chore(release): reset #33135

moelasmar · 2025-01-24T12:49:06Z

No description provided.

This PR does not currently change CLI functionality. The function `convertToCliArgs` is not used in the CLI yet which is why this PR is not fixing a regression. It will eventually be used to strongly-type cli arguments. Previously, aliased commands, like `cdk ack` instead of `cdk acknowledge` would fall through the cracks of the generated convert function. The switch statement was only switching on command names so we would not store any options associated with an aliased command. Specifically, `cdk synth --exclusively` would _not_ store the `exclusively` flag in the ensuing `CliArguments` object because `synth` is an alias. Now we do. This is an additional step forward to being able to use `CliArguments` in `cli.ts` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This PR does not change the functionality of the CLI (yet) It does however articulate a schema for what `cdk.json` should look like in the future. I'm aware that we honor a slightly different set of rules in `cdk.json` that _is not documented anywhere_, and we will have to honor those rules ad-hoc. However, this will hopefully move us towards a strongly-typed future where `cdk.json` contents mirror CLI argument options. - global options are specified at the base level of `cdk.json` - command specific options will be prefixed by their command name. NOTE: some options are honored at the base level today. I will have to, in a separate PR, find each of these instances and take care of them but ensuring we still map them to the correct place in `CliArguments`. ```json { "app": "npx ts-node -P tsconfig.json --prefer-ts-exts src/main.ts", "output": "cdk.out", "build": "npx projen bundle", "watch": { "exclude": [ "README.md", "cdk*.json", "**/*.d.ts", "**/*.js", "tsconfig.json", "package*.json", "yarn.lock", "node_modules" ] } ``` This will turn into the following `CliArgument` object: ```ts { globalOptions: { app: 'npx ts-node -P tsconfig.json --prefer-ts-exts src/main.ts', output: 'cdk.out', build: 'npx projen bundle', watch: { exclude: [ "README.md", "cdk*.json", "**/*.d.ts", "**/*.js", "tsconfig.json", "package*.json", "yarn.lock", "node_modules", ], }, }; ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --------- Co-authored-by: Momo Kornher <[email protected]>

### Issue # (if applicable) None ### Reason for this change AWS AppConfig environment supports [deletion protection](https://docs.aws.amazon.com/appconfig/latest/userguide/deletion-protection.html) and this feature is not configurable from AWS CDK. ### Description of changes - Add `DeletionProtectionCheck` enum - Add `deletionProtectionCheck` prop to `EnvironmentOption` There are two entities, `EnvironmentOptions` and `EnvironmentProps`, where `EnvironmentProps` is designed as an extension of `EnvironmentOptions` with the addition of an `application` prop. ```ts export interface EnvironmentProps extends EnvironmentOptions { /** * The application to be associated with the environment. */ readonly application: IApplication; } abstract class ApplicationBase extends cdk.Resource implements IApplication, IExtensible { public addEnvironment(id: string, options: EnvironmentOptions = {}): IEnvironment { return new Environment(this, id, { application: this, ...options, }); } ``` Therefore, the current argument addition has also been made to `EnvironmentOptions`. ### Describe any new or updated permissions being added None ### Description of how you validated changes Add both unit and integ test. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.175.0/CHANGELOG.md)

… does not allow IPv6 inbound traffic (under feature flag) (#32765) ### Issue # (if applicable) Closes #32197 . ### Reason for this change Default generated security group ingress rules for open, dual-stack-without-public-ipv4 ALB does not allow IPv6 traffic. Only a rule for IPv4 ingress traffic is added to the security group rules currently. ### Description of changes Introduced a new feature flag which is enabled by default so that default generated security group ingress rules now have an additional rule that allows IPv6 ingress from anywhere. ### Describe any new or updated permissions being added No new IAM permissions. Added IPv6 security group ingress rules for open, internet-facing ALBs if IP address type is `dual-stack-without-public-ipv4` and feature flag is set to `true` (default). ### Description of how you validated changes Added unit test which checks the security group rules for both cases where feature flag is enabled/disabled. Updated integration test snapshot. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- Co-authored-by: Clare Liguori <[email protected]> *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This PR does not change CLI functionality because we are not using `CliArguments` yet. This PR includes the following related changes: - `CliArguments` are renamed `UserInput` to reflect what the schema represents -- they are options available to be specified via CLI options or `cdk.json`. - the tool previously known as `cli-arg-gen` is now named `user-input-gen` to reflect this change. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…32823) As a product we have standardized on `cdk synth`. This change reflects that while not changing behavior of the CDK CLI at all. It will however matter for the behavior of a future feature where we allow defaults specified in a schematic way in `cdk.json`. The payoff is that instead of requiring `synthesize: { ... }` we instead will require `synth: { ... }`. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This does not change CLI functionality because `UserInput` is not in use yet. Since we have full control over `UserInput`, i.e. we control the input functions from the CLI or `cdk.json`, we can rename properties however we like. `_` is a relic of `yargs`, we do not need to maintain that convention. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue #32210 Closes #32210 ### Reason for this change Incorrect grammar in a SnapStart warning that appears during cdk deployment. ### Description of changes Corrected the line: `SnapStart only support published Lambda versions. Ignore if function already have published versions` to: `SnapStart only supports published Lambda versions. Ignore if function already has published versions.` ### Describe any new or updated permissions being added No permissions changes. ### Description of how you validated changes No testing needed, only changed text in a warning. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…terScalabilityType (#32825) ### Issue #32415 Closes #32415 . ### Reason for this change Misspelling of the `ClusterScalabilityType` type, enum, and prop. ### Description of changes Deprecated misspellings of **ClusterScailabilityType**/**clusterScailabilityType** and aliased the misspelling for backwards compatibility. The misspelled name will be removed in the next MV release. ### Describe any new or updated permissions being added No permissions changes. ### Description of how you validated changes Added unit tests for the new spelling (ClusterScalabilityType/clusterScalabilityType), and kept unit tests that tested the misspelling. ```zsh # in packages/aws-cdk-lib yarn test aws-rds ``` <img width="822" alt="Screenshot 2025-01-09 at 16 10 04" src="https://github.com/user-attachments/assets/9626a0c1-0a5f-45fb-a052-1b1697a5fbdd" /> Ran the relevant integration test. ```zsh # in packages/@aws-cdk-testing/framework-integ yarn integ test/aws-rds/test/integ.cluster-limitless.js ``` <img width="916" alt="Screenshot 2025-01-09 at 17 03 44" src="https://github.com/user-attachments/assets/0ed33a38-f6d8-44ee-a210-81e37af5439f" /> Ran Rosetta to verify README changes. ```zsh ./scripts/run-rosetta.sh ``` No complications from README changes in these commits. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) N/A ### Reason for this change Fixed typos in the README.md ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Reverts #32636 It leads to a problem in case of applications where there are no top-level stacks, but only stacks in nested stages: #32836. Closes #32836.

