
@aws-cdk-automation aws-cdk-automation commented Sep 2, 2025

See CHANGELOG

pahud and others added 30 commits August 20, 2025 13:26
…llOnly managed policy (#35248)

### Issue

Closes #35244

### Problem Statement

The current KubectlProvider implementation uses the AmazonEC2ContainerRegistryReadOnly managed policy for ECR access, which has two key limitations:

1. Too broad: Includes unnecessary permissions like ecr:ListImages that kubectl doesn't require
2. Too narrow: Missing the ecr:BatchImportUpstreamImage action required for ECR pull-through cache functionality

This prevents users from leveraging ECR pull-through caches when installing Helm charts from ECR repositories via the CDK.

### Solution

Replace `AmazonEC2ContainerRegistryReadOnly` with `AmazonEC2ContainerRegistryPullOnly` in the KubectlProvider's IAM role. The `AmazonEC2ContainerRegistryPullOnly` policy:

• Provides the exact permissions needed for container image pulling
• Includes support for ecr:BatchImportUpstreamImage enabling pull-through cache functionality
• Follows the principle of least privilege by removing unnecessary permissions

### Changes Made

• Updated kubectl-provider.ts to use AmazonEC2ContainerRegistryPullOnly instead of AmazonEC2ContainerRegistryReadOnly
• Regenerated integration test snapshots to reflect the policy change across all affected EKS test cases

### Impact

• **Enables ECR pull-through cache support** for Helm chart installations via kubectl
• **Improves security posture** by applying principle of least privilege
• **Maintains backward compatibility** - all existing functionality continues to work
• **No breaking changes** - this is a drop-in replacement with enhanced capabilities

### Testing

• All existing integration tests pass with updated snapshots
• The change affects multiple EKS integration test scenarios including ALB controller, custom addons, and various node group configurations
• Verified that the new policy provides all necessary permissions for kubectl operations

### References

• [AmazonEC2ContainerRegistryPullOnly Policy Documentation](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2ContainerRegistryPullOnly.html)
• [AmazonEC2ContainerRegistryReadOnly Policy Documentation](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2ContainerRegistryReadOnly.html)


---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
### Issue # (if applicable)

Closes #34707 

### Reason for this change

Set a subscription filter with `exists` set to `false` for a property.

### Description of changes

Add new `notExistsCondition()` method.

### Describe any new or updated permissions being added

None.


### Description of how you validated changes

Extended existing integration test.

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
#34859)

### Issue #15891

Closes #15891.

### Reason for this change

To fix intermittent CreateInvalidation errors and wait errors when attempting to invalidate the CloudFront cache.

### Description of changes

- Modified retry strategy of Cloudfront client to help with intermittent CreateInvalidation errors.

### Describe any new or updated permissions being added

No permissions added.

### Description of how you validated changes

Ran `/packages/@aws-cdk/custom-resource-handlers/test/aws-s3-deployment/bucket-deployment-handler/test.sh` successfully.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…#35223)

### Issue # (if applicable)
Related to #33054 

### Reason for this change

This PR includes backward-compatible changes being made to add L2 support for the [CfnTable](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3tables.CfnTable.html) and [CfnTablePolicy](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3tables.CfnTablePolicy.html) constructs with a consistent user interface, recommended defaults, and in-built validations for managing Table level IAM resource policies.

### Description of changes

**New L2 Construct**: TablePolicy: defines an underlying [CfnTablePolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3tables-tablepolicy.html) resource

**New methods added to Table construct**:
- `addToResourcePolicy`: Attaches a policy statement to the Table's IAM policy
- `grantRead`: Grants read access to the table for the given principal
- `grantWrite`: Grants write access to the table for the given principal
- `grantReadWrite`: Grants read and write access to the table for the given principal

### Describe any new or updated permissions being added


Method | IAM Actions | Description
-- | -- | --
table.grantRead | s3tables:Get* | Grants read permission to S3 Table
table.grantWrite | s3tables:PutTableData<br>s3tables:UpdateTableMetadataLocation<br>s3tables:RenameTable | Grants write permission to S3 Table
table.grantReadWrite | s3tables:Get*<br>s3tables:PutTableData<br>s3tables:UpdateTableMetadataLocation<br>s3tables:CreateTable | Grants read and write permissions to S3 Table


### Description of how you validated changes

- Unit tests
- Passing Integration tests with snapshots and assertions via API calls

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #34520
Closes #34911

### Reason for this change



### Description of changes
- Support version 1.33
- Add support for AL2023 EKS optimized AMI + user data since 1.33 no longer supports AL2. I believe this change should also be included in v1 module. Please let me know if you guys agree, happy to open another PR adding this to v1
- Fix failing integration tests
- Upgrade dependencies: cdk8s-plus-32

### Describe any new or updated permissions being added




### Description of how you validated changes
Unit + Integ

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…35253)

### Issue # (if applicable)

N/A

### Reason for this change

Amazon EventBridge has supported Customer Managed Keys for Events Archive since 2025/03.
But the current L2 Construct does not support Customer Managed Keys as an attribute.

### Description of changes

Add `kmsKey` property to the `EventsArchive` class. 

A similar change for EventBus is implemented here: #30493

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Add unit tests and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…Node.js (#34537)

### Issue # (if applicable)

Closes #28318

### Reason for this change

The previous version of pnpm (7.30.5) used in the Dockerfile is no longer supported.
Therefore, I upgraded pnpm to the latest version 8.x.
Additionally, this update addresses the bug reported in issue #28318.

### Description of changes

Updated the version of pnpm installed in the Dockerfile from 7.30.5 to 8.15.9, as the previous version is no longer supported.


### Description of how you validated changes

I ran the unit tests for aws-lambda-nodejs.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

None

### Reason for this change

Amazon ECS now supports configuring Amazon EBS Provisioned Rate for Volume Initialization.

https://aws.amazon.com/jp/about-aws/whats-new/2025/05/amazon-ecs-ebs-provisioned-rate-volume-initialization/

This feature cannot be configured with AWS CDK.

### Description of changes

- Add `volumeInitializationRate` to `ServiceManagedEBSVolumeConfiguration`

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Add both unit and integ tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…35103)

_Description copied from #34639_

### Issue #34634

Closes #34634.

### Reason for this change
The old Lambda Runtime Python 3.9 is being deprecated


### Description of changes
- Update Lambda Runtime to Python 3.13 (newest currently supported)
  - Python 3.13 is supported in All Regions (https://aws.amazon.com/about-aws/whats-new/2024/11/aws-lambda-support-python-313)
  - The function code is very basic. All syntax and standard library functions used by the code continue to work in 3.13
- Fixed a minor logging bug in the lambda code
- Added Runtime-Property assertion to unit tests
- Updated Runtime-Property assertion in integ tests

### Describe any new or updated permissions being added
None

### Description of how you validated changes
```bash
(cd packages/aws-cdk-lib && yarn test aws-ecs)
```

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Follow-up of #34618 as it did not fully fix the warnings.


### Change

Stop passing the deprecated property to Cfn object.

### Tests

Tested on minimal stack and an actual production stack.

Fixes #34895
### Issue # (if applicable)

Closes #35276.

### Reason for this change

AWS SQS recently increased the maximum message size limit from 256KB to 1MB (announced August 2025), but the CDK validation logic still enforces the old 256KB limit. This prevents users from creating SQS queues with the new maximum message size of 1MB, limiting their ability to fully utilize AWS SQS capabilities.

This enhancement aligns the CDK validation with the current AWS SQS service limits, enabling developers to create queues that can handle larger messages up to 1MB as supported by the underlying AWS service.

### Description of changes

Updated the SQS queue validation logic and documentation to support the new 1MB maximum message size limit:

- **Validation Logic Update**: Modified `validate-queue-props.ts` to change the maximum limit from 262,144 bytes (256KB) to 1,048,576 bytes (1MB) in the `validateRange` function call
- **Error Message Update**: Updated validation error messages to reflect the new 1,048,576 byte limit for better user guidance
- **JSDoc Documentation**: Updated documentation in `queue.ts` to reflect the new maximum limit from "262144 bytes (256 KiB)" to "1048576 bytes (1 MiB)"
- **TypeScript Definitions**: Updated corresponding TypeScript definition files to maintain consistency
- **Comprehensive Test Coverage**: Added extensive test cases covering boundary validation, token handling, multi-error scenarios, and CloudFormation synthesis

**Key Design Decisions**:
- Maintained the minimum limit of 1,024 bytes (unchanged)
- Preserved the default value documentation as 256KB since AWS SQS service default remains unchanged
- Used consistent numeric formatting with underscores (1_048_576) following existing code patterns
- Ensured full backward compatibility - all existing valid values remain valid

**Why These Changes Address the Issue**:
- Expands the valid range from 1024-262144 bytes to 1024-1048576 bytes
- Enables users to create SQS queues with message sizes up to 1MB as supported by AWS
- Provides clear error messages when limits are exceeded
- Maintains all existing functionality while adding new capabilities

### Describe any new or updated permissions being added

N/A - This change only updates validation limits and does not require any new IAM permissions or modify resource access patterns.

### Description of how you validated changes

**Unit Tests**: Added comprehensive test coverage with 5 new test scenarios:
- Boundary validation tests for minimum (1023 invalid, 1024 valid) and maximum (1048576 valid, 1048577 invalid) limits
- CDK token handling test to ensure validation is properly skipped for tokens
- Multi-error validation test to verify maxMessageSizeBytes validation works alongside other property validation
- CloudFormation synthesis test to ensure correct CloudFormation property generation with new limits

**Integration Tests**: Verified that CDK synthesizes correct CloudFormation templates with the new maximum message size values and that the `MaximumMessageSize` property is correctly set to 1048576.

**Manual Validation**: 
- Confirmed all existing tests continue to pass, ensuring no regression in functionality
- Verified that validation logic correctly accepts values up to 1MB and rejects values above 1MB
- Tested error message accuracy and helpfulness for out-of-range values
- Validated JSDoc documentation consistency across all modified files

**Regression Testing**: All existing SQS tests pass without modification, confirming full backward compatibility is maintained. No existing functionality is broken by these changes.

**Performance Testing**: No performance impact expected as this only changes validation constants and adds minimal test overhead.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…y in README (#35291)

### Reason for this change

Adds further documentation to the recently added `waitForDistributionInvalidation` property. Related: #34859

### Description of changes

Added doc in README

### Describe any new or updated permissions being added

No new permissions are added.


### Description of how you validated changes

N/A

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…fix (#35147)

Add `bedrockagent: 'bedrock'` mapping to iamServiceMap in CallAwsService to ensure correct IAM permissions are generated. Without this mapping, Step Functions tasks using service='bedrockagent' would generate incorrect 'bedrockagent:action' IAM permissions instead of the correct 'bedrock:action' format required by AWS IAM.

Fixes issue where Bedrock Agent actions like startIngestionJob and getIngestionJob would fail with access denied errors due to incorrect IAM policy generation.

### Issue # (if applicable)

Closes #35146

### Reason for this change

The CDK's Step Functions SDK integration (`CallAwsService`) generates incorrect IAM permissions for Amazon Bedrock Agent actions. When using `service="bedrockagent"` with actions like `startIngestionJob` and `getIngestionJob`, the auto-generated IAM policy incorrectly uses the `bedrockagent:` service prefix instead of the correct `bedrock:` prefix.

This causes Step Functions executions to fail with access denied errors because AWS IAM uses `bedrock:` as the service prefix for all Bedrock-related actions, including Bedrock Agent operations.

### Description of changes

**Core Change:**
- Added `bedrockagent: 'bedrock'` mapping to the existing `iamServiceMap` object in `CallAwsService` class
- This follows the established pattern used by 6 other service mappings (e.g., `mwaa: 'airflow'`, `sfn: 'states'`)

**Test Coverage:**
- Added comprehensive test case `'IAM policy for bedrockagent'` following existing test patterns
- Verifies that `service: 'bedrockagent'` generates correct `bedrock:startIngestionJob` IAM action
- Ensures no regressions in existing service mappings

**Files Modified:**
- `packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/aws-sdk/call-aws-service.ts` - Added mapping
- `packages/aws-cdk-lib/aws-stepfunctions-tasks/test/aws-sdk/call-aws-service.test.ts` - Added test

**Design Decision:**
This approach was chosen because it follows the existing architecture pattern and requires minimal code changes while maintaining backward compatibility. Alternative approaches like modifying the IAM action generation logic would be more invasive and risky.

### Describe any new or updated permissions being added

No new permissions are being added. This change corrects the IAM service prefix from `bedrockagent:` to `bedrock:` for existing Bedrock Agent actions. The actions themselves (`startIngestionJob`, `getIngestionJob`, etc.) remain the same.

### Description of how you validated changes

**Unit Tests:**
- Added new test case `'IAM policy for bedrockagent'` that verifies correct IAM policy generation
- All existing tests pass, confirming no regressions
- Test follows established pattern used by other service mapping tests

**Manual Testing:**
- Verified that `CallAwsService` with `service: 'bedrockagent'` now generates `bedrock:startIngestionJob` instead of `bedrockagent:startIngestionJob`
- Confirmed IAM policy structure matches expected format

**Test Results:**
- New test: `IAM policy for bedrockagent` - PASSED
- All 15 existing tests - PASSED
- No regressions detected

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…vided (#35297)

### Issue # (if applicable)

Closes #35292.

### Reason for this change

This change addresses a security vulnerability in the ECS patterns where providing a custom load balancer would still result in the creation of overly permissive internet access rules, potentially bypassing user-intended security controls.

**The Security Issue:**
The `openListener` property controls whether CDK automatically creates security group ingress rules allowing internet traffic to reach the load balancer:

- **`openListener: true` (current default)**: CDK automatically creates an `AWS::EC2::SecurityGroupIngress` rule with `CidrIp: '0.0.0.0/0'`, allowing **anyone on the internet** to access the load balancer on the listener port
- **`openListener: false`**: CDK does **not** create automatic ingress rules, leaving security group management entirely to the user

**The Problem:**
Currently, `openListener` always defaults to `true`, regardless of whether users have provided custom load balancers with their own security groups. This creates a security gap where:

1. Users carefully configure custom load balancers with restrictive security groups
2. CDK still automatically adds `0.0.0.0/0` ingress rules, potentially bypassing the user's intended access controls  
3. The load balancer becomes accessible from the internet even when users intended to restrict access

**Why This Matters:**
When users provide custom load balancers, they typically want to manage security group rules themselves. The automatic creation of `0.0.0.0/0` rules can unintentionally expose services to the internet, creating a security vulnerability that users may not immediately notice.

### Description of changes

This implementation adds a smart default mechanism for the `openListener` property in `ApplicationLoadBalancedServiceBase` that detects when users provide custom load balancers (which typically have custom security groups) and automatically defaults `openListener` to `false` for improved security.

**Key changes made:**

- **Smart Default Logic**: Added detection for custom load balancers in `ApplicationLoadBalancedServiceBase.ts`
- **Feature Flag Protection**: Implemented `@aws-cdk/aws-ecs-patterns:smartDefaultOpenListener` feature flag to ensure backward compatibility
- **Secure Default Behavior**: When feature flag is enabled and custom load balancer is detected, `openListener` defaults to `false` instead of `true`
- **Override Capability**: Users can still explicitly set `openListener: true` to override the smart default if needed
- **Comprehensive Testing**: Added 5 new test cases covering all scenarios including backward compatibility

**Technical implementation details:**

- The smart default logic checks if the feature flag is enabled and if a custom load balancer is provided
- When both conditions are met, `openListener` defaults to `false`, preventing automatic creation of `AWS::EC2::SecurityGroupIngress` rules with `CidrIp: '0.0.0.0/0'`
- When feature flag is disabled or no custom load balancer is provided, behavior remains unchanged (defaults to `true`)
- The implementation uses existing CDK patterns and requires no new dependencies

**CloudFormation Impact:**

- **Before (or with `openListener: true`)**: CDK generates `AWS::EC2::SecurityGroupIngress` resources allowing internet access (`CidrIp: '0.0.0.0/0'`)
- **After (with smart default `openListener: false`)**: No automatic ingress rules are created, users maintain full control over security group configuration

**Design decisions made:**

- **Feature Flag Approach**: Chose feature flag implementation to ensure zero breaking changes for existing users
- **Custom Load Balancer Detection**: Used `props.loadBalancer !== undefined` as the detection mechanism since custom load balancers typically indicate custom security group management
- **Explicit Override Support**: Maintained ability for users to explicitly set `openListener: true` to override smart defaults when needed
- **Conservative Approach**: Only applies smart default when feature flag is explicitly enabled, ensuring opt-in behavior

**Alternatives considered and rejected:**

- **Always-on behavior**: Rejected due to potential breaking changes for existing users
- **Security group inspection**: Rejected due to complexity and potential for false positives
- **Warning-only approach**: Rejected as it doesn't actually fix the security vulnerability

**Problem Description:**

```mermaid
flowchart TD
    A[User Creates ECS Service] --> B[User Provides Custom Load Balancer<br/>with Custom Security Groups]
    B --> C[User Configures Restrictive Rules<br/>e.g., only VPC access]
    C --> D[CDK Always Defaults openListener = true]
    D --> E[CDK Creates 0.0.0.0/0 Ingress Rule<br/>⚠️ BYPASSES User's Security Intent]
    E --> F[🚨 Unintended Internet Exposure<br/>Security Vulnerability]
    
    style E fill:#ffebee
    style F fill:#ffcdd2
```

**Smart Default Logic (Solution):**

```mermaid
flowchart TD
    A[ECS Service Created] --> B{Feature Flag Enabled?}
    B -->|No| C[Legacy: openListener = true<br/>Creates 0.0.0.0/0 ingress rules]
    B -->|Yes| D{Custom Load Balancer Provided?}
    D -->|No| E[Default: openListener = true<br/>🌐 Creates 0.0.0.0/0 ingress rules]
    D -->|Yes| F[Smart Default: openListener = false<br/>🔒 No automatic ingress rules]
    
    style F fill:#e8f5e8
    style E fill:#fff3e0
    style C fill:#f5f5f5
```

### Describe any new or updated permissions being added

N/A - This change does not introduce new IAM permissions or modify existing permission requirements. The change only affects the default behavior of security group rule creation, using existing ECS and ELB permissions.

### Description of how you validated changes

**Unit tests**: Added comprehensive test coverage with 5 new test cases:

- Smart default with custom load balancer (feature flag enabled) - verifies `openListener` defaults to `false`
- Smart default without custom load balancer (feature flag enabled) - verifies `openListener` defaults to `true`
- Explicit override with `openListener: true` (feature flag enabled) - verifies explicit values override smart defaults
- Redirect listener behavior with smart defaults - verifies redirect functionality works with smart defaults
- Backward compatibility test (feature flag disabled) - verifies no behavior change when feature flag is disabled

**Integration tests**: Created comprehensive integration test (`integ.alb-fargate-service-smart-defaults.ts`) that:

- Deploys 4 different ECS service configurations to validate real AWS behavior
- Uses AWS SDK calls to verify actual security group configurations
- Confirms that custom security groups do not contain 0.0.0.0/0 ingress rules when smart defaults are applied
- Validates that the feature works correctly in real AWS environments
- **Integration test results**: Successfully deployed and all assertions passed

**Manual validation**:

- Verified CloudFormation template generation with and without feature flag enabled
- Confirmed that SecurityGroupIngress resources are not created when custom load balancers are used with smart defaults
- Tested explicit `openListener: true` override functionality
- Validated that existing behavior is unchanged when feature flag is disabled

**Regression testing**:

- All existing unit tests continue to pass (226/226 tests passed)
- Existing integration tests verified to ensure no functionality is broken
- Confirmed backward compatibility by testing with feature flag disabled

**Performance testing**:

- No performance impact - only adds a simple conditional check during construct creation
- Build times and synthesis times remain unchanged

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
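The check a practitioner would want alongside the change above is a way to confirm, from the synthesized template, that no security group rule admits the whole internet when a custom load balancer is in use. The following is an added example, not code from this PR or from the aws-cdk project: it walks a CloudFormation template (the shape `cdk synth` writes to `cdk.out/<Stack>.template.json`) and reports every ingress rule whose `CidrIp` is `0.0.0.0/0` or whose `CidrIpv6` is `::/0`, covering both standalone `AWS::EC2::SecurityGroupIngress` resources (what `openListener: true` emits) and inline `SecurityGroupIngress` lists on `AWS::EC2::SecurityGroup`. The sample template embedded in the block is constructed for illustration; the resource names in it are not from the PR.

```typescript
// Added example, not part of the aws-cdk PR or the project's own code.
// Scans a CloudFormation template for security group ingress rules open to
// the whole internet, which is what openListener: true produces on the
// listener port. Intended to run over `cdk synth` output as a build gate.

type Json = any;

interface OpenIngress {
  resource: string;     // logical ID of the resource carrying the rule
  protocol: string;     // IpProtocol, '-1' means all protocols
  fromPort?: number;
  toPort?: number;
  cidr: string;         // the world-open CIDR that matched
}

// Only literal CIDRs are judged here; a Ref or Fn:: value cannot be
// resolved from the template alone and is left for manual review.
function isWorldCidr(value: Json): value is string {
  return value === '0.0.0.0/0' || value === '::/0';
}

// One rule may carry both CidrIp and CidrIpv6; report each match separately.
function ruleToOpenIngress(logicalId: string, rule: Json): OpenIngress[] {
  const hits: OpenIngress[] = [];
  const keys = ['CidrIp', 'CidrIpv6'];
  for (let i = 0; i < keys.length; i++) {
    const cidr = rule[keys[i]];
    if (isWorldCidr(cidr)) {
      hits.push({
        resource: logicalId,
        protocol: String(rule.IpProtocol === undefined ? '-1' : rule.IpProtocol),
        fromPort: rule.FromPort,
        toPort: rule.ToPort,
        cidr: cidr,
      });
    }
  }
  return hits;
}

// Walks every resource in the template and collects world-open ingress rules
// from both forms CloudFormation allows.
function findWorldOpenIngress(template: Json): OpenIngress[] {
  const resources: Record<string, Json> = (template && template.Resources) || {};
  const hits: OpenIngress[] = [];
  const ids = Object.keys(resources);
  for (let i = 0; i < ids.length; i++) {
    const logicalId = ids[i];
    const res = resources[logicalId];
    const props = res.Properties || {};
    if (res.Type === 'AWS::EC2::SecurityGroupIngress') {
      hits.push.apply(hits, ruleToOpenIngress(logicalId, props));
    } else if (res.Type === 'AWS::EC2::SecurityGroup') {
      const inline: Json[] = props.SecurityGroupIngress || [];
      for (let j = 0; j < inline.length; j++) {
        hits.push.apply(hits, ruleToOpenIngress(logicalId, inline[j]));
      }
    }
  }
  return hits;
}

// Renders the findings as one line per rule, suitable for CI output.
function formatFindings(hits: OpenIngress[]): string[] {
  return hits.map(h =>
    h.resource + ': ' + h.protocol + ' ' + h.fromPort + '-' + h.toPort + ' open to ' + h.cidr);
}

// Constructed sample (hypothetical logical IDs): a custom LB security group
// restricted to the VPC on 443 but accidentally open to IPv6 on the same
// port, plus the standalone ingress resource openListener: true would add.
const SAMPLE_TEMPLATE = {
  Resources: {
    LBSecurityGroup: {
      Type: 'AWS::EC2::SecurityGroup',
      Properties: {
        GroupDescription: 'custom load balancer security group',
        SecurityGroupIngress: [
          { IpProtocol: 'tcp', FromPort: 443, ToPort: 443, CidrIp: '10.0.0.0/16' },
          { IpProtocol: 'tcp', FromPort: 443, ToPort: 443, CidrIpv6: '::/0' },
        ],
      },
    },
    LBSecurityGroupFromAnywhere: {
      Type: 'AWS::EC2::SecurityGroupIngress',
      Properties: {
        GroupId: { 'Fn::GetAtt': ['LBSecurityGroup', 'GroupId'] },
        IpProtocol: 'tcp',
        FromPort: 80,
        ToPort: 80,
        CidrIp: '0.0.0.0/0',
      },
    },
  },
};

// Stand-alone run: print the findings for the constructed sample.
formatFindings(findWorldOpenIngress(SAMPLE_TEMPLATE)).forEach(line => console.log(line));
```

To gate a real deployment, replace `SAMPLE_TEMPLATE` with the parsed contents of the stack's template file and fail the pipeline when the returned list is non-empty; for a stack that is meant to be public on port 443 only, filter the findings down to anything that is not `tcp 443-443` before failing.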
### Issue # (if applicable)

Closes #34344

### Reason for this change

Cognito added support for short-lived refresh tokens.

### Description of changes

Added refreshTokenRotationGracePeriod property to UserPoolClient

### Describe any new or updated permissions being added

NA


### Description of how you validated changes

Unit + integration tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ectProvider` (#35310)

Closes #20460.

### Reason for this change



`OpenIdConnectProvider`, which uses `CustomResource`, is on the path to deprecation. It is still used in EKS, but is superseded by `OIDCProviderNative`, which provides the same functionality by using the native CloudFormation resource, with less infrastructure complexity.

See #28634 (comment) for why it cannot be deprecated.

### Description of changes



Added a big comment block explaining why we should not support non-critical changes to `OpenIdConnectProvider`

### Describe any new or updated permissions being added



None.


### Description of how you validated changes



No validations, added comments only.

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…0.6460.7.v1,14.00.3495.9.v1,15.00.4435.7.v1,16.00.4195.2.v1,16.00.4205.1.v1, mysql 8.0.43, 8.4.6 (#35013)

### Issue # (if applicable)
Closes #35065.

### Reason for this change
https://aws.amazon.com/about-aws/whats-new/2025/07/amazon-rds-sql-server-supports-cumulative-update-19-sql-server-2022/
https://aws.amazon.com/about-aws/whats-new/2025/05/amazon-rds-postgresql-supports-new-minor-versions/
https://aws.amazon.com/about-aws/whats-new/2025/08/amazon-rds-mySQL-8-0-43-and-8-4-6/
https://aws.amazon.com/about-aws/whats-new/2025/08/amazon-rds-sqlserver-supports-cu-gdr/

### Description of how you validated changes
```console
$ aws rds describe-db-engine-versions --engine sqlserver-ee --output table --query 'DBEngineVersions[*].{Engine:Engine,EngineVersion:EngineVersion}'
--------------------------------------
|      DescribeDBEngineVersions      |
+---------------+--------------------+
|    Engine     |   EngineVersion    |
+---------------+--------------------+
|  sqlserver-ee |  13.00.6460.7.v1   |
...
|  sqlserver-ee |  14.00.3495.9.v1   |
...
|  sqlserver-ee |  15.00.4435.7.v1   |
...
|  sqlserver-ee |  16.00.4195.2.v1   |
|  sqlserver-ee |  16.00.4205.1.v1   |
+---------------+--------------------+
```

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…35306)

### Reason for this change

Updates from 'related-issues-bot-for-aws' are counted as engagement and modify the update date of the issue/PR

### Description of changes

Excludes updates from 'related-issues-bot-for-aws'

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

Test passing.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…orker types (#35082)

### Issue # (if applicable)

Closes #35071.

### Reason for this change
AWS Glue now supports new workers for larger and memory intensive workloads.

https://aws.amazon.com/about-aws/whats-new/2025/07/aws-glue-supports-new-workers-larger-memory-intensive-workloads/

But these worker types are missing.



### Description of changes
Add worker types.



### Describe any new or updated permissions being added
N/A



### Description of how you validated changes



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

Adding new feature

### Description of changes

Add to the bedrock alpha construct support for bedrock guardrails through a new L2 construct

### Describe any new or updated permissions being added




### Description of how you validated changes



### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…the constructors of WorkerType and JobType (#34734)

### Issue # (if applicable)

Closes part of #33356.

### Reason for this change

Recent changes to the aws-glue-alpha package removed WorkerType.of() and JobType.of(), but the documentation remained, leading to some confusion when investigating compilation errors. After reviewing the PR that initially removed the methods, I believe this is the preferred direction for the package.

### Description of changes

Removed the comments referring to these methods.

If it would be preferable to re-add the WorkerType.of() and JobType.of() methods, I'm happy to adjust this PR accordingly.

### Describe any new or updated permissions being added

N/A


### Description of how you validated changes

Removed comments, ensured that yarn build still completed

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…35326)

### Issue # (if applicable)

Closes #35268.

### Reason for this change

When moving the builds to github actions, `need-xxx-review` labels were not added anymore.

### Description of changes
Fetch the build status from the GitHub action and remove support for `StatusEvent`; GitHub Actions don't use it (only the direct CodeBuild integration used it).



### Description of how you validated changes

Manually ran the script for a few PRs locally, updated unit tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change

Adding new feature for DynamoDB Contributor Insights Mode: https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-dynamodb-table-contributorinsightsspecification.html#cfn-dynamodb-table-contributorinsightsspecification-mode

### Description of changes

Changes to Table and TableV2 to provide CCI Mode

### Describe any new or updated permissions being added




### Description of how you validated changes

Yes, integ and unit tests.

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…eWidget code (#35333)

### Issue #35262

Closes #35262.

### Reason for this change



`YAxisProps` indicated a default value of 0 for `min`, and no maximum value for `max`. This does not hold true for any class that uses this property.

If the default value of 0 for min were true, then omitting it should produce the same behavior in graphs as if `min: 0` were assigned. This is not the case. See cdklabs/construct-hub#1775 for a counterexample.

#### [AlarmWidget](https://github.com/aws/aws-cdk/blob/ec18b8300e94330587b36cfe7ce3f05b63b42d0f/packages/aws-cdk-lib/aws-cloudwatch/lib/graph.ts#L102)
The default is [no minimum or maximum for the y-axis](https://github.com/aws/aws-cdk/blob/ec18b8300e94330587b36cfe7ce3f05b63b42d0f/packages/aws-cdk-lib/aws-cloudwatch/lib/graph.ts#L130-L131), as we do NOT pass min and max by default.

#### [GaugeWidget](https://github.com/aws/aws-cdk/blob/ec18b8300e94330587b36cfe7ce3f05b63b42d0f/packages/aws-cdk-lib/aws-cloudwatch/lib/graph.ts#L180)
The default is [0 as the `min` and 100 as the `max`](https://github.com/aws/aws-cdk/blob/ec18b8300e94330587b36cfe7ce3f05b63b42d0f/packages/aws-cdk-lib/aws-cloudwatch/lib/graph.ts#L278-L279).

#### [GraphWidget](https://github.com/aws/aws-cdk/blob/ec18b8300e94330587b36cfe7ce3f05b63b42d0f/packages/aws-cdk-lib/aws-cloudwatch/lib/graph.ts#L312)
Here, we do NOT pass `min` and `max` by default, and they are automatically configured in CloudWatch if not provided.

### Description of changes



Corrected the `@default` to "Auto" for both `min` and `max`. Simplified the logic for passing `YAxisProps` in GaugeWidget, as there was previously dead code.

### Describe any new or updated permissions being added


None.

### Description of how you validated changes


Ran unit tests, which have sufficient coverage for the change to GaugeWidget.

No testing needed for documentation change.

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…xts (#34781)

### Issue # (if applicable)

Related to #34780

### Reason for this change

After thorough investigation, the original issue was caused by a misunderstanding of taint effect format differences between AWS EKS API and Kubernetes manifests. The `TaintEffect` enum is working correctly as designed for its intended purpose (EKS NodeGroups).

### Description of changes

**Documentation Changes:**
- Added comprehensive documentation to the `TaintEffect` enum explaining the format differences between AWS EKS API and Kubernetes manifests
- Clarified that the enum is specifically designed for EKS NodeGroups (AWS API format)
- Provided guidance on when to use the enum vs string literals

**Key findings from investigation:**
- AWS EKS API expects: `NO_SCHEDULE`, `PREFER_NO_SCHEDULE`, `NO_EXECUTE`
- Kubernetes manifests expect: `NoSchedule`, `PreferNoSchedule`, `NoExecute`
- This difference is documented in the [AWS EKS User Guide](https://docs.aws.amazon.com/eks/latest/userguide/node-taints-managed-node-groups.html)
- Integration tests confirmed that changing enum values breaks EKS NodeGroup deployments

**Why the original approach was incorrect:**
The `TaintEffect` enum cannot be changed because it would break all existing EKS NodeGroup deployments. The enum is correctly designed for AWS EKS API, not for direct Kubernetes manifests.

**Correct solution for users:**
- Use `TaintEffect` enum for **EKS NodeGroups** (AWS API format)
- Use string literals with PascalCase for **Kubernetes manifests** (Kubernetes format)

### Describe any new or updated permissions being added

No new or updated IAM permissions are needed for this change.

### Description of how you validated changes

- **Integration Testing**: Confirmed that attempting to change enum values causes EKS API validation failures
- **AWS Documentation Review**: Verified the format differences in official AWS documentation
- **Code Analysis**: Confirmed that the enum is used correctly throughout the codebase for EKS NodeGroups

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[~] service aws-appintegrations
│ └ resources
│    └[~]  resource AWS::AppIntegrations::Application
│       └ properties
│          └ IsService: (documentation changed)
├[~] service aws-aps
│ └ resources
│    ├[+]  resource AWS::APS::ResourcePolicy
│    │  ├      name: ResourcePolicy
│    │  │      cloudFormationType: AWS::APS::ResourcePolicy
│    │  │      documentation: Use resource-based policies to grant permissions to other AWS accounts or services to access your workspace.
│    │  │      Only Prometheus-compatible APIs can be used for workspace sharing. You can add non-Prometheus-compatible APIs to the policy, but they will be ignored. For more information, see [Prometheus-compatible APIs](https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-APIReference-Prometheus-Compatible-Apis.html) in the *Amazon Managed Service for Prometheus User Guide* .
│    │  │      If your workspace uses customer-managed AWS KMS keys for encryption, you must grant the principals in your resource-based policy access to those AWS KMS keys. You can do this by creating AWS KMS grants. For more information, see [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) in the *AWS KMS API Reference* and [Encryption at rest](https://docs.aws.amazon.com/prometheus/latest/userguide/encryption-at-rest-Amazon-Service-Prometheus.html) in the *Amazon Managed Service for Prometheus User Guide* .
│    │  │      For more information about working with IAM , see [Using Amazon Managed Service for Prometheus with IAM](https://docs.aws.amazon.com/prometheus/latest/userguide/security_iam_service-with-iam.html) in the *Amazon Managed Service for Prometheus User Guide* .
│    │  └ properties
│    │     ├ WorkspaceArn: string (required, immutable)
│    │     └ PolicyDocument: string (required)
│    └[~]  resource AWS::APS::Workspace
│       ├ properties
│       │  └ LoggingConfiguration: (documentation changed)
│       └ types
│          └[~] type LoggingFilter
│            └ properties
│               └ QspThreshold: (documentation changed)
├[~] service aws-b2bi
│ └ resources
│    └[~]  resource AWS::B2BI::Transformer
│       └ types
│          ├[~] type OutputConversion
│          │ └ properties
│          │    └[+] AdvancedOptions: AdvancedOptions
│          ├[~] type X12AdvancedOptions
│          │ └ properties
│          │    └[+] ValidationOptions: X12ValidationOptions
│          ├[+]  type X12CodeListValidationRule
│          │  ├      name: X12CodeListValidationRule
│          │  └ properties
│          │     ├ ElementId: string (required)
│          │     ├ CodesToAdd: Array<string>
│          │     └ CodesToRemove: Array<string>
│          ├[+]  type X12ElementLengthValidationRule
│          │  ├      name: X12ElementLengthValidationRule
│          │  └ properties
│          │     ├ ElementId: string (required)
│          │     ├ MaxLength: number (required)
│          │     └ MinLength: number (required)
│          ├[+]  type X12ElementRequirementValidationRule
│          │  ├      name: X12ElementRequirementValidationRule
│          │  └ properties
│          │     ├ ElementPosition: string (required)
│          │     └ Requirement: string (required)
│          ├[+]  type X12ValidationOptions
│          │  ├      name: X12ValidationOptions
│          │  └ properties
│          │     └ ValidationRules: Array<X12ValidationRule>
│          └[+]  type X12ValidationRule
│             ├      name: X12ValidationRule
│             └ properties
│                ├ CodeListValidationRule: X12CodeListValidationRule
│                ├ ElementLengthValidationRule: X12ElementLengthValidationRule
│                └ ElementRequirementValidationRule: X12ElementRequirementValidationRule
├[~] service aws-batch
│ └ resources
│    └[~]  resource AWS::Batch::ComputeEnvironment
│       └ types
│          ├[~] type ComputeResources
│          │ └ properties
│          │    └ InstanceTypes: (documentation changed)
│          └[~] type LaunchTemplateSpecificationOverride
│            └ properties
│               └ TargetInstanceTypes: (documentation changed)
├[~] service aws-datazone
│ └ resources
│    └[+]  resource AWS::DataZone::PolicyGrant
│       ├      name: PolicyGrant
│       │      cloudFormationType: AWS::DataZone::PolicyGrant
│       │      documentation: Policy Grant in AWS DataZone is an explicit authorization assignment that allows a specific principal (user, group, or project) to perform particular actions (such as creating glossary terms, managing projects, or accessing resources) on governed resources within a certain scope (like a Domain Unit or Project). Policy Grants are essentially the mechanism by which DataZone enforces fine-grained, role-based access control beyond what is possible through AWS IAM alone.
│       ├ properties
│       │  ├ EntityType: string (required, immutable)
│       │  ├ PolicyType: string (required, immutable)
│       │  ├ EntityIdentifier: string (required, immutable)
│       │  ├ Detail: PolicyGrantDetail (immutable)
│       │  ├ Principal: PolicyGrantPrincipal (immutable)
│       │  └ DomainIdentifier: string (required, immutable)
│       ├ attributes
│       │  ├ GrantId: string
│       │  ├ CreatedAt: string
│       │  └ CreatedBy: string
│       └ types
│          ├ type AddToProjectMemberPoolPolicyGrantDetail
│          │ ├      name: AddToProjectMemberPoolPolicyGrantDetail
│          │ └ properties
│          │    └ IncludeChildDomainUnits: boolean
│          ├ type CreateAssetTypePolicyGrantDetail
│          │ ├      name: CreateAssetTypePolicyGrantDetail
│          │ └ properties
│          │    └ IncludeChildDomainUnits: boolean
│          ├ type CreateDomainUnitPolicyGrantDetail
│          │ ├      name: CreateDomainUnitPolicyGrantDetail
│          │ └ properties
│          │    └ IncludeChildDomainUnits: boolean
│          ├ type CreateEnvironmentProfilePolicyGrantDetail
│          │ ├      name: CreateEnvironmentProfilePolicyGrantDetail
│          │ └ properties
│          │    └ DomainUnitId: string
│          ├ type CreateFormTypePolicyGrantDetail
│          │ ├      name: CreateFormTypePolicyGrantDetail
│          │ └ properties
│          │    └ IncludeChildDomainUnits: boolean
│          ├ type CreateGlossaryPolicyGrantDetail
│          │ ├      name: CreateGlossaryPolicyGrantDetail
│          │ └ properties
│          │    └ IncludeChildDomainUnits: boolean
│          ├ type CreateProjectFromProjectProfilePolicyGrantDetail
│          │ ├      name: CreateProjectFromProjectProfilePolicyGrantDetail
│          │ └ properties
│          │    ├ ProjectProfiles: Array<string>
│          │    └ IncludeChildDomainUnits: boolean
│          ├ type CreateProjectPolicyGrantDetail
│          │ ├      name: CreateProjectPolicyGrantDetail
│          │ └ properties
│          │    └ IncludeChildDomainUnits: boolean
│          ├ type DomainUnitFilterForProject
│          │ ├      name: DomainUnitFilterForProject
│          │ └ properties
│          │    ├ DomainUnit: string (required)
│          │    └ IncludeChildDomainUnits: boolean (default=false)
│          ├ type DomainUnitGrantFilter
│          │ ├      name: DomainUnitGrantFilter
│          │ └ properties
│          │    └ AllDomainUnitsGrantFilter: json (required)
│          ├ type DomainUnitPolicyGrantPrincipal
│          │ ├      name: DomainUnitPolicyGrantPrincipal
│          │ └ properties
│          │    ├ DomainUnitGrantFilter: DomainUnitGrantFilter
│          │    ├ DomainUnitDesignation: string
│          │    └ DomainUnitIdentifier: string
│          ├ type GroupPolicyGrantPrincipal
│          │ ├      name: GroupPolicyGrantPrincipal
│          │ └ properties
│          │    └ GroupIdentifier: string (required)
│          ├ type OverrideDomainUnitOwnersPolicyGrantDetail
│          │ ├      name: OverrideDomainUnitOwnersPolicyGrantDetail
│          │ └ properties
│          │    └ IncludeChildDomainUnits: boolean
│          ├ type OverrideProjectOwnersPolicyGrantDetail
│          │ ├      name: OverrideProjectOwnersPolicyGrantDetail
│          │ └ properties
│          │    └ IncludeChildDomainUnits: boolean
│          ├ type PolicyGrantDetail
│          │ ├      name: PolicyGrantDetail
│          │ └ properties
│          │    ├ CreateDomainUnit: CreateDomainUnitPolicyGrantDetail
│          │    ├ OverrideDomainUnitOwners: OverrideDomainUnitOwnersPolicyGrantDetail
│          │    ├ AddToProjectMemberPool: AddToProjectMemberPoolPolicyGrantDetail
│          │    ├ OverrideProjectOwners: OverrideProjectOwnersPolicyGrantDetail
│          │    ├ CreateGlossary: CreateGlossaryPolicyGrantDetail
│          │    ├ CreateFormType: CreateFormTypePolicyGrantDetail
│          │    ├ CreateAssetType: CreateAssetTypePolicyGrantDetail
│          │    ├ CreateProject: CreateProjectPolicyGrantDetail
│          │    ├ CreateEnvironmentProfile: CreateEnvironmentProfilePolicyGrantDetail
│          │    ├ DelegateCreateEnvironmentProfile: json
│          │    ├ CreateEnvironment: json
│          │    ├ CreateEnvironmentFromBlueprint: json
│          │    └ CreateProjectFromProjectProfile: CreateProjectFromProjectProfilePolicyGrantDetail
│          ├ type PolicyGrantPrincipal
│          │ ├      name: PolicyGrantPrincipal
│          │ └ properties
│          │    ├ User: UserPolicyGrantPrincipal
│          │    ├ Group: GroupPolicyGrantPrincipal
│          │    ├ Project: ProjectPolicyGrantPrincipal
│          │    └ DomainUnit: DomainUnitPolicyGrantPrincipal
│          ├ type ProjectGrantFilter
│          │ ├      name: ProjectGrantFilter
│          │ └ properties
│          │    └ DomainUnitFilter: DomainUnitFilterForProject (required)
│          ├ type ProjectPolicyGrantPrincipal
│          │ ├      name: ProjectPolicyGrantPrincipal
│          │ └ properties
│          │    ├ ProjectIdentifier: string
│          │    ├ ProjectDesignation: string
│          │    └ ProjectGrantFilter: ProjectGrantFilter
│          └ type UserPolicyGrantPrincipal
│            ├      name: UserPolicyGrantPrincipal
│            └ properties
│               ├ UserIdentifier: string
│               └ AllUsersGrantFilter: json
├[~] service aws-deadline
│ └ resources
│    ├[~]  resource AWS::Deadline::Fleet
│    │  └ attributes
│    │     └ StatusMessage: (documentation changed)
│    └[~]  resource AWS::Deadline::LicenseEndpoint
│       └ properties
│          └ VpcId: (documentation changed)
├[~] service aws-dynamodb
│ └ resources
│    ├[~]  resource AWS::DynamoDB::GlobalTable
│    │  └ types
│    │     └[~] type ContributorInsightsSpecification
│    │       └ properties
│    │          └ Mode: (documentation changed)
│    └[~]  resource AWS::DynamoDB::Table
│       ├ properties
│       │  ├ ContributorInsightsSpecification: (documentation changed)
│       │  └ StreamSpecification: (documentation changed)
│       └ types
│          ├[~] type ContributorInsightsSpecification
│          │ ├      - documentation: The settings used to enable or disable CloudWatch Contributor Insights.
│          │ │      + documentation: Configures contributor insights settings for a table or one of its indexes.
│          │ └ properties
│          │    └ Mode: (documentation changed)
│          ├[~] type GlobalSecondaryIndex
│          │ └ properties
│          │    └ ContributorInsightsSpecification: (documentation changed)
│          └[~] type StreamSpecification
│            └ properties
│               └ ResourcePolicy: (documentation changed)
├[~] service aws-ec2
│ └ resources
│    ├[~]  resource AWS::EC2::IpPoolRouteTableAssociation
│    │  ├      - documentation: Resource Type definition for AWS::EC2::IpPoolRouteTableAssociation
│    │  │      + documentation: A route server association is the connection established between a route server and a VPC.
│    │  ├ properties
│    │  │  ├ PublicIpv4Pool: (documentation changed)
│    │  │  └ RouteTableId: (documentation changed)
│    │  └ attributes
│    │     └ AssociationId: (documentation changed)
│    └[~]  resource AWS::EC2::VPNConnection
│       └ properties
│          └[+] PreSharedKeyStorage: string (immutable)
├[~] service aws-ecs
│ └ resources
│    └[~]  resource AWS::ECS::Service
│       └ properties
│          └ AvailabilityZoneRebalancing: - string (default="ENABLED")
│                                         + string (default="DISABLED")
├[~] service aws-eks
│ └ resources
│    └[~]  resource AWS::EKS::Addon
│       ├ properties
│       │  └[+] NamespaceConfig: NamespaceConfig (immutable)
│       └ types
│          └[+]  type NamespaceConfig
│             ├      documentation: The custom namespace configuration to use with the add-on
│             │      name: NamespaceConfig
│             └ properties
│                └ Namespace: string (required)
├[~] service aws-entityresolution
│ └ resources
│    └[~]  resource AWS::EntityResolution::IdMappingWorkflow
│       ├ properties
│       │  └[+] IdMappingIncrementalRunConfig: IdMappingIncrementalRunConfig
│       └ types
│          └[+]  type IdMappingIncrementalRunConfig
│             ├      name: IdMappingIncrementalRunConfig
│             └ properties
│                └ IncrementalRunType: string (required)
├[~] service aws-events
│ └ resources
│    └[~]  resource AWS::Events::Rule
│       ├      - tagInformation: undefined
│       │      + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│       └ properties
│          └[+] Tags: Array<tag>
├[~] service aws-fsx
│ └ resources
│    └[~]  resource AWS::FSx::FileSystem
│       ├ properties
│       │  └[+] NetworkType: string
│       └ types
│          └[~] type OpenZFSConfiguration
│            └ properties
│               └[+] EndpointIpv6AddressRange: string
├[~] service aws-glue
│ └ resources
│    ├[~]  resource AWS::Glue::Connection
│    │  └ types
│    │     └[~] type ConnectionInput
│    │       └ properties
│    │          └ ConnectionType: (documentation changed)
│    └[~]  resource AWS::Glue::TableOptimizer
│       └ types
│          ├[+]  type IcebergRetentionConfiguration
│          │  ├      name: IcebergRetentionConfiguration
│          │  └ properties
│          │     ├ SnapshotRetentionPeriodInDays: integer
│          │     ├ NumberOfSnapshotsToRetain: integer
│          │     └ CleanExpiredFiles: boolean
│          └[~] type RetentionConfiguration
│            └ properties
│               └ IcebergConfiguration: - IcebergConfiguration
│                                       + IcebergConfiguration ⇐ IcebergRetentionConfiguration
├[~] service aws-guardduty
│ └ resources
│    ├[~]  resource AWS::GuardDuty::IPSet
│    │  ├      - documentation: The `AWS::GuardDuty::IPSet` resource specifies a new `IPSet` . An `IPSet` is a list of trusted IP addresses from which secure communication is allowed with AWS infrastructure and applications.
│    │  │      + documentation: The `AWS::GuardDuty::IPSet` resource helps you create a list of trusted IP addresses that you can use for secure communication with AWS infrastructure and applications. Once you activate this list, GuardDuty will not generate findings when there is an activity associated with these safe IP addresses.
│    │  │      Only the users of the GuardDuty administrator account can manage this list. These settings are also applied to the member accounts.
│    │  └ properties
│    │     ├ Activate: (documentation changed)
│    │     ├ Format: (documentation changed)
│    │     ├ Name: (documentation changed)
│    │     └ Tags: (documentation changed)
│    ├[~]  resource AWS::GuardDuty::ThreatEntitySet
│    │  ├      - documentation: Resource Type definition for AWS::GuardDuty::ThreatEntitySet
│    │  │      + documentation: The `AWS::GuardDuty::ThreatEntitySet` resource helps you create a list of known malicious IP addresses and domain names in your AWS environment. Once you activate this list, GuardDuty will use the entries in this list as an additional source of threat detection and generate findings when there is an activity associated with these known malicious IP addresses and domain names. GuardDuty continues to monitor independently of this custom threat entity set.
│    │  │      Only the users of the GuardDuty administrator account can manage this list. These settings automatically apply to the member accounts.
│    │  ├ properties
│    │  │  ├ Activate: (documentation changed)
│    │  │  ├ DetectorId: (documentation changed)
│    │  │  ├ ExpectedBucketOwner: (documentation changed)
│    │  │  ├ Format: (documentation changed)
│    │  │  ├ Location: (documentation changed)
│    │  │  ├ Name: (documentation changed)
│    │  │  └ Tags: (documentation changed)
│    │  ├ attributes
│    │  │  ├ CreatedAt: (documentation changed)
│    │  │  ├ ErrorDetails: (documentation changed)
│    │  │  ├ Id: (documentation changed)
│    │  │  ├ Status: (documentation changed)
│    │  │  └ UpdatedAt: (documentation changed)
│    │  └ types
│    │     └[~] type TagItem
│    │       ├      - documentation: undefined
│    │       │      + documentation: Describes a tag. For more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .
│    │       └ properties
│    │          ├ Key: (documentation changed)
│    │          └ Value: (documentation changed)
│    ├[~]  resource AWS::GuardDuty::ThreatIntelSet
│    │  ├      - documentation: The `AWS::GuardDuty::ThreatIntelSet` resource specifies a new `ThreatIntelSet` . A `ThreatIntelSet` consists of known malicious IP addresses. GuardDuty generates findings based on the `ThreatIntelSet` after it is activated.
│    │  │      + documentation: The `AWS::GuardDuty::ThreatIntelSet` resource helps you create a list of known malicious IP addresses in your AWS environment. Once you activate this list, GuardDuty will use list the entries in this list as an additional source for threat detection and generate findings when there is an activity associated with these known malicious IP addresses. GuardDuty continues to monitor independently of this custom threat intelligence set.
│    │  │      Only the users of the GuardDuty administrator account can manage this list. These settings automatically apply to the member accounts.
│    │  └ properties
│    │     ├ Activate: (documentation changed)
│    │     ├ DetectorId: (documentation changed)
│    │     ├ Format: (documentation changed)
│    │     ├ Name: (documentation changed)
│    │     └ Tags: (documentation changed)
│    └[~]  resource AWS::GuardDuty::TrustedEntitySet
│       ├      - documentation: Resource Type definition for AWS::GuardDuty::TrustedEntitySet
│       │      + documentation: The `AWS::GuardDuty::TrustedEntitySet` resource helps you create a list of IP addresses and domain names that you can use for secure communication with your AWS infrastructure and applications. Once you activate this list, GuardDuty will not generate findings when there is an activity associated with these safe IP addresses and domain names. At any given time, you can have only one trusted entity set.
│       │      Only the users of the GuardDuty administrator account can manage the entity sets. These settings automatically apply member accounts.
│       ├ properties
│       │  ├ Activate: (documentation changed)
│       │  ├ DetectorId: (documentation changed)
│       │  ├ ExpectedBucketOwner: (documentation changed)
│       │  ├ Format: (documentation changed)
│       │  ├ Location: (documentation changed)
│       │  ├ Name: (documentation changed)
│       │  └ Tags: (documentation changed)
│       ├ attributes
│       │  ├ CreatedAt: (documentation changed)
│       │  ├ ErrorDetails: (documentation changed)
│       │  ├ Status: (documentation changed)
│       │  └ UpdatedAt: (documentation changed)
│       └ types
│          └[~] type TagItem
│            ├      - documentation: undefined
│            │      + documentation: Describes a tag. For more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html) .
│            └ properties
│               ├ Key: (documentation changed)
│               └ Value: (documentation changed)
├[~] service aws-inspectorv2
│ └ resources
│    ├[~]  resource AWS::InspectorV2::CodeSecurityIntegration
│    │  ├      - documentation: Inspector CodeSecurityIntegration resource schema
│    │  │      + documentation: Creates a code security integration with a source code repository provider.
│    │  ├ properties
│    │  │  ├ CreateIntegrationDetails: (documentation changed)
│    │  │  ├ Name: (documentation changed)
│    │  │  ├ Tags: (documentation changed)
│    │  │  ├ Type: (documentation changed)
│    │  │  └ UpdateIntegrationDetails: (documentation changed)
│    │  ├ attributes
│    │  │  ├ Arn: (documentation changed)
│    │  │  ├ AuthorizationUrl: (documentation changed)
│    │  │  ├ CreatedAt: (documentation changed)
│    │  │  ├ LastUpdatedAt: (documentation changed)
│    │  │  ├ Status: (documentation changed)
│    │  │  └ StatusReason: (documentation changed)
│    │  └ types
│    │     ├[~] type CreateDetails
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Contains details required to create a code security integration with a specific repository provider.
│    │     │ └ properties
│    │     │    └ gitlabSelfManaged: (documentation changed)
│    │     ├[~] type CreateGitLabSelfManagedIntegrationDetail
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Contains details required to create an integration with a self-managed GitLab instance.
│    │     │ └ properties
│    │     │    ├ accessToken: (documentation changed)
│    │     │    └ instanceUrl: (documentation changed)
│    │     ├[~] type UpdateDetails
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Contains details required to update a code security integration with a specific repository provider.
│    │     │ └ properties
│    │     │    ├ github: (documentation changed)
│    │     │    └ gitlabSelfManaged: (documentation changed)
│    │     ├[~] type UpdateGitHubIntegrationDetail
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Contains details required to update an integration with GitHub.
│    │     │ └ properties
│    │     │    ├ code: (documentation changed)
│    │     │    └ installationId: (documentation changed)
│    │     └[~] type UpdateGitLabSelfManagedIntegrationDetail
│    │       ├      - documentation: undefined
│    │       │      + documentation: Contains details required to update an integration with a self-managed GitLab instance.
│    │       └ properties
│    │          └ authCode: (documentation changed)
│    └[~]  resource AWS::InspectorV2::CodeSecurityScanConfiguration
│       ├      - documentation: Inspector CodeSecurityScanConfiguration resource schema
│       │      + documentation: Creates a scan configuration for code security scanning.
│       ├ properties
│       │  ├ Configuration: (documentation changed)
│       │  ├ Level: (documentation changed)
│       │  ├ Name: (documentation changed)
│       │  ├ ScopeSettings: (documentation changed)
│       │  └ Tags: (documentation changed)
│       ├ attributes
│       │  └ Arn: (documentation changed)
│       └ types
│          ├[~] type CodeSecurityScanConfiguration
│          │ ├      - documentation: undefined
│          │ │      + documentation: Contains the configuration settings for code security scans.
│          │ └ properties
│          │    ├ continuousIntegrationScanConfiguration: (documentation changed)
│          │    ├ periodicScanConfiguration: (documentation changed)
│          │    └ ruleSetCategories: (documentation changed)
│          ├[~] type ContinuousIntegrationScanConfiguration
│          │ ├      - documentation: undefined
│          │ │      + documentation: Configuration settings for continuous integration scans that run automatically when code changes are made.
│          │ └ properties
│          │    └ supportedEvents: (documentation changed)
│          ├[~] type PeriodicScanConfiguration
│          │ ├      - documentation: undefined
│          │ │      + documentation: Configuration settings for periodic scans that run on a scheduled basis.
│          │ └ properties
│          │    ├ frequency: (documentation changed)
│          │    └ frequencyExpression: (documentation changed)
│          └[~] type ScopeSettings
│            ├      - documentation: undefined
│            │      + documentation: The scope settings that define which repositories will be scanned. If the `ScopeSetting` parameter is `ALL` the scan configuration applies to all existing and future projects imported into Amazon Inspector .
│            └ properties
│               └ projectSelectionScope: (documentation changed)
├[~] service aws-kinesisanalyticsv2
│ └ resources
│    └[~]  resource AWS::KinesisAnalyticsV2::Application
│       └ types
│          ├[~] type ApplicationConfiguration
│          │ └ properties
│          │    └[+] ApplicationEncryptionConfiguration: ApplicationEncryptionConfiguration
│          └[+]  type ApplicationEncryptionConfiguration
│             ├      documentation: Describes whether customer managed key is enabled and key details for customer data encryption
│             │      name: ApplicationEncryptionConfiguration
│             └ properties
│                ├ KeyId: string
│                └ KeyType: string (required)
├[~] service aws-logs
│ └ resources
│    ├[~]  resource AWS::Logs::DeliveryDestination
│    │  └ types
│    │     └[~] type DestinationPolicy
│    │       ├      - documentation: undefined
│    │       │      + documentation: An IAM policy that grants permissions to CloudWatch Logs to deliver logs cross-account to a specified destination in this account.
│    │       └ properties
│    │          ├ DeliveryDestinationName: (documentation changed)
│    │          └ DeliveryDestinationPolicy: (documentation changed)
│    └[~]  resource AWS::Logs::LogGroup
│       └ properties
│          ├ DataProtectionPolicy: (documentation changed)
│          ├ ResourcePolicyDocument: (documentation changed)
│          └ RetentionInDays: (documentation changed)
├[~] service aws-mediapackagev2
│ └ resources
│    └[~]  resource AWS::MediaPackageV2::Channel
│       └ types
│          └[~] type InputSwitchConfiguration
│            └ properties
│               └ MQCSInputSwitching: (documentation changed)
├[~] service aws-networkfirewall
│ └ resources
│    └[~]  resource AWS::NetworkFirewall::TLSInspectionConfiguration
│       └ types
│          ├[~] type CheckCertificateRevocationStatus
│          │ └      - documentation: When enabled, Network Firewall checks if the server certificate presented by the server in the SSL/TLS connection has a revoked or unkown status. If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a `CertificateAuthorityArn` in [ServerCertificateConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-servercertificateconfiguration.html) .
│          │        + documentation: When enabled, Network Firewall checks if the server certificate presented by the server in the SSL/TLS connection has a revoked or unkown status. If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a `CertificateAuthorityArn` in [ServerCertificateConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-networkfirewall-servercertificateconfiguration.html) .
│          ├[~] type ServerCertificate
│          │ └      - documentation: Any AWS Certificate Manager (ACM) Secure Sockets Layer/Transport Layer Security (SSL/TLS) server certificate that's associated with a [ServerCertificateConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration.html) . Used in a [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-tlsinspectionconfiguration.html) for inspection of inbound traffic to your firewall. You must request or import a SSL/TLS certificate into ACM for each domain Network Firewall needs to decrypt and inspect. AWS Network Firewall uses the SSL/TLS certificates to decrypt specified inbound SSL/TLS traffic going to your firewall. For information about working with certificates in AWS Certificate Manager , see [Request a public certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) or [Importing certificates](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html) in the *AWS Certificate Manager User Guide* .
│          │        + documentation: Any AWS Certificate Manager (ACM) Secure Sockets Layer/Transport Layer Security (SSL/TLS) server certificate that's associated with a [ServerCertificateConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-networkfirewall-tlsinspectionconfiguration-servercertificateconfiguration.html) . Used in a [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-networkfirewall-tlsinspectionconfiguration.html) for inspection of inbound traffic to your firewall. You must request or import a SSL/TLS certificate into ACM for each domain Network Firewall needs to decrypt and inspect. AWS Network Firewall uses the SSL/TLS certificates to decrypt specified inbound SSL/TLS traffic going to your firewall. For information about working with certificates in AWS Certificate Manager , see [Request a public certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) or [Importing certificates](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html) in the *AWS Certificate Manager User Guide* .
│          └[~] type ServerCertificateConfiguration
│            ├      - documentation: Configures the AWS Certificate Manager certificates and scope that Network Firewall uses to decrypt and re-encrypt traffic using a [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-tlsinspectionconfiguration.html) . You can configure `ServerCertificates` for inbound SSL/TLS inspection, a `CertificateAuthorityArn` for outbound SSL/TLS inspection, or both. For information about working with certificates for TLS inspection, see [Using SSL/TLS server certficiates with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html) in the *AWS Network Firewall Developer Guide* .
│            │      > If a server certificate that's associated with your [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-tlsinspectionconfiguration.html) is revoked, deleted, or expired it can result in client-side TLS errors.
│            │      + documentation: Configures the AWS Certificate Manager certificates and scope that Network Firewall uses to decrypt and re-encrypt traffic using a [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-networkfirewall-tlsinspectionconfiguration.html) . You can configure `ServerCertificates` for inbound SSL/TLS inspection, a `CertificateAuthorityArn` for outbound SSL/TLS inspection, or both. For information about working with certificates for TLS inspection, see [Using SSL/TLS server certficiates with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html) in the *AWS Network Firewall Developer Guide* .
│            │      > If a server certificate that's associated with your [TLSInspectionConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-networkfirewall-tlsinspectionconfiguration.html) is revoked, deleted, or expired it can result in client-side TLS errors.
│            └ properties
│               └ CheckCertificateRevocationStatus: (documentation changed)
├[~] service aws-route53
│ └ resources
│    └[~]  resource AWS::Route53::HealthCheck
│       └      - tagInformation: undefined
│              + tagInformation: {"tagPropertyName":"HealthCheckTags","variant":"standard"}
├[~] service aws-s3
│ └ resources
│    ├[~]  resource AWS::S3::Bucket
│    │  └ properties
│    │     └ ObjectLockConfiguration: (documentation changed)
│    └[~]  resource AWS::S3::BucketPolicy
│       └      - documentation: Applies an Amazon S3 bucket policy to an Amazon S3 bucket. If you are using an identity other than the root user of the AWS account that owns the bucket, the calling identity must have the `PutBucketPolicy` permissions on the specified bucket and belong to the bucket owner's account in order to use this operation.
│              If you don't have `PutBucketPolicy` permissions, Amazon S3 returns a `403 Access Denied` error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a `405 Method Not Allowed` error.
│              > As a security precaution, the root user of the AWS account that owns a bucket can always use this operation, even if the policy explicitly denies the root user the ability to perform this action. 
│              When using the `AWS::S3::BucketPolicy` resource, you can create, update, and delete bucket policies for S3 buckets located in regions different from the stack's region. This cross-region bucket policy modification functionality is supported for backward compatibility with existing workflows.
│              > If the [DeletionPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) is not specified or set to `Delete` , the bucket policy will be removed when the stack is deleted. If set to `Retain` , the bucket policy will be preserved even after the stack is deleted. 
│              For example, a CloudFormation stack in `us-east-1` can use the `AWS::S3::BucketPolicy` resource to manage the bucket policy for an S3 bucket in `us-west-2` . The retention or removal of the bucket policy during the stack deletion is determined by the `DeletionPolicy` attribute specified in the stack template.
│              For more information, see [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) .
│              The following operations are related to `PutBucketPolicy` :
│              - [CreateBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html)
│              - [DeleteBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html)
│              + documentation: Applies an Amazon S3 bucket policy to an Amazon S3 bucket. If you are using an identity other than the root user of the AWS account that owns the bucket, the calling identity must have the `PutBucketPolicy` permissions on the specified bucket and belong to the bucket owner's account in order to use this operation.
│              If you don't have `PutBucketPolicy` permissions, Amazon S3 returns a `403 Access Denied` error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a `405 Method Not Allowed` error.
│              > As a security precaution, the root user of the AWS account that owns a bucket can always use this operation, even if the policy explicitly denies the root user the ability to perform this action. 
│              When using the `AWS::S3::BucketPolicy` resource, you can create, update, and delete bucket policies for S3 buckets located in Regions that are different from the stack's Region. However, the CloudFormation stacks should be deployed in the US East (N. Virginia) or `us-east-1` Region. This cross-region bucket policy modification functionality is supported for backward compatibility with existing workflows.
│              > If the [DeletionPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) is not specified or set to `Delete` , the bucket policy will be removed when the stack is deleted. If set to `Retain` , the bucket policy will be preserved even after the stack is deleted. 
│              For example, a CloudFormation stack in `us-east-1` can use the `AWS::S3::BucketPolicy` resource to manage the bucket policy for an S3 bucket in `us-west-2` . The retention or removal of the bucket policy during the stack deletion is determined by the `DeletionPolicy` attribute specified in the stack template.
│              For more information, see [Bucket policy examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html) .
│              The following operations are related to `PutBucketPolicy` :
│              - [CreateBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html)
│              - [DeleteBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html)
├[~] service aws-sagemaker
│ └ resources
│    └[~]  resource AWS::SageMaker::Cluster
│       └ types
│          ├[+]  type AlarmDetails
│          │  ├      documentation: The details of the alarm to monitor during the AMI update.
│          │  │      name: AlarmDetails
│          │  └ properties
│          │     └ AlarmName: string (required)
│          ├[+]  type CapacitySizeConfig
│          │  ├      documentation: The configuration of the size measurements of the AMI update. Using this configuration, you can specify whether SageMaker should update your instance group by an amount or percentage of instances.
│          │  │      name: CapacitySizeConfig
│          │  └ properties
│          │     ├ Type: string (required)
│          │     └ Value: integer (required)
│          ├[~] type ClusterInstanceGroup
│          │ └ properties
│          │    └[+] ScheduledUpdateConfig: ScheduledUpdateConfig
│          ├[+]  type DeploymentConfig
│          │  ├      documentation: The deployment configuration for an endpoint, which contains the desired deployment strategy and rollback configurations.
│          │  │      name: DeploymentConfig
│          │  └ properties
│          │     ├ AutoRollbackConfiguration: Array<AlarmDetails>
│          │     ├ RollingUpdatePolicy: RollingUpdatePolicy
│          │     └ WaitIntervalInSeconds: integer
│          ├[+]  type RollingUpdatePolicy
│          │  ├      documentation: Specifies a rolling deployment strategy for updating a SageMaker endpoint.
│          │  │      name: RollingUpdatePolicy
│          │  └ properties
│          │     ├ MaximumBatchSize: CapacitySizeConfig (required)
│          │     └ RollbackMaximumBatchSize: CapacitySizeConfig
│          └[+]  type ScheduledUpdateConfig
│             ├      documentation: The configuration object of the schedule that SageMaker follows when updating the AMI.
│             │      name: ScheduledUpdateConfig
│             └ properties
│                ├ ScheduleExpression: string (required)
│                └ DeploymentConfig: DeploymentConfig
├[~] service aws-servicediscovery
│ └ resources
│    ├[~]  resource AWS::ServiceDiscovery::HttpNamespace
│    │  └      - documentation: The `HttpNamespace` resource is an AWS Cloud Map resource type that contains information about an HTTP namespace. Service instances that you register using an HTTP namespace can be discovered using a `DiscoverInstances` request but can't be discovered using DNS.
│    │         For the current quota on the number of namespaces that you can create using the same AWS account, see [AWS Cloud Map quotas](https://docs.aws.amazon.com/cloud-map/latest/dg/cloud-map-limits.html) in the ** .
│    │         + documentation: Creates an HTTP namespace. Service instances registered using an HTTP namespace can be discovered using a `DiscoverInstances` request but can't be discovered using DNS.
│    │         For the current quota on the number of namespaces that you can create using the same AWS account , see [AWS Cloud Map quotas](https://docs.aws.amazon.com/cloud-map/latest/dg/cloud-map-limits.html) in the *AWS Cloud Map Developer Guide* .
│    ├[~]  resource AWS::ServiceDiscovery::Instance
│    │  └ properties
│    │     └ ServiceId: (documentation changed)
│    └[~]  resource AWS::ServiceDiscovery::Service
│       ├      - documentation: A complex type that contains information about a service, which defines the configuration of the following entities:
│       │      - For public and private DNS namespaces, one of the following combinations of DNS records in Amazon Route 53:
│       │      - A
│       │      - AAAA
│       │      - A and AAAA
│       │      - SRV
│       │      - CNAME
│       │      - Optionally, a health check
│       │      + documentation: A complex type that contains information about the specified service.
│       ├ properties
│       │  ├ NamespaceId: (documentation changed)
│       │  └ ServiceAttributes: (documentation changed)
│       └ types
│          └[~] type DnsConfig
│            └ properties
│               └ NamespaceId: (documentation changed)
├[~] service aws-ssm
│ └ resources
│    └[~]  resource AWS::SSM::PatchBaseline
│       └ properties
│          └ RejectedPatchesAction: (documentation changed)
├[~] service aws-ssmquicksetup
│ └ resources
│    └[~]  resource AWS::SSMQuickSetup::ConfigurationManager
│       └ types
│          └[~] type ConfigurationDefinition
│            └ properties
│               └ Parameters: (documentation changed)
├[~] service aws-synthetics
│ └ resources
│    └[~]  resource AWS::Synthetics::Canary
│       └ types
│          └[~] type Dependency
│            ├      - documentation: undefined
│            │      + documentation: A structure that contains information about a dependency for a canary.
│            └ properties
│               ├ Reference: (documentation changed)
│               └ Type: (documentation changed)
├[~] service aws-vpclattice
│ └ resources
│    └[~]  resource AWS::VpcLattice::ResourceGateway
│       └ properties
│          └[+] Ipv4AddressesPerEni: integer
└[~] service aws-workspacesweb
  └ resources
     ├[~]  resource AWS::WorkSpacesWeb::Portal
     │  └ properties
     │     └ SessionLoggerArn: (documentation changed)
     └[~]  resource AWS::WorkSpacesWeb::SessionLogger
        ├      - documentation: Definition of AWS::WorkSpacesWeb::SessionLogger Resource Type
        │      + documentation: The session logger resource.
        ├ properties
        │  ├ AdditionalEncryptionContext: (documentation changed)
        │  ├ CustomerManagedKey: (documentation changed)
        │  ├ DisplayName: (documentation changed)
        │  ├ EventFilter: (documentation changed)
        │  └ LogConfiguration: (documentation changed)
        ├ attributes
        │  ├ AssociatedPortalArns: (documentation changed)
        │  ├ CreationDate: (documentation changed)
        │  └ SessionLoggerArn: (documentation changed)
        └ types
           ├[~] type EventFilter
           │ ├      - documentation: undefined
           │ │      + documentation: The filter that specifies the events to monitor.
           │ └ properties
           │    ├ All: (documentation changed)
           │    └ Include: (documentation changed)
           ├[~] type LogConfiguration
           │ ├      - documentation: undefined
           │ │      + documentation: The configuration of the log.
           │ └ properties
           │    └ S3: (documentation changed)
           └[~] type S3LogConfiguration
             ├      - documentation: undefined
             │      + documentation: The S3 log configuration.
             └ properties
                ├ Bucket: (documentation changed)
                ├ BucketOwner: (documentation changed)
                ├ FolderStructure: (documentation changed)
                ├ KeyPrefix: (documentation changed)
                └ LogFileFormat: (documentation changed)
```
CHANGES TO L1 RESOURCES: L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

  - **aws-ecs**: AWS::ECS::Service: AvailabilityZoneRebalancing property default value changed from "ENABLED" to "DISABLED".
The heading levels for Auto Mode are inappropriate.
I think the Auto Mode sections would be better placed under `Provision Clusters` to align with other node types.



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
frankhefeng and others added 7 commits September 1, 2025 16:30
### Issue # (if applicable)

Closes #35078.

### Reason for this change

We want to use ACM exportable public certificates to replace all those certificates purchased from another vendor

### Description of changes

Add `certificateExportEnabled` in `acm.Certificate` Construct

### Describe any new or updated permissions being added

N/A


### Description of how you validated changes

Unit updated to cover new `certificateExportEnabled` property

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

None

### Reason for this change

AWS RDS now supports retaining automated backups when a cluster is deleted.
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Backups.Retaining.html

### Description of changes

- Add `deleteAutomatedBackups` prop  to `ClusterBaseProps`.

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Added both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #35093.

### Reason for this change

Improve doc string to clarify what inputs are accepted for `contentType`.

### Description of changes

Simple documentation additions.

### Describe any new or updated permissions being added

None


### Description of how you validated changes

None, only documentation changes.

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
It is mysteriously broken on PR builds, but not on my own machine.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…licy (#35308)

### Issue # (if applicable)

None

### Reason for this change

When creating a `ResponseHeadersPolicy`, if we set `accessControlAllowCredentials` to true in the CORS configuration and include a string containing `*` in `accessControlAllowHeaders`, it causes a deployment error. I added validation to prevent this in advance.

```console
10:57:02 PM | CREATE_FAILED        | AWS::CloudFront::ResponseHeadersPolicy      | Dev-PriCo
ach/MainS...ponseHeadersPolicy
Resource handler returned message: "Invalid request provided: AWS::CloudFront::ResponseHeade
rsPolicy: The parameter Access-Control-Allow-Headers cannot contain * when allowCredentials
is true. (Service: CloudFront, Status Code: 400, Request ID: 9298af67-dfb6-4ddc-9cd6-b301e8f
eed3e) (SDK Attempt Count: 1)" (RequestToken: 2cbce7b6-8501-7bf8-aeb8-6781277473a0, HandlerE
rrorCode: InvalidRequest)
```

### Description of changes

Add validation for `ResponseHeadersPolicy`.

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Add unit test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
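The synth-time check described in the commit message above, as an added example that is not aws-cdk's own code: a validator that flags `*` in `accessControlAllowHeaders` when `accessControlAllowCredentials` is true, so the policy is rejected before CloudFormation reports the 400 at deploy time. The `CorsBehavior` interface, the sample configurations, and the extra wildcard-origin check (a browser CORS rule, not something the commit message mentions) are constructed for this example.

```typescript
// Constructed, simplified stand-in for the CDK's CORS behavior props; not the real type.
interface CorsBehavior {
  accessControlAllowCredentials: boolean;
  accessControlAllowHeaders: string[];
  accessControlAllowMethods: string[];
  accessControlAllowOrigins: string[];
  originOverride: boolean;
}

/**
 * Returns every problem found in a CORS behavior, or an empty array when it is acceptable.
 * Kept as a pure function so a construct can decide whether to throw or just report.
 */
function validateCorsBehavior(cors: CorsBehavior): string[] {
  const problems: string[] = [];
  if (!cors.accessControlAllowCredentials) {
    return problems; // wildcards are only a problem once credentials are allowed
  }

  // The check from the commit message: CloudFront rejects the policy at deploy time
  // if any allowed header contains '*' while allowCredentials is true.
  const wildcardHeaders = cors.accessControlAllowHeaders.filter(h => h.includes('*'));
  if (wildcardHeaders.length > 0) {
    problems.push(
      `accessControlAllowHeaders cannot contain '*' when accessControlAllowCredentials is true ` +
      `(found: ${wildcardHeaders.join(', ')})`,
    );
  }

  // Added check (browser CORS rule, assumption beyond the commit message): a credentialed
  // response with Access-Control-Allow-Origin '*' is refused by browsers, so flag it too.
  if (cors.accessControlAllowOrigins.includes('*')) {
    problems.push(
      `accessControlAllowOrigins cannot be '*' when accessControlAllowCredentials is true; ` +
      `list the origins explicitly`,
    );
  }
  return problems;
}

/** Throws with all problems joined, mirroring a constructor-time validation. */
function assertValidCorsBehavior(cors: CorsBehavior): void {
  const problems = validateCorsBehavior(cors);
  if (problems.length > 0) {
    throw new Error(`Invalid CORS behavior:\n- ${problems.join('\n- ')}`);
  }
}

// Constructed sample: the combination the commit message says fails at deploy time.
const failingCors: CorsBehavior = {
  accessControlAllowCredentials: true,
  accessControlAllowHeaders: ['*'],
  accessControlAllowMethods: ['GET', 'POST'],
  accessControlAllowOrigins: ['https://app.example.com'],
  originOverride: true,
};

// Same intent, corrected: enumerate only the headers the application actually needs.
const correctedCors: CorsBehavior = {
  ...failingCors,
  accessControlAllowHeaders: ['Authorization', 'Content-Type'],
};

// Stand-alone run: report the failing policy, then confirm the corrected one passes.
console.log(validateCorsBehavior(failingCors));
assertValidCorsBehavior(correctedCors);
```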
…5309)

### Issue # (if applicable)

None

### Reason for this change

The `targets.AwsApi()` method enables us to call AWS API from EventBridge directly but there is no documentation about this feature.

### Description of changes

Update README.md

### Describe any new or updated permissions being added

None

### Description of how you validated changes

None

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@aws-cdk-automation aws-cdk-automation requested a review from a team as a code owner September 2, 2025 09:37
@aws-cdk-automation aws-cdk-automation added auto-approve pr/no-squash This PR should be merged instead of squash-merging it labels Sep 2, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team September 2, 2025 09:37
@github-actions github-actions bot added the p2 label Sep 2, 2025
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Sep 2, 2025
@alvazjor alvazjor added the pr/do-not-merge This PR should not be merged at this time. label Sep 2, 2025
@alvazjor alvazjor removed the pr/do-not-merge This PR should not be merged at this time. label Sep 2, 2025
@aws-cdk-automation
Collaborator Author

➡️ PR build request submitted to test-main-pipeline ⬅️

A maintainer must now check the pipeline and add the pr-linter/cli-integ-tested label once the pipeline succeeds.

@mergify
Contributor

mergify bot commented Sep 2, 2025

Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 1ea1fee into v2-release Sep 2, 2025
22 of 23 checks passed
@mergify mergify bot deleted the bump/2.214.0 branch September 2, 2025 10:14
@github-actions
Contributor

github-actions bot commented Sep 2, 2025

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 2, 2025