::EvaluationForm │ ├ properties │ │ └[+] AutoEvaluationConfiguration: AutoEvaluationConfiguration │ └ types │ ├[+] type AutoEvaluationConfiguration │ │ ├ name: AutoEvaluationConfiguration │ │ └ properties │ │ └ Enabled: boolean │ └[~] type EvaluationFormNumericQuestionAutomation │ └ properties │ └ PropertyValue: - NumericQuestionPropertyValueAutomation (required) │ + NumericQuestionPropertyValueAutomation ├[~] service aws-customerprofiles │ └ resources │ ├[~] resource AWS::CustomerProfiles::CalculatedAttributeDefinition │ │ └ types │ │ └[~] type Range │ │ └ properties │ │ └ Value: - integer (required) │ │ + integer │ └[~] resource AWS::CustomerProfiles::SegmentDefinition │ └ types │ ├[~] type ProfileAttributes │ │ └ properties │ │ └[+] ProfileType: ProfileTypeDimension │ └[+] type ProfileTypeDimension │ ├ documentation: Specifies profile type based criteria for a segment. 
│ │ name: ProfileTypeDimension │ └ properties │ ├ DimensionType: string (required) │ └ Values: Array<string> (required) ├[~] service aws-deadline │ └ resources │ └[~] resource AWS::Deadline::Fleet │ └ types │ └[~] type AcceleratorSelection │ └ properties │ ├ Name: (documentation changed) │ └ Runtime: (documentation changed) ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::Subnet │ │ └ types │ │ └[~] type BlockPublicAccessStates │ │ ├ - documentation: undefined │ │ │ + documentation: The state of VPC Block Public Access (BPA). │ │ └ properties │ │ └ InternetGatewayBlockMode: (documentation changed) │ └[~] resource AWS::EC2::TrafficMirrorFilter │ └ attributes │ └ Id: (documentation changed) ├[~] service aws-ecr │ └ resources │ └[~] resource AWS::ECR::RepositoryCreationTemplate │ └ properties │ └ ImageTagMutability: (documentation changed) ├[~] service aws-ecs │ └ resources │ └[~] resource AWS::ECS::Service │ └ - documentation: The `AWS::ECS::Service` resource creates an Amazon Elastic Container Service (Amazon ECS) service that runs and maintains the requested number of tasks and associated load balancers. │ > The stack update fails if you change any properties that require replacement and at least one Amazon ECS Service Connect `ServiceConnectConfiguration` property is configured. This is because AWS CloudFormation creates the replacement service first, but each `ServiceConnectService` must have a name that is unique in the namespace. > Starting April 15, 2023, AWS ; will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS , or Amazon EC2 . However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service. 
│ + documentation: The `AWS::ECS::Service` resource creates an Amazon Elastic Container Service (Amazon ECS) service that runs and maintains the requested number of tasks and associated load balancers. │ > The stack update fails if you change any properties that require replacement and at least one Amazon ECS Service Connect `ServiceConnectConfiguration` property is configured. This is because AWS CloudFormation creates the replacement service first, but each `ServiceConnectService` must have a name that is unique in the namespace. > Starting April 15, 2023, AWS ; will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS , or Amazon EC2 . However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service. > On June 12, 2025, Amazon ECS launched support for updating capacity provider configuration for Amazon ECS services. With this launch, Amazon ECS also aligned the AWS CloudFormation update behavior for `CapacityProviderStrategy` parameter with the standard practice. For more information, see [Amazon ECS adds support for updating capacity provider configuration for ECS services](https://docs.aws.amazon.com/about-aws/whats-new/2025/05/amazon-ecs-capacity-provider-configuration-ecs/) . Previously Amazon ECS ignored the `CapacityProviderStrategy` property if it was set to an empty list for example, `[]` in AWS CloudFormation , because updating capacity provider configuration was not supported. Now, with support for capacity provider updates, customers can remove capacity providers from a service by passing an empty list. 
When you specify an empty list ( `[]` ) for the `CapacityProviderStrategy` property in your AWS CloudFormation template, Amazon ECS will remove any capacity providers associated with the service, as follows: │ > │ > - For services created with a capacity provider strategy after the launch: │ > │ > - If there's a cluster default strategy set, the service will revert to using that default strategy. │ > - If no cluster default strategy exists, you will receive the following error: │ > │ > No launch type to fall back to for empty capacity provider strategy. Your service was not created with a launch type. │ > - For services created with a capacity provider strategy prior to the launch: │ > │ > - If `CapacityProviderStrategy` had `FARGATE_SPOT` or `FARGATE` capacity providers, the launch type will be updated to `FARGATE` and the capacity provider will be removed. │ > - If the strategy included Auto Scaling group capacity providers, the service will revert to EC2 launch type, and the Auto Scaling group capacity providers will not be used. │ > │ > Recommended Actions │ > │ > If you are currently using `CapacityProviderStrategy: []` in your AWS CloudFormation templates, you should take one of the following actions: │ > │ > - If you do not intend to update the Capacity Provider Strategy: │ > │ > - Remove the `CapacityProviderStrategy` property entirely from your AWS CloudFormation template │ > - Alternatively, use `!Ref AWS ::NoValue` for the `CapacityProviderStrategy` property in your template │ > - If you intend to maintain or update the Capacity Provider Strategy, specify the actual Capacity Provider Strategy for the service in your AWS CloudFormation template. 
│ > │ > If your AWS CloudFormation template had an empty list ([]) for `CapacityProviderStrategy` prior to the aforementioned launch on June 12, and you are using the same template with `CapacityProviderStrategy: []` , you might encounter the following error: │ > │ > Invalid request provided: When switching from launch type to capacity provider strategy on an existing service, or making a change to a capacity provider strategy on a service that is already using one, you must force a new deployment. (Service: Ecs, Status Code: 400, Request ID: xxx) (SDK Attempt Count: 1)" (RequestToken: xxx HandlerErrorCode: InvalidRequest) │ > │ > Note that AWS CloudFormation automatically initiates a new deployment when it detects a parameter change, but customers cannot choose to force a deployment through AWS CloudFormation . This is an invalid input scenario that requires one of the remediation actions listed above. │ > │ > If you are experiencing active production issues related to this change, contact AWS Support or your Technical Account Manager. 
├[~] service aws-inspectorv2 │ └ resources │ └[~] resource AWS::InspectorV2::Filter │ ├ - tagInformation: undefined │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"map"} │ ├ properties │ │ └[+] Tags: Map<string, string> │ └ types │ ├[~] type FilterCriteria │ │ └ properties │ │ ├[+] CodeVulnerabilityDetectorName: Array<StringFilter> │ │ ├[+] CodeVulnerabilityDetectorTags: Array<StringFilter> │ │ ├[+] CodeVulnerabilityFilePath: Array<StringFilter> │ │ ├[+] EpssScore: Array<NumberFilter> │ │ ├[+] ExploitAvailable: Array<StringFilter> │ │ ├[+] FixAvailable: Array<StringFilter> │ │ ├[+] LambdaFunctionExecutionRoleArn: Array<StringFilter> │ │ ├[+] LambdaFunctionLastModifiedAt: Array<DateFilter> │ │ ├[+] LambdaFunctionLayers: Array<StringFilter> │ │ ├[+] LambdaFunctionName: Array<StringFilter> │ │ └[+] LambdaFunctionRuntime: Array<StringFilter> │ └[~] type PackageFilter │ └ properties │ ├[+] FilePath: StringFilter │ └[+] SourceLambdaLayerArn: StringFilter ├[~] service aws-kms │ └ resources │ └[~] resource AWS::KMS::Key │ └ properties │ ├ KeySpec: (documentation changed) │ ├ KeyUsage: (documentation changed) │ └ Origin: (documentation changed) ├[~] service aws-lambda │ └ resources │ └[~] resource AWS::Lambda::EventSourceMapping │ └ types │ ├[~] type SchemaRegistryAccessConfig │ │ └ properties │ │ ├ Type: (documentation changed) │ │ └ URI: (documentation changed) │ ├[~] type SchemaRegistryConfig │ │ └ properties │ │ ├ AccessConfigs: (documentation changed) │ │ ├ EventRecordFormat: (documentation changed) │ │ ├ SchemaRegistryURI: (documentation changed) │ │ └ SchemaValidationConfigs: (documentation changed) │ └[~] type SchemaValidationConfig │ └ properties │ └ Attribute: (documentation changed) ├[~] service aws-mediatailor │ └ resources │ └[~] resource AWS::MediaTailor::PlaybackConfiguration │ ├ properties │ │ └[+] LogConfiguration: LogConfiguration │ └ types │ ├[+] type AdsInteractionLog │ │ ├ documentation: Settings for customizing what events are included in 
logs for interactions with the ad decision server (ADS). │ │ │ For more information about ADS logs, inlcuding descriptions of the event types, see [MediaTailor ADS logs description and event types](https://docs.aws.amazon.com/mediatailor/latest/ug/ads-log-format.html) in AWS Elemental MediaTailor User Guide. │ │ │ name: AdsInteractionLog │ │ └ properties │ │ ├ ExcludeEventTypes: Array<string> │ │ └ PublishOptInEventTypes: Array<string> │ ├[+] type LogConfiguration │ │ ├ documentation: Defines where AWS Elemental MediaTailor sends logs for the playback configuration. │ │ │ name: LogConfiguration │ │ └ properties │ │ ├ AdsInteractionLog: AdsInteractionLog │ │ ├ EnabledLoggingStrategies: Array<string> │ │ ├ ManifestServiceInteractionLog: ManifestServiceInteractionLog │ │ └ PercentEnabled: integer (required) │ └[+] type ManifestServiceInteractionLog │ ├ documentation: Settings for customizing what events are included in logs for interactions with the origin server. │ │ For more information about manifest service logs, including descriptions of the event types, see [MediaTailor manifest logs description and event types](https://docs.aws.amazon.com/mediatailor/latest/ug/log-types.html) in AWS Elemental MediaTailor User Guide. │ │ name: ManifestServiceInteractionLog │ └ properties │ └ ExcludeEventTypes: Array<string> ├[+] service aws-mpa │ ├ capitalized: MPA │ │ cloudFormationNamespace: AWS::MPA │ │ name: aws-mpa │ │ shortName: mpa │ └ resources │ ├ resource AWS::MPA::ApprovalTeam │ │ ├ name: ApprovalTeam │ │ │ cloudFormationType: AWS::MPA::ApprovalTeam │ │ │ documentation: Resource Type definition for AWS::MPA::ApprovalTeam. 
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ ├ properties │ │ │ ├ ApprovalStrategy: ApprovalStrategy (required) │ │ │ ├ Approvers: Array<Approver> (required) │ │ │ ├ Tags: Array<tag> │ │ │ ├ Policies: Array<Policy> (required, immutable) │ │ │ ├ Name: string (required, immutable) │ │ │ └ Description: string (required) │ │ ├ attributes │ │ │ ├ Arn: string │ │ │ ├ VersionId: string │ │ │ ├ NumberOfApprovers: integer │ │ │ ├ UpdateSessionArn: string │ │ │ ├ CreationTime: string │ │ │ ├ LastUpdateTime: string │ │ │ ├ Status: string │ │ │ ├ StatusCode: string │ │ │ └ StatusMessage: string │ │ └ types │ │ ├ type ApprovalStrategy │ │ │ ├ name: ApprovalStrategy │ │ │ └ properties │ │ │ └ MofN: MofNApprovalStrategy (required) │ │ ├ type Approver │ │ │ ├ name: Approver │ │ │ └ properties │ │ │ ├ PrimaryIdentityId: string (required) │ │ │ ├ PrimaryIdentitySourceArn: string (required) │ │ │ ├ ApproverId: string │ │ │ ├ ResponseTime: string │ │ │ └ PrimaryIdentityStatus: string │ │ ├ type MofNApprovalStrategy │ │ │ ├ name: MofNApprovalStrategy │ │ │ └ properties │ │ │ └ MinApprovalsRequired: integer (required) │ │ └ type Policy │ │ ├ name: Policy │ │ └ properties │ │ └ PolicyArn: string (required, immutable) │ └ resource AWS::MPA::IdentitySource │ ├ name: IdentitySource │ │ cloudFormationType: AWS::MPA::IdentitySource │ │ documentation: Resource Type definition for AWS::MPA::IdentitySource. 
│ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ ├ properties │ │ ├ IdentitySourceParameters: IdentitySourceParameters (required, immutable) │ │ └ Tags: Array<tag> │ ├ attributes │ │ ├ IdentitySourceArn: string │ │ ├ IdentitySourceType: string │ │ ├ IdentitySourceParameters.IamIdentityCenter.ApprovalPortalUrl: string │ │ ├ CreationTime: string │ │ ├ Status: string │ │ ├ StatusCode: string │ │ └ StatusMessage: string │ └ types │ ├ type IamIdentityCenter │ │ ├ name: IamIdentityCenter │ │ └ properties │ │ ├ InstanceArn: string (required, immutable) │ │ ├ Region: string (required, immutable) │ │ └ ApprovalPortalUrl: string │ └ type IdentitySourceParameters │ ├ name: IdentitySourceParameters │ └ properties │ └ IamIdentityCenter: IamIdentityCenter (required, immutable) ├[~] service aws-networkfirewall │ └ resources │ ├[~] resource AWS::NetworkFirewall::RuleGroup │ │ └ types │ │ └[~] type RuleVariables │ │ └ - documentation: Settings that are available for use in the rules in the `RuleGroup` where this is defined. │ │ + documentation: Settings that are available for use in the rules in the `RuleGroup` where this is defined. See `CreateRuleGroup` or `UpdateRuleGroup` for usage. 
│ └[~] resource AWS::NetworkFirewall::TLSInspectionConfiguration │ └ types │ └[~] type ServerCertificateConfiguration │ └ properties │ └ CertificateAuthorityArn: (documentation changed) ├[~] service aws-opsworkscm │ └ resources │ └[~] resource AWS::OpsWorksCM::Server │ ├ properties │ │ └[+] ServerName: string (immutable) │ └ attributes │ └ ServerName: (documentation changed) ├[~] service aws-sagemaker │ └ resources │ ├[~] resource AWS::SageMaker::Model │ │ └ types │ │ └[~] type S3DataSource │ │ └ properties │ │ └ S3DataType: (documentation changed) │ └[~] resource AWS::SageMaker::ModelPackage │ └ types │ └[~] type S3DataSource │ └ properties │ └ S3DataType: (documentation changed) ├[~] service aws-securityhub │ └ resources │ ├[+] resource AWS::SecurityHub::AggregatorV2 │ │ ├ name: AggregatorV2 │ │ │ cloudFormationType: AWS::SecurityHub::AggregatorV2 │ │ │ documentation: The AWS::SecurityHub::AggregatorV2 resource represents the AWS Security Hub AggregatorV2 in your account. One aggregatorv2 resource is created for each account in non opt-in region in which you configure region linking mode. 
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"map"} │ │ ├ properties │ │ │ ├ RegionLinkingMode: string (required) │ │ │ ├ LinkedRegions: Array<string> (required) │ │ │ └ Tags: Map<string, string> │ │ └ attributes │ │ ├ AggregatorV2Arn: string │ │ └ AggregationRegion: string │ ├[~] resource AWS::SecurityHub::AutomationRule │ │ └ types │ │ └[~] type StringFilter │ │ └ properties │ │ └ Comparison: (documentation changed) │ ├[+] resource AWS::SecurityHub::AutomationRuleV2 │ │ ├ name: AutomationRuleV2 │ │ │ cloudFormationType: AWS::SecurityHub::AutomationRuleV2 │ │ │ documentation: Resource schema for AWS::SecurityHub::AutomationRuleV2 │ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"map"} │ │ ├ properties │ │ │ ├ RuleName: string (required) │ │ │ ├ RuleStatus: string │ │ │ ├ Description: string (required) │ │ │ ├ RuleOrder: number (required) │ │ │ ├ Criteria: Criteria (required) │ │ │ ├ Actions: Array<AutomationRulesActionV2> (required) │ │ │ └ Tags: Map<string, string> │ │ ├ attributes │ │ │ ├ RuleArn: string │ │ │ ├ RuleId: string │ │ │ ├ CreatedAt: string │ │ │ └ UpdatedAt: string │ │ └ types │ │ ├ type AutomationRulesActionV2 │ │ │ ├ documentation: Allows you to configure automated responses │ │ │ │ name: AutomationRulesActionV2 │ │ │ └ properties │ │ │ ├ Type: string (required) │ │ │ ├ FindingFieldsUpdate: AutomationRulesFindingFieldsUpdateV2 │ │ │ └ ExternalIntegrationConfiguration: ExternalIntegrationConfiguration │ │ ├ type AutomationRulesFindingFieldsUpdateV2 │ │ │ ├ documentation: The changes to be applied to fields in a security finding when an automation rule is triggered │ │ │ │ name: AutomationRulesFindingFieldsUpdateV2 │ │ │ └ properties │ │ │ ├ SeverityId: integer │ │ │ ├ Comment: string │ │ │ └ StatusId: integer │ │ ├ type BooleanFilter │ │ │ ├ documentation: Boolean filter for querying findings │ │ │ │ name: BooleanFilter │ │ │ └ properties │ │ │ └ Value: boolean (required) │ │ ├ type CompositeFilter │ │ │ ├ documentation: 
Enables the creation of filtering criteria for security findings │ │ │ │ name: CompositeFilter │ │ │ └ properties │ │ │ ├ StringFilters: Array<OcsfStringFilter> │ │ │ ├ DateFilters: Array<OcsfDateFilter> │ │ │ ├ BooleanFilters: Array<OcsfBooleanFilter> │ │ │ ├ NumberFilters: Array<OcsfNumberFilter> │ │ │ ├ MapFilters: Array<OcsfMapFilter> │ │ │ └ Operator: string │ │ ├ type Criteria │ │ │ ├ documentation: Defines the parameters and conditions used to evaluate and filter security findings │ │ │ │ name: Criteria │ │ │ └ properties │ │ │ └ OcsfFindingCriteria: OcsfFindingFilters │ │ ├ type DateFilter │ │ │ ├ documentation: A date filter for querying findings │ │ │ │ name: DateFilter │ │ │ └ properties │ │ │ ├ DateRange: DateRange │ │ │ ├ End: string │ │ │ └ Start: string │ │ ├ type DateRange │ │ │ ├ documentation: A date range for the date filter │ │ │ │ name: DateRange │ │ │ └ properties │ │ │ ├ Unit: string (required) │ │ │ └ Value: number (required) │ │ ├ type ExternalIntegrationConfiguration │ │ │ ├ documentation: The settings for integrating automation rule actions with external systems or service │ │ │ │ name: ExternalIntegrationConfiguration │ │ │ └ properties │ │ │ └ ConnectorArn: string │ │ ├ type MapFilter │ │ │ ├ documentation: A map filter for filtering findings │ │ │ │ name: MapFilter │ │ │ └ properties │ │ │ ├ Comparison: string (required) │ │ │ ├ Key: string (required) │ │ │ └ Value: string (required) │ │ ├ type NumberFilter │ │ │ ├ documentation: A number filter for querying findings │ │ │ │ name: NumberFilter │ │ │ └ properties │ │ │ ├ Eq: number │ │ │ ├ Gte: number │ │ │ └ Lte: number │ │ ├ type OcsfBooleanFilter │ │ │ ├ documentation: Enables filtering of security findings based on boolean field values in OCSF │ │ │ │ name: OcsfBooleanFilter │ │ │ └ properties │ │ │ ├ FieldName: string (required) │ │ │ └ Filter: BooleanFilter (required) │ │ ├ type OcsfDateFilter │ │ │ ├ documentation: Enables filtering of security findings based on date and 
timestamp fields in OCSF │ │ │ │ name: OcsfDateFilter │ │ │ └ properties │ │ │ ├ FieldName: string (required) │ │ │ └ Filter: DateFilter (required) │ │ ├ type OcsfFindingFilters │ │ │ ├ documentation: The filtering conditions that align with OCSF standards │ │ │ │ name: OcsfFindingFilters │ │ │ └ properties │ │ │ ├ CompositeFilters: Array<CompositeFilter> │ │ │ └ CompositeOperator: string │ │ ├ type OcsfMapFilter │ │ │ ├ documentation: Enables filtering of security findings based on map field values in OCSF │ │ │ │ name: OcsfMapFilter │ │ │ └ properties │ │ │ ├ FieldName: string (required) │ │ │ └ Filter: MapFilter (required) │ │ ├ type OcsfNumberFilter │ │ │ ├ documentation: Enables filtering of security findings based on numerical field values in OCSF │ │ │ │ name: OcsfNumberFilter │ │ │ └ properties │ │ │ ├ FieldName: string (required) │ │ │ └ Filter: NumberFilter (required) │ │ ├ type OcsfStringFilter │ │ │ ├ documentation: Enables filtering of security findings based on string field values in OCSF │ │ │ │ name: OcsfStringFilter │ │ │ └ properties │ │ │ ├ FieldName: string (required) │ │ │ └ Filter: StringFilter (required) │ │ └ type StringFilter │ │ ├ documentation: A string filter for filtering findings │ │ │ name: StringFilter │ │ └ properties │ │ ├ Value: string (required) │ │ └ Comparison: string (required) │ └[~] resource AWS::SecurityHub::Insight │ └ types │ └[~] type StringFilter │ └ properties │ └ Comparison: (documentation changed) ├[~] service aws-synthetics │ └ resources │ └[~] resource AWS::Synthetics::Canary │ └ types │ └[~] type RunConfig │ └ properties │ └[+] EphemeralStorage: integer └[~] service aws-wafv2 └ resources ├[~] resource AWS::WAFv2::RuleGroup │ └ types │ ├[~] type AsnMatchStatement │ │ ├ - documentation: undefined │ │ │ + documentation: A rule statement that inspects web traffic based on the Autonomous System Number (ASN) associated with the request's IP address. 
│ │ │ For additional details, see [ASN match rule statement](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-asn-match.html) in the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) . │ │ └ properties │ │ ├ AsnList: (documentation changed) │ │ └ ForwardedIPConfig: (documentation changed) │ ├[~] type RateBasedStatementCustomKey │ │ └ properties │ │ └ ASN: (documentation changed) │ └[~] type Statement │ └ properties │ └ AsnMatchStatement: (documentation changed) └[~] resource AWS::WAFv2::WebACL ├ properties │ └ OnSourceDDoSProtectionConfig: - OnSourceDDoSProtectionConfig ⇐ json │ + OnSourceDDoSProtectionConfig └ types ├[~] type AsnMatchStatement │ ├ - documentation: undefined │ │ + documentation: A rule statement that inspects web traffic based on the Autonomous System Number (ASN) associated with the request's IP address. │ │ For additional details, see [ASN match rule statement](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-asn-match.html) in the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) . │ └ properties │ ├ AsnList: (documentation changed) │ └ ForwardedIPConfig: (documentation changed) ├[~] type AWSManagedRulesAntiDDoSRuleSet │ ├ - documentation: Configures how to use the AntiDDOS AWS managed rule group in the web ACL │ │ + documentation: Configures the use of the anti-DDoS managed rule group, `AWSManagedRulesAntiDDoSRuleSet` . This configuration is used in `ManagedRuleGroupConfig` . │ │ The configuration that you provide here determines whether and how the rules in the rule group are used. 
│ │ For additional information about this and the other intelligent threat mitigation rule groups, see [Intelligent threat mitigation in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-protections) and [AWS Managed Rules rule groups list](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list) in the *AWS WAF Developer Guide* . │ └ properties │ ├ ClientSideActionConfig: (documentation changed) │ └ SensitivityToBlock: (documentation changed) ├[~] type ClientSideAction │ ├ - documentation: Client side action config for AntiDDOS AMR. │ │ + documentation: This is part of the `AWSManagedRulesAntiDDoSRuleSet` `ClientSideActionConfig` configuration in `ManagedRuleGroupConfig` . │ └ properties │ ├ ExemptUriRegularExpressions: (documentation changed) │ ├ Sensitivity: (documentation changed) │ └ UsageOfAction: (documentation changed) ├[~] type ClientSideActionConfig │ ├ - documentation: Client side action config for AntiDDOS AMR. │ │ + documentation: This is part of the configuration for the managed rules `AWSManagedRulesAntiDDoSRuleSet` in `ManagedRuleGroupConfig` . │ └ properties │ └ Challenge: (documentation changed) ├[~] type ManagedRuleGroupConfig │ └ properties │ └ AWSManagedRulesAntiDDoSRuleSet: (documentation changed) ├[~] type OnSourceDDoSProtectionConfig │ ├ - documentation: Configures the options for on-source DDoS protection provided by supported resource type. │ │ + documentation: Configures the level of DDoS protection that applies to web ACLs associated with Application Load Balancers. │ └ properties │ └ ALBLowReputationMode: (documentation changed) ├[~] type RateBasedStatementCustomKey │ └ properties │ └ ASN: (documentation changed) ├[~] type Regex │ ├ - documentation: Regex │ │ + documentation: A single regular expression. This is used in a `RegexPatternSet` and also in the configuration for the AWS Managed Rules rule group `AWSManagedRulesAntiDDoSRuleSet` . 
│ └ properties │ └ RegexString: (documentation changed) └[~] type Statement └ properties └ AsnMatchStatement: (documentation changed) ```
Closes #34532

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
We want this bumped to have the feature flag report artifact type available. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change

Adding new team member's GitHub account

### Description of changes

Added my GitHub username (abidhasan-aws)

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Make it possible to configure the version of `cdk-assets` CLI used by the CDK Pipeline. This is only useful for versions of `cdk-assets` *newer* than `3.3.1`, as older versions have wildcard ranges in their transitive dependencies and may install different versions of packages depending on what is currently available on npmjs.com. The first `cdk-assets` version after `3.3.1` will bundle its dependencies so that the install operation will be deterministic. We recommend you don't use this feature and just leave it at `latest`. The bundling of dependencies of `cdk-assets` will already remove any install failures around the release time of a new SDKv3 version, that used to plague `cdk-assets` in the past. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
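The install drift described in the commit message above, as an added example that is not code from the aws-cdk repository: a manifest with wildcard and caret ranges resolves to different versions once new releases are published, while an exact pin does not. The package names, versions, registry snapshots and the simplified range matcher are constructed for illustration and are not npm's resolver.

```javascript
// Added illustration: all package names, versions and registry snapshots are constructed.

// Parse "1.2.3" into [1, 2, 3]; returns null for anything that is not an exact version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Simplified range matcher (an assumption of this example, not npm's semver library):
//   "*"       any version
//   "^1.2.3"  same major, >= 1.2.3 (major 0 is rejected to keep the rule simple)
//   "~1.2.3"  same major.minor, >= 1.2.3
//   "1.2.3"   exactly that version
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!v) return false;
  if (range === '*') return true;
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  if (!base) throw new Error(`unsupported range: ${range}`);
  if (op === '^' && base[0] === 0) throw new Error(`unsupported range: ${range}`);
  if (op === '') return compareVersions(v, base) === 0;
  if (compareVersions(v, base) < 0) return false;
  if (op === '^') return v[0] === base[0];
  return v[0] === base[0] && v[1] === base[1];
}

// Pick the highest published version that satisfies the range, as an installer would.
function resolve(range, published) {
  const matches = published.filter((v) => satisfies(v, range));
  if (matches.length === 0) return null;
  matches.sort((a, b) => compareVersions(parseVersion(a), parseVersion(b)));
  return matches[matches.length - 1];
}

// Resolve every dependency of a manifest against one registry snapshot.
function install(manifest, registry) {
  const resolved = {};
  for (const [name, range] of Object.entries(manifest.dependencies)) {
    resolved[name] = resolve(range, registry[name] || []);
  }
  return resolved;
}

// Dependencies whose range is not an exact version and can therefore float.
function floatingDependencies(manifest) {
  return Object.entries(manifest.dependencies)
    .filter(([, range]) => parseVersion(range) === null)
    .map(([name]) => name);
}

// Dependencies that resolve differently between two registry snapshots.
function drift(manifest, before, after) {
  const a = install(manifest, before);
  const b = install(manifest, after);
  return Object.keys(a).filter((name) => a[name] !== b[name]);
}

// Constructed manifest of a transitive dependency of a CLI tool.
const transitiveManifest = {
  name: 'example-tool-dependency',
  dependencies: { 'sdk-client': '*', 'sdk-core': '^3.0.0', 'archive-lib': '5.3.2' },
};

// Constructed registry state on two different days.
const registryBefore = {
  'sdk-client': ['3.800.0', '3.801.0'],
  'sdk-core': ['3.0.0', '3.5.1'],
  'archive-lib': ['5.3.2', '5.4.0'],
};
const registryAfter = {
  'sdk-client': ['3.800.0', '3.801.0', '3.802.0'],
  'sdk-core': ['3.0.0', '3.5.1', '3.6.0'],
  'archive-lib': ['5.3.2', '5.4.0'],
};

console.log('floating:', floatingDependencies(transitiveManifest));
console.log('before:  ', install(transitiveManifest, registryBefore));
console.log('after:   ', install(transitiveManifest, registryAfter));
console.log('drifted: ', drift(transitiveManifest, registryBefore, registryAfter));
```

Pinning only the top-level tool version leaves the two floating entries free to move; bundling the dependencies into the published package, as the commit message describes, removes the install-time resolution step entirely.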
Removes the need to keep this config up to date. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR updates the CDK enum mapping file.
The Pipelines construct used to inspect `package.json` of the library to come up with the major version of the CDK CLI to use. This made sense when we were developing v1 and v2 of CDK at the same time, but now that v1 is deprecated and the version lines of library and CLI have been decoupled, this does not make sense anymore. Just depend on CLI v2 directly, in a clear way. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…34647)

### Issue # (if applicable)

Closes #34644.

### Reason for this change

When a Helm chart upgrade fails, the current error logging only shows a generic error message like Error: UPGRADE FAILED: context deadline exceeded without providing any useful context for troubleshooting. This makes it difficult for users to diagnose issues.

### Description of changes

This PR enhances the error logging and command output formatting for Helm chart operations in the AWS EKS module, addressing issues with error visibility and command readability in CloudWatch logs.

Sample in the Cloudwatch Logs:

>[INFO]2025-06-07T20:58:48.915Zd5b3df01-1266-4b70-a11e-0ad3b0987a9dRunning command: ['helm', 'upgrade', ' gingtestclusterchartawsloadbalancercontrollerdfdf7905', 'aws-load-balancer-controller', '--install', '--create-namespace', '--repo', 'https ://aws.github.io/eks-charts', '--values', '/tmp/values.yaml', '--version', '1.6.0', '--namespace', 'kube-system', '--kubeconfig', '/tmp/ kubeconfig']

With this in the log, users are able to see the full helm command lambda executes and try to reproduce it manually using the same helm command.

## Key Improvements

1. Enhanced Error Logging
   • Improved error message formatting for Helm chart operations
   • Added proper error context when Helm commands fail
   • Ensured error messages are properly decoded from bytes to UTF-8 strings
2. Consistent Command Formatting
   • Updated Helm command logging to match kubectl's format: `Running command: ['command', 'arg1', 'arg2', ...]`
   • Replaced URL-encoded command strings with more readable list format
   • Applied consistent logging patterns across both Helm and kubectl operations
3. Fixed AttributeError Issue
   • Fixed the AttributeError: 'list' object has no attribute 'replace' error that occurred when logging command lists
   • Simplified the logging approach to directly log command arrays without complex processing
   • Maintained protection of sensitive information in logs (like ResponseURL)
4. Verification
   • Added integration test `integ.helm-chart-logging.ts` that verifies the improved logging
   • Test creates a minimal EKS cluster and installs the AWS Load Balancer Controller chart
   • Confirmed proper logging format in CloudWatch logs

These changes significantly improve the troubleshooting experience for users deploying Helm charts to EKS clusters through CDK.

### Describe any new or updated permissions being added

No new or updated IAM permissions are needed for these changes.

### Description of how you validated changes

The Helm logging improvements were validated through comprehensive CloudWatch log analysis of a real EKS deployment to ensure the enhanced error logging functionality works as expected.

Validation Environment Setup

1. Test Stack Deployment: Deployed the integration test stack using: `npx cdk -a test/aws-eks/test/integ.helm-chart-logging.js deploy aws-cdk-eks-helm-logging-test`
2. Real Helm Operation: The test included installing the AWS Load Balancer Controller Helm chart, which exercises the actual Helm command execution path in a production-like scenario.

CloudWatch Log Analysis

Step 1: Located the kubectl provider Lambda function

- Identified the Handler function responsible for Helm operations: aws-cdk-eks-helm-logging-test-awsc-Handler886CB40B-gBnxgmJfsAq9
- This function contains the Python code with our logging improvements

Step 2: Verified Command Logging Enhancement

Confirmed that Helm commands are now logged before execution with full parameter visibility:

```
Running command: ['helm', 'upgrade', 'gingtestclusterchartawsloadbalancercontrollerdfdf7905', 'aws-load-balancer-controller', '--install', '--create-namespace', '--repo', 'https://aws.github.io/eks-charts', '--values', '/tmp/values.yaml', '--version', '1.6.0', '--namespace', 'kube-system', '--kubeconfig', '/tmp/kubeconfig']
```

Step 3: Validated UTF-8 Output Decoding

Verified that Helm output is properly decoded and readable (not raw bytes):

```
Release "gingtestclusterchartawsloadbalancercontrollerdfdf7905" does not exist. Installing it now.
NAME: gingtestclusterchartawsloadbalancercontrollerdfdf7905
LAST DEPLOYED: Sat Jun 21 14:50:42 2025
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
AWS Load Balancer controller installed!
```

Validation Results

✅ Command Logging: Successfully logs the complete Helm command array before execution, providing clear visibility into what operations are being performed.

✅ UTF-8 Decoding: Output is clean and readable with proper formatting, eliminating raw byte strings that were difficult to interpret.

✅ Error Context: The logging framework is in place to show both failed commands and decoded error output when failures occur (verified through code inspection and successful deployment proving the error handling path is functional).

✅ Consistent Format: Logging follows the same pattern as kubectl operations, maintaining consistency across the kubectl provider.

Testing Coverage

- Success Path: Validated successful Helm chart installation with proper logging
- Command Visibility: Confirmed all Helm parameters are visible in logs for troubleshooting
- Output Readability: Verified clean text output without encoding issues
- Integration: Tested in real AWS environment with actual EKS cluster and Helm operations

The validation confirms that the logging improvements directly address the issue described in #34644 by providing the command context and detailed output that users need for effective troubleshooting without requiring manual cluster access.

### What this PR Provides:

✅ Direct Matches to the Issue #34644:

1. Enhanced Command Visibility: Running command: `['helm', 'upgrade', 'release-name', 'chart-name', '--install', ...]`
   - Shows exactly what Helm command was executed
   - Helps users understand the upgrade parameters
2. Better Error Context: Our fix includes:

```py
error_message = output.decode('utf-8', errors='replace')
logger.error("Command failed: %s", cmnd)
logger.error("Error output: %s", error_message)
```

   - Shows the exact command that failed
   - Provides the full error output from Helm
   - UTF-8 decoding ensures readable error messages
4. Cleaner Output: UTF-8 decoding prevents raw byte strings that are hard to read

⚠️ Potential Gaps:

1. Detailed Kubernetes Diagnostics:
   - Our fix doesn't automatically run kubectl describe on failed resources
   - Users still might need more context about WHY Kubernetes rejected the changes
2. Proactive Resource State Checking:
   - Doesn't check resource status before/after operations
   - No automatic validation of cluster state

Verdict: 🎯 SIGNIFICANTLY ADDRESSES THE ISSUE

Our fixes directly solve the core problem described in issue #34644:

- Before: Generic "UPGRADE FAILED" with no context
- After: Clear command + full Helm error output + readable formatting

Example of improvement:

#### Before (what the issue complains about):

```
Error: UPGRADE FAILED: context deadline exceeded
```

#### After (with our fix):

```
Running command: ['helm', 'upgrade', 'my-release', 'my-chart', '--timeout', '300s', ...]
Command failed: ['helm', 'upgrade', 'my-release', 'my-chart', '--timeout', '300s', ...]
Error output: Error: UPGRADE FAILED: timed out waiting for the condition: deployment "my-app" failed to roll out - insufficient resources Pod "my-app-xyz" is Pending due to insufficient CPU
```

Additional Benefits Beyond the Issue:

- Works for both success and failure cases
- Applies to all Helm operations (install, upgrade, uninstall)
- Consistent with kubectl command logging style
- No performance impact

Conclusion: Our fix directly addresses the pain points in issue #34644 by providing the command context and detailed error output that users were missing. While we could potentially add even more Kubernetes-specific diagnostics, our improvements give users the essential information they need to troubleshoot Helm failures without manual cluster access.

### Checklist

• [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

-- By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
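A sketch of the logging pattern the Helm change above describes (log the argument list before running, decode failure output with `errors='replace'`), added here as an example and not the kubectl provider's actual handler code. The `redact` helper, the `SENSITIVE_FLAGS` set and the `CommandFailed` class are assumptions of this example: they mask the values of flags such as `--password` or `--set` so that a full-command log line does not carry chart secrets into CloudWatch.

```python
import logging
import subprocess
import sys

logger = logging.getLogger("helm-logging-example")

# Assumption of this example: values that follow these flags may carry secrets.
SENSITIVE_FLAGS = {"--password", "--set", "--set-string"}
MASK = "****"


class CommandFailed(Exception):
    """Raised with the redacted command and the decoded tool output."""

    def __init__(self, logged_cmd, output):
        super().__init__(f"Command failed: {logged_cmd}\nError output: {output}")
        self.logged_cmd = logged_cmd
        self.output = output


def redact(cmd):
    """Return a copy of cmd that is safe to log.

    Handles both '--flag value' and '--flag=value' spellings.
    """
    safe, mask_next = [], False
    for arg in cmd:
        name, sep, _ = arg.partition("=")
        if mask_next:
            safe.append(MASK)
            mask_next = False
        elif arg in SENSITIVE_FLAGS:
            safe.append(arg)
            mask_next = True
        elif sep and name in SENSITIVE_FLAGS:
            safe.append(f"{name}={MASK}")
        else:
            safe.append(arg)
    return safe


def run_logged(cmd):
    """Run cmd, logging it as a list first and decoding its output on failure."""
    safe = redact(cmd)
    logger.info("Running command: %s", safe)
    try:
        output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
    except subprocess.CalledProcessError as exc:
        # errors='replace' keeps logging alive when the tool emits bytes that
        # are not valid UTF-8; a strict decode would raise inside the handler
        # and hide the original failure.
        error_message = exc.output.decode("utf-8", errors="replace")
        logger.error("Command failed: %s", safe)
        logger.error("Error output: %s", error_message)
        raise CommandFailed(safe, error_message) from exc
    return output.decode("utf-8", errors="replace")


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="[%(levelname)s] %(message)s")
    # Constructed stand-in for a failing helm call: exits 1 and writes an
    # invalid UTF-8 byte (0xff) after the error text.
    fake_helm = [sys.executable, "-c",
                 "import sys; sys.stdout.buffer.write(b'Error: UPGRADE FAILED: "
                 "context deadline exceeded \\xff'); sys.exit(1)",
                 "upgrade", "my-release", "my-chart", "--password", "hunter2"]
    try:
        run_logged(fake_helm)
    except CommandFailed as err:
        print(err.output)
```

The real subprocess still receives the unredacted argument list; only the copy that reaches the log and the exception is masked.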
### Issue # (if applicable) Closes #34669 ### Reason for this change Support configuring function log removal policy ### Description of changes Expose log group removal policy to function props ### Describe any new or updated permissions being added ### Description of how you validated changes Unit + Integ ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change Adds a tool to sync issue metadata with project board. Github currently [does not support](https://github.com/orgs/community/discussions/5953#discussioncomment-13251662) filtering and sorting by creation and update date. ### Description of changes Adds a GH Action to update and fill those issue metadata on the project board. Metadata includes Creation and update date. ### Describe any new or updated permissions being added N/A. ### Description of how you validated changes Unit tests added. Verified Action runs successfully on local fork [here](https://github.com/Abogical/aws-cdk/actions/runs/15828088690/job/44613474808). ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ran npm-check-updates and yarn upgrade for the following dependencies: ``` @aws-cdk/asset-awscli-v1 ``` Checkout this branch and run integration tests locally to update snapshots. ``` (cd packages/@aws-cdk-testing/framework-integ && yarn integ --update-on-failed) ``` See https://www.npmjs.com/package/@aws-cdk/integ-runner for more integ runner options.
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
Reverts #34776 as the current workflow runs are failing and this is also leading to build failures
Run the PR build in GitHub Actions for improved user experience and reliability. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…correct path (#34814) ### Reason for this change Fixing the upload path for codecov-upload.ymp based workflow ### Description of changes Last successful run of CodeCov report was https://github.com/aws/aws-cdk/actions/runs/15032809949/job/42248762782 which uploaded to certain path configured in codecov. Uploads after that have been failing silently due to path match failures in codecov. Creating the path `./coverage/packages/aws-cdk-lib/core/coverage` and uploading to it should allow code coverage to be populated again. ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…rsion (#34772) ### Issue #6176 Closes #6176. ### Reason for this change Using fromBucket to source lambda code can have the unintended silent effect of not updating when the code is updated on the S3 bucket. ### Description of changes - A note is added to the docs on this behavior - A warning is added if `objectVersion` is not set. ### Describe any new or updated permissions being added No permissions added. ### Description of how you validated changes Unit tests to confirm the emission of warnings only if an object version is not set. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Use 32 core instance for the PR build. Also updates actions to the latest versions. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change [Restrictions for accessing a cache](https://docs.github.com/en/actions/how-tos/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache) effectively limit a PR to use the rosetta cache either from the same branch or the main branch. Because we currently don't fill the rosetta cache on main, most PRs cannot use this cache. Using the cache removes ~14min of most builds. This is a worthwhile investment. ### Description of changes Run the PR build against `main` and `v2-release` to always fill up the rosetta cache. We could probably set this up to skip tests, but for now this is easier. Also adds manual (always helpful) and merge group trigger (future proofing) to the build. ### Describe any new or updated permissions being added n/a ### Description of how you validated changes Reading the GitHub docs. Needs merging to actually validate. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change We are migrating `integ-runner` to use a new engine based off toolkit-lib instead of the CLI. To verify behavior, this engine was added under a new unstable feature flag. Let's use it in a repo that has a lot of traffic for `integ-runner` but is under our own tight control and ownership, so we can easily react if something goes wrong. ### Description of changes Use the new `toolkit-lib-engine` by declaring `integ-runner --unstable=toolkit-lib-engine` on our yarn scripts. ### Describe any new or updated permissions being added n/a ### Description of how you validated changes Tests still pass. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change Tell mergify about our new GitHub actions based build. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change DockerHub has strict rate limits. Use public.ecr.aws for all tests instead. ### Description of how you validated changes Tests are passing ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change Updating L1 spec automation cron schedule `37 13 * * 1` -> `15 10 * * 1` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…34839) Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-accessanalyzer │ └ resources │ └[~] resource AWS::AccessAnalyzer::Analyzer │ ├ properties │ │ └ Type: (documentation changed) │ └ types │ ├[~] type AnalyzerConfiguration │ │ └ properties │ │ └ InternalAccessConfiguration: (documentation changed) │ ├[~] type InternalAccessAnalysisRuleCriteria │ │ └ properties │ │ ├ AccountIds: (documentation changed) │ │ └ ResourceTypes: (documentation changed) │ └[~] type InternalAccessConfiguration │ └ properties │ └ InternalAccessAnalysisRule: (documentation changed) ├[+] service aws-aiops │ ├ capitalized: AIOps │ │ cloudFormationNamespace: AWS::AIOps │ │ name: aws-aiops │ │ shortName: aiops │ └ resources │ └ resource AWS::AIOps::InvestigationGroup │ ├ name: InvestigationGroup │ │ cloudFormationType: AWS::AIOps::InvestigationGroup │ │ documentation: Definition of AWS::AIOps::InvestigationGroup Resource Type │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ ├ properties │ │ ├ RoleArn: string │ │ ├ Name: string (required, immutable) │ │ ├ RetentionInDays: integer (immutable) │ │ ├ EncryptionConfig: EncryptionConfigMap │ │ ├ InvestigationGroupPolicy: string │ │ ├ IsCloudTrailEventHistoryEnabled: boolean │ │ ├ TagKeyBoundaries: Array<string> │ │ ├ ChatbotNotificationChannels: Array<ChatbotNotificationChannel> │ │ ├ CrossAccountConfigurations: Array<CrossAccountConfiguration> │ │ └ Tags: Array<tag> │ ├ attributes │ │ ├ CreatedBy: string │ │ ├ CreatedAt: string │ │ ├ LastModifiedBy: string │ │ ├ LastModifiedAt: string │ │ └ Arn: string │ └ types │ ├ type ChatbotNotificationChannel │ │ ├ name: ChatbotNotificationChannel │ │ └ properties │ │ ├ SNSTopicArn: string │ │ └ ChatConfigurationArns: Array<string> │ ├ type CrossAccountConfiguration │ │ ├ name: CrossAccountConfiguration │ │ └ properties │ │ └ SourceRoleArn: string │ └ type 
EncryptionConfigMap │ ├ name: EncryptionConfigMap │ └ properties │ ├ EncryptionConfigurationType: string │ └ KmsKeyId: string ├[~] service aws-arczonalshift │ └ resources │ └[~] resource AWS::ARCZonalShift::ZonalAutoshiftConfiguration │ ├ - documentation: The zonal autoshift configuration for a resource includes the practice run configuration and the status for running autoshifts, zonal autoshift status. When a resource has a practice run configuation, Route 53 ARC starts weekly zonal shifts for the resource, to shift traffic away from an Availability Zone. Weekly practice runs help you to make sure that your application can continue to operate normally with the loss of one Availability Zone. │ │ You can update the zonal autoshift autoshift status to enable or disable zonal autoshift. When zonal autoshift is `ENABLED` , you authorize AWS to shift away resource traffic for an application from an Availability Zone during events, on your behalf, to help reduce time to recovery. Traffic is also shifted away for the required weekly practice runs. │ │ + documentation: The zonal autoshift configuration for a resource includes the practice run configuration and the status for running autoshifts, zonal autoshift status. When a resource has a practice run configuation, ARC starts weekly zonal shifts for the resource, to shift traffic away from an Availability Zone. Weekly practice runs help you to make sure that your application can continue to operate normally with the loss of one Availability Zone. │ │ You can update the zonal autoshift autoshift status to enable or disable zonal autoshift. When zonal autoshift is `ENABLED` , you authorize AWS to shift away resource traffic for an application from an Availability Zone during events, on your behalf, to help reduce time to recovery. Traffic is also shifted away for the required weekly practice runs. 
│ ├ properties │ │ └ ResourceIdentifier: (documentation changed) │ └ types │ ├[~] type ControlCondition │ │ └ - documentation: A control condition is an alarm that you specify for a practice run. When you configure practice runs with zonal autoshift for a resource, you specify Amazon CloudWatch alarms, which you create in CloudWatch to use with the practice run. The alarms that you specify are an *outcome alarm* , to monitor application health during practice runs and, optionally, a *blocking alarm* , to block practice runs from starting or to interrupt a practice run in progress. │ │ Control condition alarms do not apply for autoshifts. │ │ For more information, see [Considerations when you configure zonal autoshift](https://docs.aws.amazon.com/r53recovery/latest/dg/arc-zonal-autoshift.considerations.html) in the Route 53 ARC Developer Guide. │ │ + documentation: A control condition is an alarm that you specify for a practice run. When you configure practice runs with zonal autoshift for a resource, you specify Amazon CloudWatch alarms, which you create in CloudWatch to use with the practice run. The alarms that you specify are an *outcome alarm* , to monitor application health during practice runs and, optionally, a *blocking alarm* , to block practice runs from starting or to interrupt a practice run in progress. │ │ Control condition alarms do not apply for autoshifts. │ │ For more information, see [Considerations when you configure zonal autoshift](https://docs.aws.amazon.com/r53recovery/latest/dg/arc-zonal-autoshift.considerations.html) in the ARC Developer Guide. │ └[~] type PracticeRunConfiguration │ ├ - documentation: A practice run configuration for a resource includes the Amazon CloudWatch alarms that you've specified for a practice run, as well as any blocked dates or blocked windows for the practice run. 
│ │ When a resource has a practice run configuation, Route 53 ARC starts weekly zonal shifts for the resource, to shift traffic away from an Availability Zone. Weekly practice runs help you to make sure that your application can continue to operate normally with the loss of one Availability Zone. │ │ You can update or delete a practice run configuration. When you delete a practice run configuration, zonal autoshift is disabled for the resource. A practice run configuration is required when zonal autoshift is enabled. │ │ + documentation: A practice run configuration for a resource includes the Amazon CloudWatch alarms that you've specified for a practice run, as well as any blocked dates or blocked windows for the practice run. │ │ When a resource has a practice run configuation, ARC starts weekly zonal shifts for the resource, to shift traffic away from an Availability Zone. Weekly practice runs help you to make sure that your application can continue to operate normally with the loss of one Availability Zone. │ │ You can update or delete a practice run configuration. When you delete a practice run configuration, zonal autoshift is disabled for the resource. A practice run configuration is required when zonal autoshift is enabled. 
│ └ properties │ └ BlockedWindows: (documentation changed) ├[~] service aws-b2bi │ └ resources │ ├[~] resource AWS::B2BI::Partnership │ │ └ types │ │ ├[~] type CapabilityOptions │ │ │ └ properties │ │ │ └[+] InboundEdi: InboundEdiOptions │ │ ├[+] type InboundEdiOptions │ │ │ ├ name: InboundEdiOptions │ │ │ └ properties │ │ │ └ X12: X12InboundEdiOptions │ │ ├[+] type WrapOptions │ │ │ ├ name: WrapOptions │ │ │ └ properties │ │ │ ├ WrapBy: string │ │ │ ├ LineTerminator: string │ │ │ └ LineLength: number │ │ ├[+] type X12AcknowledgmentOptions │ │ │ ├ name: X12AcknowledgmentOptions │ │ │ └ properties │ │ │ ├ FunctionalAcknowledgment: string (required) │ │ │ └ TechnicalAcknowledgment: string (required) │ │ ├[+] type X12ControlNumbers │ │ │ ├ name: X12ControlNumbers │ │ │ └ properties │ │ │ ├ StartingInterchangeControlNumber: number │ │ │ ├ StartingFunctionalGroupControlNumber: number │ │ │ └ StartingTransactionSetControlNumber: number │ │ ├[~] type X12Envelope │ │ │ └ properties │ │ │ └[+] WrapOptions: WrapOptions │ │ ├[+] type X12InboundEdiOptions │ │ │ ├ name: X12InboundEdiOptions │ │ │ └ properties │ │ │ └ AcknowledgmentOptions: X12AcknowledgmentOptions │ │ └[~] type X12OutboundEdiHeaders │ │ └ properties │ │ ├[+] ControlNumbers: X12ControlNumbers │ │ └[+] Gs05TimeFormat: string │ └[~] resource AWS::B2BI::Transformer │ └ types │ ├[+] type AdvancedOptions │ │ ├ name: AdvancedOptions │ │ └ properties │ │ └ X12: X12AdvancedOptions │ ├[~] type InputConversion │ │ └ properties │ │ └[+] AdvancedOptions: AdvancedOptions │ ├[+] type X12AdvancedOptions │ │ ├ name: X12AdvancedOptions │ │ └ properties │ │ └ SplitOptions: X12SplitOptions │ └[+] type X12SplitOptions │ ├ name: X12SplitOptions │ └ properties │ └ SplitBy: string ├[~] service aws-batch │ └ resources │ └[~] resource AWS::Batch::ComputeEnvironment │ └ types │ ├[~] type Ec2ConfigurationObject │ │ └ properties │ │ └ ImageType: (documentation changed) │ ├[~] type LaunchTemplateSpecification │ │ └ properties │ │ └[+] 
UserdataType: string │ └[~] type LaunchTemplateSpecificationOverride │ └ properties │ └[+] UserdataType: string ├[~] service aws-bedrock │ └ resources │ └[~] resource AWS::Bedrock::Guardrail │ ├ - documentation: Creates a guardrail to block topics and to implement safeguards for your generative AI applications. │ │ You can configure the following policies in a guardrail to avoid undesirable and harmful content, filter out denied topics and words, and remove sensitive information for privacy protection. │ │ - *Content filters* - Adjust filter strengths to block input prompts or model responses containing harmful content. │ │ - *Denied topics* - Define a set of topics that are undesirable in the context of your application. These topics will be blocked if detected in user queries or model responses. │ │ - *Word filters* - Configure filters to block undesirable words, phrases, and profanity. Such words can include offensive terms, competitor names etc. │ │ - *Sensitive information filters* - Block or mask sensitive information such as personally identifiable information (PII) or custom regex in user inputs and model responses. │ │ In addition to the above policies, you can also configure the messages to be returned to the user if a user input or model response is in violation of the policies defined in the guardrail. │ │ For more information, see [Amazon Bedrock Guardrails](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html) in the *Amazon Bedrock User Guide* . │ │ + documentation: Creates a guardrail to detect and filter harmful content in your generative AI application. │ │ Amazon Bedrock Guardrails provides the following safeguards (also known as policies) to detect and filter harmful content: │ │ - *Content filters* - Detect and filter harmful text or image content in input prompts or model responses. 
Filtering is done based on detection of certain predefined harmful content categories: Hate, Insults, Sexual, Violence, Misconduct and Prompt Attack. You also can adjust the filter strength for each of these categories. │ │ - *Denied topics* - Define a set of topics that are undesirable in the context of your application. The filter will help block them if detected in user queries or model responses. │ │ - *Word filters* - Configure filters to help block undesirable words, phrases, and profanity (exact match). Such words can include offensive terms, competitor names, etc. │ │ - *Sensitive information filters* - Configure filters to help block or mask sensitive information, such as personally identifiable information (PII), or custom regex in user inputs and model responses. Blocking or masking is done based on probabilistic detection of sensitive information in standard formats in entities such as SSN number, Date of Birth, address, etc. This also allows configuring regular expression based detection of patterns for identifiers. │ │ - *Contextual grounding check* - Help detect and filter hallucinations in model responses based on grounding in a source and relevance to the user query. │ │ For more information, see [How Amazon Bedrock Guardrails works](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-how.html) . │ ├ properties │ │ └[+] CrossRegionConfig: GuardrailCrossRegionConfig │ └ types │ └[+] type GuardrailCrossRegionConfig │ ├ documentation: The system-defined guardrail profile that you're using with your guardrail. Guardrail profiles define the destination AWS Regions where guardrail inference requests can be automatically routed. Using guardrail profiles helps maintain guardrail performance and reliability when demand increases. │ │ For more information, see the [Amazon Bedrock User Guide](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-cross-region.html) . 
│ │ name: GuardrailCrossRegionConfig │ └ properties │ └ GuardrailProfileArn: string (required) ├[~] service aws-cloudformation │ └ resources │ ├[~] resource AWS::CloudFormation::GuardHook │ │ └ types │ │ └[~] type S3Location │ │ └ properties │ │ └ Uri: (documentation changed) │ ├[~] resource AWS::CloudFormation::HookVersion │ │ └ properties │ │ └ SchemaHandlerPackage: (documentation changed) │ ├[~] resource AWS::CloudFormation::ModuleVersion │ │ └ properties │ │ └ ModulePackage: (documentation changed) │ ├[~] resource AWS::CloudFormation::ResourceVersion │ │ └ properties │ │ └ SchemaHandlerPackage: (documentation changed) │ ├[~] resource AWS::CloudFormation::Stack │ │ └ properties │ │ └ TemplateURL: (documentation changed) │ ├[~] resource AWS::CloudFormation::StackSet │ │ └ properties │ │ ├ TemplateBody: (documentation changed) │ │ └ TemplateURL: (documentation changed) │ └[~] resource AWS::CloudFormation::WaitCondition │ └ properties │ └ Handle: (documentation changed) ├[~] service aws-cloudfront │ └ resources │ ├[~] resource AWS::CloudFront::Distribution │ │ └ types │ │ ├[~] type CustomOriginConfig │ │ │ └ properties │ │ │ ├ OriginKeepaliveTimeout: (documentation changed) │ │ │ ├ OriginReadTimeout: (documentation changed) │ │ │ └ OriginSSLProtocols: (documentation changed) │ │ ├[~] type Origin │ │ │ └ properties │ │ │ └[+] ResponseCompletionTimeout: integer │ │ ├[~] type S3OriginConfig │ │ │ └ properties │ │ │ └[+] OriginReadTimeout: integer (default=30) │ │ └[~] type VpcOriginConfig │ │ └ properties │ │ ├ OriginKeepaliveTimeout: (documentation changed) │ │ └ OriginReadTimeout: (documentation changed) │ └[~] resource AWS::CloudFront::VpcOrigin │ └ types │ └[~] type VpcOriginEndpointConfig │ └ properties │ └ OriginSSLProtocols: (documentation changed) ├[~] service aws-connectcampaignsv2 │ └ resources │ └[~] resource AWS::ConnectCampaignsV2::Campaign │ └ types │ └[~] type CommunicationLimitsConfig │ └ properties │ └[+] InstanceLimitsHandling: string ├[~] service 
aws-datazone │ └ resources │ └[~] resource AWS::DataZone::ProjectProfile │ └ types │ └[~] type EnvironmentConfigurationParametersDetails │ └ properties │ └[+] SsmPath: string ├[~] service aws-deadline │ └ resources │ └[~] resource AWS::Deadline::Fleet │ └ types │ └[~] type AcceleratorSelection │ └ properties │ └ Runtime: (documentation changed) ├[~] service aws-dsql │ └ resources │ └[~] resource AWS::DSQL::Cluster │ ├ properties │ │ └[+] KmsEncryptionKey: string │ ├ attributes │ │ └[+] EncryptionDetails: EncryptionDetails │ └ types │ └[+] type EncryptionDetails │ ├ documentation: Configuration details about encryption for the cluster including the AWS KMS key ARN, encryption type, and encryption status. │ │ name: EncryptionDetails │ └ properties │ ├ EncryptionStatus: string │ ├ EncryptionType: string │ └ KmsKeyArn: string ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::NetworkInterfacePermission │ │ └ - documentation: Specifies a permission for an Amazon EC2 network interface. For example, you can grant an AWS authorized partner account permission to attach the specified network interface to an instance in their account. │ │ + documentation: Specifies a permission for the network interface, For example, you can grant an AWS -authorized account permission to attach the network interface to an instance in their account. 
│ └[~] resource AWS::EC2::TrafficMirrorFilterRule │ └ attributes │ └[+] TrafficMirrorFilterRuleId: string ├[~] service aws-ecs │ └ resources │ ├[~] resource AWS::ECS::Service │ │ └ types │ │ └[~] type LogConfiguration │ │ └ properties │ │ └ Options: (documentation changed) │ └[~] resource AWS::ECS::TaskDefinition │ ├ properties │ │ └ InferenceAccelerators: - Array<InferenceAccelerator> (immutable) │ │ + Array<InferenceAccelerator> (deprecated=WARN, immutable) │ └ types │ ├[~] type ContainerDefinition │ │ └ properties │ │ └ Image: (documentation changed) │ └[~] type LogConfiguration │ └ properties │ └ Options: (documentation changed) ├[~] service aws-elasticloadbalancingv2 │ └ resources │ └[~] resource AWS::ElasticLoadBalancingV2::Listener │ └ properties │ └ Certificates: (documentation changed) ├[~] service aws-emrserverless │ └ resources │ └[~] resource AWS::EMRServerless::Application │ ├ properties │ │ └[+] IdentityCenterConfiguration: IdentityCenterConfiguration │ └ types │ └[+] type IdentityCenterConfiguration │ ├ documentation: The IAM IdentityCenter configuration for trusted-identity-propagation on this application. Supported with release labels emr-7.8.0 and above. 
│ │ name: IdentityCenterConfiguration │ └ properties │ └ IdentityCenterInstanceArn: string ├[~] service aws-fsx │ └ resources │ └[+] resource AWS::FSx::S3AccessPointAttachment │ ├ name: S3AccessPointAttachment │ │ cloudFormationType: AWS::FSx::S3AccessPointAttachment │ │ documentation: Resource type definition for AWS::FSx::S3AccessPointAttachment │ ├ properties │ │ ├ Name: string (required, immutable) │ │ ├ Type: string (required, immutable) │ │ ├ OpenZFSConfiguration: S3AccessPointOpenZFSConfiguration (required, immutable) │ │ └ S3AccessPoint: S3AccessPoint (immutable) │ ├ attributes │ │ ├ S3AccessPoint.ResourceARN: string │ │ └ S3AccessPoint.Alias: string │ └ types │ ├ type FileSystemGID │ │ ├ name: FileSystemGID │ │ └ properties │ │ └ Gid: number (required) │ ├ type OpenZFSFileSystemIdentity │ │ ├ name: OpenZFSFileSystemIdentity │ │ └ properties │ │ ├ Type: string (required) │ │ └ PosixUser: OpenZFSPosixFileSystemUser (required) │ ├ type OpenZFSPosixFileSystemUser │ │ ├ name: OpenZFSPosixFileSystemUser │ │ └ properties │ │ ├ Uid: number (required) │ │ ├ Gid: number (required) │ │ └ SecondaryGids: Array<FileSystemGID> │ ├ type S3AccessPoint │ │ ├ name: S3AccessPoint │ │ └ properties │ │ ├ ResourceARN: string │ │ ├ Alias: string │ │ ├ VpcConfiguration: S3AccessPointVpcConfiguration │ │ └ Policy: json | string │ ├ type S3AccessPointOpenZFSConfiguration │ │ ├ name: S3AccessPointOpenZFSConfiguration │ │ └ properties │ │ ├ VolumeId: string (required) │ │ └ FileSystemIdentity: OpenZFSFileSystemIdentity (required) │ └ type S3AccessPointVpcConfiguration │ ├ name: S3AccessPointVpcConfiguration │ └ properties │ └ VpcId: string (required) ├[~] service aws-inspectorv2 │ └ resources │ └[~] resource AWS::InspectorV2::Filter │ └ properties │ └ Tags: (documentation changed) ├[~] service aws-kendra │ └ resources │ └[~] resource AWS::Kendra::DataSource │ └ types │ ├[~] type DataSourceConfiguration │ │ └ properties │ │ └ TemplateConfiguration: (documentation changed) │ └[~] type 
TemplateConfiguration │ ├ - documentation: undefined │ │ + documentation: Provides a template for the configuration information to connect to your data source. │ └ properties │ └ Template: - string (required) │ + json ⇐ string (required) │ (documentation changed) ├[~] service aws-lambda │ └ resources │ └[~] resource AWS::Lambda::EventSourceMapping │ └ types │ ├[~] type AmazonManagedKafkaEventSourceConfig │ │ └ properties │ │ └ SchemaRegistryConfig: (documentation changed) │ ├[~] type SchemaRegistryAccessConfig │ │ ├ - documentation: undefined │ │ │ + documentation: Specific access configuration settings that tell Lambda how to authenticate with your schema registry. │ │ │ If you're working with an AWS Glue schema registry, don't provide authentication details in this object. Instead, ensure that your execution role has the required permissions for Lambda to access your cluster. │ │ │ If you're working with a Confluent schema registry, choose the authentication method in the `Type` field, and provide the AWS Secrets Manager secret ARN in the `URI` field. │ │ └ properties │ │ ├ Type: (documentation changed) │ │ └ URI: (documentation changed) │ ├[~] type SchemaRegistryConfig │ │ ├ - documentation: undefined │ │ │ + documentation: Specific configuration settings for a Kafka schema registry. │ │ └ properties │ │ ├ AccessConfigs: (documentation changed) │ │ ├ EventRecordFormat: (documentation changed) │ │ ├ SchemaRegistryURI: (documentation changed) │ │ └ SchemaValidationConfigs: (documentation changed) │ ├[~] type SchemaValidationConfig │ │ ├ - documentation: undefined │ │ │ + documentation: Specific schema validation configuration settings that tell Lambda the message attributes you want to validate and filter using your schema registry. 
│ │ └ properties │ │ └ Attribute: (documentation changed) │ └[~] type SelfManagedKafkaEventSourceConfig │ └ properties │ └ SchemaRegistryConfig: (documentation changed) ├[~] service aws-lex │ └ resources │ └[~] resource AWS::Lex::Bot │ └ types │ ├[~] type BotLocale │ │ └ properties │ │ └[+] GenerativeAISettings: GenerativeAISettings │ ├[+] type BuildtimeSettings │ │ ├ name: BuildtimeSettings │ │ └ properties │ │ ├ DescriptiveBotBuilderSpecification: DescriptiveBotBuilderSpecification │ │ └ SampleUtteranceGenerationSpecification: SampleUtteranceGenerationSpecification │ ├[+] type DescriptiveBotBuilderSpecification │ │ ├ name: DescriptiveBotBuilderSpecification │ │ └ properties │ │ ├ Enabled: boolean (required) │ │ └ BedrockModelSpecification: BedrockModelSpecification │ ├[+] type GenerativeAISettings │ │ ├ name: GenerativeAISettings │ │ └ properties │ │ ├ BuildtimeSettings: BuildtimeSettings │ │ └ RuntimeSettings: RuntimeSettings │ ├[+] type NluImprovementSpecification │ │ ├ name: NluImprovementSpecification │ │ └ properties │ │ └ Enabled: boolean (required) │ ├[+] type RuntimeSettings │ │ ├ name: RuntimeSettings │ │ └ properties │ │ ├ NluImprovementSpecification: NluImprovementSpecification │ │ └ SlotResolutionImprovementSpecification: SlotResolutionImprovementSpecification │ ├[+] type SampleUtteranceGenerationSpecification │ │ ├ name: SampleUtteranceGenerationSpecification │ │ └ properties │ │ ├ Enabled: boolean (required) │ │ └ BedrockModelSpecification: BedrockModelSpecification │ └[+] type SlotResolutionImprovementSpecification │ ├ name: SlotResolutionImprovementSpecification │ └ properties │ ├ Enabled: boolean (required) │ └ BedrockModelSpecification: BedrockModelSpecification ├[~] service aws-logs │ └ resources │ └[~] resource AWS::Logs::Transformer │ └ types │ ├[+] type ParseToOCSF │ │ ├ documentation: This processor converts logs into [Open Cybersecurity Schema Framework (OCSF)](https://docs.aws.amazon.com/https://ocsf.io) events. 
│ │ │ For more information about this processor including examples, see [parseToOSCF](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-parseToOCSF) in the *CloudWatch Logs User Guide* . │ │ │ name: ParseToOCSF │ │ └ properties │ │ ├ Source: string │ │ ├ EventSource: string (required) │ │ └ OcsfVersion: string (required) │ └[~] type Processor │ └ properties │ └[+] ParseToOCSF: ParseToOCSF ├[~] service aws-mediatailor │ └ resources │ └[~] resource AWS::MediaTailor::PlaybackConfiguration │ └ properties │ └[+] InsertionMode: string ├[~] service aws-mpa │ └ resources │ ├[~] resource AWS::MPA::ApprovalTeam │ │ ├ - documentation: Resource Type definition for AWS::MPA::ApprovalTeam. │ │ │ + documentation: Creates a new approval team. For more information, see [Approval team](https://docs.aws.amazon.com/mpa/latest/userguide/mpa-concepts.html) in the *Multi-party approval User Guide* . │ │ ├ properties │ │ │ ├ ApprovalStrategy: (documentation changed) │ │ │ ├ Approvers: (documentation changed) │ │ │ ├ Description: (documentation changed) │ │ │ ├ Name: (documentation changed) │ │ │ ├ Policies: (documentation changed) │ │ │ └ Tags: (documentation changed) │ │ ├ attributes │ │ │ ├ Arn: (documentation changed) │ │ │ ├ CreationTime: (documentation changed) │ │ │ ├ LastUpdateTime: (documentation changed) │ │ │ ├ NumberOfApprovers: (documentation changed) │ │ │ ├ Status: (documentation changed) │ │ │ ├ StatusCode: (documentation changed) │ │ │ ├ StatusMessage: (documentation changed) │ │ │ ├ UpdateSessionArn: (documentation changed) │ │ │ └ VersionId: (documentation changed) │ │ └ types │ │ ├[~] type ApprovalStrategy │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: Strategy for how an approval team grants approval. │ │ │ └ properties │ │ │ └ MofN: (documentation changed) │ │ ├[~] type Approver │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: Contains details for an approver. 
│ │ │ └ properties │ │ │ ├ ApproverId: (documentation changed) │ │ │ ├ PrimaryIdentityId: (documentation changed) │ │ │ ├ PrimaryIdentitySourceArn: (documentation changed) │ │ │ ├ PrimaryIdentityStatus: (documentation changed) │ │ │ └ ResponseTime: (documentation changed) │ │ ├[~] type MofNApprovalStrategy │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: Strategy for how an approval team grants approval. │ │ │ └ properties │ │ │ └ MinApprovalsRequired: (documentation changed) │ │ └[~] type Policy │ │ └ - documentation: undefined │ │ + documentation: Contains details for a policy. Policies define what operations a team that define the permissions for team resources. │ └[~] resource AWS::MPA::IdentitySource │ ├ - documentation: Resource Type definition for AWS::MPA::IdentitySource. │ │ + documentation: Creates a new identity source. For more information, see [Identity Source](https://docs.aws.amazon.com/mpa/latest/userguide/mpa-concepts.html) in the *Multi-party approval User Guide* . │ ├ properties │ │ ├ IdentitySourceParameters: (documentation changed) │ │ └ Tags: (documentation changed) │ ├ attributes │ │ ├ CreationTime: (documentation changed) │ │ ├ IdentitySourceArn: (documentation changed) │ │ ├ IdentitySourceParameters.IamIdentityCenter.ApprovalPortalUrl: (documentation changed) │ │ ├ IdentitySourceType: (documentation changed) │ │ ├ Status: (documentation changed) │ │ ├ StatusCode: (documentation changed) │ │ └ StatusMessage: (documentation changed) │ └ types │ ├[~] type IamIdentityCenter │ │ ├ - documentation: undefined │ │ │ + documentation: AWS IAM Identity Center credentials. For more information see, [AWS IAM Identity Center](https://docs.aws.amazon.com/identity-center/) . 
│ │ └ properties │ │ ├ ApprovalPortalUrl: (documentation changed) │ │ ├ InstanceArn: (documentation changed) │ │ └ Region: (documentation changed) │ └[~] type IdentitySourceParameters │ ├ - documentation: undefined │ │ + documentation: Contains details for the resource that provides identities to the identity source. For example, an IAM Identity Center instance. │ └ properties │ └ IamIdentityCenter: (documentation changed) ├[~] service aws-networkmanager │ └ resources │ └[~] resource AWS::NetworkManager::VpcAttachment │ └ types │ └[~] type VpcOptions │ └ properties │ ├[+] DnsSupport: boolean (default=true) │ └[+] SecurityGroupReferencingSupport: boolean (default=true) ├[~] service aws-redshiftserverless │ └ resources │ └[+] resource AWS::RedshiftServerless::Snapshot │ ├ name: Snapshot │ │ cloudFormationType: AWS::RedshiftServerless::Snapshot │ │ documentation: Resource Type definition for AWS::RedshiftServerless::Snapshot Resource Type. │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ ├ properties │ │ ├ SnapshotName: string (required, immutable) │ │ ├ NamespaceName: string (immutable) │ │ ├ RetentionPeriod: integer │ │ └ Tags: Array<tag> (immutable) │ ├ attributes │ │ ├ Snapshot: Snapshot │ │ ├ OwnerAccount: string │ │ ├ Snapshot.SnapshotName: string │ │ ├ Snapshot.NamespaceName: string │ │ ├ Snapshot.NamespaceArn: string │ │ ├ Snapshot.SnapshotArn: string │ │ ├ Snapshot.SnapshotCreateTime: string │ │ ├ Snapshot.Status: string │ │ ├ Snapshot.AdminUsername: string │ │ ├ Snapshot.KmsKeyId: string │ │ ├ Snapshot.OwnerAccount: string │ │ └ Snapshot.RetentionPeriod: integer │ └ types │ └ type Snapshot │ ├ name: Snapshot │ └ properties │ ├ NamespaceArn: string │ ├ NamespaceName: string │ ├ SnapshotName: string │ ├ SnapshotCreateTime: string │ ├ Status: string │ ├ AdminUsername: string │ ├ KmsKeyId: string │ ├ OwnerAccount: string │ ├ RetentionPeriod: integer │ └ SnapshotArn: string ├[~] service aws-route53resolver │ └ resources │ ├[~] resource 
AWS::Route53Resolver::ResolverEndpoint │ │ └ properties │ │ ├ Direction: (documentation changed) │ │ └ Protocols: (documentation changed) │ └[~] resource AWS::Route53Resolver::ResolverRule │ ├ properties │ │ ├[+] DelegationRecord: string │ │ └ RuleType: (documentation changed) │ └ attributes │ └ TargetIps: (documentation changed) ├[~] service aws-s3 │ └ resources │ └[~] resource AWS::S3::Bucket │ └ types │ └[~] type ReplicationDestination │ └ properties │ └ StorageClass: (documentation changed) ├[~] service aws-s3tables │ └ resources │ └[+] resource AWS::S3Tables::Namespace │ ├ name: Namespace │ │ cloudFormationType: AWS::S3Tables::Namespace │ │ documentation: Creates a namespace. A namespace is a logical grouping of tables within your table bucket, which you can use to organize tables. For more information, see [Create a namespace](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-namespace-create.html) in the *Amazon Simple Storage Service User Guide* . │ │ - **Permissions** - You must have the `s3tables:CreateNamespace` permission to use this operation. │ └ properties │ ├ TableBucketARN: string (required, immutable) │ └ Namespace: string (required, immutable) ├[~] service aws-securityhub │ └ resources │ ├[~] resource AWS::SecurityHub::AggregatorV2 │ │ ├ - documentation: The AWS::SecurityHub::AggregatorV2 resource represents the AWS Security Hub AggregatorV2 in your account. One aggregatorv2 resource is created for each account in non opt-in region in which you configure region linking mode. │ │ │ + documentation: Enables aggregation across AWS Regions . This API is in private preview and subject to change. 
│ │ ├ properties │ │ │ ├ LinkedRegions: (documentation changed) │ │ │ ├ RegionLinkingMode: (documentation changed) │ │ │ └ Tags: (documentation changed) │ │ └ attributes │ │ ├ AggregationRegion: (documentation changed) │ │ └ AggregatorV2Arn: (documentation changed) │ ├[~] resource AWS::SecurityHub::AutomationRuleV2 │ │ ├ - documentation: Resource schema for AWS::SecurityHub::AutomationRuleV2 │ │ │ + documentation: Creates a V2 automation rule. This API is in private preview and subject to change. │ │ ├ properties │ │ │ ├ Actions: (documentation changed) │ │ │ ├ Criteria: (documentation changed) │ │ │ ├ Description: (documentation changed) │ │ │ ├ RuleName: (documentation changed) │ │ │ ├ RuleOrder: (documentation changed) │ │ │ ├ RuleStatus: (documentation changed) │ │ │ └ Tags: (documentation changed) │ │ ├ attributes │ │ │ ├ CreatedAt: (documentation changed) │ │ │ ├ RuleArn: (documentation changed) │ │ │ ├ RuleId: (documentation changed) │ │ │ └ UpdatedAt: (documentation changed) │ │ └ types │ │ ├[~] type AutomationRulesActionV2 │ │ │ ├ - documentation: Allows you to configure automated responses │ │ │ │ + documentation: Allows you to configure automated responses. │ │ │ └ properties │ │ │ ├ ExternalIntegrationConfiguration: (documentation changed) │ │ │ ├ FindingFieldsUpdate: (documentation changed) │ │ │ └ Type: (documentation changed) │ │ ├[~] type AutomationRulesFindingFieldsUpdateV2 │ │ │ ├ - documentation: The changes to be applied to fields in a security finding when an automation rule is triggered │ │ │ │ + documentation: Allows you to define the structure for modifying specific fields in security findings. │ │ │ └ properties │ │ │ ├ Comment: (documentation changed) │ │ │ ├ SeverityId: (documentation changed) │ │ │ └ StatusId: (documentation changed) │ │ ├[~] type BooleanFilter │ │ │ ├ - documentation: Boolean filter for querying findings │ │ │ │ + documentation: Boolean filter for querying findings. 
│ │ │ └ properties │ │ │ └ Value: (documentation changed) │ │ ├[~] type CompositeFilter │ │ │ ├ - documentation: Enables the creation of filtering criteria for security findings │ │ │ │ + documentation: Enables the creation of filtering criteria for security findings. │ │ │ └ properties │ │ │ ├ BooleanFilters: (documentation changed) │ │ │ ├ DateFilters: (documentation changed) │ │ │ ├ MapFilters: (documentation changed) │ │ │ ├ NumberFilters: (documentation changed) │ │ │ ├ Operator: (documentation changed) │ │ │ └ StringFilters: (documentation changed) │ │ ├[~] type Criteria │ │ │ ├ - documentation: Defines the parameters and conditions used to evaluate and filter security findings │ │ │ │ + documentation: The filtering type and configuration of the automation rule. │ │ │ └ properties │ │ │ └ OcsfFindingCriteria: (documentation changed) │ │ ├[~] type DateFilter │ │ │ ├ - documentation: A date filter for querying findings │ │ │ │ + documentation: A date filter for querying findings. │ │ │ └ properties │ │ │ ├ DateRange: (documentation changed) │ │ │ ├ End: (documentation changed) │ │ │ └ Start: (documentation changed) │ │ ├[~] type DateRange │ │ │ ├ - documentation: A date range for the date filter │ │ │ │ + documentation: A date range for the date filter. │ │ │ └ properties │ │ │ ├ Unit: (documentation changed) │ │ │ └ Value: (documentation changed) │ │ ├[~] type ExternalIntegrationConfiguration │ │ │ ├ - documentation: The settings for integrating automation rule actions with external systems or service │ │ │ │ + documentation: The settings for integrating automation rule actions with external systems or service. │ │ │ └ properties │ │ │ └ ConnectorArn: (documentation changed) │ │ ├[~] type MapFilter │ │ │ ├ - documentation: A map filter for filtering findings │ │ │ │ + documentation: A map filter for filtering AWS Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator. 
│ │ │ └ properties │ │ │ ├ Comparison: (documentation changed) │ │ │ ├ Key: (documentation changed) │ │ │ └ Value: (documentation changed) │ │ ├[~] type NumberFilter │ │ │ ├ - documentation: A number filter for querying findings │ │ │ │ + documentation: A number filter for querying findings. │ │ │ └ properties │ │ │ ├ Eq: (documentation changed) │ │ │ ├ Gte: (documentation changed) │ │ │ └ Lte: (documentation changed) │ │ ├[~] type OcsfBooleanFilter │ │ │ ├ - documentation: Enables filtering of security findings based on boolean field values in OCSF │ │ │ │ + documentation: Enables filtering of security findings based on boolean field values in OCSF. │ │ │ └ properties │ │ │ ├ FieldName: (documentation changed) │ │ │ └ Filter: (documentation changed) │ │ ├[~] type OcsfDateFilter │ │ │ ├ - documentation: Enables filtering of security findings based on date and timestamp fields in OCSF │ │ │ │ + documentation: Enables filtering of security findings based on date and timestamp fields in OCSF. │ │ │ └ properties │ │ │ ├ FieldName: (documentation changed) │ │ │ └ Filter: (documentation changed) │ │ ├[~] type OcsfFindingFilters │ │ │ ├ - documentation: The filtering conditions that align with OCSF standards │ │ │ │ + documentation: Specifies the filtering criteria for security findings using OCSF. │ │ │ └ properties │ │ │ ├ CompositeFilters: (documentation changed) │ │ │ └ CompositeOperator: (documentation changed) │ │ ├[~] type OcsfMapFilter │ │ │ ├ - documentation: Enables filtering of security findings based on map field values in OCSF │ │ │ │ + documentation: Enables filtering of security findings based on map field values in OCSF. │ │ │ └ properties │ │ │ ├ FieldName: (documentation changed) │ │ │ └ Filter: (documentation changed) │ │ ├[~] type OcsfNumberFilter │ │ │ ├ - documentation: Enables filtering of security findings based on numerical field values in OCSF │ │ │ │ + documentation: Enables filtering of security findings based on numerical field values in OCSF. 
│ │ │ └ properties │ │ │ ├ FieldName: (documentation changed) │ │ │ └ Filter: (documentation changed) │ │ ├[~] type OcsfStringFilter │ │ │ ├ - documentation: Enables filtering of security findings based on string field values in OCSF │ │ │ │ + documentation: Enables filtering of security findings based on string field values in OCSF. │ │ │ └ properties │ │ │ ├ FieldName: (documentation changed) │ │ │ └ Filter: (documentation changed) │ │ └[~] type StringFilter │ │ ├ - documentation: A string filter for filtering findings │ │ │ + documentation: A string filter for filtering AWS Security Hub findings. │ │ └ properties │ │ ├ Comparison: (documentation changed) │ │ └ Value: (documentation changed) │ └[+] resource AWS::SecurityHub::HubV2 │ ├ name: HubV2 │ │ cloudFormationType: AWS::SecurityHub::HubV2 │ │ documentation: Returns details about the service resource in your account. This API is in private preview and subject to change. │ │ tagInformation: {"tagPropertyName":"Tags","variant":"map"} │ ├ properties │ │ └ Tags: Map<string, string> │ └ attributes │ ├ HubV2Arn: string │ └ SubscribedAt: string ├[~] service aws-synthetics │ └ resources │ └[~] resource AWS::Synthetics::Canary │ └ types │ └[~] type RunConfig │ └ properties │ └ EphemeralStorage: (documentation changed) ├[~] service aws-vpclattice │ └ resources │ └[~] resource AWS::VpcLattice::Service │ └ properties │ └ DnsEntry: (documentation changed) └[+] service aws-workspacesinstances ├ capitalized: WorkspacesInstances │ cloudFormationNamespace: AWS::WorkspacesInstances │ name: aws-workspacesinstances │ shortName: workspacesinstances └ resources ├ resource AWS::WorkspacesInstances::Volume │ ├ name: Volume │ │ cloudFormationType: AWS::WorkspacesInstances::Volume │ │ documentation: Resource Type definition for AWS::WorkspacesInstances::Volume - Manages WorkSpaces Volume resources │ ├ properties │ │ ├ AvailabilityZone: string (required, immutable) │ │ ├ Encrypted: boolean (immutable) │ │ ├ Iops: integer (immutable) │ 
│ ├ KmsKeyId: string (immutable) │ │ ├ SizeInGB: integer (immutable) │ │ ├ SnapshotId: string (immutable) │ │ ├ Throughput: integer (immutable) │ │ ├ VolumeType: string (immutable) │ │ └ TagSpecifications: Array<TagSpecification> (immutable) │ ├ attributes │ │ └ VolumeId: string │ └ types │ └ type TagSpecification │ ├ name: TagSpecification │ └ properties │ ├ ResourceType: string │ └ Tags: Array<tag> ├ resource AWS::WorkspacesInstances::VolumeAssociation │ ├ name: VolumeAssociation │ │ cloudFormationType: AWS::WorkspacesInstances::VolumeAssociation │ │ documentation: Resource Type definition for AWS::WorkspacesInstances::VolumeAssociation │ └ properties │ ├ WorkspaceInstanceId: string (required, immutable) │ ├ VolumeId: string (required, immutable) │ ├ Device: string (required, immutable) │ └ DisassociateMode: string └ resource AWS::WorkspacesInstances::WorkspaceInstance ├ name: WorkspaceInstance │ cloudFormationType: AWS::WorkspacesInstances::WorkspaceInstance │ documentation: Resource Type definition for AWS::WorkspacesInstances::WorkspaceInstance │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} ├ properties │ ├ ManagedInstance: ManagedInstance (immutable) │ └ Tags: Array<tag> ├ attributes │ ├ WorkspaceInstanceId: string │ ├ ProvisionState: string │ ├ EC2ManagedInstance: EC2ManagedInstance │ └ EC2ManagedInstance.InstanceId: string └ types ├ type BlockDeviceMapping │ ├ name: BlockDeviceMapping │ └ properties │ ├ DeviceName: string │ ├ Ebs: EbsBlockDevice │ ├ NoDevice: string │ └ VirtualName: string ├ type CpuOptionsRequest │ ├ name: CpuOptionsRequest │ └ properties │ ├ CoreCount: integer │ └ ThreadsPerCore: integer ├ type CreditSpecificationRequest │ ├ name: CreditSpecificationRequest │ └ properties │ └ CpuCredits: string ├ type EbsBlockDevice │ ├ name: EbsBlockDevice │ └ properties │ ├ VolumeType: string │ ├ Encrypted: boolean │ ├ KmsKeyId: string │ ├ Iops: integer │ ├ Throughput: integer │ └ VolumeSize: integer ├ type EC2ManagedInstance │ ├ 
name: EC2ManagedInstance │ └ properties │ └ InstanceId: string ├ type EnclaveOptionsRequest │ ├ name: EnclaveOptionsRequest │ └ properties │ └ Enabled: boolean ├ type HibernationOptionsRequest │ ├ name: HibernationOptionsRequest │ └ properties │ └ Configured: boolean ├ type IamInstanceProfileSpecification │ ├ name: IamInstanceProfileSpecification │ └ properties │ └ Name: string ├ type InstanceMaintenanceOptionsRequest │ ├ name: InstanceMaintenanceOptionsRequest │ └ properties │ └ AutoRecovery: string ├ type InstanceMetadataOptionsRequest │ ├ name: InstanceMetadataOptionsRequest │ └ properties │ ├ HttpEndpoint: string │ ├ HttpProtocolIpv6: string │ ├ HttpPutResponseHopLimit: integer │ ├ HttpTokens: string │ └ InstanceMetadataTags: string ├ type InstanceNetworkInterfaceSpecification │ ├ name: InstanceNetworkInterfaceSpecification │ └ properties │ ├ Description: string │ ├ DeviceIndex: integer │ ├ Groups: Array<string> │ └ SubnetId: string ├ type InstanceNetworkPerformanceOptionsRequest │ ├ name: InstanceNetworkPerformanceOptionsRequest │ └ properties │ └ BandwidthWeighting: string ├ type ManagedInstance │ ├ name: ManagedInstance │ └ properties │ ├ BlockDeviceMappings: Array<BlockDeviceMapping> │ ├ CpuOptions: CpuOptionsRequest │ ├ CreditSpecification: CreditSpecificationRequest │ ├ DisableApiStop: boolean │ ├ EbsOptimized: boolean │ ├ EnclaveOptions: EnclaveOptionsRequest │ ├ HibernationOptions: HibernationOptionsRequest │ ├ IamInstanceProfile: IamInstanceProfileSpecification │ ├ ImageId: string (required) │ ├ InstanceType: string (required) │ ├ KeyName: string │ ├ MaintenanceOptions: InstanceMaintenanceOptionsRequest │ ├ MetadataOptions: InstanceMetadataOptionsRequest │ ├ Monitoring: RunInstancesMonitoringEnabled │ ├ NetworkInterfaces: Array<InstanceNetworkInterfaceSpecification> │ ├ NetworkPerformanceOptions: InstanceNetworkPerformanceOptionsRequest │ ├ Placement: Placement │ ├ PrivateDnsNameOptions: PrivateDnsNameOptionsRequest │ ├ TagSpecifications: 
Array<TagSpecification> │ └ UserData: string ├ type Placement │ ├ name: Placement │ └ properties │ ├ AvailabilityZone: string │ ├ GroupName: string │ └ Tenancy: string ├ type PrivateDnsNameOptionsRequest │ ├ name: PrivateDnsNameOptionsRequest │ └ properties │ ├ HostnameType: string │ ├ EnableResourceNameDnsARecord: boolean │ └ EnableResourceNameDnsAAAARecord: boolean ├ type RunInstancesMonitoringEnabled │ ├ name: RunInstancesMonitoringEnabled │ └ properties │ └ Enabled: boolean └ type TagSpecification ├ name: TagSpecification └ properties ├ ResourceType: string └ Tags: Array<tag> ``` BREAKING CHANGE: Some L1 resources experienced breaking changes due to updated CloudFormation resources. Please check the notes for each specific module for more information. - ***aws-cdk-lib.aws_kendra.CfnDataSource.TemplateConfigurationProperty***: `template` property here has changed from `string` to `json`
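Review bot: In the new `ParseToOCSF` type under aws-logs, the documentation string carries a malformed link target, `https://docs.aws.amazon.com/https://ocsf.io`, and the link text `parseToOSCF` misspells the processor name that the type itself spells `ParseToOCSF`. These strings end up in the L1 docs, so the link should point at `https://ocsf.io` and the text should read `parseToOCSF`. Separately, `AWS::NetworkManager::VpcAttachment` `VpcOptions` gains `DnsSupport` and `SecurityGroupReferencingSupport`, both listed with `default=true`. The BREAKING CHANGE note covers only the Kendra `Template` change from `string` to `json`, so a line in the release notes pointing out the two new default-on attachment options would let users review them when upgrading.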
### Reason for this change > ECR Public repo allows 1 request/second for un-authenticated pulls and 10 request/second for authenticated pulls. We try to avoid making requests to any repos by caching the used image as much as possible. We do this on builds on main as a baseline and restore the cache on PRs. This assumes that most PRs won't add new images and adding new images is rare enough. ### Description of changes Add a cache for docker images. ### Describe any new or updated permissions being added None. ### Description of how you validated changes Run the commands manually. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change Pushing a new commit should cancel any in progress PR builds. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Update codecov upload workflow to upload artifacts from proper paths present in https://github.com/aws/aws-cdk/blob/main/codecov.yml#L35 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ts to support cross account visibility (#34793)

### Issue # (if applicable)
Closes #26105

### Reason for this change
CloudWatch supports cross-account visibility for dashboards, allowing users to view metrics and logs from multiple AWS accounts in a single dashboard. However, the CDK CloudWatch construct library was missing the ability to specify the account ID for widgets, preventing users from creating cross-account dashboards using CDK.

### Description of changes
I've added an optional accountId property to the following interfaces and classes:
• MetricWidgetProps interface in graph.ts (base interface for metric widgets)
• LogQueryWidgetProps interface in log-query.ts

This property is then passed through to the CloudWatch dashboard JSON for each widget type:
• AlarmWidget
• GraphWidget
• SingleValueWidget
• GaugeWidget
• TableWidget
• LogQueryWidget

I've also:
• Added comprehensive JSDoc documentation explaining the cross-account functionality
• Updated the README.md with a new section on cross-account visibility
• Updated unit tests to verify the accountId is properly included in the widget JSON
• Updated integration tests to demonstrate the feature

Design decisions:
• Made accountId optional to maintain backward compatibility
• Added the property to the base interfaces to ensure consistent implementation across widget types
• Provided clear documentation on prerequisites for cross-account functionality

### Describe any new or updated permissions being added
No new IAM permissions are added by this change in the CDK code itself. However, users implementing cross-account CloudWatch dashboards will need to configure appropriate permissions between their accounts:
1. The monitoring account must be set up as a monitoring account in CloudWatch settings
2. The source account must grant permissions to the monitoring account using CloudWatch resource policies
3. Appropriate IAM roles and policies must be configured as described in the AWS documentation

### Description of how you validated changes
• Added unit tests for all widget types to verify the accountId property is correctly passed to the CloudWatch dashboard JSON
• Updated integration tests to include accountId in various widget configurations

### Checklist
• [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
Automated changes by [create-pull-request](https://github.com/peter-evans/create-pull-request) GitHub action
### Issue # (if applicable) N/A ### Reason for this change For the Feature Flag CLI tool feature. ### Description of changes Populated a Feature Flag report that had individual Feature Flag objects with the recommended value, user value, and description. Stored the report into the Cloud Assembly. ### Describe any new or updated permissions being added N/A ### Description of how you validated changes Added unit tests. ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #34492

### Reason for this change

Cluster has this param but Instance doesn't

### Description of changes

- Instance engine lifecycle support
- Move enum EngineLifecycleSupport to props as it is shared across cluster and instance

### Describe any new or updated permissions being added

### Description of how you validated changes

Unit + Integ

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…n Lambda responses (#34843)

### Issue # (if applicable)

Closes #34768

### Reason for this change

The handler in cross-region-aws-sdk-handler/index.ts file was not incorrectly returning byte-array as the payload when the called service was AWS Lambda. More details in the issue itself.

### Description of changes

The handler now checks the response to identify if it is a byte-array or other type of binary data and parses it correctly into a string, which is the expected format

### Describe any new or updated permissions being added

NA

### Description of how you validated changes

Integ test added and unit tests

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
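The kind of check the commit above describes, as an added example that is not the code in cross-region-aws-sdk-handler/index.ts: binary values in a response are decoded to UTF-8 text before serialization, because `JSON.stringify` turns a `Uint8Array` into an object of index/byte pairs. The function names and the sample response are constructed, and the base64 fallback for bytes that are not valid UTF-8 is an assumption of this example.

```javascript
// Added example: not the aws-cdk handler. Names and sample data are constructed.
const utf8 = new TextDecoder('utf-8', { fatal: true });

// True for Uint8Array/Buffer, other typed arrays, DataView and ArrayBuffer.
function isBinary(value) {
  return value instanceof ArrayBuffer || ArrayBuffer.isView(value);
}

// View any binary value as bytes without copying.
function toBytes(value) {
  if (value instanceof ArrayBuffer) return new Uint8Array(value);
  return new Uint8Array(value.buffer, value.byteOffset, value.byteLength);
}

// Recursively replace binary values with their UTF-8 text.
// Assumption of this example: bytes that are not valid UTF-8 become base64.
function decodeBinary(value) {
  if (isBinary(value)) {
    const bytes = toBytes(value);
    try {
      return utf8.decode(bytes);
    } catch {
      return Buffer.from(bytes).toString('base64');
    }
  }
  if (Array.isArray(value)) return value.map(decodeBinary);
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, decodeBinary(v)]));
  }
  return value;
}

// Constructed response shaped like a Lambda Invoke result with a byte payload.
const sampleResponse = {
  StatusCode: 200,
  Payload: new TextEncoder().encode('{"ok":true}'),
};

function naiveSerialize(response) { return JSON.stringify(response); }
function safeSerialize(response) { return JSON.stringify(decodeBinary(response)); }

console.log(naiveSerialize(sampleResponse)); // Payload is an index/byte map
console.log(safeSerialize(sampleResponse));  // Payload is the JSON text
```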
ozelalisen
approved these changes
Jul 1, 2025
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository
Comments on closed issues and PRs are hard for our team to see.
Labels
auto-approve
contribution/core
This is a PR that came from AWS.
p2
pr/no-squash
This PR should be merged instead of squash-merging it
See CHANGELOG