### Issue # (if applicable) ### Reason for this change There's a duplicate entry in Feature flag markdown file. ### Description of changes Remove duplicate entry ### Description of how you validated changes N/A ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Removing the aws-iot1click package for the shut down service https://docs.aws.amazon.com/iot/latest/developerguide/iot-legacy-services.html This PR is required to fix the Spec update PR cdklabs/awscdk-service-spec#1559 I updated the Spec2Cdk tool to accept extra parameter to maintain the list of services we want to skip generating them. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-appconfig │ └ resources │ └[~] resource AWS::AppConfig::Deployment │ ├ attributes │ │ └[-] Id: string │ └ types │ └[~] type Tags │ ├ - documentation: Metadata to assign to the deployment strategy. Tags help organize and categorize your AWS AppConfig resources. Each tag consists of a key and an optional value, both of which you define. │ │ + documentation: undefined │ └ properties │ ├ Key: (documentation changed) │ └ Value: (documentation changed) ├[~] service aws-appsync │ └ resources │ └[~] resource AWS::AppSync::DataSource │ └ properties │ └ ServiceRoleArn: (documentation changed) ├[~] service aws-backup │ └ resources │ └[~] resource AWS::Backup::LogicallyAirGappedBackupVault │ ├ properties │ │ ├[-] VaultState: string │ │ └[-] VaultType: string │ └ attributes │ ├[+] VaultState: string │ └[+] VaultType: string ├[~] service aws-cleanrooms │ └ resources │ ├[~] resource AWS::CleanRooms::Collaboration │ │ ├ properties │ │ │ └ CreatorMLMemberAbilities: (documentation changed) │ │ └ types │ │ ├[~] type MemberSpecification │ │ │ └ properties │ │ │ └ MLMemberAbilities: (documentation changed) │ │ ├[~] type MLMemberAbilities │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: The ML member abilities for a collaboration member. │ │ │ └ properties │ │ │ └ CustomMLMemberAbilities: (documentation changed) │ │ ├[~] type MLPaymentConfig │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: An object representing the collaboration member's machine learning payment responsibilities set by the collaboration creator. │ │ │ └ properties │ │ │ ├ ModelInference: (documentation changed) │ │ │ └ ModelTraining: (documentation changed) │ │ ├[~] type ModelInferencePaymentConfig │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: An object representing the collaboration member's model inference payment responsibilities set by the collaboration creator. │ │ │ └ properties │ │ │ └ IsResponsible: (documentation changed) │ │ ├[~] type ModelTrainingPaymentConfig │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: An object representing the collaboration member's model training payment responsibilities set by the collaboration creator. │ │ │ └ properties │ │ │ └ IsResponsible: (documentation changed) │ │ └[~] type PaymentConfiguration │ │ └ properties │ │ └ MachineLearning: (documentation changed) │ └[~] resource AWS::CleanRooms::Membership │ └ types │ ├[~] type MembershipMLPaymentConfig │ │ ├ - documentation: undefined │ │ │ + documentation: An object representing the collaboration member's machine learning payment responsibilities set by the collaboration creator. │ │ └ properties │ │ ├ ModelInference: (documentation changed) │ │ └ ModelTraining: (documentation changed) │ ├[~] type MembershipModelInferencePaymentConfig │ │ ├ - documentation: undefined │ │ │ + documentation: An object representing the collaboration member's model inference payment responsibilities set by the collaboration creator. │ │ └ properties │ │ └ IsResponsible: (documentation changed) │ ├[~] type MembershipModelTrainingPaymentConfig │ │ ├ - documentation: undefined │ │ │ + documentation: An object representing the collaboration member's model training payment responsibilities set by the collaboration creator. │ │ └ properties │ │ └ IsResponsible: (documentation changed) │ └[~] type MembershipPaymentConfiguration │ └ properties │ └ MachineLearning: (documentation changed) ├[~] service aws-cloudformation │ └ resources │ └[~] resource AWS::CloudFormation::Macro │ └ properties │ └ LogGroupName: (documentation changed) ├[~] service aws-cloudwatch │ └ resources │ ├[~] resource AWS::CloudWatch::Alarm │ │ ├ properties │ │ │ └ Period: (documentation changed) │ │ └ types │ │ ├[~] type MetricDataQuery │ │ │ └ properties │ │ │ └ Period: (documentation changed) │ │ └[~] type MetricStat │ │ └ properties │ │ └ Period: (documentation changed) │ └[~] resource AWS::CloudWatch::AnomalyDetector │ └ types │ ├[~] type MetricDataQuery │ │ └ properties │ │ └ Period: (documentation changed) │ └[~] type MetricStat │ └ properties │ └ Period: (documentation changed) ├[~] service aws-cognito │ └ resources │ ├[~] resource AWS::Cognito::LogDeliveryConfiguration │ │ ├ - documentation: Sets up or modifies the logging configuration of a user pool. User pools can export user notification logs and advanced security features user activity logs. │ │ │ + documentation: Sets up or modifies the logging configuration of a user pool. User pools can export user notification logs and, when threat protection is active, user-activity logs. For more information, see [Exporting user pool logs](https://docs.aws.amazon.com/cognito/latest/developerguide/exporting-quotas-and-usage.html) . │ │ └ types │ │ ├[~] type FirehoseConfiguration │ │ │ ├ - documentation: Configuration for the Amazon Data Firehose stream destination of user activity log export with advanced security features. │ │ │ │ + documentation: Configuration for the Amazon Data Firehose stream destination of user activity log export with threat protection. │ │ │ └ properties │ │ │ └ StreamArn: (documentation changed) │ │ ├[~] type LogConfiguration │ │ │ ├ - documentation: The configuration of user event logs to an external AWS service like Amazon Data Firehose, Amazon S3, or Amazon CloudWatch Logs. │ │ │ │ This data type is a request parameter of [SetLogDeliveryConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html) and a response parameter of [GetLogDeliveryConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html) . │ │ │ │ + documentation: The configuration of user event logs to an external AWS service like Amazon Data Firehose, Amazon S3, or Amazon CloudWatch Logs. │ │ │ │ This data type is a request parameter of `API_SetLogDeliveryConfiguration` and a response parameter of `API_GetLogDeliveryConfiguration` . │ │ │ └ properties │ │ │ ├ CloudWatchLogsConfiguration: (documentation changed) │ │ │ ├ FirehoseConfiguration: (documentation changed) │ │ │ └ S3Configuration: (documentation changed) │ │ └[~] type S3Configuration │ │ ├ - documentation: Configuration for the Amazon S3 bucket destination of user activity log export with advanced security features. │ │ │ + documentation: Configuration for the Amazon S3 bucket destination of user activity log export with threat protection. │ │ └ properties │ │ └ BucketArn: (documentation changed) │ ├[~] resource AWS::Cognito::ManagedLoginBranding │ │ └ types │ │ └[~] type AssetType │ │ └ - documentation: An image file from a managed login branding style in a user pool. │ │ This data type is a request parameter of [CreateManagedLoginBranding](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateManagedLoginBranding.html) and [UpdateManagedLoginBranding](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateManagedLoginBranding.html) , and a response parameter of [DescribeManagedLoginBranding](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeManagedLoginBranding.html) . │ │ + documentation: An image file from a managed login branding style in a user pool. │ │ This data type is a request parameter of `API_CreateManagedLoginBranding` and `API_UpdateManagedLoginBranding` , and a response parameter of `API_DescribeManagedLoginBranding` . │ ├[~] resource AWS::Cognito::UserPool │ │ ├ properties │ │ │ ├ AdminCreateUserConfig: (documentation changed) │ │ │ ├ AliasAttributes: (documentation changed) │ │ │ ├ AutoVerifiedAttributes: (documentation changed) │ │ │ ├ MfaConfiguration: (documentation changed) │ │ │ ├ Policies: (documentation changed) │ │ │ ├ SmsConfiguration: (documentation changed) │ │ │ ├ UserPoolAddOns: (documentation changed) │ │ │ └ UserPoolName: (documentation changed) │ │ └ types │ │ ├[~] type AdminCreateUserConfig │ │ │ ├ - documentation: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire. │ │ │ │ This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) . │ │ │ │ + documentation: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire. │ │ │ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ │ └ properties │ │ │ ├ AllowAdminCreateUserOnly: (documentation changed) │ │ │ └ UnusedAccountValidityDays: (documentation changed) │ │ ├[~] type AdvancedSecurityAdditionalFlows │ │ │ ├ - documentation: Advanced security configuration options for additional authentication types in your user pool, including custom authentication. │ │ │ │ + documentation: Threat protection configuration options for additional authentication types in your user pool, including custom authentication. │ │ │ └ properties │ │ │ └ CustomAuthMode: (documentation changed) │ │ ├[~] type DeviceConfiguration │ │ │ ├ - documentation: The device-remembering configuration for a user pool. A [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) request returns a null value for this object when the user pool isn't configured to remember devices. When device remembering is active, you can remember a user's device with a [ConfirmDevice](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmDevice.html) API request. Additionally. when the property `DeviceOnlyRememberedOnUserPrompt` is `true` , you must follow `ConfirmDevice` with an [UpdateDeviceStatus](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateDeviceStatus.html) API request that sets the user's device to `remembered` or `not_remembered` . │ │ │ │ To sign in with a remembered device, include `DEVICE_KEY` in the authentication parameters in your user's [InitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html) request. If your app doesn't include a `DEVICE_KEY` parameter, the [response](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html#API_InitiateAuth_ResponseSyntax) from Amazon Cognito includes newly-generated `DEVICE_KEY` and `DEVICE_GROUP_KEY` values under `NewDeviceMetadata` . Store these values to use in future device-authentication requests. │ │ │ │ > When you provide a value for any property of `DeviceConfiguration` , you activate the device remembering for the user pool. │ │ │ │ > │ │ │ │ > This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) . │ │ │ │ + documentation: The device-remembering configuration for a user pool. │ │ │ │ A `API_DescribeUserPool` request returns a null value for this object when the user pool isn't configured to remember devices. When device remembering is active, you can remember a user's device with a `API_ConfirmDevice` API request. Additionally. when the property `DeviceOnlyRememberedOnUserPrompt` is `true` , you must follow `ConfirmDevice` with an `API_UpdateDeviceStatus` API request that sets the user's device to `remembered` or `not_remembered` . │ │ │ │ To sign in with a remembered device, include `DEVICE_KEY` in the authentication parameters in your user's `API_InitiateAuth` request. If your app doesn't include a `DEVICE_KEY` parameter, the `API_InitiateAuth` from Amazon Cognito includes newly-generated `DEVICE_KEY` and `DEVICE_GROUP_KEY` values under `NewDeviceMetadata` . Store these values to use in future device-authentication requests. │ │ │ │ > When you provide a value for any property of `DeviceConfiguration` , you activate the device remembering for the user pool. │ │ │ │ > │ │ │ │ > This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ │ └ properties │ │ │ └ DeviceOnlyRememberedOnUserPrompt: (documentation changed) │ │ ├[~] type LambdaConfig │ │ │ └ - documentation: A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of user pool operations. Triggers can modify the outcome of the operations that invoked them. │ │ │ This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) . │ │ │ + documentation: A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of user pool operations. Triggers can modify the outcome of the operations that invoked them. │ │ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ ├[~] type NumberAttributeConstraints │ │ │ └ - documentation: The minimum and maximum values of an attribute that is of the number type, for example `custom:age` . │ │ │ This data type is part of [SchemaAttributeType](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SchemaAttributeType.html) . It defines the length constraints on number-type attributes that you configure in [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and displays the length constraints of all number-type attributes in the response to [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) │ │ │ + documentation: The minimum and maximum values of an attribute that is of the number type, for example `custom:age` . │ │ │ This data type is part of `API_SchemaAttributeType` . It defines the length constraints on number-type attributes that you configure in `API_CreateUserPool` and `API_UpdateUserPool` , and displays the length constraints of all number-type attributes in the response to `API_DescribeUserPool` │ │ ├[~] type PasswordPolicy │ │ │ ├ - documentation: The password policy settings for a user pool, including complexity, history, and length requirements. │ │ │ │ This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) . │ │ │ │ + documentation: The password policy settings for a user pool, including complexity, history, and length requirements. │ │ │ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ │ └ properties │ │ │ └ PasswordHistorySize: (documentation changed) │ │ ├[~] type Policies │ │ │ ├ - documentation: A list of user pool policies. Contains the policy that sets password-complexity requirements. │ │ │ │ This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) . │ │ │ │ + documentation: A list of user pool policies. Contains the policy that sets password-complexity requirements. │ │ │ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ │ └ properties │ │ │ └ SignInPolicy: (documentation changed) │ │ ├[~] type PreTokenGenerationConfig │ │ │ └ - documentation: The properties of a pre token generation