chore(release): 2.122.0 #28754

Merged
merged 46 commits into from
Jan 18, 2024

aws-cdk-automation
Collaborator

@aws-cdk-automation aws-cdk-automation commented Jan 18, 2024

See CHANGELOG

mrgrain and others added 30 commits January 11, 2024 20:20
…28669)

`--debug` exists for exactly one purpose: Printing source-mapped traces so we can find the code that is going wrong. 
Let's always enable tracing when debugging.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…28672)

ECS now supports managed instance draining which facilitates graceful termination of Amazon ECS instances for Capacity Providers.

Add a new constructor property, `enableManagedDraining`, to `AsgCapacityProvider`, to allow users to enable this feature.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…28660)

>  Can't destroy a stack that includes a rds database and rds parameter group where the database has removalPolicy property set to RemovalPolicy.RETAIN

### The following is the current behaviour:
```ts
const parameterGroup = new ParameterGroup(this, 'ParameterGroup', {
    ...
});

const database = new DatabaseInstance(this, 'DatabaseInstance', {
    parameterGroup: parameterGroup,
    removalPolicy: RemovalPolicy.RETAIN,
    ...
});
```

When destroying the stack
```
When I destroy this stack I see the following errors:

2:04:24 PM | DELETE_FAILED        | AWS::RDS::DBParameterGroup                  | ParameterGroup5E32DECB
One or more database instances are still members of this parameter group xxx-database-parametergroup5e32decb-daetrwpaqpgw, so the group cannot be deleted (Service: Rds, Status Code: 400, Request ID: 389b18db-ea82-482b-a0e6-f64887da6f82)

2:19:21 PM | DELETE_FAILED        | AWS::EC2::SecurityGroup                     | DatabaseInstanceSecurityGroup8BDF0112
resource sg-0bfc8aacb3d3e3d4a has a dependent object (Service: AmazonEC2; Status Code: 400; Error Code: DependencyViolation; Request ID: 1eac5393-83df-48cf-bd75-41f25abb047a; Proxy: null)

```

As pointed out in the issue linked below, we cannot simply use the clusterRds' or instanceRds' removal policy because the parameter group can be simultaneously bound to a cluster and an instance.

### New behaviour:
Add an optional property `removalPolicy` to the L2 Parameter Group resource and set the deletion policy to the generated L1 Parameter Group (Either cluster or instance) depending on the usage. 

Added unit test and integration test to verify that it works as expected.

Closes #22141

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[~] service aws-acmpca
│ └ resources
│    └[~] resource AWS::ACMPCA::CertificateAuthority
│      └ types
│         ├[~] type CrlConfiguration
│         │ └ properties
│         │    └[+] CrlDistributionPointExtensionConfiguration: CrlDistributionPointExtensionConfiguration
│         └[+] type CrlDistributionPointExtensionConfiguration
│           ├  documentation: Configures the default behavior of the CRL Distribution Point extension for certificates issued by your certificate authority
│           │  name: CrlDistributionPointExtensionConfiguration
│           └ properties
│              └OmitExtension: boolean (required)
├[~] service aws-aps
│ └ resources
│    └[~] resource AWS::APS::Workspace
│      └ properties
│         └[+] KmsKeyArn: string (immutable)
├[~] service aws-cloudtrail
│ └ resources
│    ├[~] resource AWS::CloudTrail::EventDataStore
│    │ └ types
│    │    └[~] type AdvancedFieldSelector
│    │      └ properties
│    │         └ Field: (documentation changed)
│    └[~] resource AWS::CloudTrail::Trail
│      └ types
│         └[~] type AdvancedFieldSelector
│           └ properties
│              └ Field: (documentation changed)
├[~] service aws-codebuild
│ └ resources
│    └[~] resource AWS::CodeBuild::Project
│      └ types
│         └[~] type Environment
│           └ properties
│              └ Type: (documentation changed)
├[~] service aws-dlm
│ └ resources
│    └[~] resource AWS::DLM::LifecyclePolicy
│      └ properties
│         └ DefaultPolicy: (documentation changed)
├[~] service aws-docdb
│ └ resources
│    └[~] resource AWS::DocDB::DBCluster
│      └ properties
│         └[+] StorageType: string
├[~] service aws-ec2
│ └ resources
│    └[~] resource AWS::EC2::NetworkInterface
│      ├ properties
│      │  ├[+] ConnectionTrackingSpecification: ConnectionTrackingSpecification
│      │  └ EnablePrimaryIpv6: (documentation changed)
│      ├ attributes
│      │  └ PrimaryIpv6Address: (documentation changed)
│      └ types
│         └[+] type ConnectionTrackingSpecification
│           ├  documentation: A security group connection tracking specification that enables you to set the idle timeout for connection tracking on an Elastic network interface. For more information, see [Connection tracking timeouts](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html#connection-tracking-timeouts) in the *Amazon Elastic Compute Cloud User Guide* .
│           │  name: ConnectionTrackingSpecification
│           └ properties
│              ├TcpEstablishedTimeout: integer
│              ├UdpStreamTimeout: integer
│              └UdpTimeout: integer
├[~] service aws-ecs
│ └ resources
│    ├[~] resource AWS::ECS::CapacityProvider
│    │ └ types
│    │    └[~] type AutoScalingGroupProvider
│    │      └ properties
│    │         └ ManagedDraining: (documentation changed)
│    └[~] resource AWS::ECS::TaskSet
│      └  - documentation: Create a task set in the specified cluster and service. This is used when a service uses the `EXTERNAL` deployment controller type. For more information, see [Amazon ECS deployment types](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-types.html) in the *Amazon Elastic Container Service Developer Guide* .
│         + documentation: Create a task set in the specified cluster and service. This is used when a service uses the `EXTERNAL` deployment controller type. For more information, see [Amazon ECS deployment types](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-types.html) in the *Amazon Elastic Container Service Developer Guide* .
│         You can create a maximum of 5 tasks sets for a deployment.
├[~] service aws-elasticache
│ └ resources
│    └[~] resource AWS::ElastiCache::ServerlessCache
│      └ properties
│         └ SubnetIds: (documentation changed)
├[~] service aws-fis
│ └ resources
│    └[~] resource AWS::FIS::ExperimentTemplate
│      ├  - documentation: Describes an experiment template.
│      │  + documentation: Specifies an experiment template.
│      │  An experiment template includes the following components:
│      │  - *Targets* : A target can be a specific resource in your AWS environment, or one or more resources that match criteria that you specify, for example, resources that have specific tags.
│      │  - *Actions* : The actions to carry out on the target. You can specify multiple actions, the duration of each action, and when to start each action during an experiment.
│      │  - *Stop conditions* : If a stop condition is triggered while an experiment is running, the experiment is automatically stopped. You can define a stop condition as a CloudWatch alarm.
│      │  For more information, see [Experiment templates](https://docs.aws.amazon.com/fis/latest/userguide/experiment-templates.html) in the *AWS Fault Injection Service User Guide* .
│      └ types
│         ├[~] type ExperimentTemplateAction
│         │ └  - documentation: Describes an action for an experiment template.
│         │    + documentation: Specifies an action for an experiment template.
│         │    For more information, see [Actions](https://docs.aws.amazon.com/fis/latest/userguide/actions.html) in the *AWS Fault Injection Service User Guide* .
│         ├[~] type ExperimentTemplateLogConfiguration
│         │ ├  - documentation: Describes the configuration for experiment logging.
│         │ │  + documentation: Specifies the configuration for experiment logging.
│         │ │  For more information, see [Experiment logging](https://docs.aws.amazon.com/fis/latest/userguide/monitoring-logging.html) in the *AWS Fault Injection Service User Guide* .
│         │ └ properties
│         │    ├ CloudWatchLogsConfiguration: (documentation changed)
│         │    └ S3Configuration: (documentation changed)
│         ├[~] type ExperimentTemplateStopCondition
│         │ └  - documentation: Describes a stop condition for an experiment template.
│         │    + documentation: Specifies a stop condition for an experiment template.
│         │    For more information, see [Stop conditions](https://docs.aws.amazon.com/fis/latest/userguide/stop-conditions.html) in the *AWS Fault Injection Service User Guide* .
│         ├[~] type ExperimentTemplateTarget
│         │ ├  - documentation: Describes a target for an experiment template.
│         │ │  + documentation: Specifies a target for an experiment. You must specify at least one Amazon Resource Name (ARN) or at least one resource tag. You cannot specify both ARNs and tags.
│         │ │  For more information, see [Targets](https://docs.aws.amazon.com/fis/latest/userguide/targets.html) in the *AWS Fault Injection Service User Guide* .
│         │ └ properties
│         │    └ Parameters: (documentation changed)
│         └[~] type ExperimentTemplateTargetFilter
│           └  - documentation: Describes a filter used for the target resources in an experiment template.
│              + documentation: Specifies a filter used for the target resource input in an experiment template.
│              For more information, see [Resource filters](https://docs.aws.amazon.com/fis/latest/userguide/targets.html#target-filters) in the *AWS Fault Injection Service User Guide* .
├[~] service aws-fsx
│ └ resources
│    ├[~] resource AWS::FSx::FileSystem
│    │ ├  - documentation: The `AWS::FSx::FileSystem` resource is an Amazon FSx resource type that specifies an Amazon FSx file system. You can create any of the following supported file system types:
│    │ │  - Amazon FSx for Lustre
│    │ │  - Amazon FSx for NetApp ONTAP
│    │ │  - Amazon FSx for OpenZFS
│    │ │  - Amazon FSx for Windows File Server
│    │ │  + documentation: The `AWS::FSx::FileSystem` resource is an Amazon FSx resource type that specifies an Amazon FSx file system. You can create any of the following supported file system types:
│    │ │  - Amazon FSx for Lustre
│    │ │  - Amazon FSx for NetApp ONTAP
│    │ │  - FSx for OpenZFS
│    │ │  - Amazon FSx for Windows File Server
│    │ └ properties
│    │    ├ LustreConfiguration: (documentation changed)
│    │    ├ StorageCapacity: (documentation changed)
│    │    └ WindowsConfiguration: (documentation changed)
│    └[~] resource AWS::FSx::Volume
│      └ types
│         ├[~] type AggregateConfiguration
│         │ ├  - documentation: Used to specify configuration options for a volume’s storage aggregate or aggregates.
│         │ │  + documentation: Use to specify configuration options for a volume’s storage aggregate or aggregates.
│         │ └ properties
│         │    └ ConstituentsPerAggregate: (documentation changed)
│         └[~] type OntapConfiguration
│           └ properties
│              ├ AggregateConfiguration: (documentation changed)
│              ├ SizeInBytes: (documentation changed)
│              ├ StorageEfficiencyEnabled: (documentation changed)
│              └ VolumeStyle: (documentation changed)
├[~] service aws-guardduty
│ └ resources
│    └[~] resource AWS::GuardDuty::IPSet
│      └ properties
│         └ Name: - string (required)
│                 + string
├[~] service aws-iot
│ └ resources
│    └[~] resource AWS::IoT::DomainConfiguration
│      ├ properties
│      │  └[-] ServerCertificateConfig: ServerCertificateConfig
│      └ types
│         └[-] type ServerCertificateConfig
│           ├  name: ServerCertificateConfig
│           └ properties
│              └EnableOCSPCheck: boolean
├[~] service aws-lambda
│ └ resources
│    └[~] resource AWS::Lambda::Function
│      └ types
│         └[~] type LoggingConfig
│           └ properties
│              ├ ApplicationLogLevel: (documentation changed)
│              └ SystemLogLevel: (documentation changed)
├[~] service aws-location
│ └ resources
│    └[~] resource AWS::Location::Map
│      └ types
│         └[~] type MapConfiguration
│           └ properties
│              └ Style: (documentation changed)
├[~] service aws-quicksight
│ └ resources
│    ├[~] resource AWS::QuickSight::Analysis
│    │ └ properties
│    │    ├[+] Errors: Array<AnalysisError>
│    │    └[+] Sheets: Array<Sheet>
│    └[~] resource AWS::QuickSight::Topic
│      └ properties
│         └[+] UserExperienceVersion: string
├[~] service aws-rds
│ └ resources
│    └[~] resource AWS::RDS::EventSubscription
│      └ properties
│         └ SnsTopicArn: (documentation changed)
├[~] service aws-redshift
│ └ resources
│    └[~] resource AWS::Redshift::Cluster
│      ├ properties
│      │  ├ ManageMasterPassword: (documentation changed)
│      │  ├ MasterPasswordSecretKmsKeyId: (documentation changed)
│      │  └ NamespaceResourcePolicy: (documentation changed)
│      └ attributes
│         ├ ClusterNamespaceArn: (documentation changed)
│         └ Id: (documentation changed)
├[~] service aws-redshiftserverless
│ └ resources
│    └[~] resource AWS::RedshiftServerless::Workgroup
│      └ types
│         └[~] type Workgroup
│           └ properties
│              └ ConfigParameters: (documentation changed)
├[~] service aws-route53
│ └ resources
│    ├[~] resource AWS::Route53::RecordSet
│    │ └ properties
│    │    └ GeoLocation: (documentation changed)
│    └[~] resource AWS::Route53::RecordSetGroup
│      ├ attributes
│      │  └ Id: (documentation changed)
│      └ types
│         └[~] type RecordSet
│           └ properties
│              └ GeoLocation: (documentation changed)
├[~] service aws-sagemaker
│ └ resources
│    ├[~] resource AWS::SageMaker::FeatureGroup
│    │ ├ properties
│    │ │  └[+] ThroughputConfig: ThroughputConfig
│    │ └ types
│    │    └[+] type ThroughputConfig
│    │      ├  name: ThroughputConfig
│    │      └ properties
│    │         ├ThroughputMode: string (required)
│    │         ├ProvisionedReadCapacityUnits: integer
│    │         └ProvisionedWriteCapacityUnits: integer
│    ├[~] resource AWS::SageMaker::Model
│    │ └ types
│    │    ├[+] type ModelAccessConfig
│    │    │ ├  documentation: The access configuration file for the ML model. You can explicitly accept the model end-user license agreement (EULA) within the `ModelAccessConfig` . For more information, see [End-user license agreements](https://docs.aws.amazon.com/sagemaker/latest/dg/jumpstart-foundation-models-choose.html#jumpstart-foundation-models-choose-eula) .
│    │    │ │  name: ModelAccessConfig
│    │    │ └ properties
│    │    │    └AcceptEula: boolean (required)
│    │    └[~] type S3DataSource
│    │      └ properties
│    │         ├[+] ModelAccessConfig: ModelAccessConfig
│    │         └ S3Uri: (documentation changed)
│    └[~] resource AWS::SageMaker::ModelPackage
│      └ types
│         └[~] type S3DataSource
│           └ properties
│              └ S3Uri: (documentation changed)
├[~] service aws-ssm
│ └ resources
│    └[~] resource AWS::SSM::Parameter
│      └ properties
│         └ Type: (documentation changed)
└[~] service aws-transfer
  └ resources
     └[~] resource AWS::Transfer::Connector
       └  - documentation: Creates the connector, which captures the parameters for a connection for the AS2 or SFTP protocol. For AS2, the connector is required for sending files to an externally hosted AS2 server. For SFTP, the connector is required when sending files to an SFTP server or receiving files from an SFTP server. For more details about connectors, see [Create AS2 connectors](https://docs.aws.amazon.com/transfer/latest/userguide/create-b2b-server.html#configure-as2-connector) and [Create SFTP connectors](https://docs.aws.amazon.com/transfer/latest/userguide/configure-sftp-connector.html) .
          > You must specify exactly one configuration object: either for AS2 ( `As2Config` ) or SFTP ( `SftpConfig` ).
          + documentation: Creates the connector, which captures the parameters for a connection for the AS2 or SFTP protocol. For AS2, the connector is required for sending files to an externally hosted AS2 server. For SFTP, the connector is required when sending files to an SFTP server or receiving files from an SFTP server. For more details about connectors, see [Configure AS2 connectors](https://docs.aws.amazon.com/transfer/latest/userguide/configure-as2-connector.html) and [Create SFTP connectors](https://docs.aws.amazon.com/transfer/latest/userguide/configure-sftp-connector.html) .
          > You must specify exactly one configuration object: either for AS2 ( `As2Config` ) or SFTP ( `SftpConfig` ).
```
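
Review bot: the `aws-iot` entry is the only removal in this spec update: `ServerCertificateConfig` and its `EnableOCSPCheck` property are dropped from `AWS::IoT::DomainConfiguration`. Code that sets this property on the generated L1 would break on upgrade, so list the removal explicitly in the release notes instead of leaving it inside the spec-update tree. The `AWS::GuardDuty::IPSet` `Name` change from `string (required)` to `string` only relaxes a constraint and needs no such callout.
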
add abstraction team to mergify and merit badger

----

*By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license*

Co-authored-by: GZ <[email protected]>
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[~] service aws-ec2
│ └ resources
│    ├[~] resource AWS::EC2::IPAMPool
│    │ ├ properties
│    │ │  └[+] SourceResource: SourceResource (immutable)
│    │ └ types
│    │    └[+] type SourceResource
│    │      ├  documentation: The resource associated with this pool's space. Depending on the ResourceType, setting a SourceResource changes which space can be provisioned in this pool and which types of resources can receive allocations
│    │      │  name: SourceResource
│    │      └ properties
│    │         ├ResourceId: string (required)
│    │         ├ResourceType: string (required)
│    │         ├ResourceRegion: string (required)
│    │         └ResourceOwner: string (required)
│    └[~] resource AWS::EC2::NetworkInterface
│      ├ properties
│      │  └ ConnectionTrackingSpecification: (documentation changed)
│      └ types
│         └[~] type ConnectionTrackingSpecification
│           └  - documentation: A security group connection tracking specification that enables you to set the idle timeout for connection tracking on an Elastic network interface. For more information, see [Connection tracking timeouts](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html#connection-tracking-timeouts) in the *Amazon Elastic Compute Cloud User Guide* .
│              + documentation: Configurable options for connection tracking on a network interface. For more information, see [Connection tracking timeouts](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html#connection-tracking-timeouts) in the *Amazon Elastic Compute Cloud User Guide* .
├[~] service aws-ecs
│ └ resources
│    └[~] resource AWS::ECS::TaskDefinition
│      └ types
│         └[~] type Volume
│           └ properties
│              └[+] ConfiguredAtLaunch: boolean
├[~] service aws-fsx
│ └ resources
│    ├[~] resource AWS::FSx::FileSystem
│    │ ├ properties
│    │ │  └ SecurityGroupIds: (documentation changed)
│    │ └ types
│    │    ├[~] type OntapConfiguration
│    │    │ └ properties
│    │    │    └ RouteTableIds: (documentation changed)
│    │    └[~] type UserAndGroupQuotas
│    │      ├  - documentation: The configuration for how much storage a user or group can use on the volume.
│    │      │  + documentation: Used to configure quotas that define how much storage a user or group can use on an FSx for OpenZFS volume. For more information, see [Volume properties](https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/managing-volumes.html#volume-properties) in the FSx for OpenZFS User Guide.
│    │      └ properties
│    │         ├ Id: (documentation changed)
│    │         ├ StorageCapacityQuotaGiB: (documentation changed)
│    │         └ Type: (documentation changed)
│    └[~] resource AWS::FSx::Volume
│      └ types
│         ├[~] type OntapConfiguration
│         │ └ properties
│         │    ├ AggregateConfiguration: (documentation changed)
│         │    ├ OntapVolumeType: (documentation changed)
│         │    ├ SizeInBytes: (documentation changed)
│         │    ├ SizeInMegabytes: (documentation changed)
│         │    ├ SnapshotPolicy: (documentation changed)
│         │    └ VolumeStyle: (documentation changed)
│         ├[~] type OpenZFSConfiguration
│         │ └ properties
│         │    └ UserAndGroupQuotas: (documentation changed)
│         └[~] type UserAndGroupQuotas
│           ├  - documentation: An object specifying how much storage users or groups can use on the volume.
│           │  + documentation: Configures how much storage users and groups can use on the volume.
│           └ properties
│              ├ Id: (documentation changed)
│              ├ StorageCapacityQuotaGiB: (documentation changed)
│              └ Type: (documentation changed)
├[~] service aws-guardduty
│ └ resources
│    └[~] resource AWS::GuardDuty::ThreatIntelSet
│      └ properties
│         └ Name: - string (required)
│                 + string
├[~] service aws-imagebuilder
│ └ resources
│    └[~] resource AWS::ImageBuilder::LifecyclePolicy
│      └ types
│         └[~] type RecipeSelection
│           └ properties
│              └ SemanticVersion: - string
│                                 + string (required)
├[~] service aws-kendra
│ └ resources
│    └[~] resource AWS::Kendra::DataSource
│      └ types
│         └[~] type S3DataSourceConfiguration
│           └  - documentation: Provides the configuration information to connect to an Amazon S3 bucket.
│              + documentation: Provides the configuration information to connect to an Amazon S3 bucket.
│              > `S3DataSourceConfiguration` is deprecated. Amazon VPC is not supported if you configure your Amazon S3 connector with this method. Use [TemplateConfiguration](https://docs.aws.amazon.com/kendra/latest/APIReference/API_TemplateConfiguration.html) to configure your Amazon S3 connector instead. See [Amazon S3 template schema](https://docs.aws.amazon.com/kendra/latest/dg/ds-schemas.html#ds-s3-schema) for more details.
├[~] service aws-managedblockchain
│ └ resources
│    └[~] resource AWS::ManagedBlockchain::Accessor
│      └ properties
│         └ NetworkType: (documentation changed)
├[~] service aws-networkmanager
│ └ resources
│    └[~] resource AWS::NetworkManager::Device
│      └ attributes
│         └ CreatedAt: (documentation changed)
├[~] service aws-redshiftserverless
│ └ resources
│    └[~] resource AWS::RedshiftServerless::Workgroup
│      ├ properties
│      │  └ ConfigParameters: (documentation changed)
│      └ types
│         ├[~] type ConfigParameter
│         │ └ properties
│         │    └ ParameterKey: (documentation changed)
│         └[~] type Workgroup
│           └ properties
│              └ ConfigParameters: (documentation changed)
├[~] service aws-sagemaker
│ └ resources
│    └[~] resource AWS::SageMaker::FeatureGroup
│      ├ properties
│      │  └ ThroughputConfig: (documentation changed)
│      └ types
│         └[~] type ThroughputConfig
│           ├  - documentation: undefined
│           │  + documentation: Used to set feature group throughput configuration. There are two modes: `ON_DEMAND` and `PROVISIONED` . With on-demand mode, you are charged for data reads and writes that your application performs on your feature group. You do not need to specify read and write throughput because Feature Store accommodates your workloads as they ramp up and down. You can switch a feature group to on-demand only once in a 24 hour period. With provisioned throughput mode, you specify the read and write capacity per second that you expect your application to require, and you are billed based on those limits. Exceeding provisioned throughput will result in your requests being throttled.
│           │  Note: `PROVISIONED` throughput mode is supported only for feature groups that are offline-only, or use the [`Standard`](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_OnlineStoreConfig.html#sagemaker-Type-OnlineStoreConfig-StorageType) tier online store.
│           └ properties
│              ├ ProvisionedReadCapacityUnits: (documentation changed)
│              ├ ProvisionedWriteCapacityUnits: (documentation changed)
│              └ ThroughputMode: (documentation changed)
└[~] service aws-verifiedpermissions
  └ resources
     ├[~] resource AWS::VerifiedPermissions::Policy
     │ └ properties
     │    └ PolicyStoreId: - string (immutable)
     │                     + string (required, immutable)
     └[~] resource AWS::VerifiedPermissions::PolicyStore
       └ properties
          └[+] Description: string
```
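
Review bot: two properties become required in this update: `SemanticVersion` on the `RecipeSelection` type of `AWS::ImageBuilder::LifecyclePolicy` (`string` to `string (required)`) and `PolicyStoreId` on `AWS::VerifiedPermissions::Policy` (`string (immutable)` to `string (required, immutable)`). L1 users who omitted either one would be affected by the tightened definition, so both should be called out in the release notes next to this spec bump.
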
Make the sync workflow a bit more efficient, by only fetching the branches we're actually planning on syncing from `upstream`.

Also document the limitations of GitHub Actions tokens more clearly.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
When executing the CDK app program fails, we don't print any useful debug information. This makes sense because we are passing all output from the program to the shell, expecting this would be enough to debug any faults. However the program might be faulty in a way that no (useful) output is printed. To help with this case print the failing command when `--debug` is enabled.

This might require a follow up with a better DX for the generic non debug case. For now this will improve the situation.

Related to #28637

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… to install latest sdk version (#28688)

This introduced uncertainty into the resource behavior, adds at least 60s to the execution time and will cause deployments in CN regions to fail.

No tests added because the existing tests run with the `@aws-cdk/customresources:installLatestAwsSdkDefault` feature flag set to the recommended value. This change merely changes the `OpenSearchAccessPolicy` config for users that don't set the feature flag. We can safely do this, because we control the code for this custom resource and know it works with the provided SDK version.

Related to #27597

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Adds parameter to configure a dual stack vpc, `vpcProtocol: ec2.VpcProtocol.DUAL_STACK`.

By default a dual stack vpc will:

- Create an Amazon provided IPv6 CIDR block (/56) and associate it to the VPC.
- Assign a portion of the block to each of the subnets (/64)
- Enable autoassigning an IPv6 address for each subnet
- **Disable autoassigning public IPv4 addresses** for each subnet
- Create an Egress Only Internet Gateway for private subnets
- Configure IPv6 routes for IGWs and EIGWs

Addresses #894.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…igrate (#28678)

Apps generated from cdk migrate with resources that aren't already part of a stack will (soon) create a migrate.json file. This file contains the list of resources that should be imported upon creation of the new app.

If this file is present and the source is either `localfile` or the ARN environment matches the deployment environment, running `cdk deploy` will:
1. Create a new stack and import the resources listed in migrate.json.
2. Apply outputs and CDKMetadata through a normal deployment.

Note: `localfile` is a placeholder value so that we can run integration tests on this change. Once some of the other in-progress work is finished, this will be updated.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Reverts #27310 which allows setting up LogGroups for the state machine configured by the waiter custom-resource.

Refs: bfeef00

This reverts commit bfeef00.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…n separate stacks (#28560)

This PR fixed an error when deploying EFS and Lambda in separate stacks.

## Cause of the bug
Currently, when using EFS from Lambda, deploying EFS and Lambda in separate stacks creates incorrect resource dependencies and cannot be deployed correctly.
This error is caused by adding a security group setting in the Function construct to allow EFS and Lambda to communicate correctly.
By calling the `Connections.allowDefaultPortFrom` method of the Filesystem in the LambdaStack, IngressRule is created in the scope of the EfsStack.
Note that the `remoteRule` flag is false when calling `SecurityGroupBase.addIngressRule` at this time.
https://github.com/aws/aws-cdk/blob/dde59755cb71aee73a58f3b2c2068f2ae01e9b72/packages/aws-cdk-lib/aws-lambda/lib/function.ts#L1416
https://github.com/aws/aws-cdk/blob/dde59755cb71aee73a58f3b2c2068f2ae01e9b72/packages/aws-cdk-lib/aws-ec2/lib/connections.ts#L157
https://github.com/aws/aws-cdk/blob/dde59755cb71aee73a58f3b2c2068f2ae01e9b72/packages/aws-cdk-lib/aws-ec2/lib/security-group.ts#L84

Here is the minimal code to reproduce this error without EFS and Lambda.
```ts
#!/usr/bin/env node
import 'source-map-support/register';
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as ec2 from 'aws-cdk-lib/aws-ec2';

export class EfsStack extends Stack {
    public vpc: ec2.Vpc;
    public efsSg: ec2.SecurityGroup;

    constructor(scope: Construct, id: string, props?: StackProps) {
      super(scope, id, props);

      this.vpc = new ec2.Vpc(this, 'Vpc');

      this.efsSg = new ec2.SecurityGroup(this, 'SecurityGroup', {
        vpc: this.vpc,
        allowAllOutbound: true,
      });
    }
}

interface LambdaStackProps extends StackProps {
    vpc: ec2.Vpc;
    efsSg: ec2.SecurityGroup;
}

export class LambdaStack extends Stack {
    constructor(scope: Construct, id: string, props: LambdaStackProps) {
      super(scope, id, props);

      const lambdaSg = new ec2.SecurityGroup(this, 'SecurityGroup', {
        vpc: props.vpc,
        allowAllOutbound: true,
      });

      // Since `remoteRule` flag is set to false here, IngressRule is deployed in EfsStack scope.
      props.efsSg.addIngressRule(lambdaSg, ec2.Port.tcp(2049), '', false);
    }
}

const app = new App();
const efsStack = new EfsStack(app, 'EfsStack');
const lambdaStack = new LambdaStack(app, 'LambdaStack', {
    vpc: efsStack.vpc,
    efsSg: efsStack.efsSg,
});
```

By calling the `SecurityGroupBase.addIngressRule` method with the `remoteRule` flag true, the IngressRule will be deployed in the scope of the Lambda stack and the deployment will complete successfully.

## Changes
Fixed the SecurityGroup Rule configuration part in the Function construct to fix this error.
By changing the Function construct to call the `Connections.allowTo` method, the `remoteRule` flag is set to true when `allowTo` method calls `allowFrom` method and the EFS Security Group Ingress Rule will be correctly created in the scope of the Lambda stack.
https://github.com/aws/aws-cdk/blob/dde59755cb71aee73a58f3b2c2068f2ae01e9b72/packages/aws-cdk-lib/aws-ec2/lib/connections.ts#L139
https://github.com/aws/aws-cdk/blob/dde59755cb71aee73a58f3b2c2068f2ae01e9b72/packages/aws-cdk-lib/aws-ec2/lib/connections.ts#L141

Closes #18759

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
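
The rule placement described in this commit message, as an added example that is not part of the original PR and is not aws-cdk-lib code: a simplified model of which stack ends up owning the ingress rule and what that does to the references between the two stacks. All type and function names are hypothetical, and treating the failure as a reference cycle between `EfsStack` and `LambdaStack` is an assumption of the model.

```typescript
// Added example: simplified model, NOT aws-cdk-lib source code.
// All type and function names here are hypothetical.

interface SecurityGroup {
  id: string;
  stack: string; // name of the stack that owns the group
}

interface PlacedRule {
  ownerStack: string; // stack whose template receives the ingress rule
  group: SecurityGroup; // group the rule opens
  peer: SecurityGroup; // group that is allowed to connect
}

// Stack name -> names of the stacks it references.
type DependencyGraph = Record<string, string[]>;

// With remoteRule set and the peer living in another stack, the rule is
// created in the peer's stack; otherwise it stays with the group itself.
function placeIngressRule(group: SecurityGroup, peer: SecurityGroup, remoteRule: boolean): PlacedRule {
  const crossStack = group.stack !== peer.stack;
  return { ownerStack: remoteRule && crossStack ? peer.stack : group.stack, group, peer };
}

function addEdge(graph: DependencyGraph, from: string, to: string): void {
  graph[from] = graph[from] || [];
  graph[to] = graph[to] || [];
  if (from !== to && graph[from].indexOf(to) === -1) {
    graph[from].push(to);
  }
}

// The stack that owns a rule must reference every foreign group the rule names.
function buildGraph(existing: Array<[string, string]>, rules: PlacedRule[]): DependencyGraph {
  const graph: DependencyGraph = {};
  existing.forEach(([from, to]) => addEdge(graph, from, to));
  rules.forEach((rule) => {
    addEdge(graph, rule.ownerStack, rule.group.stack);
    addEdge(graph, rule.ownerStack, rule.peer.stack);
  });
  return graph;
}

// Depth-first search; returns the first reference cycle found, or null.
function findCycle(graph: DependencyGraph): string[] | null {
  const state: Record<string, number> = {}; // undefined = new, 1 = on path, 2 = done
  const path: string[] = [];

  function visit(node: string): string[] | null {
    state[node] = 1;
    path.push(node);
    const next = graph[node] || [];
    for (let i = 0; i < next.length; i++) {
      const target = next[i];
      if (state[target] === 1) {
        return path.slice(path.indexOf(target)).concat(target);
      }
      if (!state[target]) {
        const found = visit(target);
        if (found) {
          return found;
        }
      }
    }
    path.pop();
    state[node] = 2;
    return null;
  }

  const nodes = Object.keys(graph);
  for (let i = 0; i < nodes.length; i++) {
    if (!state[nodes[i]]) {
      const found = visit(nodes[i]);
      if (found) {
        return found;
      }
    }
  }
  return null;
}

// The two stacks from the reproduction above, evaluated for either flag value.
function analyse(remoteRule: boolean): { ruleStack: string; cycle: string[] | null } {
  const efsSg: SecurityGroup = { id: 'efsSg', stack: 'EfsStack' };
  const lambdaSg: SecurityGroup = { id: 'lambdaSg', stack: 'LambdaStack' };
  const rule = placeIngressRule(efsSg, lambdaSg, remoteRule);
  // LambdaStack already references EfsStack because it receives efsStack.vpc.
  const graph = buildGraph([['LambdaStack', 'EfsStack']], [rule]);
  return { ruleStack: rule.ownerStack, cycle: findCycle(graph) };
}

[false, true].forEach((flag) => {
  const result = analyse(flag);
  const cycle = result.cycle ? result.cycle.join(' -> ') : 'none';
  console.log(`remoteRule=${flag}: rule in ${result.ruleStack}, cycle: ${cycle}`);
});
```
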
)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 41.0.1 to 41.1.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/tj-actions/changed-files/releases">tj-actions/changed-files's releases</a>.</em></p>
<blockquote>
<h2>v41.1.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Upgraded to v41.1.0 by <a href="https://github.com/tj-actions-bot"><code>@​tj-actions-bot</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1852">tj-actions/changed-files#1852</a></li>
<li>fix: bug with inaccurate warnings by <a href="https://github.com/jackton1"><code>@​jackton1</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1853">tj-actions/changed-files#1853</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/tj-actions/changed-files/compare/v41...v41.1.1">https://github.com/tj-actions/changed-files/compare/v41...v41.1.1</a></p>
<h2>v41.1.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Upgraded to v41.0.1 by <a href="https://github.com/tj-actions-bot"><code>@​tj-actions-bot</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1816">tj-actions/changed-files#1816</a></li>
<li>chore: update matrix-test.yml by <a href="https://github.com/jackton1"><code>@​jackton1</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1814">tj-actions/changed-files#1814</a></li>
<li>chore(deps): update typescript-eslint monorepo to v6.16.0 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1819">tj-actions/changed-files#1819</a></li>
<li>chore(deps): update tj-actions/verify-changed-files action to v17 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1820">tj-actions/changed-files#1820</a></li>
<li>chore(deps): update dependency <code>@​types/node</code> to v20.10.6 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1821">tj-actions/changed-files#1821</a></li>
<li>chore(deps): lock file maintenance by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1822">tj-actions/changed-files#1822</a></li>
<li>chore(deps): update typescript-eslint monorepo to v6.17.0 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1823">tj-actions/changed-files#1823</a></li>
<li>chore(deps): update dependency eslint-plugin-jest to v27.6.1 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1824">tj-actions/changed-files#1824</a></li>
<li>chore(deps): update typescript-eslint monorepo to v6.18.0 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1827">tj-actions/changed-files#1827</a></li>
<li>chore: create workflow-run-test.yml by <a href="https://github.com/jackton1"><code>@​jackton1</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1828">tj-actions/changed-files#1828</a></li>
<li>Updated README.md by <a href="https://github.com/tj-actions-bot"><code>@​tj-actions-bot</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1830">tj-actions/changed-files#1830</a></li>
<li>chore(deps): update dependency <code>@​types/node</code> to v20.10.7 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1831">tj-actions/changed-files#1831</a></li>
<li>chore(deps): lock file maintenance by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1833">tj-actions/changed-files#1833</a></li>
<li>chore: update jest.config.js by <a href="https://github.com/jackton1"><code>@​jackton1</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1834">tj-actions/changed-files#1834</a></li>
<li>chore(deps): update typescript-eslint monorepo to v6.18.1 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1835">tj-actions/changed-files#1835</a></li>
<li>chore(deps-dev): bump <code>@​types/node</code> from 20.10.7 to 20.10.8 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1836">tj-actions/changed-files#1836</a></li>
<li>chore(deps): update dependency eslint-plugin-prettier to v5.1.3 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1837">tj-actions/changed-files#1837</a></li>
<li>chore(deps): update dependency eslint-plugin-jest to v27.6.2 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1838">tj-actions/changed-files#1838</a></li>
<li>chore(deps): update dependency <code>@​types/node</code> to v20.11.0 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1839">tj-actions/changed-files#1839</a></li>
<li>chore(deps): update dependency prettier to v3.2.0 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1844">tj-actions/changed-files#1844</a></li>
<li>chore: update warning message by <a href="https://github.com/jackton1"><code>@​jackton1</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1845">tj-actions/changed-files#1845</a></li>
<li>chore: create multi-job-test.yml by <a href="https://github.com/jackton1"><code>@​jackton1</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1843">tj-actions/changed-files#1843</a></li>
<li>chore(deps): update dependency eslint-plugin-jest to v27.6.3 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1846">tj-actions/changed-files#1846</a></li>
<li>chore(deps): update dependency prettier to v3.2.1 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1847">tj-actions/changed-files#1847</a></li>
<li>chore: update top level workflow permissions by <a href="https://github.com/jackton1"><code>@​jackton1</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1848">tj-actions/changed-files#1848</a></li>
<li>feat: add support for forcing the use of GitHub’s REST API by <a href="https://github.com/jackton1"><code>@​jackton1</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1849">tj-actions/changed-files#1849</a></li>
<li>Updated README.md by <a href="https://github.com/tj-actions-bot"><code>@​tj-actions-bot</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1850">tj-actions/changed-files#1850</a></li>
<li>fix: permission with release workflow by <a href="https://github.com/jackton1"><code>@​jackton1</code></a> in <a href="https://github.com/tj-actions/changed-files/pull/1851">tj-actions/changed-files#1851</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/tj-actions/changed-files/compare/v41...v41.1.0">https://github.com/tj-actions/changed-files/compare/v41...v41.1.0</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/tj-actions/changed-files/blob/main/HISTORY.md">tj-actions/changed-files's changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h1><a href="https://github.com/tj-actions/changed-files/compare/v41.1.0...v41.1.1">41.1.1</a> - (2024-01-13)</h1>
<h2>🐛 Bug Fixes</h2>
<ul>
<li>Bug with inaccurate warnings (<a href="https://github.com/tj-actions/changed-files/issues/1853">#1853</a>) (<a href="https://github.com/tj-actions/changed-files/commit/62f4729b5df35e6e0e01265fa70a82ccaf196b4b">62f4729</a>)  - (Tonye Jack)</li>
</ul>
<h2>⬆️ Upgrades</h2>
<ul>
<li>Upgraded to v41.1.0 (<a href="https://github.com/tj-actions/changed-files/issues/1852">#1852</a>)</li>
</ul>
<p>Co-authored-by: jackton1 <a href="mailto:[email protected]">[email protected]</a> (<a href="https://github.com/tj-actions/changed-files/commit/e0579abf95abec8042468976c7822e6867542199">e0579ab</a>)  - (tj-actions[bot])</p>
<h1><a href="https://github.com/tj-actions/changed-files/compare/v41.0.1...v41.1.0">41.1.0</a> - (2024-01-13)</h1>
<h2>🚀 Features</h2>
<ul>
<li>Add support for forcing the use of GitHub’s REST API (<a href="https://github.com/tj-actions/changed-files/issues/1849">#1849</a>) (<a href="https://github.com/tj-actions/changed-files/commit/0ca1c07b47b66abe421382a891da70a506e60e8a">0ca1c07</a>)  - (Tonye Jack)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li>Permission with release workflow (<a href="https://github.com/tj-actions/changed-files/issues/1851">#1851</a>) (<a href="https://github.com/tj-actions/changed-files/commit/8e0194b29bc4bb6dd2338b6b7b915c56c2df6f58">8e0194b</a>)  - (Tonye Jack)</li>
</ul>
<h2>🔄 Update</h2>
<ul>
<li>Updated README.md (<a href="https://github.com/tj-actions/changed-files/issues/1850">#1850</a>)</li>
</ul>
<p>Co-authored-by: jackton1 <a href="mailto:[email protected]">[email protected]</a> (<a href="https://github.com/tj-actions/changed-files/commit/3649d2842d46e7cc679c204d917887f7821cf08a">3649d28</a>)  - (tj-actions[bot])</p>
<ul>
<li>Updated README.md (<a href="https://github.com/tj-actions/changed-files/issues/1830">#1830</a>)</li>
</ul>
<p>Co-authored-by: jackton1 <a href="mailto:[email protected]">[email protected]</a> (<a href="https://github.com/tj-actions/changed-files/commit/3fbf5fb588c7e1fdbc140668150a2b725984c6ed">3fbf5fb</a>)  - (tj-actions[bot])</p>
<ul>
<li>Update README.md (<a href="https://github.com/tj-actions/changed-files/commit/95230678db8c15d57cd678fbcd2a7e87e83ac1e1">9523067</a>)  - (Tonye Jack)</li>
<li>Update README.md (<a href="https://github.com/tj-actions/changed-files/commit/032add13e8e88878dc3238258baee58dcb4a528a">032add1</a>)  - (Tonye Jack)</li>
</ul>
<h2>⚙️ Miscellaneous Tasks</h2>
<ul>
<li>Update top level workflow permissions (<a href="https://github.com/tj-actions/changed-files/issues/1848">#1848</a>) (<a href="https://github.com/tj-actions/changed-files/commit/a57f4dcc814fa55691c9ee5fc6e07c7487cb69f1">a57f4dc</a>)  - (Tonye Jack)</li>
<li><strong>deps:</strong> Update dependency prettier to v3.2.1 (<a href="https://github.com/tj-actions/changed-files/commit/9c39b0b6e9d3a1e534a35da2e6142c8b1d0204b3">9c39b0b</a>)  - (renovate[bot])</li>
<li><strong>deps:</strong> Update dependency eslint-plugin-jest to v27.6.3 (<a href="https://github.com/tj-actions/changed-files/commit/8b141f390680a108c54963421dbc9ed587516859">8b141f3</a>)  - (renovate[bot])</li>
<li>Create multi-job-test.yml (<a href="https://github.com/tj-actions/changed-files/issues/1843">#1843</a>) (<a href="https://github.com/tj-actions/changed-files/commit/17e07d8bc032c41929a28e4ac0180f5fd41e62e8">17e07d8</a>)  - (Tonye Jack)</li>
<li>Update warning message (<a href="https://github.com/tj-actions/changed-files/issues/1845">#1845</a>) (<a href="https://github.com/tj-actions/changed-files/commit/13fa1c06fc72cd769f43877df4deb2fcef0070bf">13fa1c0</a>)  - (Tonye Jack)</li>
<li><strong>deps:</strong> Update dependency prettier to v3.2.0 (<a href="https://github.com/tj-actions/changed-files/commit/0deb29d192a79307172c8ca2af53b9163e1f2dce">0deb29d</a>)  - (renovate[bot])</li>
<li><strong>deps:</strong> Update dependency <code>@​types/node</code> to v20.11.0 (<a href="https://github.com/tj-actions/changed-files/commit/28267ee8b7e9d0a1510577b3da5c95991e566f8d">28267ee</a>)  - (renovate[bot])</li>
<li><strong>deps:</strong> Update dependency eslint-plugin-jest to v27.6.2 (<a href="https://github.com/tj-actions/changed-files/commit/094d3441f851cdd60b3184c559065cff58998103">094d344</a>)  - (renovate[bot])</li>
<li><strong>deps:</strong> Update dependency eslint-plugin-prettier to v5.1.3 (<a href="https://github.com/tj-actions/changed-files/commit/aeec36b0354dca21f43136a2a5be79815ad013b9">aeec36b</a>)  - (renovate[bot])</li>
<li><strong>deps-dev:</strong> Bump <code>@​types/node</code> from 20.10.7 to 20.10.8 (<a href="https://github.com/tj-actions/changed-files/issues/1836">#1836</a>) (<a href="https://github.com/tj-actions/changed-files/commit/2d0270c489bf57145dd4a63d0a5fcf35a7147bc3">2d0270c</a>)  - (dependabot[bot])</li>
<li><strong>deps:</strong> Update typescript-eslint monorepo to v6.18.1 (<a href="https://github.com/tj-actions/changed-files/commit/0e0adfa0d3cc3663f8db2d833bbec96034e98250">0e0adfa</a>)  - (renovate[bot])</li>
<li>Update jest.config.js (<a href="https://github.com/tj-actions/changed-files/issues/1834">#1834</a>) (<a href="https://github.com/tj-actions/changed-files/commit/5313e6bbe36db02444adb6db8803c3fb020fbeef">5313e6b</a>)  - (Tonye Jack)</li>
<li><strong>deps:</strong> Lock file maintenance (<a href="https://github.com/tj-actions/changed-files/commit/54789be3a182749c98b3750327225ef16ae72b85">54789be</a>)  - (renovate[bot])</li>
</ul>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/tj-actions/changed-files/commit/62f4729b5df35e6e0e01265fa70a82ccaf196b4b"><code>62f4729</code></a> fix: bug with inaccurate warnings (<a href="https://github.com/tj-actions/changed-files/issues/1853">#1853</a>)</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/e0579abf95abec8042468976c7822e6867542199"><code>e0579ab</code></a> Upgraded to v41.1.0 (<a href="https://github.com/tj-actions/changed-files/issues/1852">#1852</a>)</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/8e0194b29bc4bb6dd2338b6b7b915c56c2df6f58"><code>8e0194b</code></a> fix: permission with release workflow (<a href="https://github.com/tj-actions/changed-files/issues/1851">#1851</a>)</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/3649d2842d46e7cc679c204d917887f7821cf08a"><code>3649d28</code></a> Updated README.md (<a href="https://github.com/tj-actions/changed-files/issues/1850">#1850</a>)</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/0ca1c07b47b66abe421382a891da70a506e60e8a"><code>0ca1c07</code></a> feat: add support for forcing the use of GitHub’s REST API (<a href="https://github.com/tj-actions/changed-files/issues/1849">#1849</a>)</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/a57f4dcc814fa55691c9ee5fc6e07c7487cb69f1"><code>a57f4dc</code></a> chore: update top level workflow permissions (<a href="https://github.com/tj-actions/changed-files/issues/1848">#1848</a>)</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/9c39b0b6e9d3a1e534a35da2e6142c8b1d0204b3"><code>9c39b0b</code></a> chore(deps): update dependency prettier to v3.2.1</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/8b141f390680a108c54963421dbc9ed587516859"><code>8b141f3</code></a> chore(deps): update dependency eslint-plugin-jest to v27.6.3</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/17e07d8bc032c41929a28e4ac0180f5fd41e62e8"><code>17e07d8</code></a> chore: create multi-job-test.yml (<a href="https://github.com/tj-actions/changed-files/issues/1843">#1843</a>)</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/13fa1c06fc72cd769f43877df4deb2fcef0070bf"><code>13fa1c0</code></a> chore: update warning message (<a href="https://github.com/tj-actions/changed-files/issues/1845">#1845</a>)</li>
<li>Additional commits viewable in <a href="https://github.com/tj-actions/changed-files/compare/716b1e13042866565e00e85fd4ec490e186c4a2f...62f4729b5df35e6e0e01265fa70a82ccaf196b4b">compare view</a></li>
</ul>
</details>
…8676)

There isn't an easy way to get the newly created log group of a DatabaseInstance if the DatabaseInstance has the cloudwatchLogsExport property set. Right now users would have to manually figure out the log group name by constructing `/aws/rds/instance/${this.databaseInstance.instanceIdentifier}/postgresql`. The same applies to the RDS cluster resource.

This is also dangerous as it relies on the naming convention remaining unmodified. It would break the application if the naming convention was somehow changed.

Add a new property `cloudwatchLogGroups` to RDS instance and cluster.

Closes #20358.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…28567)

Add ADOT Lambda Layer ARNs for recent release

- https://aws-otel.github.io/docs/ReleaseBlogs/aws-distro-for-opentelemetry-lambda-layer-v0.36.0
- aws-observability/aws-otel-lambda#818

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
In this PR, I have added support for creating one zone filesystems. 

[As discussed in the issue](#15864 (comment)), I considered including `availabilityZoneName` in the props, but for now, I have added only the `oneZone` argument.

The `efs.FileSystem` construct also generates a mount target simultaneously. However, when creating a one zone file system, both the mount target and the file system should be located in the same Availability Zone. The issue arises because the name of the Availability Zone where the mount target will be placed (obtained from `props.vpc.selectSubnets()`) remains a token, making it impossible to compare it with the given `availabilityZoneName`.

Please let me know if there is a smart way to resolve this.

Closes #15864

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
# Summary
Implement an `IConnectable` interface to a NetworkLoadBalancer. 

# Why is this change needed?
AWS CDK has great features for abstraction. The `IConnectable` interface is one of these. `IConnectable` simplifies the management of security groups. AWS CDK added security group support to NLB in #27978. However, NLB currently does not implement `IConnectable`, so customers can't use this useful interface in AWS CDK.

# Example use case

```ts
declare const lb: elbv2.NetworkLoadBalancer;
declare const asg: autoscaling.AutoScalingGroup;

asg.connections.allowFrom(lb, ec2.Port.tcp(8088)); // currently can not
```

Closes #26735

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Currently, if you select the wrong AMI type you get the following:

```
Error: The specified AMI does not match the instance types architecture, either specify one of AL2_x86_64, BOTTLEROCKET_x86_64, WINDOWS_CORE_2019_x86_64, WINDOWS_CORE_2022_x86_64, WINDOWS_FULL_2019_x86_64, WINDOWS_FULL_2022_x86_64 or don't specify any
```
IMO the error messages should give the enum values defined [here](https://github.com/aws/aws-cdk/blob/e25c5b6758068b561f55c4d7b2654d951e8ea313/packages/aws-cdk-lib/aws-eks/lib/managed-nodegroup.ts#L28-L73), not the string value.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…t source action (#28008)

Custom Events were added to the CodeCommit Source action to trigger pipelines via custom event rules.

Closes [#12045](#12045).

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
support zero buffering ([announcement](https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-kinesis-data-firehose-zero-buffering/), [documentation](https://docs.aws.amazon.com/firehose/latest/dev/buffering-hints.html))

Closes #28714 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Missing dependency when exporting `@aws-cdk/cloudformation-diff` in custom AWS Construct Library. 

Closes #28679

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
paulhcsun and others added 16 commits January 16, 2024 21:42
#28661)

Update docs for use of `sfn.JsonPath.DISCARD` in place of `null` in `TaskInput.fromObject`s field value for languages that do not support `null` like Python. 

Doc: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.TaskInput.html#:~:text=to%20a%20task.-,static%20fromObject(obj),-public%20static%20fromObject

Closes #16253.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Update progress on VPC L2 support for IPv6

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…28658)

Error:

```bash
Error: Cannot find entry file at /node_modules/@aws-cdk/custom-resource-handlers/dist/
aws-amplify-alpha/asset-deployment-handler/index.js
```

In #27955, we migrated the aws-amplify-alpha custom resource to `@aws-cdk/custom-resource-handlers`, our internal package for storing all custom resources. However, this migration was half-baked. The reason is because we seem to have depended on our `@aws-cdk/custom-resource-handlers` package directly. That works locally, as we have `custom-resource-handlers` readily available. 

```
|-- @aws-cdk
    |-- aws-amplify-alpha
    |-- custom-resource-handlers
```

`aws-amplify-alpha` directly went into `custom-resource-handlers` to grab the necessary entry file. This works locally, because we have access to all folders with impunity.

Of course, when packaged and published, we publish only `aws-amplify-alpha` with no other outside folders:

```
|-- @aws-cdk 
    |-- aws-amplify-alpha
```

Thus, the published module would not have access to the file under `custom-resource-handlers`, and predictably fails at synth time. 

In `aws-cdk-lib`, we airlift the necessary files _into_ the package and release it alongside `aws-cdk-lib`:

```
|-- aws-cdk-lib
    |-- aws-synthetics
    |-- custom-resource-handlers/dist/aws-synthetics/custom-resource-handler // this was airlifted into aws-cdk-lib
```

We are supposed to do the same airlift mechanism for `aws-amplify-alpha` but somehow that was forgotten. This PR adds in the necessary structure, so now `aws-amplify-alpha` looks like this:

```
|-- @aws-cdk 
    |-- aws-amplify-alpha
        |-- custom-resource-handlers/dist/aws-amplify-alpha // airlifted in via this PR
    |-- custom-resource-handlers/dist
        |-- aws-amplify-alpha
```

(please excuse my horrible ascii notation)

Fixes #28633. Fixes #28089. I tested my locally packaged `aws-amplify-alpha` on a local CDK app to confirm that the necessary structure exists in the packaged module.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…up` (#28737)

#28039 introduced support for custom logging configurations for AWS Lambda Functions.

This change deprecates the `logRetention`, `logRetentionRole` and `logRetentionRetryOptions` properties in favor of using a custom logging configuration.

By default, Lambda functions send logs to an automatically created default log group named `/aws/lambda/<function name>`. However you cannot change the properties of this auto-created log group using the AWS CDK, e.g. you cannot set a different log retention. To overcome the limitation, a custom resource was introduced and configuration exposed via the `logRetention` properties. This is what we are deprecating in this change.

With the introduction of custom logging configuration and the new `logGroup` property, users can now create a fully customizable `LogGroup` ahead of time, and instruct the Lambda function to send logs to it.

Migrating from `logRetention` to `logGroup` will cause the name of the log group to change. Don't attempt to use the name of the auto-created log group; this will cause subtle issues. We recommend using auto-naming for lambda log groups, they can easily be accessed via the Lambda Console. If you want to use a well-known name, we recommend using a pattern like `/<your service>/lambda/<function name>`. Be aware that a named log group can prevent a stack from being recreated without manual intervention after it has been deployed (error `Resource already exists`). This is because `LogGroups` are retained by default.

Either way, users will have to adjust and documentation will need to be updated. Any code referencing the old log group name verbatim will have to be changed as well. Keep in mind that in AWS CDK code, you can access the log group name directly from the `LogGroup` construct: 
```ts
declare const myLogGroup: logs.LogGroup;
myLogGroup.logGroupName;
```

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
To simplify ECS customer experience, customers need the ability to utilize highly available (HA) durable, high-performance, cost effective block storage for their workloads. To address these needs, ECS will provide support for Elastic Block Storage (EBS) task attachments.

This PR adds the L2 constructs for EBS task attach.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Linter rules caught that CDK standardizes resource name prop as `[resource]Name`. Previously this module only used `name` for the prop.

Follow up from #28671.

BREAKING CHANGE: `ApplicationProps.name` renamed to `ApplicationProps.applicationName`
  - **appconfig**: `EnvironmentProps.name` renamed to `EnvironmentProps.environmentName`
  - **appconfig**: `DeploymentStrategyProps.name` renamed to `DeploymentStrategyProps.deploymentStrategyName`
  - **appconfig**: `ExtensionProps.name` renamed to `ExtensionProps.extensionName`

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…her than a string (#28743)

Previously, we were typing this as a `string` and providing an enum for `PredefinedDeploymentStrategyId`s. This is a CDK anti-pattern because this makes the enum undiscoverable, since users see that it is typed only as a `string`. It also may not work in non-TS languages. Instead, we are moving the type to explicitly be an enum-like class.

Follow up from #28671.

BREAKING CHANGE: `deploymentStrategyId` prop in `fromDeploymentStrategyId` now takes a `DeploymentStrategyId` rather than a `string`. To import a predefined deployment strategy id, use `DeploymentStrategyId.CANARY_10_PERCENT_20_MINUTES`. Otherwise, use `DeploymentStrategyId.fromString('abc123')`.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The max value of `iops` for `io2` EBS volume is wrong. And I fixed the reference URL.

- 64000 -> 256000

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-volume.html#cfn-ec2-volume-iops

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
In this PR, I have implemented support for weighted routing. 
By passing the `weight` and `setIdentifier` parameters when registering a record, it is possible to perform weighted routing among records that share the same name and type.

```ts
new route53.ARecord(this, `WeightedRecord${index}`, {
        zone: hostedZone,
        recordName: 'www',
        weight: 20, // added
        setIdentifier: 'uniqueId', // added
        target: route53.RecordTarget.fromIpAddresses('1.2.3.4'),
      });
```

Closes #26753.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR adds support for `TransitionToArchive` property for `AWS::EFS::FileSystem`

Also updated `LifecyclePolicy` to add missing values for `TransitionToArchive` and `TransitionToIA`

[Docs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-efs-filesystem-lifecyclepolicy.html#cfn-efs-filesystem-lifecyclepolicy-transitiontoarchive)

Closes #28720.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…28671)

Auditing awslint errors.

Reasons for keeping current list of exemptions:


* "no-unused-type:@aws-cdk/aws-appconfig-alpha.PredefinedDeploymentStrategyId" - will be fixed in a separate PR.
* "props-physical-name:@aws-cdk/aws-appconfig-alpha.ApplicationProps"
  "props-physical-name:@aws-cdk/aws-appconfig-alpha.DeploymentStrategyProps"
  "props-physical-name:@aws-cdk/aws-appconfig-alpha.EnvironmentProps"
  "props-physical-name:@aws-cdk/aws-appconfig-alpha.ExtensionProps" - will be fixed in a separate PR.
* "events-method-signature" - exempting because appconfig handles their events without cloudwatch events
* "events-generic" - exempting because appconfig handles their events without cloudwatch events

Closes #27894 alongside #28742 and #28743

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR bumps the default version for aws-cn partition.

```
% aws --profile bjs serverlessrepo get-application --application-id arn:aws-cn:serverlessrepo:cn-north-1:193023089310:applications/SecretsManagerRDSPostgreSQLRotationSingleUser --query Version.SemanticVersion --output text
1.1.212
```



Closes #28696

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ider for autoscaling (#28437)

### Why is this needed?
When adding an auto scaling group as a capacity provider using `Cluster.addAsgCapacityProvider` and when the task definition being run uses the AWS_VPC network mode, it results in the metadata service at `169.254.169.254` being blocked. This is a security best practice as detailed [here](https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/security-iam-roles.html). This practice is implemented [here](https://github.com/aws/aws-cdk/blame/2d9de189e583186f2b77386ae4fcfff42c864568/packages/aws-cdk-lib/aws-ecs/lib/cluster.ts#L502-L504). However, by doing this, some applications such as those raised in #28270 as well as the aws-otel package will not be able to source the AWS region and thus cause the application to crash and exit.

### What does it implement?
This PR adds an override to the addContainer method when using the Ec2TaskDefinition to add in the AWS_REGION environment variable to the container if the network mode is set as AWS_VPC. The region is sourced by referencing the stack which includes this construct at synth time. This environment variable is only required in the EC2 Capacity Provider mode and not in Fargate, as this issue of not being able to source the region on startup is only present when using the EC2 Capacity Provider with the AWS_VPC networking mode. The initial issue addresses this during the `addAsgCapacityProvider` action which targets the cluster. However, we cannot mutate the task definition at that point in time; thus, this change addresses it when the task definition is actually added to a service that meets all the requirements whereby the failure to source the region will occur.

Updated the relevant integration tests to reflect the new environment variable being created alongside user-defined environment variables.

Closes #28270

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
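
A check for the condition described in the commit message above, as an added example (not code from the PR or from aws-cdk): it scans a synthesized CloudFormation template for `AWS::ECS::TaskDefinition` resources in `awsvpc` mode on EC2 whose containers lack `AWS_REGION`. The sample template, its logical IDs and container names are constructed, and treating an unspecified `RequiresCompatibilities` as EC2 is an assumption.

```typescript
type EnvVar = { Name: string; Value?: unknown };
type Container = { Name: string; Environment?: EnvVar[] };
type Resource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Resource> };
type Finding = { taskDefinition: string; container: string };

// Report EC2 + awsvpc containers whose Environment lacks AWS_REGION.
function findContainersMissingRegion(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== 'AWS::ECS::TaskDefinition') continue;
    const props = res.Properties || {};
    const compat: string[] = props.RequiresCompatibilities || [];
    // Assumption: a missing RequiresCompatibilities is treated as EC2.
    const onEc2 = compat.length === 0 || compat.indexOf('EC2') !== -1;
    // Per the PR text only EC2 + awsvpc is affected; Fargate is not.
    if (props.NetworkMode !== 'awsvpc' || !onEc2) continue;
    const containers: Container[] = props.ContainerDefinitions || [];
    for (const c of containers) {
      const env = c.Environment || [];
      if (!env.some((e) => e.Name === 'AWS_REGION')) {
        findings.push({ taskDefinition: logicalId, container: c.Name });
      }
    }
  }
  return findings;
}

// Constructed sample template; logical IDs and container names are made up.
const sampleTemplate: Template = {
  Resources: {
    WebTaskDef: { Type: 'AWS::ECS::TaskDefinition', Properties: {
      NetworkMode: 'awsvpc', RequiresCompatibilities: ['EC2'],
      ContainerDefinitions: [
        { Name: 'web', Environment: [{ Name: 'AWS_REGION', Value: { Ref: 'AWS::Region' } }] },
        { Name: 'otel-sidecar', Environment: [{ Name: 'LOG_LEVEL', Value: 'info' }] },
      ] } },
    FargateTaskDef: { Type: 'AWS::ECS::TaskDefinition', Properties: {
      NetworkMode: 'awsvpc', RequiresCompatibilities: ['FARGATE'],
      ContainerDefinitions: [{ Name: 'api' }] } },
    BridgeTaskDef: { Type: 'AWS::ECS::TaskDefinition', Properties: {
      NetworkMode: 'bridge', RequiresCompatibilities: ['EC2'],
      ContainerDefinitions: [{ Name: 'worker' }] } },
  },
};

console.log(findContainersMissingRegion(sampleTemplate));
```

Run against the output of `cdk synth`, an empty result means every affected container already carries the variable, whether injected by the library or set by hand.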
The .NET docstring generator fails to escape the stray `\`, leading to a compilation error:

```
#STDOUT> /tmp/npm-packYlIY9W/Amazon.CDK.Lib/Amazon/CDK/AWS/Lambda/FunctionOptions.cs(437,339): error CS1009: Unrecognized escape sequence [/tmp/npm-packYlIY9W/Amazon.CDK.Lib/Amazon.CDK.Lib.csproj]
```

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@aws-cdk-automation aws-cdk-automation added auto-approve pr/no-squash This PR should be merged instead of squash-merging it labels Jan 18, 2024
@github-actions github-actions bot added the p2 label Jan 18, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team January 18, 2024 11:04
@aws-cdk-automation
Collaborator Author

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: dc2dde6
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Contributor

mergify bot commented Jan 18, 2024

Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 7e77e02 into v2-release Jan 18, 2024
28 of 29 checks passed
@mergify mergify bot deleted the bump/2.122.0 branch January 18, 2024 11:30