chore(release): 2.224.0 #36040
Merged
### Issue # (if applicable)

Relates #32569

### Reason for this change

Should use typed error rather than non-typed error.

### Description of changes

Modify to use typed error.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

Re-run unit tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #35990

### Reason for this change

To support ML-DSA keys for KeySpec.

### Description of changes

- Add ML-DSA keys validation rule

### Description of how you validated changes

Added both unit tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…to obtain a literal (unresolved by CloudFormation) dynamic reference key (#34397) (#35105)

### Issue # (if applicable)

Closes #34397

### Reason for this change

[Dynamic references](https://docs.aws.amazon.com/secretsmanager/latest/userguide/cfn-example_reference-secret.html) allow an AWS Secrets Manager Secret to be retrieved for use in another AWS CloudFormation resource. Currently the key strings for dynamic references must be created using string manipulation, e.g.

```ts
const passwordKey = `${mySecret.secretArn}:SecretString:password`;
```

### Description of changes

The existing static [secretsManager](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/core/lib/secret-value.ts#L98C17-L98C31) function in `aws-cdk-lib/core` includes code to generate a dynamic reference key string. This code was therefore extracted into a new static `cfnDynamicReferenceKey` function to make it available outside the `secretsManager` function. Using this new static function the above code example becomes

```ts
const passwordKey = SecretValue.cfnDynamicReferenceKey(mySecret.secretArn, { jsonField: 'password' });
```

A new instance method `cfnDynamicReferenceKey` was also created in the [Secret](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-secretsmanager/lib/secret.ts#L499) class in `aws-cdk-lib/aws-secretsmanager`, which calls the new static `cfnDynamicReferenceKey` function for the secret that it represents. Using this new instance method the above example becomes

```ts
const passwordKey = mySecret.cfnDynamicReferenceKey({ jsonField: 'password' });
```

### Description of how you validated changes

Unit tests and an integration test.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…llocations (#35944)

### Reason for this change

For integration test deployment workflow, atmosphere sessions are limited to 1 hour. After that the role credentials expire.

### Description of changes

Integ tests will be run in batches of 3, as by default the integ runner will run 3 integ tests in parallel. Each batch will acquire its own session from atmosphere. Credentials this way will be refreshed to prevent overrunning the session credential time limit.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

- No regression added as shown in this job: https://github.com/Abogical/aws-cdk/actions/runs/19173861766/job/54813366672
- Unit tests added to ensure that a maximum of `<integ test#>/3` batches are executed.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…g updates (#35997)

### Reason for this change

Isolated Modules makes testing faster. We used to configure this via `ts-jest` but they are moving towards the native TS config.

### Description of changes

- Set `isolatedModules: true` for all packages. Updated exports where needed.
- Update workspace file to include mixins-preview package and replace deprecated jest config
- Update mixins-preview eslint & jest config and README

### Describe any new or updated permissions being added

n/a

### Description of how you validated changes

Tests are passing.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… Infrastructure Configuration (#35882)

### Issue # (aws/aws-cdk-rfcs#789)

### Reason for this change

This change adds a new alpha module for EC2 Image Builder L2 Constructs (`@aws-cdk/aws-imagebuilder-alpha`), as outlined in aws/aws-cdk-rfcs#789. This PR specifically implements the `InfrastructureConfiguration` construct.

### Description of changes

This change implements the `InfrastructureConfiguration` construct, which is a higher-level construct of [`CfnInfrastructureConfiguration`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_imagebuilder.CfnInfrastructureConfiguration.html).

Note - I have also added the YAML library as a dependency to the module. This will be used for the component/workflow resources, which need to pass JSON objects in a YAML string format when creating the resource.

#### Example

```ts
const infrastructureConfiguration = new imagebuilder.InfrastructureConfiguration(this, 'InfrastructureConfiguration', {
  infrastructureConfigurationName: 'test-infrastructure-configuration',
  description: 'An Infrastructure Configuration',
  // Optional - instance types to use for build/test
  instanceTypes: [
    ec2.InstanceType.of(ec2.InstanceClass.STANDARD7_INTEL, ec2.InstanceSize.LARGE),
    ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.LARGE)
  ],
  // Optional - create an instance profile with necessary permissions
  instanceProfile: new iam.InstanceProfile(this, 'InstanceProfile', {
    instanceProfileName: 'test-instance-profile',
    role: new iam.Role(this, 'InstanceProfileRole', {
      assumedBy: iam.ServicePrincipal.fromStaticServicePrincipleName('ec2.amazonaws.com'),
      managedPolicies: [
        iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore'),
        iam.ManagedPolicy.fromAwsManagedPolicyName('EC2InstanceProfileForImageBuilder')
      ]
    })
  }),
  // Use VPC network configuration
  vpc,
  subnetSelection: { subnetType: ec2.SubnetType.PUBLIC },
  securityGroups: [ec2.SecurityGroup.fromSecurityGroupId(this, 'SecurityGroup', vpc.vpcDefaultSecurityGroup)],
  keyPair: ec2.KeyPair.fromKeyPairName(this, 'KeyPair', 'imagebuilder-instance-key-pair'),
  terminateInstanceOnFailure: true,
  // Optional - IMDSv2 settings
  httpTokens: imagebuilder.HttpTokens.REQUIRED,
  httpPutResponseHopLimit: 1,
  // Optional - publish image completion messages to an SNS topic
  notificationTopic: sns.Topic.fromTopicArn(
    this,
    'Topic',
    this.formatArn({ service: 'sns', resource: 'image-builder-topic' })
  ),
  // Optional - log settings. Logging is enabled by default
  logging: {
    s3Bucket: s3.Bucket.fromBucketName(this, 'LogBucket', `imagebuilder-logging-${Aws.ACCOUNT_ID}`),
    s3KeyPrefix: 'imagebuilder-logs'
  },
  // Optional - host placement settings
  ec2InstanceAvailabilityZone: Stack.of(this).availabilityZones[0],
  ec2InstanceHostId: dedicatedHost.attrHostId,
  ec2InstanceTenancy: imagebuilder.Tenancy.HOST,
  resourceTags: { Environment: 'production' }
});
```

### Describe any new or updated permissions being added

N/A - new L2 construct in alpha module

### Description of how you validated changes

Validated with unit tests and integration tests. Manually verified generated CFN templates as well.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change

You can't remove placement strategies from an ECS service using CDK once they've been set.

### Description of changes

Same fix as #30382 but for `placementStrategies`. Apparently this was not done at that time because CloudFormation previously did not have the appropriate semantics (#27572 (comment)) for setting PlacementStrategies to the empty array as it did for PlacementConstraints, but that is no longer the case. The CloudFormation docs [state](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ecs-service.html#cfn-ecs-service-placementstrategies):

> To remove this property from your service resource, specify an empty PlacementStrategy array.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

Unit and integration tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change

Refactoring some spec2cdk code to make it more re-usable for mixins codegen.

### Description of changes

- Updates `jsii` and `@cdklabs/typewriter` to the latest versions
- Fixes multiple issues (and typos) in `@aws-cdk/custom-resource-handlers` that arose after the typewriter update. It's a private package and the changed generated code is also private, so this is safe.
- Refactor `spec2cdk` code to make it more reusable.

### Describe any new or updated permissions being added

n/a

### Description of how you validated changes

Existing tests passing. Additionally compared generated code by hand.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…#36002)

### Issue

53 submodules of `aws-cdk-lib` used the wrong .NET package name. Example:

```
# ❌ wrong
Amazon.CDK.aws_bedrockagentcore

# ✅ correct
Amazon.CDK.AWS.BedrockAgentCore
```

❌ wrong

<img width="514" height="150" alt="image" src="https://github.com/user-attachments/assets/97477ced-3bf0-4076-abfb-12e46ec55fa9" />

✅ correct

<img width="453" height="123" alt="image" src="https://github.com/user-attachments/assets/8a76b027-faf4-47bd-aeea-7c1d7b4824db" />

Full list of affected submodules:

```
aws-aiops
aws-applicationsignals
aws-apptest
aws-arcregionswitch
aws-arczonalshift
aws-b2bi
aws-backupgateway
aws-bcmdataexports
aws-bedrock
aws-bedrockagentcore
aws-billing
aws-cleanrooms
aws-cleanroomsml
aws-codeconnections
aws-connectcampaignsv2
aws-datazone
aws-deadline
aws-dsql
aws-entityresolution
aws-evs
aws-gameliftstreams
aws-healthimaging
aws-invoicing
aws-launchwizard
aws-mediapackagev2
aws-mpa
aws-neptunegraph
aws-notifications
aws-notificationscontacts
aws-observabilityadmin
aws-odb
aws-osis
aws-paymentcryptography
aws-pcaconnectorad
aws-pcaconnectorscep
aws-pcs
aws-proton
aws-qbusiness
aws-rbin
aws-route53profiles
aws-rtbfabric
aws-s3express
aws-s3tables
aws-s3vectors
aws-securitylake
aws-shield
aws-smsvoice
aws-ssmguiconnect
aws-ssmquicksetup
aws-verifiedpermissions
aws-workspacesinstances
aws-workspacesthinclient
aws-workspacesweb
```

### Reason for this change

The name of submodules is determined by a `.jsiirc.json` inside the submodule directory. If not present, the export name is appended to the name of the parent module. However for most jsii languages this convention is not great: JavaScript export names don't translate well into other ecosystems. For `aws-cdk-lib` we therefore have added `.jsiirc.json` files into each submodule. For new services, this file is generated when the service is first added.

Due to a bug, this generated file was incorrectly adding the key `package` to the `dotnet` target configuration. It should have been `namespace` instead. Since this was a mistake, we are fixing this now. It means that the package names for the listed 53 submodules are changing for .NET users.

### Description of changes

Update the package names of the listed 53 submodules to use the correct configuration. Adjusted the order of targets in other `.jsiirc.json` files to be the same as generated ones.

### Describe any new or updated permissions being added

n/a

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

### Reason for this change

Adds Node.js 24 runtime to the available [Lambda Runtimes constants](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Runtime.html#initializer)

### Description of changes

Have added integration tests to validate the runtime support

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… aws-signer (#36009)

Upgrade the `integ-runner` version to use the latest version, so that the `--strict` flag can be used in the integration test workflow.

**Note:** The snapshot is updated because a feature flag was included in `integ-runner` in a recent version, which changes the snapshot of one test.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change

Previously `integration-test-deployment` was passing silently if some of the tests were not found. We want to make sure that all the changed integ tests in a PR ran, or the workflow should fail.

### Change

`integration-test-deployment` to use `integ-runner` with the `--strict` flag so that the workflow fails in case a test is not found.

### Testing

Test run on fork: https://github.com/Abogical/aws-cdk/actions/runs/19229944532/job/54965890882?pr=19

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…sion (#35468)

### Issue # (if applicable)

Closes #34974

### Reason for this change

Adding an optional architecture parameter to EvaluateExpressionProps which allows users to specify their desired architecture when using the EvaluateExpression construct. This enables support for ARM64 Lambda functions, which can provide better price-performance for certain workloads.

### Description of changes

- Add optional architecture parameter to EvaluateExpressionProps
- Support ARM_64 and X86_64 Lambda architectures
- Add comprehensive unit and integration tests
- Update documentation with usage examples
- Pass architecture parameter through to EvalNodejsSingletonFunction

### Describe any new or updated permissions being added

No new or updated IAM permissions are required. The existing Lambda invoke permissions remain unchanged as the architecture parameter only affects the Lambda function configuration, not the required permissions.

### Description of how you validated changes

- Added unit tests covering both ARM_64 and X86_64 architectures
- Created integration tests for ARM64, X86_64, and default (no value specified) architecture scenarios
- Verified CloudFormation templates generate correct architecture specifications
- Tested that existing functionality remains unchanged when architecture is not specified (defaults to X86_64)

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…grants (#35983)

### Issue # (if applicable)

Closes #35967.

### Reason for this change

In CDK 2.222.0, PR #35554 fixed `addToResourcePolicy()` to actually work (it was previously a no-op). This exposed a circular dependency issue when using `grantReadData()` or other grant methods with `AccountRootPrincipal`.

When `AccountRootPrincipal` is used with grant methods, the IAM Grant system adds the policy to the table's resource policy (since it's in the same account). The resource policy statement included the table's ARN (`!GetAtt Table.Arn`), creating a circular dependency: Table → ResourcePolicy → Table.Arn → Table.

This is a regression that breaks existing user code that worked in 2.221.1.

### Description of changes

Applied the established KMS grant pattern to DynamoDB by adding `resourceSelfArns: ['*']` parameter to `Grant.addToPrincipalOrResource()` calls in the `combinedGrant` method.

**How it works:**

- `resourceArns` contains actual table ARNs → used for **principal policies** (IAM user/role policies)
- `resourceSelfArns: ['*']` → used for **resource policies** (table's resource policy)
- IAM Grant system automatically chooses which to use based on context
- No circular dependency because resource policy uses wildcard instead of `!GetAtt Table.Arn`

**Why wildcard is safe:**

- Wildcard is scoped to the table's resource policy (not global)
- Resource policy is attached to specific table resource
- Principal and Action fields still enforce access control
- Same pattern used by KMS for years in production

**Files modified:**

- `packages/aws-cdk-lib/aws-dynamodb/lib/table.ts` - Added `resourceSelfArns: ['*']` to `combinedGrant` method
- `packages/aws-cdk-lib/aws-dynamodb/lib/table-v2-base.ts` - Applied identical change for Table V2
- `packages/aws-cdk-lib/aws-dynamodb/README.md` - Added documentation about grant methods and resource policy interaction

**Before (causes circular dependency):**

```typescript
const table = new dynamodb.Table(this, 'Table', {
  partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
});

// This caused circular dependency error in 2.222.0
table.grantReadData(new iam.AccountRootPrincipal());
// Error: Circular dependency between resources: [Table]
```

**After (no circular dependency):**

```typescript
const table = new dynamodb.Table(this, 'Table', {
  partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
});

// This now works correctly
table.grantReadData(new iam.AccountRootPrincipal());
// ✓ Resource policy uses wildcard, no circular dependency
```

**CloudFormation template change:**

```json
{
  "Resources": {
    "Table": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "ResourcePolicy": {
          "PolicyDocument": {
            "Statement": [{
              "Action": ["dynamodb:BatchGetItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
              "Effect": "Allow",
              "Principal": { "AWS": "arn:aws:iam::ACCOUNT:root" },
              "Resource": "*"
            }]
          }
        }
      }
    }
  }
}
```

### Describe any new or updated permissions being added

N/A - This fix does not add new permissions. It resolves how existing grant methods generate resource policies to avoid circular dependencies.

### Description of how you validated changes

- **Unit tests**: Added 2 new tests validating `AccountRootPrincipal` with grant methods
  - `packages/aws-cdk-lib/aws-dynamodb/test/dynamodb.test.ts`: Test for Table V1
  - `packages/aws-cdk-lib/aws-dynamodb/test/table-v2.test.ts`: Test for Table V2
  - Both tests verify resource policy uses wildcard (`*`) to avoid circular dependency
  - All 348 unit tests pass (346 existing + 2 new)
- **Integration tests**: Enhanced existing integration test with grant scenario
  - `packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.add-to-resource-policy.ts`
  - Added TEST 3: Validates `grantWriteData(new AccountRootPrincipal())` works without circular dependency
  - Successfully deployed to AWS (us-east-1)
  - CloudFormation synthesis succeeds, no circular dependency errors
  - Snapshots updated with GrantTable resource
- **Regression testing**: All 346 existing tests pass
  - Grant methods with IAM Users still work
  - Grant methods with IAM Roles still work
  - Grant methods with Service Principals still work
  - Tables with indexes work correctly
  - Global tables (Table V2) work correctly
  - Encrypted tables work correctly

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change

Currently, `.jsiirc.json` files in aws-cdk-lib submodules contain historical naming deviations (e.g., `Amazon.CDK.AWS.Sagemaker` instead of the standard `Amazon.CDK.AWS.SageMaker`). These files are manually maintained and scattered across hundreds of subdirectories, making it:

- **Difficult to discover** what deviations exist and why
- **Risky to change** because there's no central source of truth
- **Hard to maintain consistency** when adding new modules
- **Impossible to audit** without checking every subdirectory

This creates technical debt and makes it harder to evolve the codebase.

### Description of changes

Centralizes all jsii target configurations into a single `scope-map.json` file that serves as the source of truth. The submodule generation script now always regenerates `.jsiirc.json` files from this central configuration, ensuring consistency and making deviations explicit and auditable.

Supporting changes:

- Created `module-topology.ts` to manage the scope map
- Moved jsii utilities from `util/pkglint.ts` to `util/jsii.ts`
- Removed unused `cfn2ts` CLI tool
- Updated all imports to use the new module topology exports

This makes historical deviations visible in one place and prevents future drift.

### Describe any new or updated permissions being added

No new permissions are being added.

### Description of how you validated changes

- Verified that the scope-map.json correctly captures all existing module configurations
- Confirmed that regenerated .jsiirc.json files match the expected format
- Ensured all imports and type references were updated correctly

Basically the proof that this works is that (aside from `scope-map.json`) only codegen files have changed. In particular `jsii-diff` doesn't report anything and no `.jsiirc.json` files changed.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change

Refactor repeated pattern of anonymous classes that throw `UnscopedValidationError` when accessing `node` or `env` properties.

This pattern exists because certain legacy CDK APIs like `ManagedPolicy.fromAwsManagedPolicyName()` and CloudFront's `fromManagedCachePolicy()` return construct-like objects without requiring a `scope` parameter. These APIs predate modern CDK patterns where all constructs require a scope. They cannot be changed without breaking existing customer code, so they return "detached" constructs that throw errors when used in APIs that require a proper construct tree context.

But we also sometimes add new features to resource interfaces like `IManagedPolicy`. When this happens, we have to update this fake implementation in a number of places. It also prevents us (and users) from providing augmentations for the `IConstruct` interface like proposed in #36013.

With this change, we have reduced the number of places to update to one. It's now also possible to augment `IConstruct`.

### Description of changes

- Created `DetachedConstruct` base class in `core/lib/private/detached-construct.ts` that encapsulates the pattern of throwing `UnscopedValidationError` when accessing `node` or `env`
- Refactored CloudFront policy classes (`CachePolicy`, `OriginRequestPolicy`, `ResponseHeadersPolicy`) to extend `DetachedConstruct` instead of implementing the pattern inline
- Refactored `ManagedPolicy.fromAwsManagedPolicyName()` to use `DetachedConstruct`
- Refactored `ElasticBeanstalkDeployAction` to use `DetachedConstruct` for managed policy reference
- Added unit tests for `DetachedConstruct` to verify error throwing behavior

This change reduces code duplication and makes the pattern more maintainable. The `DetachedConstruct` class is marked as internal and documented to discourage use in new APIs.

### Describe any new or updated permissions being added

No new or updated permissions.

### Description of how you validated changes

- Added unit tests in `core/test/private/detached-construct.test.ts` that verify `UnscopedValidationError` is thrown when accessing `node` and `env` properties
- Existing tests continue to pass, ensuring no behavioral changes

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #35717

### Reason for this change

Amazon EKS now supports Kubernetes version 1.34. CDK users need the ability to create EKS clusters with this latest managed Kubernetes version to take advantage of new features and improvements. This PR adds the 1.34 support for both `aws-eks` and `aws-eks-v2-alpha` modules.

### Description of changes

This PR adds support for Kubernetes version 1.34 to `aws-eks` and `aws-eks-v2-alpha` modules.

**Changes made**:

- Added `KubernetesVersion.V1_34` constant to stable EKS module (`aws-cdk-lib/aws-eks`)
- Added `KubernetesVersion.V1_34` constant to alpha EKS module (`@aws-cdk/aws-eks-v2-alpha`)
- Updated integration test framework to support v1.34 with kubectl-v34 layer
- Added dependency on `@aws-cdk/lambda-layer-kubectl-v34@^2.0.0`

**Implementation details**:

- 6 files modified (4 core files + 2 integration test files)
- 23 insertions, 2 deletions
- Purely additive change with zero breaking changes
- Maintains full backward compatibility with all existing versions (1.29-1.33)

**Usage example**:

```typescript
import * as eks from 'aws-cdk-lib/aws-eks';
import { KubectlV34Layer } from '@aws-cdk/lambda-layer-kubectl-v34';

const cluster = new eks.Cluster(this, 'MyCluster', {
  version: eks.KubernetesVersion.V1_34,
  kubectlLayer: new KubectlV34Layer(this, 'KubectlLayer'),
});
```

### Describe any new or updated permissions being added

N/A - No IAM permissions or resource access changes. This is a version constant addition only.

### Description of how you validated changes

- **Unit tests**: All 365 existing unit tests pass without modification. The existing test suite validates version constant enumeration and format.
- **Integration tests**: Integration test framework updated and validated:
  - Added kubectl-v34 layer dependency to test package
  - Updated version mapping configuration
  - Integration tests ready to generate snapshots in CI/CD
  - Build successful with zero errors
- **Build validation**:
  - TypeScript compilation: No errors
  - JSII compatibility: Verified
  - ESLint: Passed
  - All builds successful

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Implements SageMaker Serverless Inference endpoints as requested in issue #23148.

- Add ServerlessProductionVariantProps interface with maxConcurrency, memorySizeInMB, and provisionedConcurrency
- Extend EndpointConfig to support serverless variants alongside existing instance variants
- Add comprehensive validation for serverless configuration parameters
- Enforce mutual exclusivity between instance and serverless variants
- Add CloudFormation template generation for ServerlessConfig properties
- Include extensive test coverage for validation scenarios and error cases

### Issue # 23148

Closes #23148.

### Reason for this change

AWS SageMaker Serverless Inference is not supported in the CDK SageMaker L2 constructs. Users can only configure instance-based endpoints, missing the serverless option for intermittent/unpredictable traffic patterns that could benefit from cost-effective serverless inference. This feature was explicitly planned in the original [SageMaker Endpoint L2 construct RFC](https://github.com/aws/aws-cdk-rfcs/blob/master/text/0431-sagemaker-l2-endpoint.md#feature-additions) with Instance-prefixed classes designed to make room for Serverless-prefixed analogs.

### Description of changes

Implements AWS SageMaker Serverless Inference support in CDK SageMaker L2 constructs, enabling cost-effective serverless endpoints for intermittent workloads:

- **New `ServerlessProductionVariantProps` interface** extending `ProductionVariantProps` with AWS-compliant serverless properties:
  - `maxConcurrency`: 1-200 range (required)
  - `memorySizeInMB`: 1024-6144MB in 1GB increments (required)
  - `provisionedConcurrency`: 1-200 range, optional, must be ≤ maxConcurrency
- **New `addServerlessProductionVariant()` method** with comprehensive input validation
- **Extended `EndpointConfigProps`** with optional `serverlessProductionVariant` property
- **Mutual exclusivity enforcement** between instance and serverless variants per AWS constraints
- **Single serverless variant limit** per endpoint configuration (AWS limitation)
- **Comprehensive synthesis-time validation** with clear, actionable error messages
- **CloudFormation integration** leveraging existing L1 construct `ServerlessConfig` support

**Usage Example**:

```typescript
import * as sagemaker from '@aws-cdk/aws-sagemaker-alpha';

declare const model: sagemaker.IModel;

// Create serverless endpoint configuration
const endpointConfig = new sagemaker.EndpointConfig(this, 'ServerlessEndpointConfig', {
  serverlessProductionVariant: {
    model: model,
    variantName: 'serverlessVariant',
    maxConcurrency: 10,
    memorySizeInMB: 2048,
    provisionedConcurrency: 5, // optional
  },
});
```

### Describe any new or updated permissions being added

N/A - No new IAM permissions required. Leverages existing SageMaker model and endpoint permissions.

### Description of how you validated changes

- **Unit tests**: Added 12 comprehensive serverless variant tests covering all validation scenarios:
  - Memory size validation (1024-6144MB in 1GB increments)
  - Concurrency range validation (1-200 for both max and provisioned)
  - Mutual exclusivity enforcement between instance and serverless variants
  - Single serverless variant limit per AWS constraints
  - Cross-environment model compatibility validation
  - Error condition testing with clear error messages
  - CloudFormation template generation verification
- **Integration tests**: Extended existing integration test with serverless endpoint configuration, verified CloudFormation template generation with correct `ServerlessConfig` properties:

```yaml
ServerlessEndpointConfig:
  Type: AWS::SageMaker::EndpointConfig
  Properties:
    ProductionVariants:
      - ServerlessConfig:
          MaxConcurrency: 10
          MemorySizeInMB: 2048
          ProvisionedConcurrency: 5
        VariantName: serverlessVariant
```

- **Comprehensive testing results**: 63/63 unit tests pass (100% success rate), 4/4 integration tests pass, no regressions detected across 16,024+ CDK tests

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
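The validation rules listed in this PR description (concurrency range 1-200, memory size 1024-6144 MB in 1 GB steps, provisioned concurrency bounded by max concurrency, no mixing of instance and serverless variants, at most one serverless variant) are the kind of input checks a reviewer would want to see exercised. The following is an added, standalone TypeScript model of those rules and of the `ServerlessConfig` rendering shown in the YAML above; it is not code from `@aws-cdk/aws-sagemaker-alpha`, and the type and function names (`ServerlessVariantProps`, `InstanceVariantProps`, `validateServerlessVariant`, `validateEndpointConfig`, `renderServerlessVariant`) are this example's own assumptions rather than the construct's API.

```typescript
// Added example, not the construct's own code: a standalone model of the
// serverless-variant validation rules and CloudFormation rendering the PR
// describes. All names below are this example's own assumptions.

interface ServerlessVariantProps {
  variantName: string;
  maxConcurrency: number;          // 1-200, required
  memorySizeInMB: number;          // 1024-6144 in 1024 MB steps, required
  provisionedConcurrency?: number; // 1-200, optional, must not exceed maxConcurrency
}

interface InstanceVariantProps {
  variantName: string;
  instanceType: string; // simplified stand-in for an instance-based variant
}

interface EndpointConfigInput {
  instanceProductionVariants?: InstanceVariantProps[];
  serverlessProductionVariants?: ServerlessVariantProps[];
}

const CONCURRENCY_RANGE = { min: 1, max: 200 };
const MEMORY_RANGE_MB = { min: 1024, max: 6144, step: 1024 };

function inRange(n: number, range: { min: number; max: number }): boolean {
  return Number.isInteger(n) && n >= range.min && n <= range.max;
}

/** Rules for a single serverless variant; returns every violation found, empty when valid. */
function validateServerlessVariant(props: ServerlessVariantProps): string[] {
  const errors: string[] = [];
  const { variantName, maxConcurrency, memorySizeInMB, provisionedConcurrency } = props;

  if (!inRange(maxConcurrency, CONCURRENCY_RANGE)) {
    errors.push(`Variant '${variantName}': maxConcurrency must be an integer in [1, 200], got ${maxConcurrency}`);
  }
  if (!inRange(memorySizeInMB, MEMORY_RANGE_MB) || memorySizeInMB % MEMORY_RANGE_MB.step !== 0) {
    errors.push(`Variant '${variantName}': memorySizeInMB must be 1024, 2048, 3072, 4096, 5120 or 6144, got ${memorySizeInMB}`);
  }
  if (provisionedConcurrency !== undefined) {
    if (!inRange(provisionedConcurrency, CONCURRENCY_RANGE)) {
      errors.push(`Variant '${variantName}': provisionedConcurrency must be an integer in [1, 200], got ${provisionedConcurrency}`);
    } else if (provisionedConcurrency > maxConcurrency) {
      errors.push(`Variant '${variantName}': provisionedConcurrency (${provisionedConcurrency}) must not exceed maxConcurrency (${maxConcurrency})`);
    }
  }
  return errors;
}

/** Endpoint-level rules: no mixing of variant kinds, at most one serverless variant, unique names. */
function validateEndpointConfig(config: EndpointConfigInput): string[] {
  const errors: string[] = [];
  const instance = config.instanceProductionVariants ?? [];
  const serverless = config.serverlessProductionVariants ?? [];

  if (instance.length === 0 && serverless.length === 0) {
    errors.push('At least one production variant is required');
  }
  if (instance.length > 0 && serverless.length > 0) {
    errors.push('Instance-based and serverless production variants cannot be combined in one endpoint configuration');
  }
  if (serverless.length > 1) {
    errors.push(`Only one serverless production variant is allowed per endpoint configuration, got ${serverless.length}`);
  }
  const seen = new Set<string>();
  for (const v of [...instance, ...serverless]) {
    if (seen.has(v.variantName)) {
      errors.push(`Duplicate variant name '${v.variantName}'`);
    }
    seen.add(v.variantName);
  }
  for (const v of serverless) {
    errors.push(...validateServerlessVariant(v));
  }
  return errors;
}

/** Renders one ProductionVariants entry in the shape the PR's integration test snapshot shows. */
function renderServerlessVariant(props: ServerlessVariantProps): Record<string, unknown> {
  const serverlessConfig: Record<string, number> = {
    MaxConcurrency: props.maxConcurrency,
    MemorySizeInMB: props.memorySizeInMB,
  };
  if (props.provisionedConcurrency !== undefined) {
    serverlessConfig.ProvisionedConcurrency = props.provisionedConcurrency;
  }
  return { ServerlessConfig: serverlessConfig, VariantName: props.variantName };
}
```

Both validators return the full list of violations rather than throwing on the first one, which matches the "clear, actionable error messages" goal for synthesis-time validation: a user who sets both an invalid memory size and an oversized provisioned concurrency sees both problems in one run. Call `validateEndpointConfig` on the assembled configuration and only render with `renderServerlessVariant` when the returned list is empty.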
### Reason for this change

Follow-up to #35997 in which I missed many tsconfigs and also didn't actually remove the deprecated `ts-jest` config.

### Description of changes

- Added `"isolatedModules": true` to all `tsconfig.json` and `tsconfig.dev.json` files across packages and tools
- Removed the redundant `isolatedModules` override from the Jest configuration in `cdk-build-tools` since it's now set globally in TypeScript configs

### Describe any new or updated permissions being added

None

### Description of how you validated changes

This is a build configuration change that enables stricter TypeScript compilation checks.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The introduction of reference interfaces (`IBucketRef`, `IRoleRef`, etc.) led to an increased potential for cyclic references between service modules. Cyclic references are a problem in both Python and Go, and prevent us from taking this idea as far as we want to go.
In this PR, we introduce a new submodule `aws-cdk-lib.interfaces` where all reference interfaces will live. Because some services have resources with the same name, there are submodules inside the `interfaces` submodule, so actual interface references will look like `aws-cdk-lib.interfaces.aws_s3.IBucketRef`.
Because moving the canonical location for these interfaces will be breaking, we leave behind aliases for them in the old location, so TypeScript code can still do `import { IBucketRef } from 'aws-cdk-lib/aws-s3';`. Unfortunately we cannot do the same for other languages because (a) jsii doesn't understand type aliases yet and (b) even if it did, type aliases cannot be rendered appropriately in either Java or C#. This means that this change might be backwards breaking for some consumers that implement L2 interfaces in jsii client languages, but we are assuming that most people doing this would be using TypeScript, which will remain unaffected. It is unfortunate that we have to do this, but we have painted ourselves into a corner that we otherwise cannot get out of.
## Implementation notes
This PR contains heavy refactoring in `spec2cdk` around determining file paths and import paths. We used to have to pass import paths into every service module that we code generated; but if we determine the file names ahead of time, we can also just use `path.posix.relative()` to determine the right import location, which is much easier to use.
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

N/A

### Reason for this change

Update the `cdk-generate-synthetic-examples` package to use the latest tag so we always get the latest features and improvements.

### Description of changes

Updated the version constraint in `scripts/run-rosetta.sh` from `^0.1.292` to `latest` for the `cdk-generate-synthetic-examples` package.

### Describe any new or updated permissions being added

None

### Description of how you validated changes

This is a dependency version update. The script will use the latest version of the package when generating synthetic examples.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

N/A

### Reason for this change

The `loadPatchedSpec` function was missing an explicit return type annotation, which caused the integration test PRs in https://github.com/cdklabs/awscdk-service-spec to fail ([example](https://github.com/cdklabs/awscdk-service-spec/actions/runs/19285484055/job/55145432926?pr=2203#step:10:73)).

This is a fairly obscure scenario and doesn't happen that often. But I don't really have a good way to prevent this kind of issue in future. For now, let's stop the bleeding.

### Description of changes

Added explicit `Promise<SpecDatabase>` return type annotation to the `loadPatchedSpec` function in `tools/@aws-cdk/spec2cdk/lib/generate.ts`.

### Describe any new or updated permissions being added

None.

### Description of how you validated changes

Type-only change, verified manually with linked `awscdk-service-spec` packages.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…rect (#36036)

### Reason for this change

Go packaging was failing with

```
#STDERR> awsimagebuilder/internal/types.go:4:2: "github.com/aws/aws-cdk-go/awscdk/interfaces/awsimagebuilder" imported and not used
#STDERR> awsimagebuilder/internal/types.go:8:28: undefined: IComponentRef
```

However, as it turns out, the generated `jsiirc` were using the wrong path. They were missing the required `.` (full stop) prefix, thus the written package names were not being considered by jsii at all.

For Go, we also need to update the interfaces package name to a unique name:

Before:

```
package awsimagebuilder
```

After:

```
package interfacesawsimagebuilder
```

### Description of changes

Use the correct `jsiirc` filename. Ensure a unique package name for Go is used.

### Describe any new or updated permissions being added

n/a

### Description of how you validated changes

Test pipeline is passing. Manually tested Go packaging.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
**L1 CloudFormation resource definition changes:**
```
├[~] service aws-rtbfabric
│ └ resources
│ ├[~] resource AWS::RTBFabric::Link
│ │ ├ - documentation: Resource Type definition for AWS::RTBFabric::Link Resource Type
│ │ │ + documentation: Creates a new link between gateways.
│ │ │ Establishes a connection that allows gateways to communicate and exchange bid requests and responses.
│ │ ├ properties
│ │ │ ├ GatewayId: (documentation changed)
│ │ │ ├ HttpResponderAllowed: (documentation changed)
│ │ │ ├ LinkAttributes: (documentation changed)
│ │ │ ├ LinkLogSettings: (documentation changed)
│ │ │ ├ PeerGatewayId: (documentation changed)
│ │ │ └ Tags: (documentation changed)
│ │ ├ attributes
│ │ │ └ LinkId: (documentation changed)
│ │ └ types
│ │ ├[~] type Action
│ │ │ ├ - documentation: undefined
│ │ │ │ + documentation: Describes a bid action.
│ │ │ └ properties
│ │ │ ├ HeaderTag: (documentation changed)
│ │ │ └ NoBid: (documentation changed)
│ │ ├[~] type ApplicationLogs
│ │ │ ├ - documentation: undefined
│ │ │ │ + documentation: Describes the configuration of a link application log.
│ │ │ └ properties
│ │ │ └ LinkApplicationLogSampling: (documentation changed)
│ │ ├[~] type Filter
│ │ │ ├ - documentation: undefined
│ │ │ │ + documentation: Describes the configuration of a filter.
│ │ │ └ properties
│ │ │ └ Criteria: (documentation changed)
│ │ ├[~] type FilterCriterion
│ │ │ ├ - documentation: undefined
│ │ │ │ + documentation: Describes the criteria for a filter.
│ │ │ └ properties
│ │ │ ├ Path: (documentation changed)
│ │ │ └ Values: (documentation changed)
│ │ ├[~] type HeaderTagAction
│ │ │ ├ - documentation: undefined
│ │ │ │ + documentation: Describes the header tag for a bid action.
│ │ │ └ properties
│ │ │ ├ Name: (documentation changed)
│ │ │ └ Value: (documentation changed)
│ │ ├[~] type LinkApplicationLogSampling
│ │ │ ├ - documentation: undefined
│ │ │ │ + documentation: Describes a link application log sample.
│ │ │ └ properties
│ │ │ ├ ErrorLog: (documentation changed)
│ │ │ └ FilterLog: (documentation changed)
│ │ ├[~] type LinkAttributes
│ │ │ ├ - documentation: undefined
│ │ │ │ + documentation: Describes the attributes of a link.
│ │ │ └ properties
│ │ │ ├ CustomerProvidedId: (documentation changed)
│ │ │ └ ResponderErrorMasking: (documentation changed)
│ │ ├[~] type LinkLogSettings
│ │ │ ├ - documentation: undefined
│ │ │ │ + documentation: Describes the settings for a link log.
│ │ │ └ properties
│ │ │ └ ApplicationLogs: (documentation changed)
│ │ ├[~] type ModuleConfiguration
│ │ │ ├ - documentation: undefined
│ │ │ │ + documentation: Describes the configuration of a module.
│ │ │ └ properties
│ │ │ ├ DependsOn: (documentation changed)
│ │ │ ├ ModuleParameters: (documentation changed)
│ │ │ ├ Name: (documentation changed)
│ │ │ └ Version: (documentation changed)
│ │ ├[~] type ModuleParameters
│ │ │ ├ - documentation: undefined
│ │ │ │ + documentation: Describes the parameters of a module.
│ │ │ └ properties
│ │ │ ├ NoBid: (documentation changed)
│ │ │ └ OpenRtbAttribute: (documentation changed)
│ │ ├[~] type NoBidAction
│ │ │ ├ - documentation: undefined
│ │ │ │ + documentation: Describes a no bid action.
│ │ │ └ properties
│ │ │ └ NoBidReasonCode: (documentation changed)
│ │ ├[~] type NoBidModuleParameters
│ │ │ ├ - documentation: undefined
│ │ │ │ + documentation: Describes the parameters of a no bid module.
│ │ │ └ properties
│ │ │ ├ PassThroughPercentage: (documentation changed)
│ │ │ ├ Reason: (documentation changed)
│ │ │ └ ReasonCode: (documentation changed)
│ │ ├[~] type OpenRtbAttributeModuleParameters
│ │ │ ├ - documentation: undefined
│ │ │ │ + documentation: Describes the parameters of an open RTB attribute module.
│ │ │ └ properties
│ │ │ ├ Action: (documentation changed)
│ │ │ ├ FilterConfiguration: (documentation changed)
│ │ │ ├ FilterType: (documentation changed)
│ │ │ └ HoldbackPercentage: (documentation changed)
│ │ └[~] type ResponderErrorMaskingForHttpCode
│ │ ├ - documentation: undefined
│ │ │ + documentation: Describes the masking for HTTP error codes.
│ │ └ properties
│ │ ├ Action: (documentation changed)
│ │ ├ HttpCode: (documentation changed)
│ │ ├ LoggingTypes: (documentation changed)
│ │ └ ResponseLoggingPercentage: (documentation changed)
│ ├[~] resource AWS::RTBFabric::RequesterGateway
│ │ ├ - documentation: Resource Type definition for AWS::RTBFabric::RequesterGateway Resource Type.
│ │ │ + documentation: Creates a requester gateway.
│ │ └ properties
│ │ ├ Description: (documentation changed)
│ │ ├ SecurityGroupIds: (documentation changed)
│ │ ├ SubnetIds: (documentation changed)
│ │ ├ Tags: (documentation changed)
│ │ └ VpcId: (documentation changed)
│ └[~] resource AWS::RTBFabric::ResponderGateway
│ ├ - documentation: Resource Type definition for AWS::RTBFabric::ResponderGateway Resource Type
│ │ + documentation: Creates a responder gateway.
│ │ > A domain name or managed endpoint is required.
│ ├ properties
│ │ ├ Description: (documentation changed)
│ │ ├ DomainName: (documentation changed)
│ │ ├ ManagedEndpointConfiguration: (documentation changed)
│ │ ├ Port: (documentation changed)
│ │ ├ Protocol: (documentation changed)
│ │ ├ SecurityGroupIds: (documentation changed)
│ │ ├ SubnetIds: (documentation changed)
│ │ ├ Tags: (documentation changed)
│ │ ├ TrustStoreConfiguration: (documentation changed)
│ │ └ VpcId: (documentation changed)
│ └ types
│ ├[~] type AutoScalingGroupsConfiguration
│ │ ├ - documentation: undefined
│ │ │ + documentation: Describes the configuration of an auto scaling group.
│ │ └ properties
│ │ ├ AutoScalingGroupNameList: (documentation changed)
│ │ └ RoleArn: (documentation changed)
│ ├[~] type EksEndpointsConfiguration
│ │ ├ - documentation: undefined
│ │ │ + documentation: Describes the configuration of an Amazon Elastic Kubernetes Service endpoint.
│ │ └ properties
│ │ ├ ClusterApiServerCaCertificateChain: (documentation changed)
│ │ ├ ClusterApiServerEndpointUri: (documentation changed)
│ │ ├ ClusterName: (documentation changed)
│ │ ├ EndpointsResourceName: (documentation changed)
│ │ ├ EndpointsResourceNamespace: (documentation changed)
│ │ └ RoleArn: (documentation changed)
│ ├[~] type ManagedEndpointConfiguration
│ │ ├ - documentation: undefined
│ │ │ + documentation: Describes the configuration of a managed endpoint.
│ │ └ properties
│ │ ├ AutoScalingGroupsConfiguration: (documentation changed)
│ │ └ EksEndpointsConfiguration: (documentation changed)
│ └[~] type TrustStoreConfiguration
│ ├ - documentation: undefined
│ │ + documentation: Describes the configuration of a trust store.
│ └ properties
│ └ CertificateAuthorityCertificates: (documentation changed)
├[~] service aws-s3tables
│ └ resources
│ ├[~] resource AWS::S3Tables::Table
│ │ ├ - tagInformation: undefined
│ │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ └ properties
│ │ └[+] Tags: Array<tag>
│ └[~] resource AWS::S3Tables::TableBucket
│ ├ - tagInformation: undefined
│ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ └ properties
│ └[+] Tags: Array<tag>
├[~] service aws-s3vectors
│ └ resources
│ ├[~] resource AWS::S3Vectors::Index
│ │ ├ - documentation: Resource Type definition for AWS::S3Vectors::Index
│ │ │ + documentation: The `AWS::S3Vectors::Index` resource defines a vector index within an Amazon S3 vector bucket. For more information, see [Creating a vector index in a vector bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-vectors-create-index.html) in the *Amazon Simple Storage Service User Guide* .
│ │ │ You must specify either `VectorBucketName` or `VectorBucketArn` to identify the bucket that contains the index.
│ │ │ To control how AWS CloudFormation handles the vector index when the stack is deleted, you can set a deletion policy for your index. You can choose to *retain* the index or to *delete* the index. For more information, see [DeletionPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) .
│ │ │ - **Permissions** - The required permissions for CloudFormation to use are based on the operations that are performed on the stack.
│ │ │ - Create
│ │ │ - s3vectors:CreateIndex
│ │ │ - s3vectors:GetIndex
│ │ │ - Read
│ │ │ - s3vectors:GetIndex
│ │ │ - Delete
│ │ │ - s3vectors:DeleteIndex
│ │ │ - s3vectors:GetIndex
│ │ │ - List
│ │ │ - s3vectors:ListIndexes
│ │ ├ properties
│ │ │ ├ DataType: (documentation changed)
│ │ │ ├ Dimension: (documentation changed)
│ │ │ ├ DistanceMetric: (documentation changed)
│ │ │ ├ IndexName: (documentation changed)
│ │ │ └ VectorBucketArn: (documentation changed)
│ │ ├ attributes
│ │ │ ├ CreationTime: (documentation changed)
│ │ │ └ IndexArn: (documentation changed)
│ │ └ types
│ │ └[~] type MetadataConfiguration
│ │ ├ - documentation: The metadata configuration for the vector index.
│ │ │ + documentation: The metadata configuration for the vector index. This configuration allows you to specify which metadata keys should be treated as non-filterable.
│ │ └ properties
│ │ └ NonFilterableMetadataKeys: (documentation changed)
│ ├[~] resource AWS::S3Vectors::VectorBucket
│ │ ├ - documentation: Resource Type definition for AWS::S3Vectors::VectorBucket
│ │ │ + documentation: Defines an Amazon S3 vector bucket in the same AWS Region where you create the AWS CloudFormation stack.
│ │ │ Vector buckets are specialized storage containers designed for storing and managing vector data used in machine learning and AI applications. They provide optimized storage and retrieval capabilities for high-dimensional vector data.
│ │ │ To control how AWS CloudFormation handles the bucket when the stack is deleted, you can set a deletion policy for your bucket. You can choose to *retain* the bucket or to *delete* the bucket. For more information, see [DeletionPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) .
│ │ │ > You can only delete empty vector buckets. Deletion fails for buckets that have contents.
│ │ │ - **Permissions** - The required permissions for CloudFormation to use are based on the operations that are performed on the stack.
│ │ │ - Create
│ │ │ - s3vectors:CreateVectorBucket
│ │ │ - s3vectors:GetVectorBucket
│ │ │ - kms:GenerateDataKey (if using KMS encryption)
│ │ │ - Read
│ │ │ - s3vectors:GetVectorBucket
│ │ │ - kms:GenerateDataKey (if using KMS encryption)
│ │ │ - Delete
│ │ │ - s3vectors:DeleteVectorBucket
│ │ │ - s3vectors:GetVectorBucket
│ │ │ - kms:GenerateDataKey (if using KMS encryption)
│ │ │ - List
│ │ │ - s3vectors:ListVectorBuckets
│ │ │ - kms:GenerateDataKey (if using KMS encryption)
│ │ │ - arnTemplate: undefined
│ │ │ + arnTemplate: arn:${Partition}:s3vectors:${Region}:${Account}:bucket/${BucketName}
│ │ ├ properties
│ │ │ └ VectorBucketName: (documentation changed)
│ │ ├ attributes
│ │ │ ├ CreationTime: (documentation changed)
│ │ │ └ VectorBucketArn: (documentation changed)
│ │ └ types
│ │ └[~] type EncryptionConfiguration
│ │ ├ - documentation: The encryption configuration for the vector bucket.
│ │ │ + documentation: Specifies the encryption configuration for the vector bucket. By default, all new vectors in Amazon S3 vector buckets use server-side encryption with Amazon S3 managed keys (SSE-S3), specifically AES256.
│ │ └ properties
│ │ ├ KmsKeyArn: (documentation changed)
│ │ └ SseType: (documentation changed)
│ └[~] resource AWS::S3Vectors::VectorBucketPolicy
│ ├ - documentation: Resource Type definition for AWS::S3Vectors::VectorBucketPolicy
│ │ + documentation: The `AWS::S3Vectors::VectorBucketPolicy` resource defines an Amazon S3 vector bucket policy to control access to an Amazon S3 vector bucket.
│ │ Vector bucket policies are written in JSON and allow you to grant or deny permissions across all (or a subset of) objects within a vector bucket.
│ │ You must specify either `VectorBucketName` or `VectorBucketArn` to identify the target bucket.
│ │ To control how AWS CloudFormation handles the vector bucket policy when the stack is deleted, you can set a deletion policy for your policy. You can choose to *retain* the policy or to *delete* the policy. For more information, see [DeletionPolicy attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html) .
│ │ - **Permissions** - The required permissions for CloudFormation to use are based on the operations that are performed on the stack.
│ │ - Create
│ │ - s3vectors:GetVectorBucketPolicy
│ │ - s3vectors:PutVectorBucketPolicy
│ │ - Read
│ │ - s3vectors:GetVectorBucketPolicy
│ │ - Update
│ │ - s3vectors:GetVectorBucketPolicy
│ │ - s3vectors:PutVectorBucketPolicy
│ │ - Delete
│ │ - s3vectors:GetVectorBucketPolicy
│ │ - s3vectors:DeleteVectorBucketPolicy
│ │ - List
│ │ - s3vectors:GetVectorBucketPolicy
│ │ - s3vectors:ListVectorBuckets
│ └ properties
│ ├ Policy: (documentation changed)
│ ├ VectorBucketArn: (documentation changed)
│ └ VectorBucketName: (documentation changed)
├[~] service aws-securityhub
│ └ resources
│ ├[~] resource AWS::SecurityHub::AutomationRule
│ │ ├ - documentation: The `AWS::SecurityHub::AutomationRule` resource specifies an automation rule based on input parameters. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub User Guide* .
│ │ │ + documentation: The `AWS::SecurityHub::AutomationRule` resource specifies an automation rule based on input parameters. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *Security Hub User Guide* .
│ │ └ types
│ │ ├[~] type AutomationRulesAction
│ │ │ └ - documentation: One or more actions that AWS Security Hub takes when a finding matches the defined criteria of a rule.
│ │ │ + documentation: One or more actions that Security Hub takes when a finding matches the defined criteria of a rule.
│ │ ├[~] type AutomationRulesFindingFilters
│ │ │ └ properties
│ │ │ ├ Confidence: (documentation changed)
│ │ │ ├ CreatedAt: (documentation changed)
│ │ │ ├ Criticality: (documentation changed)
│ │ │ ├ FirstObservedAt: (documentation changed)
│ │ │ ├ LastObservedAt: (documentation changed)
│ │ │ ├ NoteUpdatedAt: (documentation changed)
│ │ │ ├ Type: (documentation changed)
│ │ │ └ UpdatedAt: (documentation changed)
│ │ ├[~] type DateFilter
│ │ │ └ properties
│ │ │ ├ End: (documentation changed)
│ │ │ └ Start: (documentation changed)
│ │ ├[~] type MapFilter
│ │ │ ├ - documentation: A map filter for filtering AWS Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
│ │ │ │ + documentation: A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
│ │ │ └ properties
│ │ │ └ Comparison: (documentation changed)
│ │ └[~] type StringFilter
│ │ ├ - documentation: A string filter for filtering AWS Security Hub findings.
│ │ │ + documentation: A string filter for filtering Security Hub findings.
│ │ └ properties
│ │ └ Comparison: (documentation changed)
│ ├[~] resource AWS::SecurityHub::AutomationRuleV2
│ │ └ types
│ │ ├[~] type DateFilter
│ │ │ └ properties
│ │ │ ├ End: (documentation changed)
│ │ │ └ Start: (documentation changed)
│ │ ├[~] type MapFilter
│ │ │ ├ - documentation: A map filter for filtering AWS Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
│ │ │ │ + documentation: A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
│ │ │ └ properties
│ │ │ └ Comparison: (documentation changed)
│ │ └[~] type StringFilter
│ │ ├ - documentation: A string filter for filtering AWS Security Hub findings.
│ │ │ + documentation: A string filter for filtering Security Hub findings.
│ │ └ properties
│ │ └ Comparison: (documentation changed)
│ ├[~] resource AWS::SecurityHub::ConfigurationPolicy
│ │ ├ - documentation: The `AWS::SecurityHub::ConfigurationPolicy` resource creates a central configuration policy with the defined settings. Only the AWS Security Hub delegated administrator can create this resource in the home Region. For more information, see [Central configuration in Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html) in the *AWS Security Hub User Guide* .
│ │ │ + documentation: The `AWS::SecurityHub::ConfigurationPolicy` resource creates a central configuration policy with the defined settings. Only the Security Hub delegated administrator can create this resource in the home Region. For more information, see [Central configuration in Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html) in the *Security Hub User Guide* .
│ │ ├ properties
│ │ │ ├ ConfigurationPolicy: (documentation changed)
│ │ │ └ Tags: (documentation changed)
│ │ └ types
│ │ ├[~] type ParameterConfiguration
│ │ │ └ properties
│ │ │ └ ValueType: (documentation changed)
│ │ ├[~] type Policy
│ │ │ └ - documentation: An object that defines how AWS Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
│ │ │ + documentation: An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
│ │ ├[~] type SecurityControlsConfiguration
│ │ │ └ - documentation: An object that defines which security controls are enabled in an AWS Security Hub configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account.
│ │ │ This property is required only if `ServiceEnabled` is set to `true` in your configuration policy.
│ │ │ + documentation: An object that defines which security controls are enabled in an Security Hub configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account.
│ │ │ This property is required only if `ServiceEnabled` is set to `true` in your configuration policy.
│ │ └[~] type SecurityHubPolicy
│ │ └ - documentation: An object that defines how AWS Security Hub is configured. The configuration policy includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
│ │ + documentation: An object that defines how Security Hub is configured. The configuration policy includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
│ ├[~] resource AWS::SecurityHub::DelegatedAdmin
│ │ └ - documentation: The `AWS::SecurityHub::DelegatedAdmin` resource designates the delegated AWS Security Hub administrator account for an organization. You must enable the integration between Security Hub and AWS Organizations before you can designate a delegated Security Hub administrator. Only the management account for an organization can designate the delegated Security Hub administrator account. For more information, see [Designating the delegated Security Hub administrator](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html#designate-admin-instructions) in the *AWS Security Hub User Guide* .
│ │ To change the delegated administrator account, remove the current delegated administrator account, and then designate the new account.
│ │ To designate multiple delegated administrators in different organizations and AWS Regions , we recommend using [AWS CloudFormation mappings](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/mappings-section-structure.html) .
│ │ Tags aren't supported for this resource.
│ │ + documentation: The `AWS::SecurityHub::DelegatedAdmin` resource designates the delegated Security Hub administrator account for an organization. You must enable the integration between Security Hub and AWS Organizations before you can designate a delegated Security Hub administrator. Only the management account for an organization can designate the delegated Security Hub administrator account. For more information, see [Designating the delegated Security Hub administrator](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html#designate-admin-instructions) in the *Security Hub User Guide* .
│ │ To change the delegated administrator account, remove the current delegated administrator account, and then designate the new account.
│ │ To designate multiple delegated administrators in different organizations and AWS Regions , we recommend using [AWS CloudFormation mappings](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/mappings-section-structure.html) .
│ │ Tags aren't supported for this resource.
│ ├[~] resource AWS::SecurityHub::FindingAggregator
│ │ └ - documentation: The `AWS::SecurityHub::FindingAggregator` resource enables cross-Region aggregation. When cross-Region aggregation is enabled, you can aggregate findings, finding updates, insights, control compliance statuses, and security scores from one or more linked Regions to a single aggregation Region. You can then view and manage all of this data from the aggregation Region. For more details about cross-Region aggregation, see [Cross-Region aggregation](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html) in the *AWS Security Hub User Guide*
│ │ This resource must be created in the Region that you want to designate as your aggregation Region.
│ │ Cross-Region aggregation is also a prerequisite for using [central configuration](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html) in Security Hub .
│ │ + documentation: The `AWS::SecurityHub::FindingAggregator` resource enables cross-Region aggregation. When cross-Region aggregation is enabled, you can aggregate findings, finding updates, insights, control compliance statuses, and security scores from one or more linked Regions to a single aggregation Region. You can then view and manage all of this data from the aggregation Region. For more details about cross-Region aggregation, see [Cross-Region aggregation](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html) in the *Security Hub User Guide*
│ │ This resource must be created in the Region that you want to designate as your aggregation Region.
│ │ Cross-Region aggregation is also a prerequisite for using [central configuration](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html) in Security Hub .
│ ├[~] resource AWS::SecurityHub::Hub
│ │ └ - documentation: The `AWS::SecurityHub::Hub` resource specifies the enablement of the AWS Security Hub service in your AWS account . The service is enabled in the current AWS Region or the specified Region. You create a separate `Hub` resource in each Region in which you want to enable Security Hub .
│ │ When you use this resource to enable Security Hub , default security standards are enabled. To disable default standards, set the `EnableDefaultStandards` property to `false` . You can use the [`AWS::SecurityHub::Standard`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-standard.html) resource to enable additional standards.
│ │ When you use this resource to enable Security Hub , new controls are automatically enabled for your enabled standards. To disable automatic enablement of new controls, set the `AutoEnableControls` property to `false` .
│ │ You must create an `AWS::SecurityHub::Hub` resource for an account before you can create other types of Security Hub resources for the account through AWS CloudFormation . Use a [DependsOn attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html) , such as `"DependsOn": "Hub"` , to ensure that you've created an `AWS::SecurityHub::Hub` resource before creating other Security Hub resources for an account.
│ │ + documentation: The `AWS::SecurityHub::Hub` resource specifies the enablement of the Security Hub service in your AWS account . The service is enabled in the current AWS Region or the specified Region. You create a separate `Hub` resource in each Region in which you want to enable Security Hub .
│ │ When you use this resource to enable Security Hub , default security standards are enabled. To disable default standards, set the `EnableDefaultStandards` property to `false` . You can use the [`AWS::SecurityHub::Standard`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-standard.html) resource to enable additional standards.
│ │ When you use this resource to enable Security Hub , new controls are automatically enabled for your enabled standards. To disable automatic enablement of new controls, set the `AutoEnableControls` property to `false` .
│ │ You must create an `AWS::SecurityHub::Hub` resource for an account before you can create other types of Security Hub resources for the account through AWS CloudFormation . Use a [DependsOn attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html) , such as `"DependsOn": "Hub"` , to ensure that you've created an `AWS::SecurityHub::Hub` resource before creating other Security Hub resources for an account.
│ ├[~] resource AWS::SecurityHub::Insight
│ │ ├ - documentation: The `AWS::SecurityHub::Insight` resource creates a custom insight in AWS Security Hub . An insight is a collection of findings that relate to a security issue that requires attention or remediation. For more information, see [Insights in AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-insights.html) in the *AWS Security Hub User Guide* .
│ │ │ Tags aren't supported for this resource.
│ │ │ + documentation: The `AWS::SecurityHub::Insight` resource creates a custom insight in Security Hub . An insight is a collection of findings that relate to a security issue that requires attention or remediation. For more information, see [Insights in Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-insights.html) in the *Security Hub User Guide* .
│ │ │ Tags aren't supported for this resource.
│ │ └ types
│ │ ├[~] type AwsSecurityFindingFilters
│ │ │ ├ - documentation: A collection of filters that are applied to all active findings aggregated by AWS Security Hub .
│ │ │ │ You can filter by up to ten finding attributes. For each attribute, you can provide up to 20 filter values.
│ │ │ │ + documentation: A collection of filters that are applied to all active findings aggregated by Security Hub .
│ │ │ │ You can filter by up to ten finding attributes. For each attribute, you can provide up to 20 filter values.
│ │ │ └ properties
│ │ │ ├ CreatedAt: (documentation changed)
│ │ │ ├ FirstObservedAt: (documentation changed)
│ │ │ ├ LastObservedAt: (documentation changed)
│ │ │ ├ ProcessLaunchedAt: (documentation changed)
│ │ │ ├ ProcessTerminatedAt: (documentation changed)
│ │ │ ├ ResourceContainerLaunchedAt: (documentation changed)
│ │ │ ├ ThreatIntelIndicatorLastObservedAt: (documentation changed)
│ │ │ └ UpdatedAt: (documentation changed)
│ │ ├[~] type DateFilter
│ │ │ └ properties
│ │ │ ├ End: (documentation changed)
│ │ │ └ Start: (documentation changed)
│ │ ├[~] type MapFilter
│ │ │ ├ - documentation: A map filter for filtering AWS Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
│ │ │ │ + documentation: A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
│ │ │ └ properties
│ │ │ └ Comparison: (documentation changed)
│ │ └[~] type StringFilter
│ │ ├ - documentation: A string filter for filtering AWS Security Hub findings.
│ │ │ + documentation: A string filter for filtering Security Hub findings.
│ │ └ properties
│ │ └ Comparison: (documentation changed)
│ ├[~] resource AWS::SecurityHub::OrganizationConfiguration
│ │ └ - documentation: The `AWS::SecurityHub::OrganizationConfiguration` resource specifies the way that your AWS organization is configured in AWS Security Hub . Specifically, you can use this resource to specify the configuration type for your organization and whether to automatically Security Hub and security standards in new member accounts. For more information, see [Managing administrator and member accounts](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts.html) in the *AWS Security Hub User Guide* .
│ │ + documentation: The `AWS::SecurityHub::OrganizationConfiguration` resource specifies the way that your AWS organization is configured in Security Hub . Specifically, you can use this resource to specify the configuration type for your organization and whether to automatically Security Hub and security standards in new member accounts. For more information, see [Managing administrator and member accounts](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts.html) in the *Security Hub User Guide* .
│ ├[~] resource AWS::SecurityHub::PolicyAssociation
│ │ ├ - documentation: The `AWS::SecurityHub::PolicyAssociation` resource specifies associations for a configuration policy or a self-managed configuration. You can associate a AWS Security Hub configuration policy or self-managed configuration with the organization root, organizational units (OUs), or AWS accounts . After a successful association, the configuration policy takes effect in the specified targets. For more information, see [Creating and associating Security Hub configuration policies](https://docs.aws.amazon.com/securityhub/latest/userguide/create-associate-policy.html) in the *AWS Security Hub User Guide* .
│ │ │ + documentation: The `AWS::SecurityHub::PolicyAssociation` resource specifies associations for a configuration policy or a self-managed configuration. You can associate a Security Hub configuration policy or self-managed configuration with the organization root, organizational units (OUs), or AWS accounts . After a successful association, the configuration policy takes effect in the specified targets. For more information, see [Creating and associating Security Hub configuration policies](https://docs.aws.amazon.com/securityhub/latest/userguide/create-associate-policy.html) in the *Security Hub User Guide* .
│ │ └ attributes
│ │ └ AssociationType: (documentation changed)
│ ├[~] resource AWS::SecurityHub::ProductSubscription
│ │ └ - documentation: The `AWS::SecurityHub::ProductSubscription` resource creates a subscription to a third-party product that generates findings that you want to receive in AWS Security Hub . For a list of integrations to third-party products, see [Available third-party partner product integrations](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) in the *AWS Security Hub User Guide* .
│ │ To change a product subscription, remove the current product subscription resource, and then create a new one.
│ │ Tags aren't supported for this resource.
│ │ + documentation: The `AWS::SecurityHub::ProductSubscription` resource creates a subscription to a third-party product that generates findings that you want to receive in Security Hub . For a list of integrations to third-party products, see [Available third-party partner product integrations](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html) in the *Security Hub User Guide* .
│ │ To change a product subscription, remove the current product subscription resource, and then create a new one.
│ │ Tags aren't supported for this resource.
│ ├[~] resource AWS::SecurityHub::SecurityControl
│ │ ├ - documentation: The `AWS::SecurityHub::SecurityControl` resource specifies custom parameter values for an AWS Security Hub control. For a list of controls that support custom parameters, see [Security Hub controls reference](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html) . You can also use this resource to specify the use of default parameter values for a control. For more information about custom parameters, see [Custom control parameters](https://docs.aws.amazon.com/securityhub/latest/userguide/custom-control-parameters.html) in the *AWS Security Hub User Guide* .
│ │ │ Tags aren't supported for this resource.
│ │ │ + documentation: The `AWS::SecurityHub::SecurityControl` resource specifies custom parameter values for an Security Hub control. For a list of controls that support custom parameters, see [Security Hub controls reference](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html) . You can also use this resource to specify the use of default parameter values for a control. For more information about custom parameters, see [Custom control parameters](https://docs.aws.amazon.com/securityhub/latest/userguide/custom-control-parameters.html) in the *Security Hub User Guide* .
│ │ │ Tags aren't supported for this resource.
│ │ └ types
│ │ └[~] type ParameterConfiguration
│ │ └ properties
│ │ └ ValueType: (documentation changed)
│ └[~] resource AWS::SecurityHub::Standard
│ ├ - documentation: The `AWS::SecurityHub::Standard` resource specifies the enablement of a security standard. The standard is identified by the `StandardsArn` property. To view a list of Security Hub standards and their Amazon Resource Names (ARNs), use the [`DescribeStandards`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API operation.
│ │ You must create a separate `AWS::SecurityHub::Standard` resource for each standard that you want to enable.
│ │ For more information about Security Hub standards, see [Security Hub standards reference](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference.html) in the *AWS Security Hub User Guide* .
│ │ + documentation: The `AWS::SecurityHub::Standard` resource specifies the enablement of a security standard. The standard is identified by the `StandardsArn` property. To view a list of Security Hub standards and their Amazon Resource Names (ARNs), use the [`DescribeStandards`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API operation.
│ │ You must create a separate `AWS::SecurityHub::Standard` resource for each standard that you want to enable.
│ │ For more information about Security Hub standards, see [Security Hub standards reference](https://docs.aws.amazon.com/securityhub/latest/userguide/standards-reference.html) in the *Security Hub User Guide* .
│ └ types
│ └[~] type StandardsControl
│ └ - documentation: Provides details about an individual security control. For a list of Security Hub controls, see [Security Hub controls reference](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html) in the *AWS Security Hub User Guide* .
│ + documentation: Provides details about an individual security control. For a list of Security Hub controls, see [Security Hub controls reference](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html) in the *Security Hub User Guide* .
├[~] service aws-servicecatalog
│ └ resources
│ ├[~] resource AWS::ServiceCatalog::CloudFormationProduct
│ │ ├ attributes
│ │ │ └ Id: (documentation changed)
│ │ └ types
│ │ ├[+] type Info
│ │ │ ├ documentation: Specify the template source with one of the following options, but not both. Keys accepted: [ LoadTemplateFromURL, ImportFromPhysicalId ] The URL of the AWS CloudFormation template in Amazon S3 in JSON format. Specify the URL in JSON format as follows:
│ │ │ │ "LoadTemplateFromURL": "https://s3.amazonaws.com/cf-templates-ozkq9d3hgiq2-us-east-1/..."
│ │ │ │ ImportFromPhysicalId: The physical id of the resource that contains the template. Currently only supports AWS CloudFormation stack arn. Specify the physical id in JSON format as follows: ImportFromPhysicalId: "arn:aws:cloudformation:[us-east-1]:[accountId]:stack/[StackName]/[resourceId]
│ │ │ │ name: Info
│ │ │ └ properties
│ │ │ ├ LoadTemplateFromURL: string
│ │ │ └ ImportFromPhysicalId: string
│ │ └[~] type ProvisioningArtifactProperties
│ │ └ properties
│ │ └ Info: - json (required)
│ │ + Info ⇐ json (required)
│ └[~] resource AWS::ServiceCatalog::PortfolioPrincipalAssociation
│ └ attributes
│ └[-] Id: string
├[~] service aws-ses
│ └ resources
│ └[+] resource AWS::SES::MultiRegionEndpoint
│ ├ name: MultiRegionEndpoint
│ │ cloudFormationType: AWS::SES::MultiRegionEndpoint
│ │ documentation: Creates a multi-region endpoint (global-endpoint).
│ │ The primary region is going to be the AWS-Region where the operation is executed. The secondary region has to be provided in request's parameters. From the data flow standpoint there is no difference between primary and secondary regions - sending traffic will be split equally between the two. The primary region is the region where the resource has been created and where it can be managed.
│ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ ├ properties
│ │ ├ EndpointName: string (required, immutable)
│ │ ├ Tags: Array<tag>
│ │ └ Details: Details (required, immutable)
│ └ types
│ ├ type Details
│ │ ├ documentation: An object that contains configuration details of multi-region endpoint (global-endpoint).
│ │ │ name: Details
│ │ └ properties
│ │ └ RouteDetails: Array<RouteDetailsItems> (required)
│ └ type RouteDetailsItems
│ ├ name: RouteDetailsItems
│ └ properties
│ └ Region: string (required)
├[~] service aws-vpclattice
│ └ resources
│ └[~] resource AWS::VpcLattice::ServiceNetworkVpcAssociation
│ ├ properties
│ │ ├[+] DnsOptions: DnsOptions (immutable)
│ │ └[+] PrivateDnsEnabled: boolean (immutable)
│ └ types
│ └[+] type DnsOptions
│ ├ name: DnsOptions
│ └ properties
│ ├ PrivateDnsPreference: string (immutable)
│ └ PrivateDnsSpecifiedDomains: Array<string> (immutable)
├[~] service aws-wafv2
│ └ resources
│ └[~] resource AWS::WAFv2::WebACL
│ ├ properties
│ │ └[+] ApplicationConfig: ApplicationConfig
│ └ types
│ ├[+] type ApplicationAttribute
│ │ ├ documentation: Application details defined during the web ACL creation process. Application attributes help AWS WAF give recommendations for protection packs.
│ │ │ name: ApplicationAttribute
│ │ └ properties
│ │ ├ Name: string (required)
│ │ └ Values: Array<string> (required)
│ └[+] type ApplicationConfig
│ ├ documentation: A list of `ApplicationAttribute` s that contains information about the application.
│ │ name: ApplicationConfig
│ └ properties
│ └ Attributes: Array<ApplicationAttribute> (required)
└[~] service aws-workspacesthinclient
└ resources
└[~] resource AWS::WorkSpacesThinClient::Environment
└ properties
├ DesktopArn: (documentation changed)
└ DesktopEndpoint: (documentation changed)
```
**CHANGES TO L1 RESOURCES:** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:
aws-opensearchserverless: AWS::OpenSearchServerless::Collection: StandbyReplicas property is now immutable.
aws-servicecatalog: AWS::ServiceCatalog::PortfolioPrincipalAssociation: Id attribute removed.
… rest and http lambda integrations (#36021) ### Issue # (if applicable) Fixes #9327 Fixes #19535 ### Reason for this change The maximum Lambda permission policy size can be exceeded for APIs which reuse the same Lambda function for multiple operations, as the integration adds a new permission for each operation, scoped down to the specific operation. ### Description of changes This change updates both the REST and HTTP API lambda integrations with options to scope the permission to any operation on the API, adding a single statement and avoiding overflowing the maximum policy size. Raised this as a new PR to replace #35705 so we have a clearer history in case we ever wanted to consider the more automatic implementation which collapses permissions. ### Describe any new or updated permissions being added Permission for API Gateway to invoke the lambda is scoped to any resource/method/stage when `scopePermissionToMethod` (for REST) or `scopePermissionToRoute` (for HTTP) is set to `false`. ### Description of how you validated changes Unit tests, Integ tests Added an integration test for both REST and HTTP (`integ.lambda-permission-consolidation`). ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
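The trade-off this change describes, modelled as an added example (not code from the PR or from aws-cdk): the per-operation `lambda:InvokeFunction` grants that an API Gateway integration adds versus the single API-wide grant produced when `scopePermissionToMethod` / `scopePermissionToRoute` is `false`, with a size check against Lambda's resource-policy quota and a review check that the consolidated `SourceArn` still pins to one API id. The API id, account and paths are constructed sample values.

```python
import json

# Documented quota for a Lambda function's resource-based policy (20 KB).
LAMBDA_RESOURCE_POLICY_LIMIT_BYTES = 20 * 1024


def execute_api_arn(region, account, api_id, stage="*", method="*", path="/*"):
    """API Gateway execute-api ARN; '*' segments mean any stage/method/path."""
    if not path.startswith("/"):
        path = "/" + path
    return f"arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/{method}{path}"


def invoke_statement(sid, function_arn, source_arn):
    """One lambda:InvokeFunction grant to API Gateway, restricted by SourceArn."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {"ArnLike": {"AWS:SourceArn": source_arn}},
    }


def per_operation_policy(region, account, api_id, stage, operations, function_arn):
    """Default scoping: one statement per (method, path) the function serves."""
    return [
        invoke_statement(f"invoke{i}", function_arn,
                         execute_api_arn(region, account, api_id, stage, method, path))
        for i, (method, path) in enumerate(operations)
    ]


def api_wide_policy(region, account, api_id, function_arn):
    """scopePermissionTo{Method,Route} = false: a single statement covering any
    stage, method and path, but still only on this one API."""
    return [invoke_statement("invokeAnyOperation", function_arn,
                             execute_api_arn(region, account, api_id))]


def policy_size_bytes(statements):
    """Size of the full policy document as Lambda would store it (compact JSON)."""
    doc = {"Version": "2012-10-17", "Statement": statements}
    return len(json.dumps(doc, separators=(",", ":")).encode("utf-8"))


def fits_policy_limit(statements):
    return policy_size_bytes(statements) <= LAMBDA_RESOURCE_POLICY_LIMIT_BYTES


def source_arn_pins_api(statement, api_id):
    """Review check for the consolidated grant: wildcards on stage/method/path are
    acceptable, a wildcard (or foreign) API id is not, since that would let any
    API in the account invoke the function."""
    arn = statement["Condition"]["ArnLike"]["AWS:SourceArn"]
    resource = arn.split(":", 5)[5]          # '<api-id>/<stage>/<method>/<path>'
    bound_api = resource.split("/", 1)[0]
    return bound_api == api_id and "*" not in bound_api


if __name__ == "__main__":
    # Constructed sample: one function behind 400 operations of one REST API.
    ops = [(m, f"/items/{n}") for n in range(200) for m in ("GET", "PUT")]
    fn = "arn:aws:lambda:us-east-1:123456789012:function:items-handler"
    tight = per_operation_policy("us-east-1", "123456789012", "abc123", "prod", ops, fn)
    wide = api_wide_policy("us-east-1", "123456789012", "abc123", fn)
    print(len(tight), policy_size_bytes(tight), fits_policy_limit(tight))
    print(len(wide), policy_size_bytes(wide), fits_policy_limit(wide),
          source_arn_pins_api(wide[0], "abc123"))
```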
### Issue # (if applicable) When running `yarn package` inside `aws-cdk-lib`, a pre package command is executed to minify all source files. This command unintentionally minifies checked-in files that should not be minified, as demonstrated by the diff that is present afterwards. <img width="514" height="204" alt="image" src="https://github.com/user-attachments/assets/67fc4c24-2345-4859-85e4-f74475bfa512" /> ### Reason for this change Fix the above bug. ### Description of changes Adjusted the `find` command to exclude files we don't want to minify. ### Describe any new or updated permissions being added n/a ### Description of how you validated changes Now no unintentionally minified files are showing up in the diff. I have compared the outputs of the previous and updated `find` commands: ``` < ./aws-appsync/test/integ-assets/appsync-js-pipeline.js < ./aws-appsync/test/integ-assets/appsync-js-resolver.js < ./aws-appsync/test/integ-assets/js-resolver-assertion/index.js < ./aws-appsync/test/verify/eventapi-lambda-direct/handler.js < ./aws-appsync/test/verify/eventapi-lambda-ds/handler.js < ./aws-appsync/test/verify/iam-query/iam-query.js < ./aws-appsync/test/verify/lambda-tutorial/lambda-tutorial.js 418d410 < ./aws-cloudfront/test/function-code.js 1110d1101 < ./aws-iam/test/custom-resource/index.js 1938,1940d1928 < ./aws-synthetics/test/canaries/canary.js < ./aws-synthetics/test/canaries/playwright/canary.js < ./aws-synthetics/test/canaries/puppeteer/canary.js 2137d2124 < ./core/test/custom-resource-provider/mock-provider/index.js 2500d2486 < ./jest.config.js ``` As we can see, only the files we wanted to exclude are not present in the list anymore. 
### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Contributor
Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).
Contributor
Comments on closed issues and PRs are hard for our team to see.
See CHANGELOG