Lambda trigger. │ │ │ This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) . │ │ │ + documentation: The properties of a pre token generation Lambda trigger. │ │ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ ├[~] type RecoveryOption │ │ │ └ - documentation: A recovery option for a user. The `AccountRecoverySettingType` data type is an array of this object. Each `RecoveryOptionType` has a priority property that determines whether it is a primary or secondary option. │ │ │ For example, if `verified_email` has a priority of `1` and `verified_phone_number` has a priority of `2` , your user pool sends account-recovery messages to a verified email address but falls back to an SMS message if the user has a verified phone number. The `admin_only` option prevents self-service account recovery. │ │ │ This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) . │ │ │ + documentation: A recovery option for a user. The `AccountRecoverySettingType` data type is an array of this object. Each `RecoveryOptionType` has a priority property that determines whether it is a primary or secondary option. │ │ │ For example, if `verified_email` has a priority of `1` and `verified_phone_number` has a priority of `2` , your user pool sends account-recovery messages to a verified email address but falls back to an SMS message if the user has a verified phone number. The `admin_only` option prevents self-service account recovery. │ │ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ ├[~] type SchemaAttribute │ │ │ └ - documentation: A list of the user attributes and their properties in your user pool. The attribute schema contains standard attributes, custom attributes with a `custom:` prefix, and developer attributes with a `dev:` prefix. For more information, see [User pool attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html) . │ │ │ Developer-only `dev:` attributes are a legacy feature of user pools, and are read-only to all app clients. You can create and update developer-only attributes only with IAM-authenticated API operations. Use app client read/write permissions instead. │ │ │ This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) . │ │ │ + documentation: A list of the user attributes and their properties in your user pool. The attribute schema contains standard attributes, custom attributes with a `custom:` prefix, and developer attributes with a `dev:` prefix. For more information, see [User pool attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html) . │ │ │ Developer-only `dev:` attributes are a legacy feature of user pools, and are read-only to all app clients. You can create and update developer-only attributes only with IAM-authenticated API operations. Use app client read/write permissions instead. │ │ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ ├[~] type SignInPolicy │ │ │ └ - documentation: The policy for allowed types of authentication in a user pool. To activate this setting, your user pool must be in the [Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher. │ │ │ This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) . │ │ │ + documentation: The policy for allowed types of authentication in a user pool. To activate this setting, your user pool must be in the [Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher. │ │ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ ├[~] type SmsConfiguration │ │ │ └ - documentation: User pool configuration for delivery of SMS messages with Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account . │ │ │ This data type is a request parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) , [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and [SetUserPoolMfaConfig](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html) , and a response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) , [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and [GetUserPoolMfaConfig](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUserPoolMfaConfig.html) . │ │ │ + documentation: User pool configuration for delivery of SMS messages with Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account . │ │ │ This data type is a request parameter of `API_CreateUserPool` , `API_UpdateUserPool` , and `API_SetUserPoolMfaConfig` , and a response parameter of `API_CreateUserPool` , `API_UpdateUserPool` , and `API_GetUserPoolMfaConfig` . │ │ ├[~] type StringAttributeConstraints │ │ │ └ - documentation: The minimum and maximum length values of an attribute that is of the string type, for example `custom:department` . │ │ │ This data type is part of [SchemaAttributeType](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SchemaAttributeType.html) . It defines the length constraints on string-type attributes that you configure in [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and displays the length constraints of all string-type attributes in the response to [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) │ │ │ + documentation: The minimum and maximum length values of an attribute that is of the string type, for example `custom:department` . │ │ │ This data type is part of `API_SchemaAttributeType` . It defines the length constraints on string-type attributes that you configure in `API_CreateUserPool` and `API_UpdateUserPool` , and displays the length constraints of all string-type attributes in the response to `API_DescribeUserPool` │ │ ├[~] type UserAttributeUpdateSettings │ │ │ └ properties │ │ │ └ AttributesRequireVerificationBeforeUpdate: (documentation changed) │ │ ├[~] type UsernameConfiguration │ │ │ └ - documentation: Case sensitivity of the username input for the selected sign-in option. When case sensitivity is set to `False` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, `username` , `USERNAME` , or `UserName` , or for email, `[email protected]` or `[email protected]` . For most use cases, set case sensitivity to `False` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user. │ │ │ This configuration is immutable after you set it. For more information, see [UsernameConfigurationType](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html) . │ │ │ + documentation: Case sensitivity of the username input for the selected sign-in option. When case sensitivity is set to `False` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, `username` , `USERNAME` , or `UserName` , or for email, `[email protected]` or `[email protected]` . For most use cases, set case sensitivity to `False` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user. │ │ │ This configuration is immutable after you set it. For more information, see `API_UsernameConfigurationType` . │ │ ├[~] type UserPoolAddOns │ │ │ ├ - documentation: User pool add-ons. Contains settings for activation of threat protection. To log user security information but take no action, set to `AUDIT` . To configure automatic security responses to risky traffic to your user pool, set to `ENFORCED` . │ │ │ │ For more information, see [Adding advanced security to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) . To activate this setting, your user pool must be on the [Plus tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html) . │ │ │ │ This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) . │ │ │ │ + documentation: Contains settings for activation of threat protection, including the operating mode and additional authentication types. To log user security information but take no action, set to `AUDIT` . To configure automatic security responses to potentially unwanted traffic to your user pool, set to `ENFORCED` . │ │ │ │ For more information, see [Adding advanced security to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) . To activate this setting, your user pool must be on the [Plus tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html) . │ │ │ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ │ └ properties │ │ │ ├ AdvancedSecurityAdditionalFlows: (documentation changed) │ │ │ └ AdvancedSecurityMode: (documentation changed) │ │ └[~] type VerificationMessageTemplate │ │ └ - documentation: The template for the verification message that your user pool delivers to users who set an email address or phone number attribute. │ │ This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) . │ │ + documentation: The template for the verification message that your user pool delivers to users who set an email address or phone number attribute. │ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ ├[~] resource AWS::Cognito::UserPoolClient │ │ ├ properties │ │ │ ├ AllowedOAuthFlows: (documentation changed) │ │ │ ├ AllowedOAuthFlowsUserPoolClient: (documentation changed) │ │ │ ├ AllowedOAuthScopes: (documentation changed) │ │ │ ├ CallbackURLs: (documentation changed) │ │ │ ├ EnablePropagateAdditionalUserContextData: (documentation changed) │ │ │ ├ EnableTokenRevocation: (documentation changed) │ │ │ ├ ExplicitAuthFlows: (documentation changed) │ │ │ ├ GenerateSecret: (documentation changed) │ │ │ ├ LogoutURLs: (documentation changed) │ │ │ ├ ReadAttributes: (documentation changed) │ │ │ ├ SupportedIdentityProviders: (documentation changed) │ │ │ └ WriteAttributes: (documentation changed) │ │ └ types │ │ ├[~] type AnalyticsConfiguration │ │ │ └ - documentation: The settings for Amazon Pinpoint analytics configuration. With an analytics configuration, your application can collect user-activity metrics for user notifications with a Amazon Pinpoint campaign. │ │ │ Amazon Pinpoint isn't available in all AWS Regions. For a list of available Regions, see [Amazon Cognito and Amazon Pinpoint Region availability](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html#cognito-user-pools-find-region-mappings) . │ │ │ This data type is a request parameter of [CreateUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html) and [UpdateUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html) , and a response parameter of [DescribeUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html) . │ │ │ + documentation: The settings for Amazon Pinpoint analytics configuration. With an analytics configuration, your application can collect user-activity metrics for user notifications with a Amazon Pinpoint campaign. │ │ │ Amazon Pinpoint isn't available in all AWS Regions. For a list of available Regions, see [Amazon Cognito and Amazon Pinpoint Region availability](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html#cognito-user-pools-find-region-mappings) . │ │ │ This data type is a request parameter of `API_CreateUserPoolClient` and `API_UpdateUserPoolClient` , and a response parameter of `API_DescribeUserPoolClient` . │ │ └[~] type TokenValidityUnits │ │ └ - documentation: The time units you use when you set the duration of ID, access, and refresh tokens. The default unit for RefreshToken is days, and the default for ID and access tokens is hours. │ │ + documentation: The units that validity times are represented in. The default unit for refresh tokens is days, and the default for ID and access tokens are hours. │ ├[~] resource AWS::Cognito::UserPoolDomain │ │ ├ properties │ │ │ ├ CustomDomainConfig: (documentation changed) │ │ │ ├ Domain: (documentation changed) │ │ │ └ UserPoolId: (documentation changed) │ │ └ types │ │ └[~] type CustomDomainConfigType │ │ └ - documentation: The configuration for a hosted UI custom domain. │ │ This data type is a request parameter of [CreateUserPoolDomain](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolDomain.html) and [UpdateUserPoolDomain](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolDomain.html) . │ │ + documentation: The configuration for a hosted UI custom domain. │ │ This data type is a request parameter of `API_CreateUserPoolDomain` and `API_UpdateUserPoolDomain` . │ ├[~] resource AWS::Cognito::UserPoolGroup │ │ └ - documentation: A user pool group. Contains details about the group and the way that it contributes to IAM role decisions with identity pools. Identity pools can make decisions about the IAM role to assign based on groups: users get credentials for the role associated with their highest-priority group. │ │ This data type is a response parameter of [AdminListGroupsForUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListGroupsForUser.html) , [CreateGroup](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateGroup.html) , [GetGroup](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetGroup.html) , [ListGroups](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListGroups.html) , and [UpdateGroup](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateGroup.html) . │ │ + documentation: A user pool group. Contains details about the group and the way that it contributes to IAM role decisions with identity pools. Identity pools can make decisions about the IAM role to assign based on groups: users get credentials for the role associated with their highest-priority group. │ │ This data type is a response parameter of `API_AdminListGroupsForUser` , `API_CreateGroup` , `API_GetGroup` , `API_ListGroups` , and `API_UpdateGroup` . │ ├[~] resource AWS::Cognito::UserPoolResourceServer │ │ └ types │ │ └[~] type ResourceServerScopeType │ │ └ - documentation: One custom scope associated with a user pool resource server. This data type is a member of `ResourceServerScopeType` . For more information, see [Scopes, M2M, and API authorization with resource servers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html) . │ │ This data type is a request parameter of [CreateResourceServer](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateResourceServer.html) and a response parameter of [DescribeResourceServer](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeResourceServer.html) . │ │ + documentation: One custom scope associated with a user pool resource server. This data type is a member of `ResourceServerScopeType` . For more information, see [Scopes, M2M, and API authorization with resource servers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html) . │ │ This data type is a request parameter of `API_CreateResourceServer` and a response parameter of `API_DescribeResourceServer` . │ ├[~] resource AWS::Cognito::UserPoolRiskConfigurationAttachment │ │ ├ properties │ │ │ ├ AccountTakeoverRiskConfiguration: (documentation changed) │ │ │ └ CompromisedCredentialsRiskConfiguration: (documentation changed) │ │ └ types │ │ ├[~] type AccountTakeoverActionsType │ │ │ ├ - documentation: A list of account-takeover actions for each level of risk that Amazon Cognito might assess with advanced security features. │ │ │ │ This data type is a request parameter of [SetRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html) and a response parameter of [DescribeRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html) . │ │ │ │ + documentation: A list of account-takeover actions for each level of risk that Amazon Cognito might assess with threat protection features. │ │ │ │ This data type is a request parameter of `API_SetRiskConfiguration` and a response parameter of `API_DescribeRiskConfiguration` . │ │ │ └ properties │ │ │ ├ HighAction: (documentation changed) │ │ │ ├ LowAction: (documentation changed) │ │ │ └ MediumAction: (documentation changed) │ │ ├[~] type AccountTakeoverActionType │ │ │ └ - documentation: The automated response to a risk level for adaptive authentication in full-function, or `ENFORCED` , mode. You can assign an action to each risk level that advanced security features evaluates. │ │ │ This data type is a request parameter of [SetRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html) and a response parameter of [DescribeRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html) . │ │ │ + documentation: The automated response to a risk level for adaptive authentication in full-function, or `ENFORCED` , mode. You can assign an action to each risk level that threat protection evaluates. │ │ │ This data type is a request parameter of `API_SetRiskConfiguration` and a response parameter of `API_DescribeRiskConfiguration` . │ │ ├[~] type AccountTakeoverRiskConfigurationType │ │ │ ├ - documentation: The settings for automated responses and notification templates for adaptive authentication with advanced security features. │ │ │ │ This data type is a request parameter of [SetRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html) and a response parameter of [DescribeRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html) . │ │ │ │ + documentation: The settings for automated responses and notification templates for adaptive authentication with threat protection features. │ │ │ │ This data type is a request parameter of `API_SetRiskConfiguration` and a response parameter of `API_DescribeRiskConfiguration` . │ │ │ └ properties │ │ │ ├ Actions: (documentation changed) │ │ │ └ NotifyConfiguration: (documentation changed) │ │ ├[~] type CompromisedCredentialsActionsType │ │ │ └ - documentation: Settings for user pool actions when Amazon Cognito detects compromised credentials with advanced security features in full-function `ENFORCED` mode. │ │ │ This data type is a request parameter of [SetRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html) and a response parameter of [DescribeRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html) . │ │ │ + documentation: Settings for user pool actions when Amazon Cognito detects compromised credentials with threat protection in full-function `ENFORCED` mode. │ │ │ This data type is a request parameter of `API_SetRiskConfiguration` and a response parameter of `API_DescribeRiskConfiguration` . │ │ ├[~] type CompromisedCredentialsRiskConfigurationType │ │ │ └ - documentation: Settings for compromised-credentials actions and authentication-event sources with advanced security features in full-function `ENFORCED` mode. │ │ │ This data type is a request parameter of [SetRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html) and a response parameter of [DescribeRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html) . │ │ │ + documentation: Settings for compromised-credentials actions and authentication-event sources with threat protection in full-function `ENFORCED` mode. │ │ │ This data type is a request parameter of `API_SetRiskConfiguration` and a response parameter of `API_DescribeRiskConfiguration` . │ │ ├[~] type NotifyConfigurationType │ │ │ └ - documentation: The configuration for Amazon SES email messages that advanced security features sends to a user when your adaptive authentication automated response has a *Notify* action. │ │ │ This data type is a request parameter of [SetRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html) and a response parameter of [DescribeRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html) . │ │ │ + documentation: The configuration for Amazon SES email messages that threat protection sends to a user when your adaptive authentication automated response has a *Notify* action. │ │ │ This data type is a request parameter of `API_SetRiskConfiguration` and a response parameter of `API_DescribeRiskConfiguration` . │ │ ├[~] type NotifyEmailType │ │ │ └ - documentation: The template for email messages that advanced security features sends to a user when your threat protection automated response has a *Notify* action. │ │ │ This data type is a request parameter of [SetRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html) and a response parameter of [DescribeRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html) . │ │ │ + documentation: The template for email messages that threat protection sends to a user when your threat protection automated response has a *Notify* action. │ │ │ This data type is a request parameter of `API_SetRiskConfiguration` and a response parameter of `API_DescribeRiskConfiguration` . │ │ └[~] type RiskExceptionConfigurationType │ │ └ - documentation: Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges. │ │ This data type is a request parameter of [SetRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html) and a response parameter of [DescribeRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html) . │ │ + documentation: Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges. │ │ This data type is a request parameter of `API_SetRiskConfiguration` and a response parameter of `API_DescribeRiskConfiguration` . │ ├[~] resource AWS::Cognito::UserPoolUICustomizationAttachment │ │ ├ - documentation: A container for the UI customization information for the hosted UI in a user pool. │ │ │ This data type is a response parameter of [GetUICustomization](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html) . │ │ │ + documentation: A container for the UI customization information for the hosted UI in a user pool. │ │ │ This data type is a response parameter of `API_DescribeUserPoolClient` . │ │ └ properties │ │ ├ CSS: (documentation changed) │ │ └ UserPoolId: (documentation changed) │ └[~] resource AWS::Cognito::UserPoolUser │ ├ properties │ │ ├ UserAttributes: (documentation changed) │ │ └ ValidationData: (documentation changed) │ └ types │ └[~] type AttributeType │ └ - documentation: The name and value of a user attribute. │ This data type is a request parameter of [AdminUpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html) and [UpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html) . │ + documentation: The name and value of a user attribute. │ This data type is a request parameter of `API_AdminUpdateUserAttributes` and `API_UpdateUserAttributes` . ├[~] service aws-customerprofiles │ └ resources │ └[+] resource AWS::CustomerProfiles::EventTrigger │ ├ name: EventTrigger │ │ cloudFormationType: AWS::CustomerProfiles::EventTrigger │ │ documentation: An event trigger resource of Amazon Connect Customer Profiles │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ ├ properties │ │ ├ DomainName: string (required, immutable) │ │ ├ EventTriggerName: string (required, immutable) │ │ ├ ObjectTypeName: string (required) │ │ ├ Description: string │ │ ├ EventTriggerConditions: Array<EventTriggerCondition> (required) │ │ ├ EventTriggerLimits: EventTriggerLimits │ │ ├ SegmentFilter: string │ │ └ Tags: Array<tag> │ ├ attributes │ │ ├ CreatedAt: string │ │ └ LastUpdatedAt: string │ └ types │ ├ type EventTriggerCondition │ │ ├ documentation: Specifies the circumstances under which the event should trigger the destination. │ │ │ name: EventTriggerCondition │ │ └ properties │ │ ├ EventTriggerDimensions: Array<EventTriggerDimension> (required) │ │ └ LogicalOperator: string (required) │ ├ type EventTriggerDimension │ │ ├ documentation: A specific event dimension to be assessed. │ │ │ name: EventTriggerDimension │ │ └ properties │ │ └ ObjectAttributes: Array<ObjectAttribute> (required) │ ├ type EventTriggerLimits │ │ ├ documentation: Defines limits controlling whether an event triggers the destination, based on ingestion latency and the number of invocations per profile over specific time periods. │ │ │ name: EventTriggerLimits │ │ └ properties │ │ ├ EventExpiration: integer │ │ └ Periods: Array<Period> │ ├ type ObjectAttribute │ │ ├ documentation: The criteria that a specific object attribute must meet to trigger the destination. │ │ │ name: ObjectAttribute │ │ └ properties │ │ ├ Source: string │ │ ├ FieldName: string │ │ ├ ComparisonOperator: string (required) │ │ └ Values: Array<string> (required) │ └ type Period │ ├ documentation: Defines a limit and the time period during which it is enforced. │ │ name: Period │ └ properties │ ├ Unit: string (required) │ ├ Value: integer (required) │ ├ MaxInvocationsPerProfile: integer │ └ Unlimited: boolean ├[~] service aws-docdb │ └ resources │ └[~] resource AWS::DocDB::DBCluster │ └ properties │ ├ ManageMasterUserPassword: (documentation changed) │ ├ MasterUserSecretKmsKeyId: (documentation changed) │ └ RotateMasterUserPassword: (documentation changed) ├[~] service aws-dynamodb │ └ resources │ ├[~] resource AWS::DynamoDB::GlobalTable │ │ └ types │ │ └[~] type PointInTimeRecoverySpecification │ │ └ properties │ │ └[+] RecoveryPeriodInDays: integer │ └[~] resource AWS::DynamoDB::Table │ └ types │ └[~] type PointInTimeRecoverySpecification │ └ properties │ └ RecoveryPeriodInDays: (documentation changed) ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::EC2Fleet │ │ └ types │ │ └[~] type InstanceRequirementsRequest │ │ └ properties │ │ └ AcceleratorTypes: (documentation changed) │ ├[~] resource AWS::EC2::LaunchTemplate │ │ └ types │ │ └[~] type InstanceRequirements │ │ └ properties │ │ └ AcceleratorTypes: (documentation changed) │ └[~] resource AWS::EC2::SpotFleet │ └ types │ └[~] type InstanceRequirementsRequest │ └ properties │ └ AcceleratorTypes: (documentation changed) ├[~] service aws-healthlake │ └ resources │ └[~] resource AWS::HealthLake::FHIRDatastore │ ├ properties │ │ ├ DatastoreName: (documentation changed) │ │ ├ DatastoreTypeVersion: (documentation changed) │ │ ├ IdentityProviderConfiguration: (documentation changed) │ │ ├ PreloadDataConfig: (documentation changed) │ │ └ SseConfiguration: (documentation changed) │ └ types │ ├[~] type IdentityProviderConfiguration │ │ ├ - documentation: The identity provider configuration that you gave when the data store was created. │ │ │ + documentation: The identity provider configuration selected when the data store was created. │ │ └ properties │ │ ├ AuthorizationStrategy: (documentation changed) │ │ ├ FineGrainedAuthorizationEnabled: (documentation changed) │ │ ├ IdpLambdaArn: (documentation changed) │ │ └ Metadata: (documentation changed) │ ├[~] type KmsEncryptionConfig │ │ └ properties │ │ └ KmsKeyId: (documentation changed) │ ├[~] type PreloadDataConfig │ │ └ - documentation: Optional parameter to preload data upon creation of the data store. Currently, the only supported preloaded data is synthetic data generated from Synthea. │ │ + documentation: An optional parameter to preload (import) open source Synthea FHIR data upon creation of the data store. │ └[~] type SseConfiguration │ ├ - documentation: The server-side encryption key configuration for a customer provided encryption key. │ │ + documentation: The server-side encryption key configuration for a customer-provided encryption key. │ └ properties │ └ KmsEncryptionConfig: (documentation changed) ├[-] service aws-iot1click │ ├ capitalized: IoT1Click │ │ cloudFormationNamespace: AWS::IoT1Click │ │ name: aws-iot1click │ │ shortName: iot1click │ └ resources │ ├ resource AWS::IoT1Click::Device │ │ ├ name: Device │ │ │ cloudFormationType: AWS::IoT1Click::Device │ │ │ documentation: > AWS IoT 1-Click was discontinued on Dec 16, 2024. For more information, see [AWS IoT 1-Click](https://docs.aws.amazon.com//iot/latest/developerguide/iot-legacy-services.html) . │ │ │ The `AWS::IoT1Click::Device` resource controls the enabled state of an AWS IoT 1-Click compatible device. For more information, see [Device](https://docs.aws.amazon.com/iot-1-click/1.0/devices-apireference/devices-deviceid.html) in the *AWS IoT 1-Click Devices API Reference* . │ │ ├ properties │ │ │ ├ DeviceId: string (required, immutable) │ │ │ └ Enabled: boolean (required) │ │ └ attributes │ │ ├ DeviceId: string │ │ ├ Enabled: boolean │ │ └ Arn: string │ ├ resource AWS::IoT1Click::Placement │ │ ├ name: Placement │ │ │ cloudFormationType: AWS::IoT1Click::Placement │ │ │ documentation: > AWS IoT 1-Click was discontinued on Dec 16, 2024. For more information, see [AWS IoT 1-Click](https://docs.aws.amazon.com//iot/latest/developerguide/iot-legacy-services.html) . │ │ │ The `AWS::IoT1Click::Placement` resource creates a placement to be associated with an AWS IoT 1-Click project. A placement is an instance of a device in a location. For more information, see [Projects, Templates, and Placements](https://docs.aws.amazon.com/iot-1-click/latest/developerguide/1click-PTP.html) in the *AWS IoT 1-Click Developer Guide* . │ │ ├ properties │ │ │ ├ PlacementName: string (immutable) │ │ │ ├ ProjectName: string (required, immutable) │ │ │ ├ AssociatedDevices: json (immutable) │ │ │ └ Attributes: json │ │ └ attributes │ │ ├ PlacementName: string │ │ ├ ProjectName: string │ │ └ Id: string │ └ resource AWS::IoT1Click::Project │ ├ name: Project │ │ cloudFormationType: AWS::IoT1Click::Project │ │ documentation: > AWS IoT 1-Click was discontinued on Dec 16, 2024. For more information, see [AWS IoT 1-Click](https://docs.aws.amazon.com//iot/latest/developerguide/iot-legacy-services.html) . │ │ The `AWS::IoT1Click::Project` resource creates an empty project with a placement template. A project contains zero or more placements that adhere to the placement template defined in the project. For more information, see [CreateProject](https://docs.aws.amazon.com/iot-1-click/latest/projects-apireference/API_CreateProject.html) in the *AWS IoT 1-Click Projects API