chore(ci): update code collect coverage runner configuration #34942
…ns are published separately (#34790)

### Issue

Closes #31070

### Reason for this change

Assets are missing to be published in CDK pipelines when stacks with different synthesizers are used for the same account and region. When assets have identical content hashes but need to be published to different destinations (different publishing role ARNs), they were being incorrectly grouped together, causing assets to only be published to one destination instead of all required destinations.

### Description of changes

• Modified publishAsset() method in packages/aws-cdk-lib/pipelines/lib/helpers-internal/pipeline-graph.ts
• Changed asset tracking key from using only stackAsset.assetId to a composite key: `${stackAsset.assetId}:${stackAsset.assetPublishingRoleArn || 'default'}`
• This ensures assets with the same content hash, but different destinations are treated as separate publishing jobs

### Describe any new or updated permissions being added

NA

### Description of how you validated changes

Checked with the code in #31070 and made sure there are 2 asset stages, locally ran the asset commands and verified that they are being deployed to right buckets:

```
muralikl@b0be83688a18 cdk.out % cdk-assets --path "assembly-pipeline-asset-stack-Staging/pipelineassetstackStagingdevlambdastackEC748226.assets.json" --verbose publish "a26bd817a0dac44954b5caf83f5880a96f831e43b56157224e073b49f236eb4e:current_account-us-east-1"
verbose: Loaded manifest from assembly-pipeline-asset-stack-Staging/pipelineassetstackStagingdevlambdastackEC748226.assets.json: 2 assets found
verbose: Applied selection: 1 assets selected.
info : [0%] start: Publishing LambdaFN/Code (current_account-us-east-1)
verbose: [0%] check: Check s3://cdk-dev-assets-123456789012-us-east-1/a26bd817a0dac44954b5caf83f5880a96f831e43b56157224e073b49f236eb4e.zip
verbose: [0%] build: Zip /Users/muralikl/Downloads/aws-cdk/packages/@aws-cdk-testing/framework-integ/cdk.out/asset.a26bd817a0dac44954b5caf83f5880a96f831e43b56157224e073b49f236eb4e -> assembly-pipeline-asset-stack-Staging/.cache/a26bd817a0dac44954b5caf83f5880a96f831e43b56157224e073b49f236eb4e.zip
verbose: [0%] upload: Upload s3://cdk-dev-assets-123456789012-us-east-1/a26bd817a0dac44954b5caf83f5880a96f831e43b56157224e073b49f236eb4e.zip
info : [100%] success: Published LambdaFN/Code (current_account-us-east-1)
muralikl@b0be83688a18 cdk.out % cdk-assets --path "assembly-pipeline-asset-stack-Production/pipelineassetstackProductionprdlambdastack4E5ABBC0.assets.json" --verbose publish "a26bd817a0dac44954b5caf83f5880a96f831e43b56157224e073b49f236eb4e:current_account-us-west-2"
verbose: Loaded manifest from assembly-pipeline-asset-stack-Production/pipelineassetstackProductionprdlambdastack4E5ABBC0.assets.json: 2 assets found
verbose: Applied selection: 1 assets selected.
info : [0%] start: Publishing LambdaFN/Code (current_account-us-west-2)
verbose: [0%] check: Check s3://cdk-hnb659fds-assets-123456789012-us-west-2/a26bd817a0dac44954b5caf83f5880a96f831e43b56157224e073b49f236eb4e.zip
verbose: [0%] build: Zip /Users/muralikl/Downloads/aws-cdk/packages/@aws-cdk-testing/framework-integ/cdk.out/asset.a26bd817a0dac44954b5caf83f5880a96f831e43b56157224e073b49f236eb4e -> assembly-pipeline-asset-stack-Production/.cache/a26bd817a0dac44954b5caf83f5880a96f831e43b56157224e073b49f236eb4e.zip
verbose: [0%] upload: Upload s3://cdk-hnb659fds-assets-123456789012-us-west-2/a26bd817a0dac44954b5caf83f5880a96f831e43b56157224e073b49f236eb4e.zip
info : [100%] success: Published LambdaFN/Code (current_account-us-west-2)
```

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
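
The effect of the key change described in the commit message above, as an added example that is not code from the pull request or from `pipeline-graph.ts`. It is a simplified model that assumes a publishing job runs under the role of the first asset that created it; only `assetId` and `assetPublishingRoleArn` are names from the commit message, and every other identifier and all sample values are constructed.

```typescript
// Added illustration: a simplified model, not the code in pipeline-graph.ts.
// Only assetId and assetPublishingRoleArn come from the commit message;
// all other identifiers and every sample value below are constructed.

interface StackAsset {
  assetId: string;                 // content hash of the asset
  assetSelector: string;           // "<hash>:<destination id>", as passed to cdk-assets publish
  assetPublishingRoleArn?: string; // role assumed to publish; differs per synthesizer
}

interface PublishJob {
  key: string;
  roleArn?: string;     // assumption: the job runs under the role of its first asset
  assets: StackAsset[]; // everything grouped under the same tracking key
}

type KeyFn = (a: StackAsset) => string;

// Tracking key before the change: content hash only.
const keyByAssetId: KeyFn = (a) => a.assetId;

// Composite key described in the commit message.
const keyByAssetIdAndRole: KeyFn = (a) =>
  `${a.assetId}:${a.assetPublishingRoleArn || 'default'}`;

// Group assets into publishing jobs using the given tracking key.
function planPublishJobs(assets: StackAsset[], keyFn: KeyFn): PublishJob[] {
  const jobs: { [key: string]: PublishJob } = Object.create(null);
  const order: string[] = [];
  for (const asset of assets) {
    const key = keyFn(asset);
    if (!jobs[key]) {
      jobs[key] = { key, roleArn: asset.assetPublishingRoleArn, assets: [] };
      order.push(key);
    }
    const job = jobs[key];
    // The same selector is only ever queued once per job.
    if (!job.assets.some((a) => a.assetSelector === asset.assetSelector)) {
      job.assets.push(asset);
    }
  }
  return order.map((k) => jobs[k]);
}

// Audit check: assets that landed in a job whose role is not the one they need.
function groupedUnderWrongRole(jobs: PublishJob[]): StackAsset[] {
  const out: StackAsset[] = [];
  for (const job of jobs) {
    for (const a of job.assets) {
      if (a.assetPublishingRoleArn !== job.roleArn) {
        out.push(a);
      }
    }
  }
  return out;
}

// Constructed sample: one content hash bound for two bootstrap qualifiers,
// plus an asset with no explicit publishing role (falls back to 'default').
const DEV_ROLE =
  'arn:aws:iam::123456789012:role/cdk-dev-file-publishing-role-123456789012-us-east-1';
const PRD_ROLE =
  'arn:aws:iam::123456789012:role/cdk-hnb659fds-file-publishing-role-123456789012-us-west-2';

const SAMPLE_ASSETS: StackAsset[] = [
  { assetId: 'hashA', assetSelector: 'hashA:current_account-us-east-1', assetPublishingRoleArn: DEV_ROLE },
  { assetId: 'hashA', assetSelector: 'hashA:current_account-us-west-2', assetPublishingRoleArn: PRD_ROLE },
  { assetId: 'hashB', assetSelector: 'hashB:current_account-us-east-1' },
];
```

Running `groupedUnderWrongRole` over a planned job list is a cheap regression check: any non-empty result means an asset would be published with credentials scoped to a different destination.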
### Issue # (if applicable)

None

### Reason for this change

L1 construct has `arnForPolicy` attribute but L2 construct does not support this.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-apidestination.html#aws-resource-events-apidestination-return-values#aws-resource-events-apidestination-return-values-fn--getatt

### Description of changes

- Add `apiDestinationArnForPolicy` to `ApiDestinationAttributes` and attribute of `IApiDestination`

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Add both unit and integ tests

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #23897.

### Reason for this change

The documentation for `RemovalPolicy.DESTROY` incorrectly states that it is the default removal policy, when in fact `RETAIN` is the actual default for most resources in the AWS CDK. This creates confusion for users who expect different behavior based on the documentation, potentially leading to unexpected costs or resource retention issues.

### Description of changes

Updated the JSDoc comment for `RemovalPolicy.DESTROY` in `removal-policy.ts` to remove the incorrect statement that it is the default removal policy. The comment now accurately describes that this policy will physically destroy resources when applied, without claiming it's the default behavior.

**Changes made:**

- Modified the JSDoc comment for `DESTROY` enum value to clarify it is not the default removal policy
- Ensured consistency with other CDK documentation that correctly states `RETAIN` is the default

**Alternatives considered:**

- Could have updated all related documentation simultaneously, but this focused change addresses the core issue in the source code
- Considered adding explicit mention of what the actual default is, but kept the change minimal to avoid over-documentation

**Design decisions:**

- Kept the change simple and focused on removing the incorrect information rather than adding extensive explanations
- Maintained consistency with existing comment style and format

### Describe any new or updated permissions being added

No new or updated IAM permissions are needed for this documentation change.

### Description of how you validated changes

- Verified the comment change accurately reflects the actual CDK behavior
- Confirmed the change aligns with existing CDK documentation that correctly states `RETAIN` is the default
- Reviewed related code in bucket.ts and other resources to ensure consistency
- Built and tested locally to ensure no compilation issues

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… about to merge (#34946)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #34894.

### Reason for this change

When createNewPoliciesWithAddToRolePolicy flag is false, addToRolePolicy() fails with CloudFormation intrinsic functions due to token resolution issues. More details in the issue itself.

### Description of changes

This fix detects complex tokens and forces separate inline policies to prevent the error while maintaining backward compatibility.

### Describe any new or updated permissions being added

No new permissions being added

### Description of how you validated changes

Tested the new changes in the broken cdk app that was able to reproduce the issue (used reproduction steps from the original issue). The app can be synth now, and deployed. Verifying the lambda role manually in the console also showed that a single role is preserved but the role policies are now split in 2: one from the string literal and one from the token. Both are correctly resolved.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…34830)

### Issue # (if applicable)

Closes #34811

Related: aws-cloudformation/cloudformation-coverage-roadmap#1101

### Reason for this change

Support for tag propagation to underlying resources (Lambda) for AWS Synthetics.

### Description of changes

Add support for `ResourcesToReplicateTags` property (like [CF](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-synthetics-canary.html))

### Describe any new or updated permissions being added

/

### Description of how you validated changes

- Added unit test
- Added integration test

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
**L1 CloudFormation resource definition changes:**
```
├[~] service aws-b2bi
│ └ resources
│ └[~] resource AWS::B2BI::Partnership
│ ├ properties
│ │ ├ Email: (documentation changed)
│ │ └ Phone: (documentation changed)
│ └ types
│ ├[~] type CapabilityOptions
│ │ └ properties
│ │ └ InboundEdi: (documentation changed)
│ ├[~] type InboundEdiOptions
│ │ ├ - documentation: undefined
│ │ │ + documentation: Contains options for processing inbound EDI files. These options allow for customizing how incoming EDI documents are processed.
│ │ └ properties
│ │ └ X12: (documentation changed)
│ ├[~] type X12InboundEdiOptions
│ │ ├ - documentation: undefined
│ │ │ + documentation: Contains options specific to processing inbound X12 EDI files.
│ │ └ properties
│ │ └ AcknowledgmentOptions: (documentation changed)
│ └[~] type X12OutboundEdiHeaders
│ └ properties
│ └ ControlNumbers: (documentation changed)
├[~] service aws-bedrock
│ └ resources
│ ├[~] resource AWS::Bedrock::DataSource
│ │ └ types
│ │ └[~] type S3DataSourceConfiguration
│ │ └ properties
│ │ └ InclusionPrefixes: (documentation changed)
│ └[~] resource AWS::Bedrock::Guardrail
│ └ types
│ ├[+] type ContentFiltersTierConfig
│ │ ├ documentation: Guardrail tier config for content policy
│ │ │ name: ContentFiltersTierConfig
│ │ └ properties
│ │ └ TierName: string (required)
│ ├[~] type ContentPolicyConfig
│ │ └ properties
│ │ └[+] ContentFiltersTierConfig: ContentFiltersTierConfig
│ ├[~] type TopicPolicyConfig
│ │ └ properties
│ │ └[+] TopicsTierConfig: TopicsTierConfig
│ └[+] type TopicsTierConfig
│ ├ documentation: Guardrail tier config for topic policy
│ │ name: TopicsTierConfig
│ └ properties
│ └ TierName: string (required)
├[+] service aws-billing
│ ├ capitalized: Billing
│ │ cloudFormationNamespace: AWS::Billing
│ │ name: aws-billing
│ │ shortName: billing
│ └ resources
│ └ resource AWS::Billing::BillingView
│ ├ name: BillingView
│ │ cloudFormationType: AWS::Billing::BillingView
│ │ documentation: A billing view is a container of cost & usage metadata.
│ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ ├ properties
│ │ ├ DataFilterExpression: DataFilterExpression
│ │ ├ Description: string (immutable)
│ │ ├ Name: string (required, immutable)
│ │ ├ Tags: Array<tag>
│ │ └ SourceViews: Array<string> (required, immutable)
│ ├ attributes
│ │ ├ Arn: string
│ │ ├ CreatedAt: number
│ │ ├ UpdatedAt: number
│ │ ├ OwnerAccountId: string
│ │ └ BillingViewType: string
│ └ types
│ ├ type DataFilterExpression
│ │ ├ name: DataFilterExpression
│ │ └ properties
│ │ ├ Dimensions: Dimensions
│ │ └ Tags: Tags
│ ├ type Dimensions
│ │ ├ name: Dimensions
│ │ └ properties
│ │ ├ Key: string
│ │ └ Values: Array<string>
│ └ type Tags
│ ├ name: Tags
│ └ properties
│ ├ Key: string
│ └ Values: Array<string>
├[~] service aws-cassandra
│ └ resources
│ └[~] resource AWS::Cassandra::Table
│ ├ properties
│ │ └[+] CdcSpecification: CdcSpecification
│ └ types
│ └[+] type CdcSpecification
│ ├ documentation: Represents the CDC configuration for the table
│ │ name: CdcSpecification
│ └ properties
│ ├ Status: string (required)
│ └ ViewType: string (default="NEW_AND_OLD_IMAGES")
├[~] service aws-cloudformation
│ └ resources
│ └[~] resource AWS::CloudFormation::StackSet
│ └ types
│ └[~] type OperationPreferences
│ └ properties
│ ├ FailureToleranceCount: (documentation changed)
│ └ FailureTolerancePercentage: (documentation changed)
├[~] service aws-cloudfront
│ └ resources
│ └[~] resource AWS::CloudFront::Distribution
│ └ types
│ ├[~] type CacheBehavior
│ │ └ properties
│ │ ├ DefaultTTL: (documentation changed)
│ │ ├ MaxTTL: (documentation changed)
│ │ ├ MinTTL: (documentation changed)
│ │ ├ SmoothStreaming: (documentation changed)
│ │ └ TrustedSigners: (documentation changed)
│ ├[~] type CustomOriginConfig
│ │ └ properties
│ │ ├ OriginKeepaliveTimeout: (documentation changed)
│ │ └ OriginReadTimeout: (documentation changed)
│ ├[~] type DefaultCacheBehavior
│ │ └ properties
│ │ ├ DefaultTTL: (documentation changed)
│ │ ├ MaxTTL: (documentation changed)
│ │ ├ MinTTL: (documentation changed)
│ │ ├ SmoothStreaming: (documentation changed)
│ │ └ TrustedSigners: (documentation changed)
│ ├[~] type DistributionConfig
│ │ └ properties
│ │ ├ Aliases: (documentation changed)
│ │ ├ AnycastIpListId: (documentation changed)
│ │ ├ ContinuousDeploymentPolicyId: (documentation changed)
│ │ ├ IPV6Enabled: (documentation changed)
│ │ ├ PriceClass: (documentation changed)
│ │ ├ Staging: (documentation changed)
│ │ └ TenantConfig: (documentation changed)
│ ├[~] type ForwardedValues
│ │ └ - documentation: This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field.
│ │ If you want to include values in the cache key, use a cache policy. For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) in the *Amazon CloudFront Developer Guide* .
│ │ If you want to send values to the origin but not include them in the cache key, use an origin request policy. For more information, see [Creating origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html#origin-request-create-origin-request-policy) in the *Amazon CloudFront Developer Guide* .
│ │ A complex type that specifies how CloudFront handles query strings, cookies, and HTTP headers.
│ │ + documentation: > This field only supports standard distributions. You can't specify this field for multi-tenant distributions. For more information, see [Unsupported features for SaaS Manager for Amazon CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-config-options.html#unsupported-saas) in the *Amazon CloudFront Developer Guide* .
│ │ This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field.
│ │ If you want to include values in the cache key, use a cache policy. For more information, see [Creating cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html#cache-key-create-cache-policy) in the *Amazon CloudFront Developer Guide* .
│ │ If you want to send values to the origin but not include them in the cache key, use an origin request policy. For more information, see [Creating origin request policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html#origin-request-create-origin-request-policy) in the *Amazon CloudFront Developer Guide* .
│ │ A complex type that specifies how CloudFront handles query strings, cookies, and HTTP headers.
│ ├[~] type TenantConfig
│ │ └ - documentation: The configuration for a distribution tenant.
│ │ + documentation: > This field only supports multi-tenant distributions. You can't specify this field for standard distributions. For more information, see [Unsupported features for SaaS Manager for Amazon CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-config-options.html#unsupported-saas) in the *Amazon CloudFront Developer Guide* .
│ │ The configuration for a distribution tenant.
│ ├[~] type ViewerCertificate
│ │ └ properties
│ │ └ IamCertificateId: (documentation changed)
│ └[~] type VpcOriginConfig
│ └ properties
│ ├ OriginKeepaliveTimeout: (documentation changed)
│ └ OriginReadTimeout: (documentation changed)
├[~] service aws-docdb
│ └ resources
│ └[~] resource AWS::DocDB::DBCluster
│ └ properties
│ ├[+] GlobalClusterIdentifier: string (immutable)
│ └[+] NetworkType: string
├[~] service aws-dynamodb
│ └ resources
│ ├[~] resource AWS::DynamoDB::GlobalTable
│ │ ├ - documentation: The `AWS::DynamoDB::GlobalTable` resource enables you to create and manage a Version 2019.11.21 global table. This resource cannot be used to create or manage a Version 2017.11.29 global table. For more information, see [Global tables](https://docs.aws.amazon.com//amazondynamodb/latest/developerguide/GlobalTables.html) .
│ │ │ > You cannot convert a resource of type `AWS::DynamoDB::Table` into a resource of type `AWS::DynamoDB::GlobalTable` by changing its type in your template. *Doing so might result in the deletion of your DynamoDB table.*
│ │ │ >
│ │ │ > You can instead use the GlobalTable resource to create a new table in a single Region. This will be billed the same as a single Region table. If you later update the stack to add other Regions then Global Tables pricing will apply.
│ │ │ You should be aware of the following behaviors when working with DynamoDB global tables.
│ │ │ - The IAM Principal executing the stack operation must have the permissions listed below in all regions where you plan to have a global table replica. The IAM Principal's permissions should not have restrictions based on IP source address. Some global tables operations (for example, adding a replica) are asynchronous, and require that the IAM Principal is valid until they complete. You should not delete the Principal (user or IAM role) until CloudFormation has finished updating your stack.
│ │ │ - `dynamodb:CreateTable`
│ │ │ - `dynamodb:UpdateTable`
│ │ │ - `dynamodb:DeleteTable`
│ │ │ - `dynamodb:DescribeContinuousBackups`
│ │ │ - `dynamodb:DescribeContributorInsights`
│ │ │ - `dynamodb:DescribeTable`
│ │ │ - `dynamodb:DescribeTableReplicaAutoScaling`
│ │ │ - `dynamodb:DescribeTimeToLive`
│ │ │ - `dynamodb:ListTables`
│ │ │ - `dynamodb:UpdateTimeToLive`
│ │ │ - `dynamodb:UpdateContributorInsights`
│ │ │ - `dynamodb:UpdateContinuousBackups`
│ │ │ - `dynamodb:ListTagsOfResource`
│ │ │ - `dynamodb:TagResource`
│ │ │ - `dynamodb:UntagResource`
│ │ │ - `dynamodb:BatchWriteItem`
│ │ │ - `dynamodb:CreateTableReplica`
│ │ │ - `dynamodb:DeleteItem`
│ │ │ - `dynamodb:DeleteTableReplica`
│ │ │ - `dynamodb:DisableKinesisStreamingDestination`
│ │ │ - `dynamodb:EnableKinesisStreamingDestination`
│ │ │ - `dynamodb:GetItem`
│ │ │ - `dynamodb:PutItem`
│ │ │ - `dynamodb:Query`
│ │ │ - `dynamodb:Scan`
│ │ │ - `dynamodb:UpdateItem`
│ │ │ - `dynamodb:DescribeTableReplicaAutoScaling`
│ │ │ - `dynamodb:UpdateTableReplicaAutoScaling`
│ │ │ - `iam:CreateServiceLinkedRole`
│ │ │ - `kms:CreateGrant`
│ │ │ - `kms:DescribeKey`
│ │ │ - `application-autoscaling:DeleteScalingPolicy`
│ │ │ - `application-autoscaling:DeleteScheduledAction`
│ │ │ - `application-autoscaling:DeregisterScalableTarget`
│ │ │ - `application-autoscaling:DescribeScalingPolicies`
│ │ │ - `application-autoscaling:DescribeScalableTargets`
│ │ │ - `application-autoscaling:PutScalingPolicy`
│ │ │ - `application-autoscaling:PutScheduledAction`
│ │ │ - `application-autoscaling:RegisterScalableTarget`
│ │ │ - When using provisioned billing mode, CloudFormation will create an auto scaling policy on each of your replicas to control their write capacities. You must configure this policy using the `WriteProvisionedThroughputSettings` property. CloudFormation will ensure that all replicas have the same write capacity auto scaling property. You cannot directly specify a value for write capacity for a global table.
│ │ │ - If your table uses provisioned capacity, you must configure auto scaling directly in the `AWS::DynamoDB::GlobalTable` resource. You should not configure additional auto scaling policies on any of the table replicas or global secondary indexes, either via API or via `AWS::ApplicationAutoScaling::ScalableTarget` or `AWS::ApplicationAutoScaling::ScalingPolicy` . Doing so might result in unexpected behavior and is unsupported.
│ │ │ - In AWS CloudFormation , each global table is controlled by a single stack, in a single region, regardless of the number of replicas. When you deploy your template, CloudFormation will create/update all replicas as part of a single stack operation. You should not deploy the same `AWS::DynamoDB::GlobalTable` resource in multiple regions. Doing so will result in errors, and is unsupported. If you deploy your application template in multiple regions, you can use conditions to only create the resource in a single region. Alternatively, you can choose to define your `AWS::DynamoDB::GlobalTable` resources in a stack separate from your application stack, and make sure it is only deployed to a single region.
│ │ │ + documentation: The `AWS::DynamoDB::GlobalTable` resource enables you to create and manage a Version 2019.11.21 global table. This resource cannot be used to create or manage a Version 2017.11.29 global table. For more information, see [Global tables](https://docs.aws.amazon.com//amazondynamodb/latest/developerguide/GlobalTables.html) .
│ │ │ > You cannot convert a resource of type `AWS::DynamoDB::Table` into a resource of type `AWS::DynamoDB::GlobalTable` by changing its type in your template. *Doing so might result in the deletion of your DynamoDB table.*
│ │ │ >
│ │ │ > You can instead use the GlobalTable resource to create a new table in a single Region. This will be billed the same as a single Region table. If you later update the stack to add other Regions then Global Tables pricing will apply.
│ │ │ You should be aware of the following behaviors when working with DynamoDB global tables.
│ │ │ - The IAM Principal executing the stack operation must have the permissions listed below in all regions where you plan to have a global table replica. The IAM Principal's permissions should not have restrictions based on IP source address. Some global tables operations (for example, adding a replica) are asynchronous, and require that the IAM Principal is valid until they complete. You should not delete the Principal (user or IAM role) until CloudFormation has finished updating your stack.
│ │ │ - `application-autoscaling:DeleteScalingPolicy`
│ │ │ - `application-autoscaling:DeleteScheduledAction`
│ │ │ - `application-autoscaling:DeregisterScalableTarget`
│ │ │ - `application-autoscaling:DescribeScalableTargets`
│ │ │ - `application-autoscaling:DescribeScalingPolicies`
│ │ │ - `application-autoscaling:PutScalingPolicy`
│ │ │ - `application-autoscaling:PutScheduledAction`
│ │ │ - `application-autoscaling:RegisterScalableTarget`
│ │ │ - `dynamodb:BatchWriteItem`
│ │ │ - `dynamodb:CreateGlobalTableWitness`
│ │ │ - `dynamodb:CreateTable`
│ │ │ - `dynamodb:CreateTableReplica`
│ │ │ - `dynamodb:DeleteGlobalTableWitness`
│ │ │ - `dynamodb:DeleteItem`
│ │ │ - `dynamodb:DeleteTable`
│ │ │ - `dynamodb:DeleteTableReplica`
│ │ │ - `dynamodb:DescribeContinuousBackups`
│ │ │ - `dynamodb:DescribeContributorInsights`
│ │ │ - `dynamodb:DescribeTable`
│ │ │ - `dynamodb:DescribeTableReplicaAutoScaling`
│ │ │ - `dynamodb:DescribeTimeToLive`
│ │ │ - `dynamodb:DisableKinesisStreamingDestination`
│ │ │ - `dynamodb:EnableKinesisStreamingDestination`
│ │ │ - `dynamodb:GetItem`
│ │ │ - `dynamodb:ListTables`
│ │ │ - `dynamodb:ListTagsOfResource`
│ │ │ - `dynamodb:PutItem`
│ │ │ - `dynamodb:Query`
│ │ │ - `dynamodb:Scan`
│ │ │ - `dynamodb:TagResource`
│ │ │ - `dynamodb:UntagResource`
│ │ │ - `dynamodb:UpdateContinuousBackups`
│ │ │ - `dynamodb:UpdateContributorInsights`
│ │ │ - `dynamodb:UpdateItem`
│ │ │ - `dynamodb:UpdateTable`
│ │ │ - `dynamodb:UpdateTableReplicaAutoScaling`
│ │ │ - `dynamodb:UpdateTimeToLive`
│ │ │ - `iam:CreateServiceLinkedRole`
│ │ │ - `kms:CreateGrant`
│ │ │ - `kms:DescribeKey`
│ │ │ - When using provisioned billing mode, CloudFormation will create an auto scaling policy on each of your replicas to control their write capacities. You must configure this policy using the `WriteProvisionedThroughputSettings` property. CloudFormation will ensure that all replicas have the same write capacity auto scaling property. You cannot directly specify a value for write capacity for a global table.
│ │ │ - If your table uses provisioned capacity, you must configure auto scaling directly in the `AWS::DynamoDB::GlobalTable` resource. You should not configure additional auto scaling policies on any of the table replicas or global secondary indexes, either via API or via `AWS::ApplicationAutoScaling::ScalableTarget` or `AWS::ApplicationAutoScaling::ScalingPolicy` . Doing so might result in unexpected behavior and is unsupported.
│ │ │ - In AWS CloudFormation , each global table is controlled by a single stack, in a single region, regardless of the number of replicas. When you deploy your template, CloudFormation will create/update all replicas as part of a single stack operation. You should not deploy the same `AWS::DynamoDB::GlobalTable` resource in multiple regions. Doing so will result in errors, and is unsupported. If you deploy your application template in multiple regions, you can use conditions to only create the resource in a single region. Alternatively, you can choose to define your `AWS::DynamoDB::GlobalTable` resources in a stack separate from your application stack, and make sure it is only deployed to a single region.
│ │ ├ properties
│ │ │ ├[+] GlobalTableWitnesses: Array<GlobalTableWitness>
│ │ │ ├[+] MultiRegionConsistency: string
│ │ │ ├ Replicas: (documentation changed)
│ │ │ └ StreamSpecification: (documentation changed)
│ │ └ types
│ │ ├[+] type GlobalTableWitness
│ │ │ ├ documentation: The witness Region for the MRSC global table. A MRSC global table can be configured with either three replicas, or with two replicas and one witness.
│ │ │ │ The witness must be in a different Region than the replicas and within the same Region set:
│ │ │ │ - US Region set: US East (N. Virginia), US East (Ohio), US West (Oregon)
│ │ │ │ - EU Region set: Europe (Ireland), Europe (London), Europe (Paris), Europe (Frankfurt)
│ │ │ │ - AP Region set: Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Osaka)
│ │ │ │ name: GlobalTableWitness
│ │ │ └ properties
│ │ │ └ Region: string
│ │ └[~] type StreamSpecification
│ │ └ - documentation: Represents the DynamoDB Streams configuration for a table in DynamoDB.
│ │ You can only modify this value if your `AWS::DynamoDB::GlobalTable` contains only one entry in `Replicas` . You must specify a value for this property if your `AWS::DynamoDB::GlobalTable` contains more than one replica.
│ │ + documentation: Represents the DynamoDB Streams configuration for a table in DynamoDB .
│ │ You can only modify this value for a `AWS::DynamoDB::GlobalTable` resource configured for multi-Region eventual consistency (MREC, the default) if that resource contains only one entry in `Replicas` . You must specify a value for this property for a `AWS::DynamoDB::GlobalTable` resource configured for MREC with more than one entry in `Replicas` . For Multi-Region Strong Consistency (MRSC), Streams are not required and can be changed for existing tables.
│ └[~] resource AWS::DynamoDB::Table
│ └ properties
│ └ ResourcePolicy: (documentation changed)
├[~] service aws-ec2
│ └ resources
│ ├[~] resource AWS::EC2::CapacityReservationFleet
│ │ └ - tagInformation: undefined
│ │ + tagInformation: {"tagPropertyName":"TagSpecifications","variant":"standard"}
│ └[~] resource AWS::EC2::TrafficMirrorFilterRule
│ └ attributes
│ ├[-] Id: string
│ └ TrafficMirrorFilterRuleId: (documentation changed)
├[~] service aws-ecs
│ └ resources
│ ├[~] resource AWS::ECS::Service
│ │ └ attributes
│ │ └ ServiceArn: (documentation changed)
│ └[~] resource AWS::ECS::TaskDefinition
│ ├ properties
│ │ └ InferenceAccelerators: (documentation changed)
│ └ types
│ └[~] type InferenceAccelerator
│ ├ - documentation: Details on an Elastic Inference accelerator. For more information, see [Working with Amazon Elastic Inference on Amazon ECS](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-inference.html) in the *Amazon Elastic Container Service Developer Guide* .
│ │ + documentation: Details on an Elastic Inference accelerator. For more information, see [Working with Amazon Elastic Inference on Amazon ECS](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-inference.html) in the *Amazon Elastic Container Service Developer Guide*.
│ └ properties
│ └ DeviceName: (documentation changed)
├[~] service aws-emrserverless
│ └ resources
│ └[~] resource AWS::EMRServerless::Application
│ └ properties
│ └ IdentityCenterConfiguration: (documentation changed)
├[~] service aws-evs
│ └ resources
│ └[~] resource AWS::EVS::Environment
│ ├ properties
│ │ └ LicenseInfo: (documentation changed)
│ └ types
│ └[~] type LicenseInfo
│ └ properties
│ ├ SolutionKey: (documentation changed)
│ └ VsanKey: (documentation changed)
├[~] service aws-fsx
│ └ resources
│ └[~] resource AWS::FSx::S3AccessPointAttachment
│ ├ - documentation: Resource type definition for AWS::FSx::S3AccessPointAttachment
│ │ + documentation: An S3 access point attached to an Amazon FSx volume.
│ ├ properties
│ │ ├ Name: (documentation changed)
│ │ ├ OpenZFSConfiguration: (documentation changed)
│ │ ├ S3AccessPoint: (documentation changed)
│ │ └ Type: (documentation changed)
│ ├ attributes
│ │ ├ S3AccessPoint.Alias: (documentation changed)
│ │ └ S3AccessPoint.ResourceARN: (documentation changed)
│ └ types
│ ├[~] type FileSystemGID
│ │ ├ - documentation: undefined
│ │ │ + documentation: The GID of the file system user.
│ │ └ properties
│ │ └ Gid: (documentation changed)
│ ├[~] type OpenZFSFileSystemIdentity
│ │ ├ - documentation: undefined
│ │ │ + documentation: Specifies the file system user identity that will be used for authorizing all file access requests that are made using the S3 access point.
│ │ └ properties
│ │ ├ PosixUser: (documentation changed)
│ │ └ Type: (documentation changed)
│ ├[~] type OpenZFSPosixFileSystemUser
│ │ ├ - documentation: undefined
│ │ │ + documentation: The FSx for OpenZFS file system user that is used for authorizing all file access requests that are made using the S3 access point.
│ │ └ properties
│ │ ├ Gid: (documentation changed)
│ │ ├ SecondaryGids: (documentation changed)
│ │ └ Uid: (documentation changed)
│ ├[~] type S3AccessPoint
│ │ ├ - documentation: undefined
│ │ │ + documentation: Describes the S3 access point configuration of the S3 access point attachment.
│ │ └ properties
│ │ ├ Alias: (documentation changed)
│ │ ├ Policy: (documentation changed)
│ │ ├ ResourceARN: (documentation changed)
│ │ └ VpcConfiguration: (documentation changed)
│ ├[~] type S3AccessPointOpenZFSConfiguration
│ │ ├ - documentation: undefined
│ │ │ + documentation: Describes the FSx for OpenZFS attachment configuration of an S3 access point attachment.
│ │ └ properties
│ │ ├ FileSystemIdentity: (documentation changed)
│ │ └ VolumeId: (documentation changed)
│ └[~] type S3AccessPointVpcConfiguration
│ ├ - documentation: undefined
│ │ + documentation: If included, Amazon S3 restricts access to this access point to requests from the specified virtual private cloud (VPC).
│ └ properties
│ └ VpcId: (documentation changed)
├[~] service aws-gamelift
│ └ resources
│ ├[~] resource AWS::GameLift::ContainerFleet
│ │ └ types
│ │ └[~] type LogConfiguration
│ │ └ properties
│ │ └[+] LogGroupArn: string
│ └[~] resource AWS::GameLift::Fleet
│ └ properties
│ └ ApplyCapacity: - string (immutable)
│ + string
├[~] service aws-iot
│ └ resources
│ └[~] resource AWS::IoT::Logging
│ └ - documentation: Configure logging.
│ > If you already set the log function of AWS IoT Core , you can't deploy the AWS Cloud Development Kit (AWS CDK) to change the logging settings. You can change the logging settings by either:
│ >
│ > - Importing the existing logging resource into your AWS CloudFormation stack, such as with the [infrastructure as code generator (IaC generator)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/generate-IaC.html) .
│ > - Calling `aws iot set-v2-logging-options --disable-all-logs` before creating a new CloudFormation stack. This command disables all AWS IoT logging. As a result, no AWS IoT logs will be delivered to Amazon CloudWatch until you re-enable logging.
│ + documentation: Configure logging.
│ > If you already set the log function of AWS IoT Core , you can't deploy the Cloud Development Kit to change the logging settings. You can change the logging settings by either:
│ >
│ > - Importing the existing logging resource into your AWS CloudFormation stack, such as with the [infrastructure as code generator (IaC generator)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/generate-IaC.html) .
│ > - Calling `aws iot set-v2-logging-options --disable-all-logs` before creating a new CloudFormation stack. This command disables all AWS IoT logging. As a result, no AWS IoT logs will be delivered to Amazon CloudWatch until you re-enable logging.
├[~] service aws-kinesis
│ └ resources
│ └[~] resource AWS::Kinesis::StreamConsumer
│ ├ - tagInformation: undefined
│ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ └ properties
│ └[+] Tags: Array<tag> (immutable)
├[~] service aws-lex
│ └ resources
│ └[~] resource AWS::Lex::Bot
│ └ types
│ ├[~] type BuildtimeSettings
│ │ └ - documentation: undefined
│ │ + documentation: Contains specifications about the Amazon Lex build time generative AI capabilities from Amazon Bedrock that you can turn on for your bot.
│ ├[~] type DescriptiveBotBuilderSpecification
│ │ ├ - documentation: undefined
│ │ │ + documentation: Contains specifications for the descriptive bot building feature.
│ │ └ properties
│ │ ├ BedrockModelSpecification: (documentation changed)
│ │ └ Enabled: (documentation changed)
│ ├[~] type GenerativeAISettings
│ │ └ - documentation: undefined
│ │ + documentation: Contains specifications about the generative AI capabilities from Amazon Bedrock that you can turn on for your bot.
│ ├[~] type NluImprovementSpecification
│ │ ├ - documentation: undefined
│ │ │ + documentation: Configures the Assisted Natural Language Understanding (NLU) feature for your bot. This specification determines whether enhanced intent recognition and utterance understanding capabilities are active.
│ │ └ properties
│ │ └ Enabled: (documentation changed)
│ ├[~] type RuntimeSettings
│ │ └ - documentation: undefined
│ │ + documentation: Contains specifications about the Amazon Lex runtime generative AI capabilities from Amazon Bedrock that you can turn on for your bot.
│ ├[~] type SampleUtteranceGenerationSpecification
│ │ ├ - documentation: undefined
│ │ │ + documentation: Contains specifications for the sample utterance generation feature.
│ │ └ properties
│ │ └ Enabled: (documentation changed)
│ └[~] type SlotResolutionImprovementSpecification
│ ├ - documentation: undefined
│ │ + documentation: Contains specifications for the assisted slot resolution feature.
│ └ properties
│ ├ BedrockModelSpecification: (documentation changed)
│ └ Enabled: (documentation changed)
├[~] service aws-neptune
│ └ resources
│ └[~] resource AWS::Neptune::DBInstance
│ ├ properties
│ │ └ DBSnapshotIdentifier: - string (immutable)
│ │ + string (deprecated=WARN, immutable)
│ │ (documentation changed)
│ └ attributes
│ └[-] Id: string
├[+] service aws-odb
│ ├ capitalized: ODB
│ │ cloudFormationNamespace: AWS::ODB
│ │ name: aws-odb
│ │ shortName: odb
│ └ resources
│ ├ resource AWS::ODB::CloudAutonomousVmCluster
│ │ ├ name: CloudAutonomousVmCluster
│ │ │ cloudFormationType: AWS::ODB::CloudAutonomousVmCluster
│ │ │ documentation: The AWS::ODB::CloudAutonomousVmCluster resource creates a Cloud Autonomous VM Cluster
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ ├ properties
│ │ │ ├ OdbNetworkId: string (immutable)
│ │ │ ├ DisplayName: string (immutable)
│ │ │ ├ CloudExadataInfrastructureId: string (immutable)
│ │ │ ├ AutonomousDataStorageSizeInTBs: number (immutable)
│ │ │ ├ CpuCoreCountPerNode: integer (immutable)
│ │ │ ├ DbServers: Array<string> (immutable)
│ │ │ ├ Description: string (immutable)
│ │ │ ├ IsMtlsEnabledVmCluster: boolean (immutable)
│ │ │ ├ LicenseModel: string (immutable)
│ │ │ ├ MaintenanceWindow: MaintenanceWindow (immutable)
│ │ │ ├ MemoryPerOracleComputeUnitInGBs: integer (immutable)
│ │ │ ├ ScanListenerPortNonTls: integer (immutable)
│ │ │ ├ ScanListenerPortTls: integer (immutable)
│ │ │ ├ Tags: Array<tag>
│ │ │ ├ TimeZone: string (immutable)
│ │ │ └ TotalContainerDatabases: integer (immutable)
│ │ ├ attributes
│ │ │ ├ CloudAutonomousVmClusterId: string
│ │ │ ├ CloudAutonomousVmClusterArn: string
│ │ │ ├ OciResourceAnchorName: string
│ │ │ ├ AutonomousDataStoragePercentage: number
│ │ │ ├ AvailableAutonomousDataStorageSizeInTBs: number
│ │ │ ├ AvailableContainerDatabases: integer
│ │ │ ├ AvailableCpus: number
│ │ │ ├ ComputeModel: string
│ │ │ ├ CpuCoreCount: integer
│ │ │ ├ CpuPercentage: number
│ │ │ ├ DataStorageSizeInGBs: number
│ │ │ ├ DataStorageSizeInTBs: number
│ │ │ ├ DbNodeStorageSizeInGBs: integer
│ │ │ ├ Domain: string
│ │ │ ├ ExadataStorageInTBsLowestScaledValue: number
│ │ │ ├ Hostname: string
│ │ │ ├ Ocid: string
│ │ │ ├ OciUrl: string
│ │ │ ├ MaxAcdsLowestScaledValue: integer
│ │ │ ├ MemorySizeInGBs: integer
│ │ │ ├ NodeCount: integer
│ │ │ ├ NonProvisionableAutonomousContainerDatabases: integer
│ │ │ ├ ProvisionableAutonomousContainerDatabases: integer
│ │ │ ├ ProvisionedAutonomousContainerDatabases: integer
│ │ │ ├ ProvisionedCpus: number
│ │ │ ├ ReclaimableCpus: number
│ │ │ ├ ReservedCpus: number
│ │ │ └ Shape: string
│ │ └ types
│ │ └ type MaintenanceWindow
│ │ ├ documentation: The scheduling details for the maintenance window. Patching and system updates take place during the maintenance window.
│ │ │ name: MaintenanceWindow
│ │ └ properties
│ │ ├ DaysOfWeek: Array<string>
│ │ ├ HoursOfDay: Array<integer>
│ │ ├ LeadTimeInWeeks: integer
│ │ ├ Months: Array<string>
│ │ ├ Preference: string
│ │ └ WeeksOfMonth: Array<integer>
│ ├ resource AWS::ODB::CloudExadataInfrastructure
│ │ ├ name: CloudExadataInfrastructure
│ │ │ cloudFormationType: AWS::ODB::CloudExadataInfrastructure
│ │ │ documentation: The AWS::ODB::CloudExadataInfrastructure resource creates an Exadata Infrastructure
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ ├ properties
│ │ │ ├ AvailabilityZone: string (immutable)
│ │ │ ├ AvailabilityZoneId: string (immutable)
│ │ │ ├ ComputeCount: integer (immutable)
│ │ │ ├ CustomerContactsToSendToOCI: Array<CustomerContact> (immutable)
│ │ │ ├ DatabaseServerType: string (immutable)
│ │ │ ├ DisplayName: string (immutable)
│ │ │ ├ Shape: string (immutable)
│ │ │ ├ StorageCount: integer (immutable)
│ │ │ ├ StorageServerType: string (immutable)
│ │ │ └ Tags: Array<tag>
│ │ ├ attributes
│ │ │ ├ ActivatedStorageCount: integer
│ │ │ ├ AdditionalStorageCount: integer
│ │ │ ├ AvailableStorageSizeInGBs: integer
│ │ │ ├ CloudExadataInfrastructureArn: string
│ │ │ ├ CloudExadataInfrastructureId: string
│ │ │ ├ ComputeModel: string
│ │ │ ├ CpuCount: integer
│ │ │ ├ DataStorageSizeInTBs: number
│ │ │ ├ DbNodeStorageSizeInGBs: integer
│ │ │ ├ DbServerVersion: string
│ │ │ ├ MaxCpuCount: integer
│ │ │ ├ MaxDataStorageInTBs: number
│ │ │ ├ MaxDbNodeStorageSizeInGBs: integer
│ │ │ ├ MaxMemoryInGBs: integer
│ │ │ ├ MemorySizeInGBs: integer
│ │ │ ├ OciResourceAnchorName: string
│ │ │ ├ OciUrl: string
│ │ │ ├ Ocid: string
│ │ │ ├ StorageServerVersion: string
│ │ │ ├ TotalStorageSizeInGBs: integer
│ │ │ └ DbServerIds: Array<string>
│ │ └ types
│ │ └ type CustomerContact
│ │ ├ documentation: A contact to receive notification from Oracle about maintenance updates for a specific Exadata infrastructure.
│ │ │ name: CustomerContact
│ │ └ properties
│ │ └ Email: string
│ ├ resource AWS::ODB::CloudVmCluster
│ │ ├ name: CloudVmCluster
│ │ │ cloudFormationType: AWS::ODB::CloudVmCluster
│ │ │ documentation: The AWS::ODB::CloudVmCluster resource creates a Cloud VM Cluster
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ ├ properties
│ │ │ ├ CloudExadataInfrastructureId: string (immutable)
│ │ │ ├ ClusterName: string (immutable)
│ │ │ ├ CpuCoreCount: integer (immutable)
│ │ │ ├ DataCollectionOptions: DataCollectionOptions (immutable)
│ │ │ ├ DataStorageSizeInTBs: number (immutable)
│ │ │ ├ DbNodeStorageSizeInGBs: integer (immutable)
│ │ │ ├ DbServers: Array<string> (immutable)
│ │ │ ├ DisplayName: string (immutable)
│ │ │ ├ GiVersion: string (immutable)
│ │ │ ├ Hostname: string (immutable)
│ │ │ ├ IsLocalBackupEnabled: boolean (immutable)
│ │ │ ├ IsSparseDiskgroupEnabled: boolean (immutable)
│ │ │ ├ LicenseModel: string (immutable)
│ │ │ ├ MemorySizeInGBs: integer (immutable)
│ │ │ ├ OdbNetworkId: string (immutable)
│ │ │ ├ ScanListenerPortTcp: integer (immutable)
│ │ │ ├ SshPublicKeys: Array<string> (immutable)
│ │ │ ├ SystemVersion: string (immutable)
│ │ │ ├ Tags: Array<tag>
│ │ │ └ TimeZone: string (immutable)
│ │ ├ attributes
│ │ │ ├ CloudVmClusterArn: string
│ │ │ ├ CloudVmClusterId: string
│ │ │ ├ ComputeModel: string
│ │ │ ├ DiskRedundancy: string
│ │ │ ├ Domain: string
│ │ │ ├ ListenerPort: integer
│ │ │ ├ NodeCount: integer
│ │ │ ├ Ocid: string
│ │ │ ├ OciResourceAnchorName: string
│ │ │ ├ OciUrl: string
│ │ │ ├ ScanDnsName: string
│ │ │ ├ ScanIpIds: Array<string>
│ │ │ ├ Shape: string
│ │ │ ├ StorageSizeInGBs: integer
│ │ │ └ VipIds: Array<string>
│ │ └ types
│ │ └ type DataCollectionOptions
│ │ ├ documentation: Information about the data collection options enabled for a VM cluster.
│ │ │ name: DataCollectionOptions
│ │ └ properties
│ │ ├ IsDiagnosticsEventsEnabled: boolean
│ │ ├ IsHealthMonitoringEnabled: boolean
│ │ └ IsIncidentLogsEnabled: boolean
│ └ resource AWS::ODB::OdbNetwork
│ ├ name: OdbNetwork
│ │ cloudFormationType: AWS::ODB::OdbNetwork
│ │ documentation: The AWS::ODB::OdbNetwork resource creates an ODB Network
│ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ ├ properties
│ │ ├ AvailabilityZone: string (immutable)
│ │ ├ AvailabilityZoneId: string (immutable)
│ │ ├ BackupSubnetCidr: string (immutable)
│ │ ├ ClientSubnetCidr: string (immutable)
│ │ ├ DefaultDnsPrefix: string (immutable)
│ │ ├ DeleteAssociatedResources: boolean
│ │ ├ DisplayName: string (immutable)
│ │ └ Tags: Array<tag>
│ └ attributes
│ ├ OciNetworkAnchorId: string
│ ├ OciResourceAnchorName: string
│ ├ OciVcnUrl: string
│ ├ OdbNetworkArn: string
│ └ OdbNetworkId: string
├[~] service aws-omics
│ └ resources
│ └[~] resource AWS::Omics::Workflow
│ └ - documentation: Creates a private workflow.Private workflows depend on a variety of resources that you create and configure before creating the workflow:
│ - *Input data* : Input data for the workflow, stored in an S3 bucket or a AWS HealthOmics sequence store.
│ - *Workflow definition files* : Define your workflow in one or more workflow definition files, written in WDL, Nextflow, or CWL. The workflow definition specifies the inputs and outputs for runs that use the workflow. It also includes specifications for the runs and run tasks for your workflow, including compute and memory requirements.
│ - *Parameter template files* : Define run parameters using a parameter template file (written in JSON).
│ - *ECR container images* : Create one or more container images for the workflow. Store the images in a private ECR repository.
│ - (Optional) *Sentieon licenses* : Request a Sentieon license if you plan to use Sentieon software in a private workflow.
│ For more information, see [Creating or updating a private workflow in AWS HealthOmics](https://docs.aws.amazon.com/omics/latest/dev/creating-private-workflows.html) in the AWS HealthOmics User Guide.
│ + documentation: Creates a private workflow.Private workflows depend on a variety of resources that you create and configure before creating the workflow:
│ - *Input data* : Input data for the workflow, stored in an S3 bucket or a AWS HealthOmics sequence store.
│ - *Workflow definition files* : Define your workflow in one or more workflow definition files, written in WDL, Nextflow, or CWL. The workflow definition specifies the inputs and outputs for runs that use the workflow. It also includes specifications for the runs and run tasks for your workflow, including compute and memory requirements.
│ - (Optional) *Parameter template* - You can create a parameter template file that defines the run parameters, or AWS HealthOmics can generate the parameter template for you.
│ - *ECR container images* : Create one or more container images for the workflow. Store the images in a private ECR repository.
│ - (Optional) *Sentieon licenses* : Request a Sentieon license if you plan to use Sentieon software in a private workflow.
│ For more information, see [Creating or updating a private workflow in AWS HealthOmics](https://docs.aws.amazon.com/omics/latest/dev/creating-private-workflows.html) in the AWS HealthOmics User Guide.
├[~] service aws-qbusiness
│ └ resources
│ ├[~] resource AWS::QBusiness::DataAccessor
│ │ ├ properties
│ │ │ └[+] AuthenticationDetail: DataAccessorAuthenticationDetail
│ │ └ types
│ │ ├[+] type DataAccessorAuthenticationConfiguration
│ │ │ ├ documentation: A union type that contains the specific authentication configuration based on the authentication type selected.
│ │ │ │ name: DataAccessorAuthenticationConfiguration
│ │ │ └ properties
│ │ │ └ IdcTrustedTokenIssuerConfiguration: DataAccessorIdcTrustedTokenIssuerConfiguration (required)
│ │ ├[+] type DataAccessorAuthenticationDetail
│ │ │ ├ documentation: Contains the authentication configuration details for a data accessor. This structure defines how the ISV authenticates when accessing data through the data accessor.
│ │ │ │ name: DataAccessorAuthenticationDetail
│ │ │ └ properties
│ │ │ ├ AuthenticationType: string (required)
│ │ │ ├ AuthenticationConfiguration: DataAccessorAuthenticationConfiguration
│ │ │ └ ExternalIds: Array<string>
│ │ └[+] type DataAccessorIdcTrustedTokenIssuerConfiguration
│ │ ├ documentation: Configuration details for IAM Identity Center Trusted Token Issuer (TTI) authentication.
│ │ │ name: DataAccessorIdcTrustedTokenIssuerConfiguration
│ │ └ properties
│ │ └ IdcTrustedTokenIssuerArn: string (required)
│ ├[~] resource AWS::QBusiness::DataSource
│ │ └ types
│ │ └[~] type HookConfiguration
│ │ └ properties
│ │ └ LambdaArn: (documentation changed)
│ └[~] resource AWS::QBusiness::Permission
│ ├ properties
│ │ └[+] Conditions: Array<Condition> (immutable)
│ └ types
│ └[+] type Condition
│ ├ name: Condition
│ └ properties
│ ├ ConditionOperator: string (required)
│ ├ ConditionKey: string (required)
│ └ ConditionValues: Array<string> (required)
├[~] service aws-quicksight
│ └ resources
│ ├[~] resource AWS::QuickSight::CustomPermissions
│ │ └ types
│ │ └[~] type Capabilities
│ │ └ properties
│ │ ├ ExportToCsv: (documentation changed)
│ │ ├[+] ExportToCsvInScheduledReports: string
│ │ ├ ExportToExcel: (documentation changed)
│ │ ├[+] ExportToExcelInScheduledReports: string
│ │ ├[+] ExportToPdf: string
│ │ ├[+] ExportToPdfInScheduledReports: string
│ │ ├[+] IncludeContentInScheduledReportsEmail: string
│ │ └[+] PrintReports: string
│ ├[~] resource AWS::QuickSight::Dashboard
│ │ └ types
│ │ └[~] type ExportToCSVOption
│ │ └ - documentation: Enable/disable visual-level downloads option.
│ │ + documentation: Export to .csv option.
│ └[~] resource AWS::QuickSight::DataSource
│ └ types
│ ├[~] type OracleParameters
│ │ └ properties
│ │ └[+] UseServiceName: boolean (default=false)
│ └[~] type RedshiftParameters
│ └ properties
│ └ IdentityCenterConfiguration: - IdentityCenterConfiguration
│ + json ⇐ IdentityCenterConfiguration
├[~] service aws-rds
│ └ resources
│ └[~] resource AWS::RDS::DBInstance
│ └ properties
│ ├[+] BackupTarget: string (immutable)
│ └ MultiAZ: (documentation changed)
├[~] service aws-redshiftserverless
│ └ resources
│ └[~] resource AWS::RedshiftServerless::Snapshot
│ ├ - documentation: Resource Type definition for AWS::RedshiftServerless::Snapshot Resource Type.
│ │ + documentation: A snapshot object that contains databases.
│ ├ properties
│ │ ├ NamespaceName: (documentation changed)
│ │ ├ RetentionPeriod: (documentation changed)
│ │ └ Tags: (documentation changed)
│ ├ attributes
│ │ ├ OwnerAccount: (documentation changed)
│ │ ├ Snapshot.AdminUsername: (documentation changed)
│ │ ├ Snapshot.KmsKeyId: (documentation changed)
│ │ ├ Snapshot.NamespaceArn: (documentation changed)
│ │ ├ Snapshot.NamespaceName: (documentation changed)
│ │ ├ Snapshot.OwnerAccount: (documentation changed)
│ │ ├ Snapshot.RetentionPeriod: (documentation changed)
│ │ ├ Snapshot.SnapshotArn: (documentation changed)
│ │ ├ Snapshot.SnapshotCreateTime: (documentation changed)
│ │ ├ Snapshot.SnapshotName: (documentation changed)
│ │ └ Snapshot.Status: (documentation changed)
│ └ types
│ └[~] type Snapshot
│ ├ - documentation: undefined
│ │ + documentation: A snapshot object that contains databases.
│ └ properties
│ ├ AdminUsername: (documentation changed)
│ ├ KmsKeyId: (documentation changed)
│ ├ NamespaceArn: (documentation changed)
│ ├ NamespaceName: (documentation changed)
│ ├ OwnerAccount: (documentation changed)
│ ├ RetentionPeriod: (documentation changed)
│ ├ SnapshotArn: (documentation changed)
│ ├ SnapshotCreateTime: (documentation changed)
│ ├ SnapshotName: (documentation changed)
│ └ Status: (documentation changed)
├[~] service aws-s3tables
│ └ resources
│ └[+] resource AWS::S3Tables::Table
│ ├ name: Table
│ │ cloudFormationType: AWS::S3Tables::Table
│ │ documentation: Resource Type definition for AWS::S3Tables::Table
│ ├ properties
│ │ ├ WithoutMetadata: string (immutable)
│ │ ├ Compaction: Compaction
│ │ ├ Namespace: string (required)
│ │ ├ TableName: string (required)
│ │ ├ TableBucketARN: string (required, immutable)
│ │ ├ OpenTableFormat: string (required, immutable)
│ │ ├ IcebergMetadata: IcebergMetadata (immutable)
│ │ └ SnapshotManagement: SnapshotManagement
│ ├ attributes
│ │ ├ TableARN: string
│ │ ├ WarehouseLocation: string
│ │ └ VersionToken: string
│ └ types
│ ├ type Compaction
│ │ ├ documentation: Settings governing the Compaction maintenance action. Contains details about the compaction settings for an Iceberg table.
│ │ │ name: Compaction
│ │ └ properties
│ │ ├ Status: string
│ │ └ TargetFileSizeMB: integer
│ ├ type IcebergMetadata
│ │ ├ documentation: Contains details about the metadata for an Iceberg table.
│ │ │ name: IcebergMetadata
│ │ └ properties
│ │ └ IcebergSchema: IcebergSchema (required)
│ ├ type IcebergSchema
│ │ ├ documentation: Contains details about the schema for an Iceberg table
│ │ │ name: IcebergSchema
│ │ └ properties
│ │ └ SchemaFieldList: Array<SchemaField> (required)
│ ├ type SchemaField
│ │ ├ documentation: Contains details about the schema for an Iceberg table
│ │ │ name: SchemaField
│ │ └ properties
│ │ ├ Type: string (required)
│ │ ├ Required: boolean
│ │ └ Name: string (required)
│ └ type SnapshotManagement
│ ├ documentation: Contains details about the snapshot management settings for an Iceberg table. A snapshot is expired when it exceeds MinSnapshotsToKeep and MaxSnapshotAgeHours.
│ │ name: SnapshotManagement
│ └ properties
│ ├ Status: string
│ ├ MinSnapshotsToKeep: integer
│ └ MaxSnapshotAgeHours: integer
└[~] service aws-transfer
└ resources
└[~] resource AWS::Transfer::Server
└ types
└[~] type EndpointDetails
└ properties
└ AddressAllocationIds: (documentation changed)
```
…ck level (under feature flag) (#31443)

Stacks are considered taggable, and so `Tags.of(this).add('key', 'value')` used to add tags to Stacks in scope. Usually this happens if `this` is an instance of `Stack`, which it commonly is in user code.

Since `Tags.of(...)` walks the construct tree, it will add tags to the stack *and* to all the resources in the stack. Then, come deploy time, CloudFormation will also try and apply all the stack tags to the resources again.

This is both unnecessary, as well as leads to loss of control: `excludeResourceTypes` appears to not work, since it will lead to resources not being tagged in the template (good) but then the resources will still be tagged by CloudFormation because the stack itself is tagged (bad).

Also, if the tags applied this way contain intrinsics, they will contain nonsense because they are applied in a context where CloudFormation expressions don't work.

## In this change

There is a way to prevent Stacks from being tagged, by including `aws:cdk:stack` in the list of `excludeResourceTypes` (this is a fake resource type that Stack tags respect).

Under a feature flag, `@aws-cdk/core:explicitStackTags`, this is now the default behavior. That resource type will be excluded by default, unless it is listed in the `includeResourceTypes` list. However, doing `includeResourceTypes` is still not desirable: stack tags should be applied directly on the `Stack` object if desired.

This requires a user to make a conscious decision between resource-level and stack-level tagging: either apply tags to the stack, which will apply it to all resources but remove the ability to do `excludeResourceTypes`; or apply tags to (groups of) resources inside the template.

Another benefit is that for tags applied at the stack level, this will resolve the following issue: #15947, as resources "becoming" taggable all of a sudden will not affect the template anymore.

Closes #28017. Closes #33945. Closes #30055.
---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
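The tagging interaction this commit message describes, as an added simplified model in TypeScript (not aws-cdk-lib code and not part of the pull request). The types, function names and the two-resource stack are constructed for illustration; only `aws:cdk:stack`, `includeResourceTypes`, `excludeResourceTypes` and the `@aws-cdk/core:explicitStackTags` flag come from the text, and the model assumes every sample resource is taggable.

```typescript
// Simplified model of stack-scope tagging. NOT aws-cdk-lib code: all types and
// function names here are hypothetical and exist only for this example.

const STACK_PSEUDO_TYPE = 'aws:cdk:stack'; // fake resource type named in the commit message

type TagMap = { [key: string]: string };

interface TagOptions {
  includeResourceTypes?: string[];
  excludeResourceTypes?: string[];
}

interface ResourceModel {
  logicalId: string;
  type: string;
  templateTags: TagMap; // tags written into the synthesized template
}

interface StackModel {
  stackTags: TagMap; // tags passed to CloudFormation for the stack itself
  resources: ResourceModel[];
}

function newStack(resources: Array<[string, string]>): StackModel {
  return {
    stackTags: {},
    resources: resources.map(function (r: [string, string]): ResourceModel {
      return { logicalId: r[0], type: r[1], templateTags: {} };
    }),
  };
}

// An exclude match wins; otherwise a non-empty include list must contain the type.
function passesFilter(type: string, opts: TagOptions): boolean {
  const include = opts.includeResourceTypes || [];
  const exclude = opts.excludeResourceTypes || [];
  if (exclude.indexOf(type) !== -1) { return false; }
  if (include.length > 0 && include.indexOf(type) === -1) { return false; }
  return true;
}

// Models a tag added from the stack's scope: the walk visits the stack and
// every resource inside it.
function addTagFromStackScope(
  stack: StackModel, key: string, value: string,
  opts: TagOptions, explicitStackTags: boolean,
): void {
  let tagStack = passesFilter(STACK_PSEUDO_TYPE, opts);
  if (explicitStackTags) {
    // Flag on: the stack is skipped unless it is explicitly included.
    const include = opts.includeResourceTypes || [];
    tagStack = tagStack && include.indexOf(STACK_PSEUDO_TYPE) !== -1;
  }
  if (tagStack) { stack.stackTags[key] = value; }
  stack.resources.forEach(function (res: ResourceModel): void {
    if (passesFilter(res.type, opts)) { res.templateTags[key] = value; }
  });
}

function copyTags(from: TagMap, to: TagMap): void {
  Object.keys(from).forEach(function (k: string): void {
    const v = from[k];
    if (v !== undefined) { to[k] = v; }
  });
}

// Models deploy time: CloudFormation applies the stack's tags to its resources
// in addition to whatever the template sets on each resource.
function tagsAfterDeploy(stack: StackModel): { [logicalId: string]: TagMap } {
  const result: { [logicalId: string]: TagMap } = {};
  stack.resources.forEach(function (res: ResourceModel): void {
    const merged: TagMap = {};
    copyTags(stack.stackTags, merged);
    copyTags(res.templateTags, merged);
    result[res.logicalId] = merged;
  });
  return result;
}

function tagValue(
  deployed: { [logicalId: string]: TagMap }, logicalId: string, key: string,
): string | undefined {
  const tags = deployed[logicalId];
  return tags ? tags[key] : undefined;
}

// Constructed scenario: one bucket, one queue, a single tag added at stack scope.
function scenario(explicitStackTags: boolean, opts: TagOptions): { [logicalId: string]: TagMap } {
  const stack = newStack([['Bucket', 'AWS::S3::Bucket'], ['Queue', 'AWS::SQS::Queue']]);
  addTagFromStackScope(stack, 'team', 'security', opts, explicitStackTags);
  return tagsAfterDeploy(stack);
}
```

Calling `scenario(false, { excludeResourceTypes: ['AWS::SQS::Queue'] })` shows the queue still tagged after deploy, while the same call with `true` leaves it untagged.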
### Issue # (if applicable)

Closes #34861.

### Reason for this change

Creates CDK constructs for CloudWatch Logs Transformers. Transformers already have CFN constructs and this achieves functional parity.

### Description of changes

Added a `Transformer` construct which is an abstraction over `cfnTransformer`. Created a factory class `ProcessorFactory` with static methods to create each of the 5 overarching types of processors described in https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html, namely: `ParserProcessor`, `VendedLogParser`, `StringMutatorProcessor`, `JsonMutatorProcessor` and `DataConverterProcessor`. These classes implement a `_bind()` method responsible for returning the props expected by CFN constructs for each processor of the respective types. These classes are further split into their processors defined by enums (`ParserProcessorType`, `VendedLogType`, `StringMutatorType`, `JsonMutatorType`, `DataConverterType`) and properties for each processor.

A `Transformer` expects a `transformerConfig` which is a list of processors. Processors can be created using the static methods `createParserProcessor`, `createVendedLogParser`, `createStringMutatorProcessor`, `createJsonMutatorProcessor` and `createDataConverterProcessor` in the `ProcessorFactory`, by passing the type (from the enums defined above) and the relevant props for that processor. `ValidationError` is thrown if the expected/required props are not passed. Further validations are performed for limit breaches or positions of parsers being incorrect.

### Describe any new or updated permissions being added

-

### Description of how you validated changes

Added unit tests for each processor and each validation. Added integ test.

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

None

### Reason for this change

CloudFormation supports configuring a [cache namespace for CodeBuild projects](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-projectcache.html#cfn-codebuild-project-projectcache-cachenamespace). This feature is used for sharing the same cache across multiple projects. https://docs.aws.amazon.com/codebuild/latest/userguide/caching-s3.html#caching-s3-sharing

### Description of changes

- Add `cacheNamespace` to `BucketCacheOptions`

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Add both unit and integ tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-aiops │ └ resources │ └[~] resource AWS::AIOps::InvestigationGroup │ ├ - documentation: Definition of AWS::AIOps::InvestigationGroup Resource Type │ │ + documentation: Creates an *investigation group* in your account. Creating an investigation group is a one-time setup task for each Region in your account. It is a necessary task to be able to perform investigations. │ │ Settings in the investigation group help you centrally manage the common properties of your investigations, such as the following: │ │ - Who can access the investigations │ │ - Whether investigation data is encrypted with a customer managed AWS Key Management Service key. │ │ - How long investigations and their data are retained by default. │ │ Currently, you can have one investigation group in each Region in your account. Each investigation in a Region is a part of the investigation group in that Region │ │ To create an investigation group and set up Amazon Q Developer operational investigations, you must be signed in to an IAM principal that has the either the `AIOpsConsoleAdminPolicy` or the `AdministratorAccess` IAM policy attached, or to an account that has similar permissions. │ │ > You can optionally configure CloudWatch alarms to start investigations and add events to investigations. The examples section on this page demonstrates creating an investigation group and an alarm at the same time. 
│ │ > │ │ > For more information about configuring CloudWatch alarms to work with Amazon Q Developer operational investigations, see │ ├ properties │ │ ├ ChatbotNotificationChannels: (documentation changed) │ │ ├ EncryptionConfig: (documentation changed) │ │ ├ IsCloudTrailEventHistoryEnabled: (documentation changed) │ │ ├ Name: (documentation changed) │ │ ├ RetentionInDays: (documentation changed) │ │ ├ RoleArn: (documentation changed) │ │ ├ TagKeyBoundaries: (documentation changed) │ │ └ Tags: (documentation changed) │ ├ attributes │ │ ├ Arn: (documentation changed) │ │ ├ CreatedAt: (documentation changed) │ │ ├ CreatedBy: (documentation changed) │ │ ├ LastModifiedAt: (documentation changed) │ │ └ LastModifiedBy: (documentation changed) │ └ types │ ├[~] type ChatbotNotificationChannel │ │ └ - documentation: undefined │ │ + documentation: This structure is a string array. The first string is the ARN of a Amazon SNS topic. The array of strings display the ARNs of Amazon Q in chat applications configurations that are associated with that topic. For more information about these configuration ARNs, see [Getting started with Amazon Q in chat applications](https://docs.aws.amazon.com/chatbot/latest/adminguide/getting-started.html) and [Resource type defined by AWS Chatbot](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awschatbot.html#awschatbot-resources-for-iam-policies) . 
│ └[~] type EncryptionConfigMap │ └ properties │ └ KmsKeyId: (documentation changed) ├[~] service aws-arczonalshift │ └ resources │ └[~] resource AWS::ARCZonalShift::ZonalAutoshiftConfiguration │ └ types │ └[~] type PracticeRunConfiguration │ └ properties │ └ BlockedWindows: (documentation changed) ├[~] service aws-cassandra │ └ resources │ └[~] resource AWS::Cassandra::Table │ ├ properties │ │ └ CdcSpecification: (documentation changed) │ └ types │ └[~] type CdcSpecification │ ├ - documentation: Represents the CDC configuration for the table │ │ + documentation: The settings for the CDC stream of a table. For more information about CDC streams, see [Working with change data capture (CDC) streams in Amazon Keyspaces](https://docs.aws.amazon.com/keyspaces/latest/devguide/cdc.html) in the *Amazon Keyspaces Developer Guide* . │ └ properties │ ├ Status: (documentation changed) │ └ ViewType: (documentation changed) ├[~] service aws-cloudformation │ └ resources │ ├[~] resource AWS::CloudFormation::HookDefaultVersion │ │ └ attributes │ │ └ Arn: (documentation changed) │ ├[~] resource AWS::CloudFormation::HookTypeConfig │ │ └ attributes │ │ └ ConfigurationArn: (documentation changed) │ ├[~] resource AWS::CloudFormation::Macro │ │ └ attributes │ │ └ Id: (documentation changed) │ ├[~] resource AWS::CloudFormation::Stack │ │ ├ - documentation: The `AWS::CloudFormation::Stack` resource nests a stack as a resource in a top-level template. For more information, see [Nested stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html) in the *AWS CloudFormation User Guide* . │ │ │ You can add output values from a nested stack within the containing template. You use the [GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html) function with the nested stack's logical name and the name of the output value in the nested stack in the format `Outputs. *NestedStackOutputName*` . 
│ │ │ We strongly recommend that updates to nested stacks are run from the parent stack. │ │ │ When you apply template changes to update a top-level stack, CloudFormation updates the top-level stack and initiates an update to its nested stacks. CloudFormation updates the resources of modified nested stacks, but doesn't update the resources of unmodified nested stacks. │ │ │ For stacks that contain IAM resources, you must acknowledge IAM capabilities. Also, make sure that you have cancel update stack permissions, which are required if an update rolls back. For more information about IAM and CloudFormation , see [Controlling access with AWS Identity and Access Management](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/control-access-with-iam.html) in the *AWS CloudFormation User Guide* . │ │ │ > A subset of `AWS::CloudFormation::Stack` resource type properties listed below are available to customers using CloudFormation , AWS CDK , and Cloud Control to configure. │ │ │ > │ │ │ > - `NotificationARNs` │ │ │ > - `Parameters` │ │ │ > - `Tags` │ │ │ > - `TemplateURL` │ │ │ > - `TimeoutInMinutes` │ │ │ > │ │ │ > These properties can be configured only when using Cloud Control . This is because the below properties are set by the parent stack, and thus cannot be configured using CloudFormation or AWS CDK but only Cloud Control . │ │ │ > │ │ │ > - `Capabilities` │ │ │ > - `Description` │ │ │ > - `DisableRollback` │ │ │ > - `EnableTerminationProtection` │ │ │ > - `RoleARN` │ │ │ > - `StackName` │ │ │ > - `StackPolicyBody` │ │ │ > - `StackPolicyURL` │ │ │ > - `StackStatusReason` │ │ │ > - `TemplateBody` │ │ │ > │ │ │ > Customers that configure `AWS::CloudFormation::Stack` using CloudFormation and AWS CDK can do so for nesting a CloudFormation stack as a resource in their top-level template. │ │ │ > │ │ │ > These read-only properties can be accessed only when using Cloud Control . 
│ │ │ > │ │ │ > - `ChangeSetId` │ │ │ > - `CreationTime` │ │ │ > - `LastUpdateTime` │ │ │ > - `Outputs` │ │ │ > - `ParentId` │ │ │ > - `RootId` │ │ │ > - `StackId` │ │ │ > - `StackStatus` │ │ │ + documentation: The `AWS::CloudFormation::Stack` resource nests a stack as a resource in a top-level template. For more information, see [Nested stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html) in the *AWS CloudFormation User Guide* . │ │ │ You can add output values from a nested stack within the containing template. You use the [GetAtt](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html) function with the nested stack's logical name and the name of the output value in the nested stack in the format `Outputs. *NestedStackOutputName*` . │ │ │ We strongly recommend that updates to nested stacks are run from the parent stack. │ │ │ When you apply template changes to update a top-level stack, CloudFormation updates the top-level stack and initiates an update to its nested stacks. CloudFormation updates the resources of modified nested stacks, but doesn't update the resources of unmodified nested stacks. │ │ │ For stacks that contain IAM resources, you must acknowledge IAM capabilities. Also, make sure that you have cancel update stack permissions, which are required if an update rolls back. For more information about IAM and CloudFormation , see [Controlling access with AWS Identity and Access Management](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/control-access-with-iam.html) in the *AWS CloudFormation User Guide* . │ │ │ > A subset of `AWS::CloudFormation::Stack` resource type properties listed below are available to customers using CloudFormation , AWS CDK , and Cloud Control to configure. 
│ │ │ > │ │ │ > - `NotificationARNs` │ │ │ > - `Parameters` │ │ │ > - `Tags` │ │ │ > - `TemplateURL` │ │ │ > - `TimeoutInMinutes` │ │ │ > │ │ │ > These properties can be configured only when using Cloud Control . This is because the below properties are set by the parent stack, and thus cannot be configured using CloudFormation or AWS CDK but only Cloud Control . │ │ │ > │ │ │ > - `Capabilities` │ │ │ > - `Description` │ │ │ > - `DisableRollback` │ │ │ > - `EnableTerminationProtection` │ │ │ > - `RoleARN` │ │ │ > - `StackName` │ │ │ > - `StackPolicyBody` │ │ │ > - `StackPolicyURL` │ │ │ > - `StackStatusReason` │ │ │ > - `TemplateBody` │ │ │ > │ │ │ > Customers that configure `AWS::CloudFormation::Stack` using CloudFormation and AWS CDK can do so for nesting a CloudFormation stack as a resource in their top-level template. │ │ │ > │ │ │ > These read-only properties can be accessed only when using Cloud Control . │ │ │ > │ │ │ > - `ChangeSetId` │ │ │ > - `CreationTime` │ │ │ > - `LastUpdateTime` │ │ │ > - `Outputs` │ │ │ > - `ParentId` │ │ │ > - `RootId` │ │ │ > - `StackId` │ │ │ > - `StackStatus` │ │ └ attributes │ │ ├ ChangeSetId: (documentation changed) │ │ └ CreationTime: (documentation changed) │ ├[~] resource AWS::CloudFormation::StackSet │ │ ├ - documentation: The `AWS::CloudFormation::StackSet` resource enables you to provision stacks into AWS accounts and across Regions by using a single CloudFormation template. In the stack set, you specify the template to use, in addition to any parameters and capabilities that the template requires. │ │ │ > Run deployments to nested StackSets from the parent stack, not directly through the StackSet API. │ │ │ + documentation: The `AWS::CloudFormation::StackSet` resource contains information about a StackSet. With StackSets, you can provision stacks across AWS accounts and Regions from a single CloudFormation template. 
Each stack is based on the same CloudFormation template, but you can customize individual stacks using parameters. │ │ │ > Run deployments to nested StackSets from the parent stack, not directly through the StackSet API. │ │ ├ properties │ │ │ ├ AdministrationRoleARN: (documentation changed) │ │ │ ├ CallAs: (documentation changed) │ │ │ ├ Capabilities: (documentation changed) │ │ │ ├ Description: (documentation changed) │ │ │ ├ ExecutionRoleName: (documentation changed) │ │ │ ├ ManagedExecution: (documentation changed) │ │ │ ├ OperationPreferences: (documentation changed) │ │ │ ├ Parameters: (documentation changed) │ │ │ ├ PermissionModel: (documentation changed) │ │ │ └ StackSetName: (documentation changed) │ │ ├ attributes │ │ │ └ StackSetId: (documentation changed) │ │ └ types │ │ ├[~] type DeploymentTargets │ │ │ └ - documentation: The AWS OrganizationalUnitIds or Accounts for which to create stack instances in the specified Regions. │ │ │ + documentation: The AWS `OrganizationalUnitIds` or `Accounts` for which to create stack instances in the specified Regions. │ │ ├[~] type ManagedExecution │ │ │ └ properties │ │ │ └ Active: (documentation changed) │ │ ├[~] type OperationPreferences │ │ │ ├ - documentation: The user-specified preferences for how CloudFormation performs a stack set operation. For more information on maximum concurrent accounts and failure tolerance, see [Stack set operation options](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html#stackset-ops-options) in the *AWS CloudFormation User Guide* . │ │ │ │ + documentation: The user-specified preferences for how CloudFormation performs a StackSet operation. For more information on maximum concurrent accounts and failure tolerance, see [StackSet operation options](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html#stackset-ops-options) in the *AWS CloudFormation User Guide* . 
│ │ │ └ properties │ │ │ └ ConcurrencyMode: (documentation changed) │ │ └[~] type StackInstances │ │ └ properties │ │ └ ParameterOverrides: (documentation changed) │ ├[~] resource AWS::CloudFormation::WaitCondition │ │ ├ - documentation: The `AWS::CloudFormation::WaitCondition` resource provides a way to coordinate stack resource creation with configuration actions that are external to the stack creation or to track the status of a configuration process. In these situations, we recommend that you associate a `CreationPolicy` attribute with the wait condition instead of using a wait condition handle. For more information and an example, see [CreationPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-creationpolicy.html) in the *AWS CloudFormation User Guide* . If you use a `CreationPolicy` with a wait condition, don't specify any of the wait condition's properties. │ │ │ > If you use AWS PrivateLink , resources in the VPC that respond to wait conditions must have access to CloudFormation , specific Amazon S3 buckets. Resources must send wait condition responses to a presigned Amazon S3 URL. If they can't send responses to Amazon S3 , CloudFormation won't receive a response and the stack operation fails. For more information, see [Access CloudFormation using an interface endpoint ( AWS PrivateLink )](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/vpc-interface-endpoints.html) in the *AWS CloudFormation User Guide* . > For Amazon EC2 and Auto Scaling resources, we recommend that you use a `CreationPolicy` attribute instead of wait conditions. Add a `CreationPolicy` attribute to those resources, and use the `cfn-signal` helper script to signal when an instance creation process has completed successfully. 
│ │ │ + documentation: The `AWS::CloudFormation::WaitCondition` resource provides a way to coordinate stack resource creation with configuration actions that are external to the stack creation or to track the status of a configuration process. In these situations, we recommend that you associate a `CreationPolicy` attribute with the wait condition instead of using a wait condition handle. For more information and an example, see [CreationPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-attribute-creationpolicy.html) in the *AWS CloudFormation User Guide* . If you use a `CreationPolicy` with a wait condition, don't specify any of the wait condition's properties. │ │ │ > If you use AWS PrivateLink , resources in the VPC that respond to wait conditions must have access to CloudFormation , specific Amazon S3 buckets. Resources must send wait condition responses to a presigned Amazon S3 URL. If they can't send responses to Amazon S3 , CloudFormation won't receive a response and the stack operation fails. For more information, see [Access CloudFormation using an interface endpoint ( AWS PrivateLink )](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/vpc-interface-endpoints.html) in the *AWS CloudFormation User Guide* . > For Amazon EC2 and Auto Scaling resources, we recommend that you use a `CreationPolicy` attribute instead of wait conditions. Add a `CreationPolicy` attribute to those resources, and use the `cfn-signal` helper script to signal when an instance creation process has completed successfully. 
│ │ └ attributes │ │ └ Id: (documentation changed) │ └[~] resource AWS::CloudFormation::WaitConditionHandle │ └ attributes │ └ Id: (documentation changed) ├[~] service aws-cloudfront │ └ resources │ └[~] resource AWS::CloudFront::Distribution │ └ types │ └[~] type DistributionConfig │ └ properties │ ├ ConnectionMode: (documentation changed) │ └ WebACLId: (documentation changed) ├[~] service aws-datasync │ └ resources │ └[~] resource AWS::DataSync::LocationEFS │ └ types │ └[~] type Ec2Config │ └ properties │ └ SubnetArn: (documentation changed) ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::CustomerGateway │ │ └ properties │ │ └ IpAddress: (documentation changed) │ └[~] resource AWS::EC2::VPNConnection │ └ properties │ └ OutsideIpAddressType: (documentation changed) ├[~] service aws-ecs │ └ resources │ └[~] resource AWS::ECS::TaskDefinition │ └ types │ └[~] type InferenceAccelerator │ ├ - documentation: Details on an Elastic Inference accelerator. For more information, see [Working with Amazon Elastic Inference on Amazon ECS](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-inference.html) in the *Amazon Elastic Container Service Developer Guide*. │ │ + documentation: undefined │ └ properties │ ├ DeviceName: (documentation changed) │ └ DeviceType: (documentation changed) ├[~] service aws-fsx │ └ resources │ └[~] resource AWS::FSx::FileSystem │ ├ properties │ │ ├ KmsKeyId: (documentation changed) │ │ ├ LustreConfiguration: (documentation changed) │ │ ├ OntapConfiguration: (documentation changed) │ │ ├ OpenZFSConfiguration: (documentation changed) │ │ └ WindowsConfiguration: (documentation changed) │ └ types │ ├[~] type DataReadCacheConfiguration │ │ ├ - documentation: undefined │ │ │ + documentation: The configuration for the optional provisioned SSD read cache on Amazon FSx for Lustre file systems that use the Intelligent-Tiering storage class. 
│ │ └ properties │ │ ├ SizeGiB: (documentation changed) │ │ └ SizingMode: (documentation changed) │ ├[~] type LustreConfiguration │ │ └ properties │ │ ├ DataReadCacheConfiguration: (documentation changed) │ │ ├ EfaEnabled: (documentation changed) │ │ ├ MetadataConfiguration: (documentation changed) │ │ └ ThroughputCapacity: (documentation changed) │ ├[~] type MetadataConfiguration │ │ ├ - documentation: undefined │ │ │ + documentation: The configuration that allows you to specify the performance of metadata operations for an FSx for Lustre file system. │ │ └ properties │ │ ├ Iops: (documentation changed) │ │ └ Mode: (documentation changed) │ └[~] type OpenZFSConfiguration │ └ properties │ └ ThroughputCapacity: (documentation changed) ├[~] service aws-glue │ └ resources │ └[~] resource AWS::Glue::Job │ └ properties │ └ WorkerType: (documentation changed) ├[~] service aws-imagebuilder │ └ resources │ └[~] resource AWS::ImageBuilder::Workflow │ └ properties │ └ Tags: - Map<string, string> (immutable) │ + Map<string, string> ├[~] service aws-kinesis │ └ resources │ └[~] resource AWS::Kinesis::StreamConsumer │ ├ properties │ │ └ Tags: (documentation changed) │ └ attributes │ └[-] Id: string ├[~] service aws-odb │ └ resources │ ├[~] resource AWS::ODB::CloudAutonomousVmCluster │ │ ├ - documentation: The AWS::ODB::CloudAutonomousVmCluster resource creates a Cloud Autonomous VM Cluster │ │ │ + documentation: The `AWS::ODB::CloudAutonomousVmCluster` resource creates an Autonomous VM cluster. An Autonomous VM cluster provides the infrastructure for running Autonomous Databases. 
│ │ └ properties │ │ ├ AutonomousDataStorageSizeInTBs: (documentation changed) │ │ ├ CloudExadataInfrastructureId: (documentation changed) │ │ ├ CpuCoreCountPerNode: (documentation changed) │ │ ├ DisplayName: (documentation changed) │ │ ├ IsMtlsEnabledVmCluster: (documentation changed) │ │ ├ LicenseModel: (documentation changed) │ │ ├ MemoryPerOracleComputeUnitInGBs: (documentation changed) │ │ ├ OdbNetworkId: (documentation changed) │ │ ├ Tags: (documentation changed) │ │ └ TotalContainerDatabases: (documentation changed) │ ├[~] resource AWS::ODB::CloudExadataInfrastructure │ │ ├ - documentation: The AWS::ODB::CloudExadataInfrastructure resource creates an Exadata Infrastructure │ │ │ + documentation: The `AWS::ODB::CloudExadataInfrastructure` resource creates an Exadata infrastructure. An Exadata infrastructure provides the underlying compute and storage resources for Oracle Database workloads. │ │ └ properties │ │ ├ AvailabilityZone: (documentation changed) │ │ ├ AvailabilityZoneId: (documentation changed) │ │ ├ ComputeCount: (documentation changed) │ │ ├ DatabaseServerType: (documentation changed) │ │ ├ DisplayName: (documentation changed) │ │ ├ Shape: (documentation changed) │ │ ├ StorageCount: (documentation changed) │ │ └ StorageServerType: (documentation changed) │ ├[~] resource AWS::ODB::CloudVmCluster │ │ ├ - documentation: The AWS::ODB::CloudVmCluster resource creates a Cloud VM Cluster │ │ │ + documentation: The `AWS::ODB::CloudVmCluster` resource creates a VM cluster on the specified Exadata infrastructure in the Oracle Database. A VM cluster provides the compute resources for Oracle Database workloads. 
│ │ ├ properties │ │ │ ├ CloudExadataInfrastructureId: (documentation changed) │ │ │ ├ CpuCoreCount: (documentation changed) │ │ │ ├ DataCollectionOptions: (documentation changed) │ │ │ ├ DisplayName: (documentation changed) │ │ │ ├ GiVersion: (documentation changed) │ │ │ ├ Hostname: (documentation changed) │ │ │ ├ IsLocalBackupEnabled: (documentation changed) │ │ │ ├ IsSparseDiskgroupEnabled: (documentation changed) │ │ │ ├ OdbNetworkId: (documentation changed) │ │ │ ├ ScanListenerPortTcp: (documentation changed) │ │ │ └ SshPublicKeys: (documentation changed) │ │ ├ attributes │ │ │ └ DiskRedundancy: (documentation changed) │ │ └ types │ │ └[~] type DataCollectionOptions │ │ └ properties │ │ ├ IsDiagnosticsEventsEnabled: (documentation changed) │ │ ├ IsHealthMonitoringEnabled: (documentation changed) │ │ └ IsIncidentLogsEnabled: (documentation changed) │ └[~] resource AWS::ODB::OdbNetwork │ ├ - documentation: The AWS::ODB::OdbNetwork resource creates an ODB Network │ │ + documentation: The `AWS::ODB::OdbNetwork` resource creates an ODB network. An ODB network provides the networking foundation for Oracle Database resources. 
│ └ properties │ ├ AvailabilityZone: (documentation changed) │ ├ AvailabilityZoneId: (documentation changed) │ ├ ClientSubnetCidr: (documentation changed) │ ├ DeleteAssociatedResources: (documentation changed) │ └ DisplayName: (documentation changed) ├[~] service aws-quicksight │ └ resources │ └[~] resource AWS::QuickSight::CustomPermissions │ └ types │ └[~] type Capabilities │ └ properties │ ├ ExportToCsvInScheduledReports: (documentation changed) │ ├ ExportToExcelInScheduledReports: (documentation changed) │ ├ ExportToPdf: (documentation changed) │ ├ ExportToPdfInScheduledReports: (documentation changed) │ ├ IncludeContentInScheduledReportsEmail: (documentation changed) │ └ PrintReports: (documentation changed) ├[~] service aws-s3tables │ └ resources │ └[~] resource AWS::S3Tables::Table │ ├ - documentation: Resource Type definition for AWS::S3Tables::Table │ │ + documentation: Creates a new table associated with the given namespace in a table bucket. For more information, see [Creating an Amazon S3 table](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-create.html) in the *Amazon Simple Storage Service User Guide* . │ │ - **Permissions** - - You must have the `s3tables:CreateTable` permission to use this operation. │ │ - If you use this operation with the optional `metadata` request parameter you must have the `s3tables:PutTableData` permission. │ │ - If you use this operation with the optional `encryptionConfiguration` request parameter you must have the `s3tables:PutTableEncryption` permission. │ │ > Additionally, If you choose SSE-KMS encryption you must grant the S3 Tables maintenance principal access to your KMS key. For more information, see [Permissions requirements for S3 Tables SSE-KMS encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-permissions.html) . 
│ ├ properties │ │ └ Namespace: (documentation changed) │ ├ attributes │ │ └ TableARN: (documentation changed) │ └ types │ ├[~] type IcebergSchema │ │ └ - documentation: Contains details about the schema for an Iceberg table │ │ + documentation: Contains details about the schema for an Iceberg table. │ └[~] type SchemaField │ ├ - documentation: Contains details about the schema for an Iceberg table │ │ + documentation: Contains details about a schema field. │ └ properties │ ├ Name: (documentation changed) │ ├ Required: (documentation changed) │ └ Type: (documentation changed) ├[~] service aws-sagemaker │ └ resources │ └[~] resource AWS::SageMaker::Domain │ └ types │ └[~] type UnifiedStudioSettings │ └ properties │ └[+] SingleSignOnApplicationArn: string └[~] service aws-transfer └ resources └[~] resource AWS::Transfer::Connector └ types └[~] type SftpConfig └ properties └[+] MaxConcurrentConnections: integer (default=1) ```
…nation (#34738)
### Issue # (if applicable)
Closes #34737.
### Reason for this change
Amazon Data Firehose supports configuring the time zone of timestamps in the S3 object prefix. For details, see https://docs.aws.amazon.com/firehose/latest/dev/s3-prefixes.html#timestamp-namespace
### Description of changes
Added the `timeZone` prop to `S3BucketProps` interface to set `ExtendedS3Destination.CustomTimeZone`.
Note: Not in `CommonProps` since only `ExtendedS3DestinationConfiguration` supports time zone.
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
Unit test and integ test. I've confirmed that setting timeZone is reflected in Firehose's console.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Reverts #34863 This PR is being reverted because it introduced new enums containing quotes, which exposed a bug in our construct-metadata-updater package. The bug caused the release build to fail. Since we need to ship a P0 fix in the upcoming release, we're temporarily reverting this PR while we develop a proper long-term solution for handling quoted enum values in the construct-metadata-updater.
… logging off by default
### Issue # (if applicable)
Closes #<issue number here>.
### Reason for this change
DeliveryStream creates a new iam.Role on every reference to grantPrincipal, so we get the error `There is already a Construct with name 'Service Role' in DeliveryStream [Delivery Stream Multiple]`. This is easy to reproduce if you use deliveryStream with multiple `grantXXX` methods.
This is the test result before the fix.
```
yarn test aws-kinesisfirehose/test/delivery-stream.test.ts -t
"multiple calls to grantPrincipal should return the same instance of IAM role"
yarn run v1.22.22
$ jest aws-kinesisfirehose/test/delivery-stream.test.ts -t 'multiple calls to grantPrincipal should return the same instance of IAM role'
ts-jest[config] (WARN)
The "ts-jest" config option "isolatedModules" is deprecated and will be removed in v30.0.0. Please use "isolatedModules: true" in /workspaces/aws-cdk/packages/aws-cdk-lib/tsconfig.json instead, see https://www.typescriptlang.org/tsconfig/#isolatedModules
FAIL aws-kinesisfirehose/test/delivery-stream.test.ts
delivery stream
✕ multiple calls to grantPrincipal should return the same instance of IAM role (45 ms)
○ other tests...
● delivery stream › multiple calls to grantPrincipal should return the same instance of IAM role
expect(received).not.toThrow()
Error name: "Error"
Error message: "There is already a Construct with name 'Service Role' in DeliveryStream [Delivery Stream Multiple]"
155 |
156 | constructor(scope: Construct, id: string, props: ResourceProps = {}) {
> 157 | super(scope, id);
| ^
158 |
159 | if ((props.account !== undefined || props.region !== undefined) && props.environmentFromArn !== undefined) {
160 | throw new ValidationError(`Supply at most one of 'account'/'region' (${props.account}/${props.region}) and 'environmentFromArn' (${props.environmentFromArn})`, this);
at Node.addChild (../../node_modules/constructs/src/construct.ts:430:13)
at new Node (../../node_modules/constructs/src/construct.ts:71:17)
at new Construct (../../node_modules/constructs/src/construct.ts:482:17)
at new Resource (core/lib/resource.ts:157:5)
at new Role (aws-iam/lib/role.ts:472:5)
at new Role (core/lib/prop-injectable.ts:36:7)
at WrappedClass.get grantPrincipal [as grantPrincipal] (aws-kinesisfirehose/lib/delivery-stream.ts:320:26)
at aws-kinesisfirehose/test/delivery-stream.test.ts:410:33
at Object.<anonymous> (../../node_modules/expect/build/toThrowMatchers.js:74:11)
at Object.throwingMatcher [as toThrow] (../../node_modules/expect/build/index.js:320:21)
at Object.<anonymous> (aws-kinesisfirehose/test/delivery-stream.test.ts:410:53)
408 | });
409 | const principal = deliveryStream.grantPrincipal;
> 410 | expect(() => deliveryStream.grantPrincipal).not.toThrow();
| ^
411 | expect(deliveryStream.grantPrincipal).toBe(principal);
412 | });
413 |
at Object.<anonymous> (aws-kinesisfirehose/test/delivery-stream.test.ts:410:53)
```
### Description of changes
I changed the grantPrincipal implementation from creating a new iam.Role on every reference to creating a new iam.Role only on the first reference.
### Describe any new or updated permissions being added
None.
### Description of how you validated changes
Create the new unit test.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
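The failure and the fix described in this commit message, reduced to a stand-alone sketch. This is an added example, not code from the PR or from aws-cdk-lib: `Scope`, `Role`, `EagerStream` and `LazyStream` are hypothetical stand-ins, and `Scope` only imitates the unique-child-id rule that produces the error quoted above.

```typescript
// Stand-in for a construct scope: child ids must be unique within a scope.
// (Assumption: this models only the duplicate-id check, nothing else.)
class Scope {
  readonly id: string;
  private readonly children = new Map<string, object>();

  constructor(id: string) {
    this.id = id;
  }

  addChild(childId: string, child: object): void {
    if (this.children.has(childId)) {
      throw new Error(`There is already a Construct with name '${childId}' in ${this.id}`);
    }
    this.children.set(childId, child);
  }
}

// Stand-in for iam.Role: constructing it registers it under its scope.
class Role {
  readonly id: string;

  constructor(scope: Scope, id: string) {
    this.id = id;
    scope.addChild(id, this);
  }
}

// Before the fix: every read of grantPrincipal constructs another Role
// under the same id, so the second read throws.
class EagerStream extends Scope {
  get grantPrincipal(): Role {
    return new Role(this, 'Service Role');
  }
}

// After the fix: the Role is created on the first read and reused.
class LazyStream extends Scope {
  private role?: Role;

  get grantPrincipal(): Role {
    if (this.role === undefined) {
      this.role = new Role(this, 'Service Role');
    }
    return this.role;
  }
}

// Reads grantPrincipal twice, as two grantXXX calls would, and reports
// whether both reads returned the same Role instance.
function readTwice(stream: { readonly grantPrincipal: Role }): { same: boolean; error?: string } {
  const first = stream.grantPrincipal;
  try {
    return { same: stream.grantPrincipal === first };
  } catch (e) {
    return { same: false, error: e instanceof Error ? e.message : String(e) };
  }
}

const scopeName = 'DeliveryStream [Delivery Stream Multiple]';
console.log(readTwice(new EagerStream(scopeName)));
console.log(readTwice(new LazyStream(scopeName)));
```

Reusing one role also means every grant attaches to the same principal, so the permissions granted to the stream stay reviewable in one place.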
…ta (#34916)
### Issue #22843
Closes #22843.
### Reason for this change
The s3-deployment construct implementation had its own implementation of resolving references. This is unnecessary as these references should be resolved in the synthesis stage. Furthermore, this implementation did not support cross-stack references.
### Description of changes
The construct will now pass the tokens as is and let the app synthesis take care of resolving the references instead as expected. Non-tokens will not use markers.
Note: Credits to @smnrd who has written the reproduction steps here: #22843 This has helped in writing the nested stack integration test.
### Describe any new or updated permissions being added
No new permissions are added.
### Description of how you validated changes
Unit tests, integration tests, and manually via the AWS console.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
Closes #34861.
### Reason for this change
Creates CDK constructs for CloudWatch Logs Transformers. Transformers already have CFN constructs and this achieves functional parity.
### Description of changes
Added a `Transformer` construct which is an abstraction over `cfnTransformer`. Created a factory class `ProcessorFactory` with static methods to create each of the 5 overarching types of processors described in https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html, namely: `ParserProcessor`, `VendedLogParser`, `StringMutatorProcessor`, `JsonMutatorProcessor` and `DataConverterProcessor`.
These classes implement a `_bind()` method responsible for returning the props expected by CFN constructs for each processor of the respective types. These classes are further split into their processors defined by enums (`ParserProcessorType`, `VendedLogType`, `StringMutatorType`, `JsonMutatorType`, `DataConverterType`) and properties for each processor.
A `Transformer` expects a `transformerConfig` which is a list of processors. Processors can be created using the static methods `createParserProcessor`, `createVendedLogParser`, `createStringMutatorProcessor`, `createJsonMutatorProcessor` and `createDataConverterProcessor` in the `ProcessorFactory`, by passing the type (from the enums defined above) and the relevant props for that processor.
`ValidationError` is thrown if the expected/required props are not passed. Further validations are performed for limit breaches or positions of parsers being incorrect.
### Describe any new or updated permissions being added
-
### Description of how you validated changes
Added unit tests for each processor and each validation. Added integ test.
### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Notes
This recreates #34863 that was reverted #34984
…aunch template (#34832)
This patch adds an option to run validation when migrating to launch template, which checks if UpdatePolicy is specified.
### Issue # (if applicable)
Closes #34283.
### Reason for this change
To make migration to Launch Template safer.
### Description of changes
This change introduces an option flag to check whether or not UpdatePolicy is specified. As enforcing UpdatePolicy, existing EC2 instances based on Launch Configuration are terminated, and new EC2 instances based on Launch Template are launched, which always references IAM instance profile defined by Launch Template.
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
Added a unit test and integration test.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
Closes #34743
### Reason for this change
Database insights for Aurora Cluster was previously implemented in #32851. Database insights is also supported for RDS instances, but the current L2 construct does not support it.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Database-Insights.html
### Description of changes
- Add databaseInsightsMode property to DatabaseInstance class
- Consolidate validation logic by creating a shared validation module that works for both cluster and instance types
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
Add unit tests and integ tests.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
Closes #<issue number here>.
### Reason for this change
This change adds comprehensive support for Amazon Bedrock Prompt Management to the aws-bedrock-alpha package.
### Description of changes
Amazon Bedrock Prompt Management allows users to create, save, and version prompts to streamline AI workflows and ensure consistent prompt usage across different applications.
**Prompt Construct** : Main construct for creating and managing Bedrock prompts with support for multiple variants.
**Prompt Variants**: Three types of prompt variants:
- `TextPromptVariant`: Simple text-based prompts with variable substitution
- `ChatPromptVariant`: Conversational prompts supporting system messages, message history, and tool configurations
- `AgentPromptVariant`: Prompts designed for integration with Bedrock Agents

**Prompt Versioning** : `PromptVersion` construct for creating immutable snapshots of prompts
**Tool Configuration** : Support for tool choice and tool specifications in chat prompts
**Prompt Routing** : Integration with Amazon Bedrock intelligent prompt routing for cost optimization
### Describe any new or updated permissions being added
`bedrock:GetPrompt` - Required to retrieve prompt details (granted via `grantGet()` method)
### Description of how you validated changes
Added Unit test and Integration test.
### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
Related to #34863.
### Reason for this change
Because the linked PR contains quotes inside the enum values, the metadata updater produces invalid typescript code: see fe7e986
### Description of changes
This change fixes the handling of the cases:
- Single quotes inside an enum value: `'\''`, instead of being translated to `'''` (which is not valid typescript), will be escaped properly.
- Double quotes inside an enum value: `'"'` will get translated to `'\''` (which is valid typescript but not what we expect), will be escaped properly.
### Description of how you validated changes
Ran the GitHub workflow in my account, and then built the created PR and ran unit+integ tests
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
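The quoting problem this commit message describes, as an added example that is not the construct-metadata-updater's own code: a generator that writes enum values into single-quoted TypeScript literals has to escape them, and the emitted text should parse back to the original value. The function names and sample values are hypothetical and constructed here; the example goes beyond the two quote cases in the message by also covering backslashes and line terminators.

```typescript
// Naive emitter: wraps the value in single quotes with no escaping.
function naiveLiteral(value: string): string {
  return `'${value}'`;
}

// Characters that cannot appear raw inside a single-quoted literal,
// mapped to their escaped source form.
const ESCAPES: Record<string, string> = {
  '\\': '\\\\',
  "'": "\\'",
  '\n': '\\n',
  '\r': '\\r',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// Escaping emitter: returns source text for a single-quoted string literal.
function toSingleQuotedLiteral(value: string): string {
  return "'" + value.replace(/[\\'\n\r\u2028\u2029]/g, (ch) => ESCAPES[ch] ?? ch) + "'";
}

// Parses emitted source text with the JavaScript parser and returns the
// string it denotes, or undefined when the text is not a valid string
// expression. It is only fed the constructed samples below.
function parseLiteral(source: string): string | undefined {
  try {
    const value: unknown = new Function(`return (${source});`)();
    return typeof value === 'string' ? value : undefined;
  } catch {
    return undefined;
  }
}

// True when the emitted literal is valid and denotes exactly the input.
function roundTrips(emit: (v: string) => string, value: string): boolean {
  return parseLiteral(emit(value)) === value;
}

// Constructed sample enum values: the two quote cases from the commit
// message plus mixed quotes and a backslash.
const SAMPLES: string[] = ["'", '"', "it's", 'say "hi"', 'C:\\new'];

// One row per sample: does each emitter produce text that round-trips?
function checkSamples(): { value: string; naive: boolean; escaped: boolean }[] {
  return SAMPLES.map((value) => ({
    value,
    naive: roundTrips(naiveLiteral, value),
    escaped: roundTrips(toSingleQuotedLiteral, value),
  }));
}

console.log(checkSamples());
```

The backslash sample is the quiet failure: the naive output still compiles, but it denotes a different string, so a build that passes is not evidence that the generated values are right.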
aws-cdk-automation
left a comment
The pull request linter fails with the following errors:
❌ Manual changes to the classes.ts file are not allowed.
❌ Manual changes to the enums.ts file are not allowed.
❌ Manual changes to the module-enums.json file are not allowed.
❌ Manual changes to the module-enumlikes.json file are not allowed.
If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.
Comments on closed issues and PRs are hard for our team to see.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository
Issue # (if applicable)
Closes #.
Reason for this change
Description of changes
Describe any new or updated permissions being added
Description of how you validated changes
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license