aws · mergify · Oct 29, 2025 · Oct 28, 2025 · Oct 29, 2025 · Oct 29, 2025
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
@@ -65,7 +65,7 @@ jobs:
           sudo sysctl -w vm.max_map_count=2251954
 
       - name: Build
-        run: /bin/bash ./build.sh --ci
+        run: /bin/bash ./build.sh --ci --concurrency=10
 
       - name: Run Rosetta
         run: /bin/bash ./scripts/run-rosetta.sh

diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md
@@ -2,6 +2,8 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.221.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.221.0-alpha.0...v2.221.1-alpha.0) (2025-10-29)
+
 ## [2.221.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.220.0-alpha.0...v2.221.0-alpha.0) (2025-10-24)
 
 

diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md
@@ -2,14 +2,21 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.221.1](https://github.com/aws/aws-cdk/compare/v2.221.0...v2.221.1) (2025-10-29)
+
+
+### Bug Fixes
+
+* compilation failure in Go ([#35871](https://github.com/aws/aws-cdk/issues/35871)) ([4379f66](https://github.com/aws/aws-cdk/commit/4379f66f42ee9adaffbc2836399c75f86d6bf784)), closes [aws/aws-cdk#35770](https://github.com/aws/aws-cdk/issues/35770) [#35862](https://github.com/aws/aws-cdk/issues/35862)
+
 ## [2.221.0](https://github.com/aws/aws-cdk/compare/v2.220.0...v2.221.0) (2025-10-24)
 
 
 ### ⚠ BREAKING CHANGES
 
 * ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:
 - **aws-datazone**: AWS::DataZone::ProjectProfile: Id property removed.
-- **aws-logs**: AWS::Logs::DeliveryDestination: DeliveryDestinationType attribute removed. 
+- **aws-logs**: AWS::Logs::DeliveryDestination: DeliveryDestinationType attribute removed.
 - **aws-s3**: AWS::S3::AccessGrantsLocation: IamRoleArn property is now required.
 - **aws-s3**: AWS::S3::AccessGrantsLocation: LocationScope property is now required.
 - **aws-servicecatalog**: AWS::ServiceCatalog::TagOptionAssociation: Id attribute removed.
@@ -39,16 +46,16 @@ All notable changes to this project will be documented in this file. See [standa
 
 ### ⚠ BREAKING CHANGES
 
-* ** 
+* **
 L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:
 
-- **aws-neptune**: AWS::Neptune::EventSubscription: SnsTopicArn property is now required.  
-- **aws-neptune**: AWS::Neptune::EventSubscription: Id attribute removed.  
+- **aws-neptune**: AWS::Neptune::EventSubscription: SnsTopicArn property is now required.
+- **aws-neptune**: AWS::Neptune::EventSubscription: Id attribute removed.
 - **aws-servicecatalog**: AWS::ServiceCatalog::PortfolioShare: Id attribute removed.
 - **aws-lex**: AWS::Lex::ResourcePolicy: ResourceArn property is now immutable.
 
 Co-authored-by: aws-cdk-automation <aws-cdk-automation@users.noreply.github.com>
-* ** 
+* **
 ### Features
 
 * **batch:** ec2 Managed Compute Environment support default instance classes, deprecate `useOptimalInstanceClasses` ([#35537](https://github.com/aws/aws-cdk/issues/35537)) ([9d59dd8](https://github.com/aws/aws-cdk/commit/9d59dd8676bdfbba6f562d82411a527e1f7b6296)), closes [#35515](https://github.com/aws/aws-cdk/issues/35515)

diff --git a/allowed-breaking-changes.txt b/allowed-breaking-changes.txt
@@ -966,3 +966,6 @@ removed:aws-cdk-lib.lambda_layer_kubectl.KubectlLayer
 # Fixing the JsonSchema interface to be consistent with JSON Schema spec
 changed-type:aws-cdk-lib.aws_apigateway.JsonSchema.additionalItems
 strengthened:aws-cdk-lib.aws_apigateway.JsonSchema
+
+# Revert a failing change
+strengthened:aws-cdk-lib.aws_stepfunctions.StateMachineProps
diff --git a/packages/aws-cdk-lib/aws-stepfunctions/lib/state-machine.ts b/packages/aws-cdk-lib/aws-stepfunctions/lib/state-machine.ts
@@ -117,7 +117,7 @@ export interface StateMachineProps {
    *
    * @default A role is automatically created
    */
-  readonly role?: iam.IRoleRef & iam.IGrantable;
+  readonly role?: iam.IRole;
 
