
Conversation

@aws-cdk-automation
Collaborator

@aws-cdk-automation aws-cdk-automation commented Oct 30, 2025

See CHANGELOG

aemada-aws and others added 28 commits October 24, 2025 13:13
### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

The readme was incorrectly showing that the default capacity is managed node group, but this is not the case in v2. In v2 the default is EKS auto mode, so the readme was updated to show the current default as the architecture, with some clarification on the other possible capacity modes.

### Description of changes

Updated the readme to reflect the state of eks v2.

### Describe any new or updated permissions being added

None

### Description of how you validated changes

None

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
#35783)

### Issue # (if applicable)

Closes #35699
Related to: #35742

### Reason for this change

CfnClusterCapacityProviderAssociations is not needed when using only managed instances as a capacity provider, but it was being created anyway with empty values. It is needed if default capacity providers are set, or the capacity provider is not of the managed instances type.

### Description of changes

Removed the `clusterScopedCapacityProviderNames` check when creating CfnClusterCapacityProviderAssociations.

Destructive changes: CfnClusterCapacityProviderAssociations will be deleted if user does not provide default capacity providers or default fargate and uses only ManagedInstancesCapacityProvider.


### Describe any new or updated permissions being added

None

### Description of how you validated changes



### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change



### Description of changes

Move EKS v2 Alpha to developer preview

### Describe any new or updated permissions being added

None

### Description of how you validated changes

N/A
### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's releases</a>.</em></p>
<blockquote>
<h2>v5.0.0</h2>
<h2>What's Changed</h2>
<p><strong>BREAKING CHANGE:</strong> this update supports Node <code>v24.x</code>. This is not a breaking change per-se but we're treating it as such.</p>
<ul>
<li>Update README.md by <a href="https://github.com/GhadimiR"><code>@​GhadimiR</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/681">actions/upload-artifact#681</a></li>
<li>Update README.md by <a href="https://github.com/nebuk89"><code>@​nebuk89</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/712">actions/upload-artifact#712</a></li>
<li>Readme: spell out the first use of GHES by <a href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/727">actions/upload-artifact#727</a></li>
<li>Update GHES guidance to include reference to Node 20 version by <a href="https://github.com/patrikpolyak"><code>@​patrikpolyak</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/725">actions/upload-artifact#725</a></li>
<li>Bump <code>@actions/artifact</code> to <code>v4.0.0</code></li>
<li>Prepare <code>v5.0.0</code> by <a href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/734">actions/upload-artifact#734</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/GhadimiR"><code>@​GhadimiR</code></a> made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/681">actions/upload-artifact#681</a></li>
<li><a href="https://github.com/nebuk89"><code>@​nebuk89</code></a> made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/712">actions/upload-artifact#712</a></li>
<li><a href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/727">actions/upload-artifact#727</a></li>
<li><a href="https://github.com/patrikpolyak"><code>@​patrikpolyak</code></a> made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/725">actions/upload-artifact#725</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v4...v5.0.0">https://github.com/actions/upload-artifact/compare/v4...v5.0.0</a></p>
<h2>v4.6.2</h2>
<h2>What's Changed</h2>
<ul>
<li>Update to use artifact 2.3.2 package &amp; prepare for new upload-artifact release by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/685">actions/upload-artifact#685</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/685">actions/upload-artifact#685</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v4...v4.6.2">https://github.com/actions/upload-artifact/compare/v4...v4.6.2</a></p>
<h2>v4.6.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Update to use artifact 2.2.2 package by <a href="https://github.com/yacaovsnc"><code>@​yacaovsnc</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/673">actions/upload-artifact#673</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v4...v4.6.1">https://github.com/actions/upload-artifact/compare/v4...v4.6.1</a></p>
<h2>v4.6.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Expose env vars to control concurrency and timeout by <a href="https://github.com/yacaovsnc"><code>@​yacaovsnc</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/662">actions/upload-artifact#662</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v4...v4.6.0">https://github.com/actions/upload-artifact/compare/v4...v4.6.0</a></p>
<h2>v4.5.0</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: deprecated <code>Node.js</code> version in action by <a href="https://github.com/hamirmahal"><code>@​hamirmahal</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/578">actions/upload-artifact#578</a></li>
<li>Add new <code>artifact-digest</code> output by <a href="https://github.com/bdehamer"><code>@​bdehamer</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/656">actions/upload-artifact#656</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/hamirmahal"><code>@​hamirmahal</code></a> made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/578">actions/upload-artifact#578</a></li>
</ul>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/actions/upload-artifact/commit/330a01c490aca151604b8cf639adc76d48f6c5d4"><code>330a01c</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/734">#734</a> from actions/danwkennedy/prepare-5.0.0</li>
<li><a href="https://github.com/actions/upload-artifact/commit/03f282445299bbefc96171af272a984663b63a26"><code>03f2824</code></a> Update <code>github.dep.yml</code></li>
<li><a href="https://github.com/actions/upload-artifact/commit/905a1ecb5915b264cbc519e4eb415b5d82916018"><code>905a1ec</code></a> Prepare <code>v5.0.0</code></li>
<li><a href="https://github.com/actions/upload-artifact/commit/2d9f9cdfa99fedaddba68e9b5b5c281eca26cc63"><code>2d9f9cd</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/725">#725</a> from patrikpolyak/patch-1</li>
<li><a href="https://github.com/actions/upload-artifact/commit/9687587dec67f2a8bc69104e183d311c42af6d6f"><code>9687587</code></a> Merge branch 'main' into patch-1</li>
<li><a href="https://github.com/actions/upload-artifact/commit/2848b2cda0e5190984587ec6bb1f36730ca78d50"><code>2848b2c</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/727">#727</a> from danwkennedy/patch-1</li>
<li><a href="https://github.com/actions/upload-artifact/commit/9b511775fd9ce8c5710b38eea671f856de0e70a7"><code>9b51177</code></a> Spell out the first use of GHES</li>
<li><a href="https://github.com/actions/upload-artifact/commit/cd231ca1eda77976a84805c4194a1954f56b0727"><code>cd231ca</code></a> Update GHES guidance to include reference to Node 20 version</li>
<li><a href="https://github.com/actions/upload-artifact/commit/de65e23aa2b7e23d713bb51fbfcb6d502f8667d8"><code>de65e23</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/712">#712</a> from actions/nebuk89-patch-1</li>
<li><a href="https://github.com/actions/upload-artifact/commit/8747d8cd7632611ad6060b528f3e0f654c98869c"><code>8747d8c</code></a> Update README.md</li>
<li>Additional commits viewable in <a href="https://github.com/actions/upload-artifact/compare/v4...v5">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/upload-artifact&package-manager=github_actions&previous-version=4&new-version=5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.


---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>
### Issue # (if applicable)

Closes #32923.

### Reason for this change
To support express brokers.


### Description of changes
Add `express`  property and validations about express limitations.



### Describe any new or updated permissions being added
N/A



### Description of how you validated changes
Add unit tests and an integ test.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Very nit fix, I happened to notice ;)


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR updates the enum values for ec2.
### Reason for this change

There is a rosetta error due to a missing dependency.

### Description of changes

Added dependency.

### Describe any new or updated permissions being added

No new permissions added


### Description of how you validated changes

Tested locally. Rosetta process succeeds.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change

Name was incorrectly configured.

### Description of changes

Name is fixed.

### Describe any new or updated permissions being added

No new permissions are added.


### Description of how you validated changes

Check works on my fork using the mergify dashboard.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…nation (#35762)

### Issue # (if applicable)

Related to #35729.

### Reason for this change

A PassRole policy is created whenever a cloudwatch destination is setup for a VPC flow destination. This is not needed as indicated from the [VPC flow docs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-iam-role.html).

### Description of changes

Removed policy.

### Describe any new or updated permissions being added

PassRole policy is removed.

### Description of how you validated changes

Unit tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…nvironment (#35817)

Previously, `construct.env` was declared in the `IResource` interface.

Downside is that `IResource` also:

- requires providing `stack: Stack` (which is a bit pointless to begin with since we can always call `Stack.of(x)`); and
- `applyRemovalPolicy()` which doesn't belong on this interface but now is required to implement.

Therefore, we extract `IResource#env` out to its own interface, `IEnvironmentAware`; make `IXxxRef` extend that interface, simplify `IResourceWithPolicy` to only be `IEnvironmentAware` and not an entire `IResource`.

Lessening the requirements on `IResourceWithPolicy` also lessens its guarantees, which makes that a breaking change. In order to make this code change, we do the following:

- Introduce `IResourceWithPolicyV2` to be the version of `IResourceWithPolicy` we should have had.
- Accept `IResourceWithPolicyV2` everywhere
- Make `IResourceWithPolicy` extend `IResourceWithPolicyV2`

```
                   ┌──────────────────────────┐                     
                   │    IEnvironmentAware     │                     
                   └──────────────────────────┘                     
                                 ▲                                  
             ┌───────────────────┴────────────────────┐             
             │                                        │             
┌──────────────────────────┐            ┌──────────────────────────┐
│  IResourceWithPolicyV2   │            │        IResource         │
└──────────────────────────┘            └──────────────────────────┘
              ▲                                       ▲             
              └──────────────────┬────────────────────┘             
                                 │                                  
                   ┌──────────────────────────┐                     
                   │   IResourceWithPolicy    │                     
                   └──────────────────────────┘                     
```

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This is a revert of #35770; `jsii-pacmak` doesn't generate correct Go code for cross-module type intersections.

Fixes #35862.
…by default (under feature flag) (#34675)

### Issue # (if applicable)

Closes #34606.

### Reason for this change

Currently, CDK's L2 constructs allow setting security groups for NLBs, but this requires explicit configuration. 

```ts
declare const sg1: ec2.ISecurityGroup;

const lb = new elbv2.NetworkLoadBalancer(this, 'LB', {
  vpc,
  securityGroups: [sg1], // configure SG explicitly
});
```

This was not originally intended - NLB security group support was implemented later, and the current specification exists to maintain backward compatibility.

#27978
#28494


However, when comparing NLBs without security groups to NLBs with security groups configured, the latter has significantly more advantages. Furthermore, once an NLB is created without security groups, it's impossible to add security group configuration later.

Therefore, I propose using feature flags to make security group configuration the default for NLBs in CDK.

### Description of changes

- Add `@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault` feature flag
- Create security groups by default when feature flags are enabled

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Add both unit and integ tests

### Other information

[This implementation](#34606 (comment)) was also proposed in the issue, but it was not implemented because it was difficult to detect when referenced from other Connectables, as in case2 below.


```ts
declare const nlb: elbv2.INetworkLoadBalancer;
declare const other: IConnectable;

// case1
nlb.connections.allowTo(other, ec2.Port.tcp(1234));

// case2
other.connections.allowTo(nlb, ec2.Port.tcp(2181));
```



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ose's `IDeliveryStream` (#33798)

### Issue # (if applicable)

Related to #33757 and #33758

### Reason for this change

The module has the `KinesisFirehoseStreamV2` target class for Firehose delivery stream.
But it has following issues:
- Kinesis Data Firehose is now Amazon Data Firehose. Therefore the class should not be called Kinesis. Also, KinesisFirehoseStream is confusable with Kinesis Data Stream.
- The constructor receives internally defined `IDeliveryStream` which is a subset of `aws_kinesisfirehose.IDeliveryStream` without inheritance. This may cause jsii type compatibility problem.

### Description of changes

- Added a new `FirehoseDeliveryStream` target class derived from `KinesisFirehoseStreamV2` but receives `aws_kinesisfirehose.IDeliveryStream` instead.
- Deprecated `KinesisFirehoseStreamV2` and internal `IDeliveryStream`.
- Added missing unit tests for `FirehoseDeliveryStream`
- Updated the integ test to use `FirehoseDeliveryStream` and assertions.
- Added a missing README entry referring to Amazon Data Firehose.

### Describe any new or updated permissions being added

N/A - `FirehoseDeliveryStream` adds same permissions as `KinesisFirehoseStreamV2`

### Description of how you validated changes

Unit tests and integ test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #35062.

### Reason for this change

The `addToResourcePolicy()` method for DynamoDB tables had no effect - it was not adding resource policies to the synthesized CloudFormation template. Users calling `table.addToResourcePolicy()` found that their policies were ignored, forcing them to use insecure workarounds.

### Description of changes

Fixed the `addToResourcePolicy()` method to properly update the CloudFormation table's resource policy:

- **Fixed core bug**: Added missing `this.table.resourcePolicy = { policyDocument: this.resourcePolicy }` line in `addToResourcePolicy()` method
- **Restored intended functionality**: Resource policies now appear in synthesized CloudFormation templates
- **Applied to both Table V1 and V2**: Consistent behavior across all DynamoDB table constructs
- **Avoids circular dependencies**: Uses wildcard resources (`*`) pattern to prevent CloudFormation circular dependency issues with auto-generated table names
- **Added comprehensive tests**: 5 new tests covering both wildcard and scoped resource scenarios
- **Updated README.md**: Completely rewrote `addToResourcePolicy` documentation:
  - Removed problematic examples that would create circular dependencies
  - Added correct wildcard resource pattern following KMS approach
  - Documented the CloudFormation limitation and workarounds
  - Provided clear examples for both standard and scoped resource policies

**Before** (broken):
```typescript
// This had no effect - policy was ignored
table.addToResourcePolicy(new iam.PolicyStatement({
  actions: ['dynamodb:GetItem'],
  principals: [new iam.AccountRootPrincipal()],
  resources: [table.tableArn], // This would also create circular dependency
}));
// CloudFormation template: No ResourcePolicy property
```

**After** (fixed):
```typescript
// Now works correctly - policy appears in CloudFormation
table.addToResourcePolicy(new iam.PolicyStatement({
  actions: ['dynamodb:GetItem'],
  principals: [new iam.AccountRootPrincipal()],
  resources: ['*'], // Wildcard avoids circular dependency (KMS pattern)
}));
// CloudFormation template: ResourcePolicy.PolicyDocument properly set
```

**For scoped resources** (requires explicit table name):
```typescript
const table = new dynamodb.Table(this, 'MyTable', {
  tableName: 'my-explicit-table-name', // Explicit name enables scoped resources
  partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
});

table.addToResourcePolicy(new iam.PolicyStatement({
  actions: ['dynamodb:GetItem'],
  principals: [new iam.AccountRootPrincipal()],
  resources: [
    Fn.sub('arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/my-explicit-table-name')
  ],
}));
```

**Architecture Note**: DynamoDB tables use inline `ResourcePolicy` properties (like KMS keys) rather than separate policy resources. Due to CloudFormation's circular dependency limitations, resource policies must use wildcard resources (`*`) when table names are auto-generated, or explicit table names must be specified for scoped resources.

### Describe any new or updated permissions being added

N/A - No new IAM permissions required. This change only affects how existing resource policies are structured.

### Description of how you validated changes

- **Unit tests**: Added new `addToResourcePolicy` tests:
  - Standard wildcard resource usage (`resources: ['*']`)
  - Explicit table name workaround for scoped resources
  - Comprehensive limitation documentation
- **Integration tests**: Added comprehensive integration test covering both wildcard and scoped resource patterns
- **Full test suite**: All DynamoDB unit tests pass, confirming no regressions
- **CloudFormation validation**: Verified synthesis works without circular dependency errors
- **Deployment testing**: Confirmed resource policies are properly applied at deployment time

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
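The CloudFormation circular-dependency limitation described in the `addToResourcePolicy` message above, as an added example that is not part of the PR or of the CDK code base: a small checker over a synthesized template that flags any resource whose own `Properties` reference its own logical ID via `Ref` or `Fn::GetAtt`, run against the three resource-policy shapes the message discusses (table ARN reference, wildcard `*`, explicit-name ARN). The table templates are constructed here for illustration; `selfReferencingResources`, `referencedIds` and `tableWithPolicy` are hypothetical helper names.

```typescript
// Plain JSON as produced by `cdk synth`; no CDK dependency needed.
type Json = string | number | boolean | null | Json[] | { [k: string]: Json };
interface CfnResource { Type: string; Properties?: Json }
export interface CfnTemplate { Resources: Record<string, CfnResource> }

// Collect every logical ID referenced through Ref or Fn::GetAtt anywhere in a property tree.
export function referencedIds(node: Json, out: Set<string> = new Set()): Set<string> {
  if (Array.isArray(node)) {
    node.forEach((n) => referencedIds(n, out));
    return out;
  }
  if (node !== null && typeof node === 'object') {
    const obj = node as { [k: string]: Json };
    const keys = Object.keys(obj);
    if (keys.length === 1 && keys[0] === 'Ref' && typeof obj.Ref === 'string') {
      out.add(obj.Ref);
      return out;
    }
    const getAtt = obj['Fn::GetAtt'];
    if (keys.length === 1 && Array.isArray(getAtt) && typeof getAtt[0] === 'string') {
      out.add(getAtt[0]);
      return out;
    }
    keys.forEach((k) => referencedIds(obj[k], out));
  }
  return out;
}

// Logical IDs of resources that reference themselves. CloudFormation rejects a
// template with such a cycle, which is why an inline ResourcePolicy cannot point at
// the auto-generated table ARN.
export function selfReferencingResources(t: CfnTemplate): string[] {
  return Object.entries(t.Resources)
    .filter(([id, res]) => referencedIds(res.Properties ?? null).has(id))
    .map(([id]) => id);
}

// Constructed DynamoDB table template with an inline ResourcePolicy whose
// Resource element is supplied by the caller.
export function tableWithPolicy(resource: Json): CfnTemplate {
  return {
    Resources: {
      MyTable: {
        Type: 'AWS::DynamoDB::Table',
        Properties: {
          KeySchema: [{ AttributeName: 'id', KeyType: 'HASH' }],
          AttributeDefinitions: [{ AttributeName: 'id', AttributeType: 'S' }],
          ResourcePolicy: {
            PolicyDocument: {
              Version: '2012-10-17',
              Statement: [{
                Effect: 'Allow',
                Action: 'dynamodb:GetItem',
                Principal: { AWS: { 'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:root' } },
                Resource: resource,
              }],
            },
          },
        },
      },
    },
  };
}

// The three shapes from the message: the first cycles, the other two do not.
export const cyclic = selfReferencingResources(tableWithPolicy({ 'Fn::GetAtt': ['MyTable', 'Arn'] }));
export const wildcard = selfReferencingResources(tableWithPolicy('*'));
export const explicitName = selfReferencingResources(
  tableWithPolicy({ 'Fn::Sub': 'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/my-explicit-table-name' }),
);
console.log({ cyclic, wildcard, explicitName });
```

The `Fn::Sub` string in the explicit-name case mentions only pseudo parameters, so nothing in it resolves to the table's own logical ID; that is the property that makes the scoped form safe. Running the checker as a synth-time assertion catches the cycle before `cdk deploy` does, which is cheaper than a failed stack update.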
This re-applies #35770 (which was reverted in #35871).

Contains an upgrade to a fixed version of `jsii-pacmak`.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR updates the enum values for ecs.
### Issue # (if applicable)

Related to aws/aws-cdk-rfcs#825

### Reason for this change

Adding a new alpha package for Amazon Bedrock AgentCore and add support for memory.

### Description of changes

- Create a new alpha package
- Add L2 constructs for memory
- Add documentation
- Add tests

### Describe any new or updated permissions being added

Using permissions for agent core defined in https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockagentcore.html


### Description of how you validated changes

Unit tests, integration tests, manual tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This applies the code for L1 resource relationships, originally applied in #35713 and reverted in #35832.

The reason is that another PR is also making changes in this area, branched in between the original application and its revert, and is now experiencing severe merge conflicts.

In this PR, reintroduce the large refactorings made in the original PR, but disable their application by making the list of services we apply the relationships to empty.

```ts
export const RELATIONSHIP_SERVICES: string[] = [];
```

There were some changes to L2s in the original PR that are not included in this PR; they will need to be reapplied when restoring the feature.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… instead of string identifiers (#35860)

### Issue # (if applicable)

Closes #35854.

### Reason for this change

Improve the Cognito authorizer configuration by accepting Cognito construct references instead of string identifiers, providing better type safety and integration with the CDK ecosystem. 
Additionally, add support for multi-clients.

### Description of changes

- Enhanced `RuntimeAuthorizerConfiguration.usingCognito()` to accept `IUserPool` and `IUserPoolClient` constructs instead of string parameters
- Added support for multiple Cognito clients through an array parameter

The implementation now provides better CDK integration and type safety by using construct references rather than raw string identifiers.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes
Add unit tests and integ test.


BREAKING CHANGE: The signature of `RuntimeAuthorizerConfiguration.usingCognito()` has changed to accept IUserPool and IUserPoolClient constructs instead of string parameters, and now supports multiple clients.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…roys and recreates policies on every deployment (#35842)

### Issue # (if applicable)

Closes #35844

### Reason for this change



The current `addToRolePolicy` for Runtime with imported role destroys and recreates policies on every deployment.

The reason is that `Date.now()` is used for a construct ID of a new Policy in the situation:

https://github.com/aws/aws-cdk/blob/v2.221.0/packages/%40aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-base.ts#L253

```ts
  public addToRolePolicy(statement: iam.PolicyStatement): IBedrockAgentRuntime {
    // Check if role is a concrete Role instance
    if (this.role instanceof iam.Role) {
      this.role.addToPolicy(statement);
    } else {
      // For imported roles (IRole), we need to attach via a new policy
      const policy = new iam.Policy(this, `CustomPolicy${Date.now()}`, {
        statements: [statement],
      });
```

#### Reproduction

1. Deploy your stack with the following CDK code:

```ts
const app = new cdk.App();
const stack = new cdk.Stack(app, 'aws-cdk-bedrock-agentcore-runtime-with-imported-role');

const runtimeArtifact = agentcore.AgentRuntimeArtifact.fromAsset(
  path.join(__dirname, 'testArtifact'),
);

const role = new iam.Role(stack, 'ExecutionRole', {
  assumedBy: new iam.ServicePrincipal('bedrock-agentcore.amazonaws.com'),
});
const imported = iam.Role.fromRoleArn(stack, 'ImportedRole', role.roleArn);

const runtime = new agentcore.Runtime(stack, 'TestRuntime', {
  runtimeName: 'integ_test_runtime',
  agentRuntimeArtifact: runtimeArtifact,
  executionRole: imported,
});

runtime.addToRolePolicy(new iam.PolicyStatement({
  actions: ['dynamodb:Query'],
  resources: ['arn:aws:dynamodb:us-east-1:123456789012:table/my-table'],
}));
```

2. Deploy or diff the stack with the same CDK code again.

3. The change will occur:

```
      [-] AWS::IAM::Policy TestRuntimeCustomPolicy1761380931769044921D2 destroy
      [+] AWS::IAM::Policy TestRuntimeCustomPolicy1761381522330E0DC0D40
```

### Description of changes

Use `addToPrincipalPolicy` directly instead.

### Describe any new or updated permissions being added




### Description of how you validated changes



Both unit tests and an integ test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
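The destroy-and-recreate churn reported above, as an added example that is not part of the PR or of CDK: a simplified model of how a construct path becomes a CloudFormation logical ID (path components concatenated plus an 8-character hash of the path; a model, not the real CDK algorithm), used to show why a construct ID built from `Date.now()` changes the logical ID on every synthesis, while a fixed construct ID stays stable. The two timestamps are the ones visible in the diff output above; `synthWithTimestampId`, `synthWithStableId` and `diffTemplates` are hypothetical helper names, and the assumption that the imported role's policy lives at a fixed construct ID `Policy` is a simplification.

```typescript
import { createHash } from 'crypto';

// Simplified model of CDK logical-ID derivation (illustration only).
export function logicalIdFor(path: string[]): string {
  const human = path.join('').replace(/[^A-Za-z0-9]/g, '');
  const hash = createHash('md5').update(path.join('/')).digest('hex').slice(0, 8).toUpperCase();
  return `${human}${hash}`;
}

// A synthesized template reduced to logicalId -> resource type.
export type Template = Record<string, string>;

// Mirrors the reported bug: the Policy construct ID embeds a timestamp, so each
// synthesis produces a new construct path and therefore a new logical ID.
export function synthWithTimestampId(runtimeId: string, nowMs: number): Template {
  return { [logicalIdFor([runtimeId, `CustomPolicy${nowMs}`])]: 'AWS::IAM::Policy' };
}

// Models the fix: the statement goes into the imported role's own policy, whose
// construct ID is fixed (assumed 'Policy' under the role in this model).
export function synthWithStableId(importedRoleId: string): Template {
  return { [logicalIdFor([importedRoleId, 'Policy'])]: 'AWS::IAM::Policy' };
}

// What `cdk diff` would report between two syntheses: a logical ID that
// disappears is destroyed ([-]); one that appears is created ([+]).
export function diffTemplates(before: Template, after: Template): { destroy: string[]; create: string[] } {
  return {
    destroy: Object.keys(before).filter((id) => !(id in after)),
    create: Object.keys(after).filter((id) => !(id in before)),
  };
}

// Two consecutive synths with the timestamps from the report, and two with a stable ID.
export function demo(): { buggy: ReturnType<typeof diffTemplates>; fixed: ReturnType<typeof diffTemplates> } {
  const buggy = diffTemplates(
    synthWithTimestampId('TestRuntime', 1761380931769),
    synthWithTimestampId('TestRuntime', 1761381522330),
  );
  const fixed = diffTemplates(synthWithStableId('ImportedRole'), synthWithStableId('ImportedRole'));
  return { buggy, fixed };
}

const result = demo();
console.log(result);
```

Besides the noisy diff, replacing an `AWS::IAM::Policy` on every deployment means the permissions are briefly absent between delete and create, so a deterministic construct ID (or reusing the principal's own policy, as the PR does) is also the safer choice.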
Ref: [TwelveLabs’ Marengo Embed 3.0 for advanced video understanding now in Amazon Bedrock](https://aws.amazon.com/about-aws/whats-new/2025/10/twelvelabs-marengo3-embed-amazon-bedrock/)

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…#35894)

When anyone modifies a workflow, mergify will fail to update the PR via a merge commit because of GitHub security, which makes it look like Mergify is updating the workflows, which is disallowed without the `workflows` permission. This switches to rebase by default.
…xisting roles (#35123)

### Issue # (if applicable)

Closes #35120 

### Reason for this change

Dependency on permission was only applied to new roles, not to existing roles.

### Description of changes

The dependency on permission now applies to both new and existing roles.

### Describe any new or updated permissions being added

Not applicable.

### Description of how you validated changes

I've added an integration test for an agent with an existing/custom role attached to it.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@aws-cdk-automation aws-cdk-automation added the pr/no-squash This PR should be merged instead of squash-merging it label Oct 30, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team October 30, 2025 12:51
@github-actions github-actions bot added the p2 label Oct 30, 2025
@mergify
Contributor

mergify bot commented Oct 30, 2025

Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

@aemada-aws aemada-aws closed this Oct 30, 2025
@github-actions
Contributor

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@aemada-aws aemada-aws deleted the bump/2.222.0 branch October 30, 2025 14:40
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 30, 2025
Labels

auto-approve contribution/core This is a PR that came from AWS. p2 pr/no-squash This PR should be merged instead of squash-merging it
