chore(release): 2.225.0 #36083
Merged
…ming (#36029)
### Issue # (if applicable)
Closes #36025.
### Reason for this change
The `Table` class in aws-dynamodb was incorrectly renamed to `Table_` in .NET bindings starting from v2.222.0, breaking all .NET CDK applications using DynamoDB tables. This regression was introduced in PR #35554 when the internal `table` field was changed from `private` to `protected`, creating a JSII naming conflict in .NET where property names cannot match class names.
### Description of changes
This PR reverts the `table` field visibility from `protected` back to `private` at line 1213 in `packages/aws-cdk-lib/aws-dynamodb/lib/table.ts`.
**Technical details**:
- Changed `protected readonly table: CfnTable;` to `private readonly table: CfnTable;`
- This is a single-line change that resolves the JSII naming conflict
- The field is only used internally within the Table class (7 internal usages verified)
- No subclasses of Table exist in the codebase
- JSII compilation now succeeds without renaming the Table class in .NET

**Impact**:
- Fixes .NET class name from `Table_` back to `Table`
- Restores v2.221.1 behavior
- No impact on TypeScript, Python, Java, or Go bindings
- No functional or API changes
- Better encapsulation by keeping internal implementation details private
### Description of how you validated changes
- **Unit tests**: All 348 existing unit tests in aws-dynamodb pass without modification
  - Test suites: 6 passed
  - Tests: 348 passed, 0 failed
- **Build validation**:
  - TypeScript compilation: SUCCESS
- **JSII verification**: Confirmed no JSII warnings for Table class in build output, indicating .NET bindings will use correct class name
```
% npx lerna run build --scope=aws-cdk-lib --skip-nx-cache 2>&1 | grep -i "table" | grep -i "warning\|conflict\|rename"
```
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
N/A
Closes N/A
### Reason for this change
Fix the incorrect table of contents for "Common Issues" as it was wrong. Fix the old name "Troubleshooting," as the link was broken.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change
https://aws.amazon.com/about-aws/whats-new/2025/11/amazon-rds-postgres-sql-minor-versions/
### Description of changes
Postgres add 17.7, 16.11, 15.15, 14.20, and 13.23
### Description of how you validated changes
```console
$ aws rds describe-db-engine-versions --engine postgres --output table --query 'DBEngineVersions[*].{Engine:Engine,EngineVersion:EngineVersion}'
------------------------------------
| DescribeDBEngineVersions |
+-----------+----------------------+
| Engine | EngineVersion |
+-----------+----------------------+
...
| postgres | 13.23 |
...
| postgres | 14.20 |
...
| postgres | 15.15 |
...
| postgres | 16.11 |
...
| postgres | 17.7 |
+-----------+----------------------+
```
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The CDK framework creates a temporary directory in `/tmp` for every unit test, and never cleans those up.
In this PR, register all temporary assembly directories created by doing `new Stack()` or `new App()` without an `outdir`, and delete them when the Node process exits. This will only affect unit tests: if the `outdir` property is set explicitly, or the CDK App is being synthesized by the CLI (and `$CDK_OUTDIR` is set), the assembly directory will not be cleaned.
For users: if you set `outdir` you are responsible for cleaning up the directory. If you don't set `outdir`, it will be automatically removed at some point.
This will benefit both `aws-cdk` development itself, as well as users writing unit tests against CDK.
Relates to #802.
Also in this PR: cleanup of other temporary directories we create during tests. These will only benefit development on `aws-cdk` itself.
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
## Issue
Closes #36056
## Summary
Adds support for R8GD (Graviton4-based) instance types in OpenSearch Service domains by updating validation logic to recognize R8GD instances as having local NVMe storage, eliminating the requirement for EBS volumes.
## Reason for this change
When attempting to create an OpenSearch domain with R8GD instance types (e.g., `r8gd.medium.search`), CDK throws a validation error requiring EBS volumes. However, R8GD instances have local NVMe storage (indicated by the "d" suffix) and should not require EBS volumes, similar to other instance families like R6GD, R7GD, I3, I4G, I4I, I8G, and IM4GN.
AWS announced R8GD instance availability for OpenSearch Service in October 2025 across 23 regions, but CDK's validation logic was not updated to recognize these new Graviton4-based instances.
## Description of changes
- **Core Change**: Added `ec2.InstanceClass.R8GD` to the `unSupportEbsInstanceType` array in `domain.ts`
- **Unit Tests**: Updated parameterized tests to include R8GD test cases for both positive (no EBS) and negative (with EBS) scenarios
- **Error Messages**: Updated validation error message patterns to include R8GD
- **Integration Tests**: Added R8GD test case to `integ.opensearch.ebs.ts` for CloudFormation synthesis validation
### Files Modified
1. `packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts` - Added R8GD to validation array
2. `packages/aws-cdk-lib/aws-opensearchservice/test/domain.test.ts` - Updated unit tests with R8GD cases
3. `packages/@aws-cdk-testing/framework-integ/test/aws-opensearchservice/test/integ.opensearch.ebs.ts` - Added integration test
## Description of how you validated changes
- **Unit Tests**: All 1736 unit tests pass, including 30 R8GD-specific test cases
  - Verified error thrown when R8GD used WITH EBS enabled
  - Verified no error when R8GD used WITHOUT EBS enabled
  - Validated error messages include "R8GD" in validation text
- **Integration Tests**: CloudFormation template synthesis validated with R8GD instance type
- **Pattern Validation**: Follows exact pattern from R7GD addition (commit e364d2b)
- **Regression Testing**: No impact on existing instance type validation
## Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
---
### AWS CDK Automation
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change
A new MySQL engine version is available. No announcements are published yet.
### Description of changes
- Added a MySQL engine version 8.4.7
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
``` console
$ aws --region us-east-1 rds describe-db-engine-versions --engine 'mysql' --query 'DBEngineVersions[].EngineVersion' --output table
--------------------------
|DescribeDBEngineVersions|
+------------------------+
| 5.7.44-rds.20240408 |
| 5.7.44-rds.20240529 |
| 5.7.44-rds.20240808 |
| 5.7.44-rds.20250103 |
| 5.7.44-rds.20250213 |
| 5.7.44-rds.20250508 |
| 5.7.44-rds.20250818 |
| 8.0.37 |
| 8.0.39 |
| 8.0.40 |
| 8.0.41 |
| 8.0.42 |
| 8.0.43 |
| 8.4.3 |
| 8.4.4 |
| 8.4.5 |
| 8.4.6 |
| 8.4.7 |
+------------------------+
```
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…n non-PLUS plans (#36027)
### Issue # (if applicable)
Closes #36023.
### Reason for this change
CDK v2.181.0 introduced validation that blocks deployments of existing Cognito User Pools with threat protection enabled on LITE feature plans. This validation incorrectly assumes all user pools must follow current AWS requirements, but existing user pools on LITE plans are grandfathered and can legitimately use threat protection. This regression prevents users from upgrading CDK beyond v2.160.0.
### Description of changes
Removed two CDK-level validation blocks in `UserPool` construct that incorrectly rejected threat protection configurations on non-PLUS feature plans:
- Removed validation blocking `advancedSecurityMode` (deprecated property) on LITE/ESSENTIALS plans
- Removed validation blocking `standardThreatProtectionMode` and `customThreatProtectionMode` on LITE/ESSENTIALS plans
- Kept validation preventing simultaneous use of deprecated and new threat protection properties
- Updated unit tests to verify CloudFormation template generation instead of expecting validation errors

**Rationale**: CDK cannot determine the actual feature plan of existing user pools at synthesis time. CloudFormation validates feature plan requirements at deployment time, which correctly allows grandfathered user pools to continue working while still catching invalid configurations for new resources.
### Describe any new or updated permissions being added
N/A - No IAM permissions or resource access changes.
### Description of how you validated changes
- **Unit tests**: Updated 3 test blocks (12 test cases) to verify CloudFormation template generation for all combinations of feature plans and threat protection modes. All 339 unit tests in aws-cognito module pass.
- **Build validation**: TypeScript compilation, JSII compatibility, and linting all pass successfully.
- **Regression testing**: Verified that validation for conflicting properties (using deprecated and new threat protection properties together) still works correctly.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change
This PR implements the foundational infrastructure for the CDK Mixins framework, introducing a composable abstraction system for applying functionality to CDK constructs. It is based on the _current_ state of the [RFC](aws/aws-cdk-rfcs#824). While the RFC is not yet approved and finalized, this PR aims to implement it including all its flaws so we can move forward with other implementing depending on this. We will update the package as the RFC evolves.
### Description of changes
**Core Framework:**
- Implemented `IMixin` interface and `Mixin` base class for creating composable abstractions
- Added `Mixins.of()` API for applying mixins to constructs with `apply()` and `mustApply()` methods
- Created `ConstructSelector` for filtering constructs by type, ID pattern, or CloudFormation resource type
- Added comprehensive error handling and validation support
- Added `.with()` augmentation to constructs for fluent mixin application

**Testing:**
- Comprehensive unit tests for core framework, selectors, and all built-in mixins
- Integration tests demonstrating real-world usage patterns
- Property manipulation utility tests including edge cases

**Documentation:**
- Updated README with usage examples, API reference, and best practices
- Added Rosetta fixture for documentation code examples
### Description of how you validated changes
- All new code is covered by unit tests
- Integration tests validate end-to-end functionality
- Rosetta fixture ensures documentation examples are valid
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
---
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…36054)
In cdk-lib aws-s3-deployment, creating a Source.jsonData() will fail if the JSON has any null fields in it due to `escapeTokens` trying to build an object from it, resulting in `TypeError: Cannot convert undefined or null to object`
### Issue # (if applicable)
Closes #36052.
### Reason for this change
Can't create a Source.jsonData() when `null` values are present in the JSON data itself
### Description of changes
Added a null check around `escapeTokens()` to prevent it from trying to process `null` values
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
Tested by hand via modifying the compiled JS in my project to add the check, and was able to successfully upload a JSON file to S3 with a null value contained inside. Also added coverage via unit tests/integration tests for the PR build to chew through.
### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…antDelegation (#35129)
### Issue # (if applicable)
Closes #28078.
### Reason for this change
Allowing the option to restrict the hosted zone names the delegation role can create records for encourages minimum permissions setup. The linked issue establishes a fairly common use case - different roles for `dev.example.com` and `prod.example.com`.
### Description of changes
Adds the interface `GrantDelegationOptions`, with optional readonly prop `delegatedZoneNames`. This interface is used as an optional prop to `hostedZone.grantDelegation()`.
Example usage:
```ts
declare const zone: IHostedZone
declare const role: Role
zone.grantDelegation(role, {
  delegatedZoneNames: ['a.example.com'],
})
```
Added some validation that ensures each of the `delegatedZoneNames` is a valid subdomain of the parent hosted zone.
Additionally, updated the README with usage instructions and fixed an outdated code example for how to use `grantDelegation`. This code example was giving broader permissions than what was necessary.
### Describe any new or updated permissions being added
When `delegatedZoneNames` is provided with `[a.example.com]`, the following condition is added:
```diff "ForAllValues:StringEquals": { "route53:ChangeResourceRecordSetsRecordTypes": [ "NS" ], "route53:ChangeResourceRecordSetsActions": [ "UPSERT", "DELETE" ], + "route53:ChangeResourceRecordSetsNormalizedRecordNames": [ + "a.example.com" + ] ```
### Description of how you validated changes
Updated Integ and unit tests
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
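Review bot: in the added `route53:ChangeResourceRecordSetsNormalizedRecordNames` entry the value is matched with `StringEquals`, which is an exact, case-sensitive comparison, so the names taken from `delegatedZoneNames` should be lowercased and stripped of any trailing dot before they are written into the condition. A unit test with a mixed-case or dot-terminated input such as `A.Example.com.` would pin that behaviour down.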
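A self-contained sketch of the subdomain validation and the resulting IAM condition described in the `grantDelegation` change above; it is an added example, not aws-cdk source, and every function and type name in it is hypothetical. It rejects record names it would otherwise have to escape, refuses an empty list, and models `ForAllValues:StringEquals` only as far as one change batch needs.

```typescript
// Added example: not aws-cdk source. Function and type names are hypothetical.
const TYPES_KEY = 'route53:ChangeResourceRecordSetsRecordTypes';
const ACTIONS_KEY = 'route53:ChangeResourceRecordSetsActions';
const NAMES_KEY = 'route53:ChangeResourceRecordSetsNormalizedRecordNames';

interface DelegationCondition {
  'ForAllValues:StringEquals': { [key: string]: string[] };
}

interface RecordChange {
  action: string;
  type: string;
  name: string;
}

// Normalized form used for comparison: lowercase, no trailing dot. Names with
// characters outside [a-z0-9_-] are rejected rather than escaped (a
// simplification made for this example).
function normalizeRecordName(recordName: string): string {
  let n = recordName.toLowerCase();
  if (n.charAt(n.length - 1) === '.') {
    n = n.slice(0, -1);
  }
  if (!/^[a-z0-9_-]+(\.[a-z0-9_-]+)*$/.test(n)) {
    throw new Error('unsupported record name: ' + recordName);
  }
  return n;
}

// True only when `child` is strictly below `parent` on a label boundary, so
// "notexample.com" is not accepted as a subdomain of "example.com".
function isSubdomainOf(child: string, parent: string): boolean {
  const suffix = '.' + normalizeRecordName(parent);
  const c = normalizeRecordName(child);
  return c.length > suffix.length && c.slice(c.length - suffix.length) === suffix;
}

// Build the condition block; the record-name key is added only when a list of
// delegated zone names is supplied.
function buildDelegationCondition(parentZoneName: string, delegatedZoneNames?: string[]): DelegationCondition {
  const values: { [key: string]: string[] } = {};
  values[TYPES_KEY] = ['NS'];
  values[ACTIONS_KEY] = ['UPSERT', 'DELETE'];
  if (delegatedZoneNames !== undefined) {
    if (delegatedZoneNames.length === 0) {
      // Choice made in this example: refuse an empty list outright.
      throw new Error('delegatedZoneNames must not be empty');
    }
    const names: string[] = [];
    delegatedZoneNames.forEach(function (raw) {
      if (!isSubdomainOf(raw, parentZoneName)) {
        throw new Error(raw + ' is not a subdomain of ' + parentZoneName);
      }
      const n = normalizeRecordName(raw);
      if (names.indexOf(n) === -1) {
        names.push(n);
      }
    });
    values[NAMES_KEY] = names;
  }
  return { 'ForAllValues:StringEquals': values };
}

// Simplified model of ForAllValues:StringEquals over one change batch: every
// value the request carries for a key must appear in the policy's list.
function batchSatisfies(cond: DelegationCondition, changes: RecordChange[]): boolean {
  const policy = cond['ForAllValues:StringEquals'];
  return changes.every(function (ch) {
    const request: { [key: string]: string } = {};
    request[TYPES_KEY] = ch.type;
    request[ACTIONS_KEY] = ch.action;
    request[NAMES_KEY] = normalizeRecordName(ch.name);
    return Object.keys(policy).every(function (key) {
      const allowed = policy[key];
      const value = request[key];
      return allowed !== undefined && value !== undefined && allowed.indexOf(value) !== -1;
    });
  });
}

// Constructed sample: a role scoped to dev.example.com under example.com.
const devOnly = buildDelegationCondition('example.com', ['Dev.Example.com.']);
const devChange: RecordChange = { action: 'UPSERT', type: 'NS', name: 'dev.example.com' };
const prodChange: RecordChange = { action: 'UPSERT', type: 'NS', name: 'prod.example.com' };
const devAllowed = batchSatisfies(devOnly, [devChange]);
const prodAllowed = batchSatisfies(devOnly, [devChange, prodChange]);
```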
The current [link](https://docs.aws.amazon.com/cdk/latest/guide/cli.html#version_reporting) is not working. It should be https://docs.aws.amazon.com/cdk/v2/guide/cli.html#version-reporting; however, I'm linking to https://docs.aws.amazon.com/cdk/v2/guide/cdktelemetry.html instead, as we recently also introduced CLI telemetry.
### Reason for this change
https://aws.amazon.com/about-aws/whats-new/2025/11/amazon-rds-postgresql-major-version-18/
### Description of changes
Postgres add version 18
### Description of how you validated changes
```console
$ aws rds describe-db-engine-versions --engine postgres --output table --query 'DBEngineVersions[*].{Engine:Engine,EngineVersion:EngineVersion}'
------------------------------------
| DescribeDBEngineVersions |
+-----------+----------------------+
| Engine | EngineVersion |
+-----------+----------------------+
...
| postgres | 18.1 |
+-----------+----------------------+
```
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…5.3-5 (#35953)
### Reason for this change
Some Aurora PostgreSQL versions have been removed from available engine versions.
### Description of changes
- Deprecated Aurora PostgreSQL versions 13.11-13, 14.8-10, 15.3-5
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
``` console
$ aws --region us-east-1 rds describe-db-engine-versions --engine 'aurora-postgresql' --query 'DBEngineVersions[].EngineVersion' --output table
--------------------------
|DescribeDBEngineVersions|
+------------------------+
| 11.9 |
| 11.21 |
| 12.9 |
| 12.22 |
| 13.9 |
| 13.14 |
| 13.15 |
| 13.16 |
| 13.18 |
| 13.20 |
| 13.21 |
| 14.6 |
| 14.11 |
| 14.12 |
| 14.13 |
| 14.15 |
| 14.17 |
| 14.18 |
| 15.6 |
| 15.7 |
| 15.8 |
| 15.10 |
| 15.12 |
| 15.13 |
| 16.1 |
| 16.2 |
| 16.3 |
| 16.4 |
| 16.4-limitless |
| 16.6 |
| 16.6-limitless |
| 16.8 |
| 16.8-limitless |
| 16.9 |
| 16.9-limitless |
| 17.4 |
| 17.5 |
+------------------------+
```
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change
Some Aurora MySQL versions have been removed from available engine versions.
### Description of changes
- Deprecated Aurora MySQL versions 3.05.2, 3.06.0-1, 3.07.0-1.
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
``` console
$ aws --region us-east-1 rds describe-db-engine-versions --engine 'aurora-mysql' --query 'DBEngineVersions[].EngineVersion' --output table
-----------------------------
| DescribeDBEngineVersions |
+---------------------------+
| 5.7.mysql_aurora.2.11.1 |
| 5.7.mysql_aurora.2.11.2 |
| 5.7.mysql_aurora.2.11.3 |
| 5.7.mysql_aurora.2.11.4 |
| 5.7.mysql_aurora.2.11.5 |
| 5.7.mysql_aurora.2.11.6 |
| 5.7.mysql_aurora.2.12.0 |
| 5.7.mysql_aurora.2.12.1 |
| 5.7.mysql_aurora.2.12.2 |
| 5.7.mysql_aurora.2.12.3 |
| 5.7.mysql_aurora.2.12.4 |
| 5.7.mysql_aurora.2.12.5 |
| 8.0.mysql_aurora.3.04.0 |
| 8.0.mysql_aurora.3.04.1 |
| 8.0.mysql_aurora.3.04.2 |
| 8.0.mysql_aurora.3.04.3 |
| 8.0.mysql_aurora.3.04.4 |
| 8.0.mysql_aurora.3.08.0 |
| 8.0.mysql_aurora.3.08.1 |
| 8.0.mysql_aurora.3.08.2 |
| 8.0.mysql_aurora.3.09.0 |
| 8.0.mysql_aurora.3.10.0 |
| 8.0.mysql_aurora.3.10.1 |
+---------------------------+
```
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change
New MariaDB versions are available.
https://aws.amazon.com/about-aws/whats-new/2025/08/amazon-rds-mariadb-community-minor-versions/
Some MariaDB versions are removed from available engine versions.
### Description of changes
- Added MariaDB versions: 10.6.23, 10.11.14, and 11.4.8
- Marked as deprecated MariaDB versions: 10.5.20-24, 10.6.13-17, 10.11.4-7
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
``` console
$ aws --region us-east-1 rds describe-db-engine-versions --engine 'mariadb' --query 'DBEngineVersions[].EngineVersion' --output table
--------------------------
|DescribeDBEngineVersions|
+------------------------+
| 10.5.25 |
| 10.5.26 |
| 10.5.27 |
| 10.5.28 |
| 10.5.29 |
| 10.6.18 |
| 10.6.19 |
| 10.6.20 |
| 10.6.21 |
| 10.6.22 |
| 10.6.23 |
| 10.11.8 |
| 10.11.9 |
| 10.11.10 |
| 10.11.11 |
| 10.11.13 |
| 10.11.14 |
| 11.4.3 |
| 11.4.4 |
| 11.4.5 |
| 11.4.7 |
| 11.4.8 |
| 11.8.3 |
+------------------------+
```
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…14, 12.22-rds.20250814 (#35951)
### Reason for this change
New PostgreSQL extended support versions are available.
https://aws.amazon.com/about-aws/whats-new/2025/09/amazon-rds-postgresql-extended-support-versions-12.22-rds-20250814-11.22-rds-20250814/
Some PostgreSQL versions have been removed from available engine versions.
### Description of changes
- Added PostgreSQL versions 11.22-rds.20250814, 12.22-rds.20250814
- Added a missing PostgreSQL version 12.22-rds.20250220
- Deprecated versions 11.22, 13.15-16, 14.12-13, 15.7-8, 16.3-4
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
``` console
$ aws --region us-east-1 rds describe-db-engine-versions --engine 'postgres' --query 'DBEngineVersions[].EngineVersion' --output table
--------------------------
|DescribeDBEngineVersions|
+------------------------+
| 11.22-rds.20240418 |
| 11.22-rds.20240509 |
| 11.22-rds.20240808 |
| 11.22-rds.20241121 |
| 11.22-rds.20250220 |
| 11.22-rds.20250508 |
| 11.22-rds.20250814 |
| 12.22 |
| 12.22-rds.20250220 |
| 12.22-rds.20250508 |
| 12.22-rds.20250814 |
| 13.18 |
| 13.20 |
| 13.21 |
| 13.22 |
| 14.15 |
| 14.17 |
| 14.18 |
| 14.19 |
| 15.10 |
| 15.12 |
| 15.13 |
| 15.14 |
| 16.6 |
| 16.8 |
| 16.9 |
| 16.10 |
| 17.2 |
| 17.4 |
| 17.5 |
| 17.6 |
+------------------------+
```
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change
Some MySQL versions have been removed from available engine versions.
### Description of changes
Deprecate following MySQL versions:
- 5.7.44
- 8.0.32-36
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
``` console
$ aws --region us-east-1 rds describe-db-engine-versions --engine 'mysql' --query 'DBEngineVersions[].EngineVersion' --output table
--------------------------
|DescribeDBEngineVersions|
+------------------------+
| 5.7.44-rds.20240408 |
| 5.7.44-rds.20240529 |
| 5.7.44-rds.20240808 |
| 5.7.44-rds.20250103 |
| 5.7.44-rds.20250213 |
| 5.7.44-rds.20250508 |
| 5.7.44-rds.20250818 |
| 8.0.37 |
| 8.0.39 |
| 8.0.40 |
| 8.0.41 |
| 8.0.42 |
| 8.0.43 |
| 8.4.3 |
| 8.4.4 |
| 8.4.5 |
| 8.4.6 |
+------------------------+
```
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change
Add support for newly supported 8.0.mysql_aurora.3.11.0.
### Description of changes
Add a new version as a new property to AuroraMysqlEngineVersion class.
### Description of how you validated changes
I used the AWS CLI to verify that the new version is available.
```
aws rds describe-db-engine-versions --engine aurora-mysql --query "DBEngineVersions[?EngineVersion=='8.0.mysql_aurora.3.11.0']"
[
{
"Engine": "aurora-mysql",
"MajorEngineVersion": "8.0",
"EngineVersion": "8.0.mysql_aurora.3.11.0",
"DBParameterGroupFamily": "aurora-mysql8.0",
"DBEngineDescription": "Aurora MySQL",
"DBEngineVersionDescription": "Aurora MySQL 3.11.0 (compatible with MySQL 8.0.43)",
"ValidUpgradeTarget": [],
"ExportableLogTypes": [
"audit",
"error",
"general",
"iam-db-auth-error",
"instance",
"slowquery"
],
"SupportsLogExportsToCloudwatchLogs": true,
"SupportsReadReplica": false,
"SupportedEngineModes": [
"provisioned"
],
"SupportedFeatureNames": [
"Bedrock"
],
"Status": "available",
"SupportsParallelQuery": true,
"SupportsGlobalDatabases": true,
"SupportsBabelfish": false,
"SupportsLimitlessDatabase": false,
"SupportsCertificateRotationWithoutRestart": true,
"SupportedCACertificateIdentifiers": [
"rds-ca-ecc384-g1",
"rds-ca-rsa4096-g1",
"rds-ca-rsa2048-g1"
],
"SupportsLocalWriteForwarding": true,
"SupportsIntegrations": true,
"ServerlessV2FeaturesSupport": {
"MinCapacity": 0.0,
"MaxCapacity": 256.0
}
}
]
```
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Add new VPC interface endpoints.
Ref: [Amazon Cognito user pools now supports private connectivity with AWS PrivateLink](https://aws.amazon.com/about-aws/whats-new/2025/11/amazon-cognito-user-pools-private-connectivity-aws-privatelink/)
```bash
$ aws ec2 describe-vpc-endpoint-services --filters "Name=service-name,Values=*cognito*" --region us-east-1 --query "ServiceNames[]"
[
    "com.amazonaws.us-east-1.cognito-idp",
    "com.amazonaws.us-east-1.cognito-idp-fips"
]
```
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…35252)
### Issue # (if applicable)
Closes #34018.
### Reason for this change
AWS customers deploying multi-account infrastructure often need to assume cross-account roles for AwsCustomResource operations. However, without proper security measures, this can lead to "confused deputy" attacks where a malicious actor tricks the service into performing actions on behalf of a different account. External IDs are a security best practice recommended by AWS to prevent these attacks by requiring an additional secret value when assuming cross-account roles.
Currently, AwsCustomResource supports assumedRoleArn but lacks the externalId parameter, forcing customers to choose between cross-account functionality and security best practices.
### Description of changes
This change adds External ID support to AwsCustomResource to enable secure cross-account role assumptions:
Core Interface Changes:
- Added optional externalId property to the AwsSdkCall interface in aws-custom-resource.ts
- Enhanced the interface with comprehensive documentation explaining security benefits and usage patterns

Lambda Handler Implementation:
- Modified utils.ts in custom-resource-handlers to pass External ID to STS AssumeRole calls
- Updated construct-types.ts interface to maintain type safety between CDK construct and Lambda handler
- Enhanced getCredentials function to include ExternalId parameter when provided

Security Features:
- External ID support for all lifecycle operations (onCreate, onUpdate, onDelete)
- Different external IDs can be specified for different operations
- Maintains full backward compatibility - external ID is optional
- Works seamlessly with existing assumedRoleArn and region configurations

Documentation and Examples:
- Added comprehensive README section explaining External ID security benefits
- Included practical examples for single and per-operation external ID usage
- Added links to AWS IAM documentation for security best practices
- Documented integration with cross-account scenarios

Design Decisions:
- Made externalId an optional property to maintain backward compatibility
- Follows existing pattern used by assumedRoleArn for consistency
- External ID is only used when assumedRoleArn is specified
- Enables different external IDs per operation for fine-grained security control

Alternatives Considered and Rejected:
- Separate construct: Would fragment the API and require maintaining two similar constructs
- Global external ID configuration: Less secure and flexible than per-operation configuration
- Required external ID: Would break backward compatibility for existing users
### Describe any new or updated permissions being added
No new IAM permissions are required for this feature. The External ID is a security parameter used during the existing STS AssumeRole operation and does not require additional permissions.
The feature works within the existing permission model:
- The Lambda function still uses its existing IAM role
- The assumedRoleArn role requires the same permissions as before
- External ID is validated by STS as part of the standard AssumeRole process
- No additional AWS service calls or permissions are needed
### Description of how you validated changes
#### Unit Testing (10 comprehensive test cases):
- External ID parameter passing through to CloudFormation template
- Different external IDs for different lifecycle operations
- Backward compatibility when external ID is not specified
- Integration with existing assumedRoleArn functionality
- CloudFormation template generation with correct parameters
- Edge cases and error handling scenarios

Integration Tests (4 real-world scenarios):
- Cross-account role assumption with external ID
- STS GetCallerIdentity operation with external ID validation
- Integration test with proper CDK snapshot validation
- End-to-end workflow demonstrating security enhancement

Lambda Handler Tests (7 utility function tests):
- getCredentials function correctly passes External ID to STS
- AssumeRole call includes ExternalId parameter when provided
- Backward compatibility when external ID is not specified
- Type safety between construct interface and Lambda implementation
#### Manual Testing:
- Deployed test stack with cross-account External ID configuration
- Verified STS AssumeRole calls include External ID parameter
- Confirmed prevention of confused deputy attack scenarios
- Validated integration with existing AWS CDK patterns

Security Validation:
- Reviewed AWS security documentation alignment
- Tested confused deputy attack prevention
- Validated with enterprise multi-account use cases
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
- [x] Added comprehensive unit tests for all new functionality
- [x] Added integration tests demonstrating real-world usage
- [x] Updated documentation with usage examples
- [x] Ensured backward compatibility with existing code
- [x] Included proper asset hash invalidation
- [x] Followed existing AWS CDK patterns and conventions
- [x] No breaking changes introduced
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
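How an external ID closes the confused-deputy gap described in the `externalId` change above, shown as a self-contained model; this is an added example, not aws-cdk or handler source. Only the property names `assumedRoleArn` and `externalId` come from the page; the types, functions, ARNs and ID values are hypothetical or constructed, and the trust-policy check is a simplified stand-in for what STS evaluates.

```typescript
// Added example: not aws-cdk source. Names other than `assumedRoleArn` and
// `externalId` are hypothetical; ARNs and external IDs are constructed.
interface SdkCallSketch {
  service: string;
  action: string;
  assumedRoleArn?: string;
  externalId?: string;
}

interface AssumeRoleRequest {
  RoleArn: string;
  RoleSessionName: string;
  ExternalId?: string;
}

interface TrustStatement {
  Effect: 'Allow';
  Principal: { AWS: string };
  Action: 'sts:AssumeRole';
  Condition?: { StringEquals: { 'sts:ExternalId': string } };
}

interface TrustPolicy {
  Version: '2012-10-17';
  Statement: TrustStatement[];
}

// Build the AssumeRole parameters for one SDK call. Without assumedRoleArn
// there is no AssumeRole call at all; ExternalId is sent only when supplied.
function buildAssumeRoleRequest(call: SdkCallSketch, sessionName: string): AssumeRoleRequest | undefined {
  if (call.assumedRoleArn === undefined) {
    return undefined;
  }
  const req: AssumeRoleRequest = { RoleArn: call.assumedRoleArn, RoleSessionName: sessionName };
  if (call.externalId !== undefined) {
    req.ExternalId = call.externalId;
  }
  return req;
}

// Trust policy for the target role. With an external ID the role owner pins
// the deputy to one agreed value; without it any call from the deputy passes.
function trustPolicyFor(deputyRoleArn: string, externalId?: string): TrustPolicy {
  const statement: TrustStatement = {
    Effect: 'Allow',
    Principal: { AWS: deputyRoleArn },
    Action: 'sts:AssumeRole',
  };
  if (externalId !== undefined) {
    statement.Condition = { StringEquals: { 'sts:ExternalId': externalId } };
  }
  return { Version: '2012-10-17', Statement: [statement] };
}

// Simplified model of the trust-policy check (Allow statements only).
function trustPolicyAllows(policy: TrustPolicy, callerArn: string, req: AssumeRoleRequest): boolean {
  return policy.Statement.some(function (st) {
    if (st.Principal.AWS !== callerArn) {
      return false;
    }
    if (st.Condition === undefined) {
      return true;
    }
    return req.ExternalId === st.Condition.StringEquals['sts:ExternalId'];
  });
}

// Constructed scenario: one deputy role (the custom-resource Lambda) serving
// several callers, and a target role in another account.
const DEPUTY_ARN = 'arn:aws:iam::111111111111:role/custom-resource-lambda';
const TARGET_ARN = 'arn:aws:iam::222222222222:role/cross-account-target';

const weakTrust = trustPolicyFor(DEPUTY_ARN);
const pinnedTrust = trustPolicyFor(DEPUTY_ARN, 'tenant-a-7f3c');

function decide(policy: TrustPolicy, externalId?: string): boolean {
  const call: SdkCallSketch = { service: 'STS', action: 'GetCallerIdentity', assumedRoleArn: TARGET_ARN };
  if (externalId !== undefined) {
    call.externalId = externalId;
  }
  const req = buildAssumeRoleRequest(call, 'example-session');
  return req !== undefined && trustPolicyAllows(policy, DEPUTY_ARN, req);
}
```

`decide(weakTrust)` is true for any request routed through the deputy, while `decide(pinnedTrust, ...)` is true only for the agreed value, which is the property the role owner relies on.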
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
**L1 CloudFormation resource definition changes:**
```
├[~] service aws-apigateway
│ └ resources
│ ├[~] resource AWS::ApiGateway::DomainName
│ │ └ properties
│ │ └[+] EndpointAccessMode: string
│ ├[~] resource AWS::ApiGateway::DomainNameV2
│ │ └ properties
│ │ └[+] EndpointAccessMode: string
│ ├[~] resource AWS::ApiGateway::Method
│ │ └ types
│ │ └[~] type Integration
│ │ └ properties
│ │ └[+] IntegrationTarget: string
│ └[~] resource AWS::ApiGateway::RestApi
│ └ properties
│ └[+] EndpointAccessMode: string
├[~] service aws-aps
│ └ resources
│ └[~] resource AWS::APS::Scraper
│ └ types
│ ├[~] type Source
│ │ └ properties
│ │ ├ EksConfiguration: - EksConfiguration (required)
│ │ │ + EksConfiguration
│ │ └[+] VpcConfiguration: VpcConfiguration
│ └[+] type VpcConfiguration
│ ├ documentation: Configuration for VPC metrics source
│ │ name: VpcConfiguration
│ └ properties
│ ├ SecurityGroupIds: Array<string> (required)
│ └ SubnetIds: Array<string> (required)
├[~] service aws-batch
│ └ resources
│ └[~] resource AWS::Batch::ComputeEnvironment
│ └ types
│ └[~] type Ec2ConfigurationObject
│ └ properties
│ └ ImageType: (documentation changed)
├[~] service aws-bedrockagentcore
│ └ resources
│ └[~] resource AWS::BedrockAgentCore::GatewayTarget
│ ├ attributes
│ │ └[+] LastSynchronizedAt: string
│ └ types
│ ├[+] type McpServerTargetConfiguration
│ │ ├ name: McpServerTargetConfiguration
│ │ └ properties
│ │ └ Endpoint: string (required)
│ └[~] type McpTargetConfiguration
│ └ properties
│ └[+] McpServer: McpServerTargetConfiguration
├[~] service aws-connectcampaignsv2
│ └ resources
│ └[~] resource AWS::ConnectCampaignsV2::Campaign
│ └ types
│ └[~] type TelephonyOutboundMode
│ └ properties
│ └ PreviewConfig: (documentation changed)
├[~] service aws-controltower
│ └ resources
│ └[~] resource AWS::ControlTower::LandingZone
│ └ properties
│ └[+] RemediationTypes: Array<string>
├[~] service aws-directoryservice
│ └ resources
│ └[~] resource AWS::DirectoryService::MicrosoftAD
│ └ - arnTemplate: arn:${Partition}:ds:${Region}:${Account}:${DirectoryId}
│ + arnTemplate: arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId}
├[~] service aws-dsql
│ └ resources
│ └[~] resource AWS::DSQL::Cluster
│ ├ properties
│ │ └[+] PolicyDocument: string
│ └ attributes
│ └[+] PolicyVersion: string
├[~] service aws-dynamodb
│ └ resources
│ └[~] resource AWS::DynamoDB::GlobalTable
│ └ types
│ └[~] type ReplicaStreamSpecification
│ └ properties
│ └ ResourcePolicy: - ResourcePolicy
│ + ResourcePolicy (required)
├[~] service aws-ec2
│ └ resources
│ └[~] resource AWS::EC2::IPAMScope
│ ├ properties
│ │ └[+] ExternalAuthorityConfiguration: IpamScopeExternalAuthorityConfiguration
│ └ types
│ └[+] type IpamScopeExternalAuthorityConfiguration
│ ├ documentation: The configuration that links an Amazon VPC IPAM scope to an external authority system. It specifies the type of external system and the external resource identifier that identifies your account or instance in that system.
│ │ In IPAM, an external authority is a third-party IP address management system that provides CIDR blocks when you provision address space for top-level IPAM pools. This allows you to use your existing IP management system to control which address ranges are allocated to AWS while using Amazon VPC IPAM to manage subnets within those ranges.
│ │ name: IpamScopeExternalAuthorityConfiguration
│ └ properties
│ ├ IpamScopeExternalAuthorityType: string (required)
│ └ ExternalResourceIdentifier: string (required)
├[~] service aws-elasticloadbalancingv2
│ └ resources
│ ├[~] resource AWS::ElasticLoadBalancingV2::Listener
│ │ └ types
│ │ ├[~] type Action
│ │ │ └ properties
│ │ │ └[+] JwtValidationConfig: JwtValidationConfig
│ │ ├[+] type JwtValidationActionAdditionalClaim
│ │ │ ├ name: JwtValidationActionAdditionalClaim
│ │ │ └ properties
│ │ │ ├ Format: string (required)
│ │ │ ├ Values: Array<string> (required)
│ │ │ └ Name: string (required)
│ │ └[+] type JwtValidationConfig
│ │ ├ name: JwtValidationConfig
│ │ └ properties
│ │ ├ JwksEndpoint: string (required)
│ │ ├ Issuer: string (required)
│ │ └ AdditionalClaims: Array<JwtValidationActionAdditionalClaim>
│ ├[~] resource AWS::ElasticLoadBalancingV2::ListenerRule
│ │ └ types
│ │ ├[~] type Action
│ │ │ └ properties
│ │ │ └[+] JwtValidationConfig: JwtValidationConfig
│ │ ├[+] type JwtValidationActionAdditionalClaim
│ │ │ ├ name: JwtValidationActionAdditionalClaim
│ │ │ └ properties
│ │ │ ├ Format: string (required)
│ │ │ ├ Name: string (required)
│ │ │ └ Values: Array<string> (required)
│ │ └[+] type JwtValidationConfig
│ │ ├ name: JwtValidationConfig
│ │ └ properties
│ │ ├ JwksEndpoint: string (required)
│ │ ├ Issuer: string (required)
│ │ └ AdditionalClaims: Array<JwtValidationActionAdditionalClaim>
│ └[~] resource AWS::ElasticLoadBalancingV2::TargetGroup
│ └ types
│ └[~] type TargetDescription
│ └ properties
│ └[+] QuicServerId: string
├[~] service aws-glue
│ └ resources
│ └[+] resource AWS::Glue::IdentityCenterConfiguration
│ ├ name: IdentityCenterConfiguration
│ │ cloudFormationType: AWS::Glue::IdentityCenterConfiguration
│ │ documentation: Resource Type definition for AWS::Glue::IdentityCenterConfiguration
│ ├ properties
│ │ ├ InstanceArn: string (required, immutable)
│ │ ├ Scopes: Array<string>
│ │ └ UserBackgroundSessionsEnabled: boolean
│ └ attributes
│ ├ ApplicationArn: string
│ └ AccountId: string
├[~] service aws-iotwireless
│ └ resources
│ └[~] resource AWS::IoTWireless::WirelessDeviceImportTask
│ └ - arnTemplate: arn:${Partition}:iotwireless:${Region}:${Account}:WirelessDeviceImportTask/${WirelessDeviceImportTaskId}
│ + arnTemplate: arn:${Partition}:iotwireless:${Region}:${Account}:ImportTask/${ImportTaskId}
├[~] service aws-kinesis
│ └ resources
│ └[~] resource AWS::Kinesis::Stream
│ ├ properties
│ │ └[+] WarmThroughputMiBps: integer
│ ├ attributes
│ │ └[+] WarmThroughputObject: WarmThroughputObject
│ └ types
│ └[+] type WarmThroughputObject
│ ├ documentation: Represents the warm throughput configuration on the stream. This is only present for On-Demand Kinesis Data Streams in accounts that have `MinimumThroughputBillingCommitment` enabled.
│ │ name: WarmThroughputObject
│ └ properties
│ ├ TargetMiBps: integer
│ └ CurrentMiBps: integer
├[~] service aws-kms
│ └ resources
│ └[~] resource AWS::KMS::Key
│ └ properties
│ └ KeySpec: (documentation changed)
├[~] service aws-mediaconnect
│ └ resources
│ ├[~] resource AWS::MediaConnect::Flow
│ │ └ types
│ │ ├[+] type FlowTransitEncryption
│ │ │ ├ documentation: The configuration that defines how content is encrypted during transit between the MediaConnect router and a MediaConnect flow.
│ │ │ │ name: FlowTransitEncryption
│ │ │ └ properties
│ │ │ ├ EncryptionKeyType: string
│ │ │ └ EncryptionKeyConfiguration: FlowTransitEncryptionKeyConfiguration (required)
│ │ ├[+] type FlowTransitEncryptionKeyConfiguration
│ │ │ ├ name: FlowTransitEncryptionKeyConfiguration
│ │ │ └ properties
│ │ │ ├ SecretsManager: SecretsManagerEncryptionKeyConfiguration
│ │ │ └ Automatic: json
│ │ ├[+] type SecretsManagerEncryptionKeyConfiguration
│ │ │ ├ documentation: The configuration settings for transit encryption of a flow source using AWS Secrets Manager, including the secret ARN and role ARN.
│ │ │ │ name: SecretsManagerEncryptionKeyConfiguration
│ │ │ └ properties
│ │ │ ├ SecretArn: string (required)
│ │ │ └ RoleArn: string (required)
│ │ └[~] type Source
│ │ └ properties
│ │ ├[+] RouterIntegrationState: string
│ │ └[+] RouterIntegrationTransitDecryption: FlowTransitEncryption
│ ├[~] resource AWS::MediaConnect::FlowOutput
│ │ ├ properties
│ │ │ ├[+] RouterIntegrationState: string
│ │ │ └[+] RouterIntegrationTransitEncryption: FlowTransitEncryption
│ │ └ types
│ │ ├[+] type FlowTransitEncryption
│ │ │ ├ documentation: The configuration that defines how content is encrypted during transit between the MediaConnect router and a MediaConnect flow.
│ │ │ │ name: FlowTransitEncryption
│ │ │ └ properties
│ │ │ ├ EncryptionKeyType: string
│ │ │ └ EncryptionKeyConfiguration: FlowTransitEncryptionKeyConfiguration (required)
│ │ ├[+] type FlowTransitEncryptionKeyConfiguration
│ │ │ ├ name: FlowTransitEncryptionKeyConfiguration
│ │ │ └ properties
│ │ │ ├ SecretsManager: SecretsManagerEncryptionKeyConfiguration
│ │ │ └ Automatic: json
│ │ └[+] type SecretsManagerEncryptionKeyConfiguration
│ │ ├ documentation: The configuration settings for transit encryption of a flow output using AWS Secrets Manager, including the secret ARN and role ARN.
│ │ │ name: SecretsManagerEncryptionKeyConfiguration
│ │ └ properties
│ │ ├ SecretArn: string (required)
│ │ └ RoleArn: string (required)
│ └[+] resource AWS::MediaConnect::RouterNetworkInterface
│ ├ name: RouterNetworkInterface
│ │ cloudFormationType: AWS::MediaConnect::RouterNetworkInterface
│ │ documentation: Represents a router network interface in AWS Elemental MediaConnect that is used to define a network boundary for router resources
│ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ ├ properties
│ │ ├ Configuration: RouterNetworkInterfaceConfiguration (required)
│ │ ├ Name: string (required)
│ │ ├ RegionName: string (immutable)
│ │ └ Tags: Array<tag>
│ ├ attributes
│ │ ├ Arn: string
│ │ ├ AssociatedInputCount: integer
│ │ ├ AssociatedOutputCount: integer
│ │ ├ CreatedAt: string
│ │ ├ Id: string
│ │ ├ NetworkInterfaceType: string
│ │ ├ State: string
│ │ └ UpdatedAt: string
│ └ types
│ ├ type PublicRouterNetworkInterfaceConfiguration
│ │ ├ documentation: The configuration settings for a public router network interface, including the list of allowed CIDR blocks.
│ │ │ name: PublicRouterNetworkInterfaceConfiguration
│ │ └ properties
│ │ └ AllowRules: Array<PublicRouterNetworkInterfaceRule> (required)
│ ├ type PublicRouterNetworkInterfaceRule
│ │ ├ documentation: A rule that allows a specific CIDR block to access the public router network interface.
│ │ │ name: PublicRouterNetworkInterfaceRule
│ │ └ properties
│ │ └ Cidr: string (required)
│ ├ type RouterNetworkInterfaceConfiguration
│ │ ├ name: RouterNetworkInterfaceConfiguration
│ │ └ properties
│ │ ├ Public: PublicRouterNetworkInterfaceConfiguration
│ │ └ Vpc: VpcRouterNetworkInterfaceConfiguration
│ └ type VpcRouterNetworkInterfaceConfiguration
│ ├ documentation: The configuration settings for a router network interface within a VPC, including the security group IDs and subnet ID.
│ │ name: VpcRouterNetworkInterfaceConfiguration
│ └ properties
│ ├ SecurityGroupIds: Array<string> (required)
│ └ SubnetId: string (required)
├[~] service aws-msk
│ └ resources
│ └[~] resource AWS::MSK::Cluster
│ ├ properties
│ │ └[+] Rebalancing: Rebalancing
│ ├ attributes
│ │ └[+] CurrentVersion: string
│ └ types
│ └[+] type Rebalancing
│ ├ name: Rebalancing
│ └ properties
│ └ Status: string (required)
├[~] service aws-pinpoint
│ └ resources
│ ├[~] resource AWS::Pinpoint::EmailTemplate
│ │ └ - arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/EMAIL
│ │ + arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/SMS
│ ├[~] resource AWS::Pinpoint::InAppTemplate
│ │ └ - arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/EMAIL
│ │ + arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/SMS
│ └[~] resource AWS::Pinpoint::PushTemplate
│ └ - arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/PUSH
│ + arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/SMS
├[~] service aws-ram
│ └ resources
│ └[~] resource AWS::RAM::Permission
│ └ - arnTemplate: arn:${Partition}:ram::${Account}:permission/${ResourcePath}
│ + arnTemplate: arn:${Partition}:ram:${Region}:${Account}:permission/${ResourcePath}
├[~] service aws-rekognition
│ └ resources
│ └[~] resource AWS::Rekognition::Project
│ ├ - tagInformation: undefined
│ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ └ properties
│ └[+] Tags: Array<tag>
├[~] service aws-rtbfabric
│ └ resources
│ └[+] resource AWS::RTBFabric::InboundExternalLink
│ ├ name: InboundExternalLink
│ │ cloudFormationType: AWS::RTBFabric::InboundExternalLink
│ │ documentation: Resource Type definition for AWS::RTBFabric::InboundExternalLink Resource Type
│ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ ├ properties
│ │ ├ Tags: Array<tag>
│ │ ├ GatewayId: string (required)
│ │ ├ LinkAttributes: LinkAttributes
│ │ └ LinkLogSettings: LinkLogSettings (required)
│ ├ attributes
│ │ ├ LinkId: string
│ │ ├ Arn: string
│ │ ├ LinkStatus: string
│ │ ├ CreatedTimestamp: string
│ │ └ UpdatedTimestamp: string
│ └ types
│ ├ type ApplicationLogs
│ │ ├ name: ApplicationLogs
│ │ └ properties
│ │ └ LinkApplicationLogSampling: LinkApplicationLogSampling (required)
│ ├ type LinkApplicationLogSampling
│ │ ├ name: LinkApplicationLogSampling
│ │ └ properties
│ │ ├ ErrorLog: number (required)
│ │ └ FilterLog: number (required)
│ ├ type LinkAttributes
│ │ ├ name: LinkAttributes
│ │ └ properties
│ │ ├ ResponderErrorMasking: Array<ResponderErrorMaskingForHttpCode>
│ │ └ CustomerProvidedId: string
│ ├ type LinkLogSettings
│ │ ├ name: LinkLogSettings
│ │ └ properties
│ │ └ ApplicationLogs: ApplicationLogs (required)
│ └ type ResponderErrorMaskingForHttpCode
│ ├ name: ResponderErrorMaskingForHttpCode
│ └ properties
│ ├ HttpCode: string (required)
│ ├ Action: string (required)
│ ├ LoggingTypes: Array<string> (required)
│ └ ResponseLoggingPercentage: number
└[~] service aws-s3tables
└ resources
└[~] resource AWS::S3Tables::TableBucket
├ properties
│ └[+] MetricsConfiguration: MetricsConfiguration
└ types
└[+] type MetricsConfiguration
├ documentation: Settings governing the Metric configuration for the table bucket.
│ name: MetricsConfiguration
└ properties
└ Status: string (default="Disabled")
```
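Review bot: in the aws-pinpoint entries, the new arnTemplate for AWS::Pinpoint::EmailTemplate, AWS::Pinpoint::InAppTemplate and AWS::Pinpoint::PushTemplate all end in `templates/${TemplateName}/SMS`, so three different template resource types now share the SMS suffix, replacing the `/EMAIL` and `/PUSH` values shown on the removed lines. If these templates are used to build or match resource ARNs (for example in IAM policy resources), the generated ARNs would not identify the email, in-app or push template they belong to. Worth confirming against the upstream `@aws-cdk/aws-service-spec` data before release, and listing it under the L1 changes note if it is intended.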
**CHANGES TO L1 RESOURCES:** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:
- **aws-dynamodb**: AWS::DynamoDB::GlobalTable: ResourcePolicy property is now required.
See CHANGELOG