   /**
    * Maximum run time for this state machine
@@ -427,6 +427,11 @@ export class StateMachine extends StateMachineBase {
    */
   public static readonly PROPERTY_INJECTION_ID: string = 'aws-cdk-lib.aws-stepfunctions.StateMachine';
 
+  /**
+   * Execution role of this state machine
+   */
+  public readonly role: iam.IRole;
+
   /**
    * The name of the state machine
    * @attribute
@@ -450,11 +455,6 @@ export class StateMachine extends StateMachineBase {
    */
   public readonly stateMachineRevisionId: string;
 
-  /**
-   * Execution role of this state machine
-   */
-  private readonly _role: iam.IRoleRef & iam.IGrantable;
-
   constructor(scope: Construct, id: string, props: StateMachineProps) {
     super(scope, id, {
       physicalName: props.stateMachineName,
@@ -476,7 +476,7 @@ export class StateMachine extends StateMachineBase {
       this.validateLogOptions(props.logs);
     }
 
-    this._role = props.role || new iam.Role(this, 'Role', {
+    this.role = props.role || new iam.Role(this, 'Role', {
       assumedBy: new iam.ServicePrincipal('states.amazonaws.com'),
     });
 
@@ -494,7 +494,7 @@ export class StateMachine extends StateMachineBase {
     }
 
     if (props.encryptionConfiguration instanceof CustomerManagedEncryptionConfiguration) {
-      this._role.grantPrincipal.addToPrincipalPolicy(new iam.PolicyStatement({
+      this.role.addToPrincipalPolicy(new iam.PolicyStatement({
         effect: iam.Effect.ALLOW,
         actions: [
           'kms:Decrypt', 'kms:GenerateDataKey',
@@ -513,7 +513,7 @@ export class StateMachine extends StateMachineBase {
       }));
 
       if (props.logs && props.logs.level !== LogLevel.OFF) {
-        this._role.grantPrincipal.addToPrincipalPolicy(new iam.PolicyStatement({
+        this.role.addToPrincipalPolicy(new iam.PolicyStatement({
           effect: iam.Effect.ALLOW,
           actions: [
             'kms:GenerateDataKey',
@@ -540,10 +540,10 @@ export class StateMachine extends StateMachineBase {
     const resource = new CfnStateMachine(this, 'Resource', {
       stateMachineName: this.physicalName,
       stateMachineType: props.stateMachineType ?? undefined,
-      roleArn: this._role.roleRef.roleArn,
+      roleArn: this.role.roleArn,
       loggingConfiguration: props.logs ? this.buildLoggingConfiguration(props.logs) : undefined,
       tracingConfiguration: this.buildTracingConfiguration(props.tracingEnabled),
-      ...definitionBody.bind(this, this._role.grantPrincipal, props, graph),
+      ...definitionBody.bind(this, this.role, props, graph),
       definitionSubstitutions: props.definitionSubstitutions,
       encryptionConfiguration: buildEncryptionConfiguration(props.encryptionConfiguration),
     });
@@ -569,27 +569,15 @@ export class StateMachine extends StateMachineBase {
    * The principal this state machine is running as
    */
   public get grantPrincipal() {
-    return this._role.grantPrincipal;
-  }
-
-  /**
-   * Execution role of this state machine
-   *
-   * Will throw if the Role object that was given does not implement IRole
-   */
-  public get role(): iam.IRole {
-    if (!isIRole(this._role)) {
-      throw new ValidationError(`The role given to this StateMachine is not an IRole, but ${this._role.constructor.name}`, this);
-    }
-    return this._role;
+    return this.role.grantPrincipal;
   }
 
   /**
    * Add the given statement to the role's policy
    */
   @MethodMetadata()
   public addToRolePolicy(statement: iam.PolicyStatement) {
-    this._role.grantPrincipal.addToPrincipalPolicy(statement);
+    this.role.addToPrincipalPolicy(statement);
   }
 
   private validateStateMachineName(stateMachineName: string) {
@@ -858,9 +846,3 @@ export class ChainDefinitionBody extends DefinitionBody {
     };
   }
 }
-
-function isIRole(x: iam.IRoleRef): x is iam.IRole {
-  const xx = x as iam.IRole;
-  return (!!xx.addManagedPolicy && !!xx.addToPrincipalPolicy && !!xx.assumeRoleAction && !!xx.attachInlinePolicy
-   && !!xx.grant && !!xx.policyFragment);
-}
diff --git a/packages/awslint/bin/awslint.ts b/packages/awslint/bin/awslint.ts
@@ -2,15 +2,12 @@
 /* eslint-disable no-console */
 import * as child_process from 'child_process';
 import * as path from 'path';
-import { JsiiFeature } from '@jsii/spec';
 import * as chalk from 'chalk';
 import * as fs from 'fs-extra';
 import * as reflect from 'jsii-reflect';
 import * as yargs from 'yargs';
 import { ALL_RULES_LINTER, DiagnosticLevel, RuleFilterSet } from '../lib';
 
-const FEATURES: JsiiFeature[] = ['intersection-types'];
-
 let stackTrace = false;
 
 async function main() {
@@ -250,7 +247,7 @@ main().catch(e => {
 
 async function loadModule(dir: string) {
   const ts = new reflect.TypeSystem();
-  await ts.load(dir, { validate: false, supportedFeatures: FEATURES }); // Don't validate to save 66% of execution time (20s vs 1min).
+  await ts.load(dir, { validate: false }); // Don't validate to save 66% of execution time (20s vs 1min).
   // We run 'awslint' during build time, assemblies are guaranteed to be ok.
 
   // We won't load any more assemblies. Lock the typesystem to benefit from performance improvements.

diff --git a/packages/awslint/lib/rules/api.ts b/packages/awslint/lib/rules/api.ts
@@ -139,11 +139,6 @@ apiLinter.add({
         return;
       }
 
-      if (type.intersectionOfTypes) {
-        // Type intersections are okay
-        return;
-      }
-
       throw new Error(`invalid type reference: ${type.toString()}`);
     }
   },

diff --git a/scripts/run-rosetta.sh b/scripts/run-rosetta.sh
@@ -73,7 +73,7 @@ time $ROSETTA extract \
 
 if $infuse; then
     echo "💎 Generating synthetic examples for the remainder" >&2
-    time npx cdk-generate-synthetic-examples \
+    time npx cdk-generate-synthetic-examples@^0.1.292 \
         $(cat $jsii_pkgs_file)
 
     time $ROSETTA extract \

diff --git a/version.v2.json b/version.v2.json
@@ -1,4 +1,4 @@
 {
-  "version": "2.221.0",
-  "alphaVersion": "2.221.0-alpha.0"
+  "version": "2.221.1",
+  "alphaVersion": "2.221.1-alpha.0"
 }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,6 +2,8 @@

		All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.

		## [2.221.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.221.0-alpha.0...v2.221.1-alpha.0) (2025-10-29)

		## [2.221.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.220.0-alpha.0...v2.221.0-alpha.0) (2025-10-24)


Expand Down
-Original file line number
+Diff line change
@@ Expand Up / @@ -139,11 +139,6 @@ apiLinter.add({ @@
             return;
           }
-          if (type.intersectionOfTypes) {
-            // Type intersections are okay
-            return;
-          }
           throw new Error(`invalid type reference: ${type.toString()}`);
         }
       },
@@ Expand Down @@