Reference* . │ ├ properties │ │ ├ Description: string │ │ ├ PlacementTemplate: PlacementTemplate (required) │ │ └ ProjectName: string (immutable) │ ├ attributes │ │ ├ ProjectName: string │ │ ├ Arn: string │ │ └ Id: string │ └ types │ ├ type DeviceTemplate │ │ ├ name: DeviceTemplate │ │ └ properties │ │ ├ DeviceType: string │ │ └ CallbackOverrides: json │ └ type PlacementTemplate │ ├ documentation: > AWS IoT 1-Click was discontinued on Dec 16, 2024. For more information, see [AWS IoT 1-Click](https://docs.aws.amazon.com//iot/latest/developerguide/iot-legacy-services.html) . │ │ In AWS CloudFormation , use the `PlacementTemplate` property type to define the template for an AWS IoT 1-Click project. │ │ `PlacementTemplate` is a property of the `AWS::IoT1Click::Project` resource. │ │ name: PlacementTemplate │ └ properties │ ├ DeviceTemplates: Map<string, DeviceTemplate> (immutable) │ └ DefaultAttributes: json ├[~] service aws-lex │ └ resources │ └[~] resource AWS::Lex::Bot │ ├ properties │ │ └[+] Replication: Replication │ └ types │ └[+] type Replication │ ├ documentation: Parameter used to create a replication of the source bot in the secondary region. │ │ name: Replication │ └ properties │ └ ReplicaRegions: Array<string> (required) ├[~] service aws-mediaconvert │ └ resources │ └[~] resource AWS::MediaConvert::Queue │ └ properties │ └ ConcurrentJobs: (documentation changed) ├[~] service aws-organizations │ └ resources │ └[~] resource AWS::Organizations::Organization │ └ properties │ └ FeatureSet: (documentation changed) ├[~] service aws-resiliencehub │ └ resources │ └[~] resource AWS::ResilienceHub::App │ └ properties │ └[+] RegulatoryPolicyArn: string ├[~] service aws-rolesanywhere │ └ resources │ └[~] resource AWS::RolesAnywhere::Profile │ └ properties │ └ RequireInstanceProperties: - boolean │ + boolean (immutable) ├[~] service aws-s3 │ └ resources │ └[~] resource AWS::S3::Bucket │ └ types │ └[~] type Transition │ └ properties │ └ TransitionInDays: (documentation changed) ├[~] service aws-ses │ └ resources │ └[~] resource AWS::SES::ConfigurationSet │ └ types │ └[~] type TrackingOptions │ └ properties │ └[+] HttpsPolicy: string ├[~] service aws-ssm │ └ resources │ └[~] resource AWS::SSM::Parameter │ ├ - documentation: The `AWS::SSM::Parameter` resource creates an SSM parameter in AWS Systems Manager Parameter Store. │ │ > To create an SSM parameter, you must have the AWS Identity and Access Management ( IAM ) permissions `ssm:PutParameter` and `ssm:AddTagsToResource` . On stack creation, AWS CloudFormation adds the following three tags to the parameter: `aws:cloudformation:stack-name` , `aws:cloudformation:logical-id` , and `aws:cloudformation:stack-id` , in addition to any custom tags you specify. │ │ > │ │ > To add, update, or remove tags during stack update, you must have IAM permissions for both `ssm:AddTagsToResource` and `ssm:RemoveTagsFromResource` . For more information, see [Managing Access Using Policies](https://docs.aws.amazon.com/systems-manager/latest/userguide/security-iam.html#security_iam_access-manage) in the *AWS Systems Manager User Guide* . │ │ For information about valid values for parameters, see [About requirements and constraints for parameter names]…

### Issue # (if applicable) None ### Reason for this change Fixed typos in code comments. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.175.1/CHANGELOG.md)

### Issue # (if applicable) None ### Reason for this change Fixed typos in code comments. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) N/A ### Reason for this change Fixed typos in error message. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

) The comment regarding IAM permissions was not properly commented out. So I've fixed. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) N/A ### Reason for this change Fixed typos in README and code comments. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) Closes #32618. ### Reason for this change Container Insights with enhanced observability was recently announced and released for ECS. Cloudformation and the L1 CFN construct support setting this at cluster level. This adds the Container Insights with enhanced observability as an option for the existing L2 Cluster construct. ### Description of changes ENHANCED was added to the ContainerInsights enum. A new containerInsightsV2 property was added to the Cluster construct with the type ContainerInsights. The existing containerInsights property was marked as deprecated. ### Description of how you validated changes Unit and Integration tests were added. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) N/A ### Reason for this change Fixed typos in code comments. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

#32674) Our current process for codecov statuses is that they block the merge of a PR if the are failing. This PR attempts to move this failure further forward in the PR process, so that the PRlinter fails and alerts the author. It also means that we can include an exemption label to merge a PR that we allow to be in breach of the codecov report. Currently, to do so we must change the branch protection rules. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Add a CLI integ test to validate that `cdk deploy` works in a fully network-isolated environment, with only a proxy to go through. This validates that no parts of the CLI setup ignore the proxy configuration, which would otherwise be hard to test. We achieve the network isolation by running the code inside a Docker container where we use `iptables` to drop all network traffic that doesn't go through the Docker host, where we run a proxy. I temporarily bumped the `tsconfig` `target` to try out the `using` syntax (didn't work out with Jest), but that caused some compiler errors around class member initialization that I fixed as well. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> (cherry picked from commit 9e220c8)

### Reason for this change This file is completely unused in our code base. The test also doesn't test anything by indirection. ### Description of changes Removed the unused file and test. ### Describe any new or updated permissions being added n/a ### Description of how you validated changes Searched for the function on GitHub and internally. All found references are copies of the CDK code base and don't represent actual usage of the exported function. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 8506d31)

### Reason for this change Cleaning up the CLI code base in preparation for splitting out the library parts. It's currently quite hard to reason about the existing api code as its spread across many files and deep subpath imports. This change attempts to partly rectify the situation by grouping files with strong interdependencies together and creating a unified import location. The change deliberately gives up on potential feature reusability of some helpers in order to create locality. ### Description of changes Collating existing files and APIs into a new submodule `api/deployments`. Updated imports accordingly. No functional changes. ### Describe any new or updated permissions being added n/a ### Description of how you validated changes exiting tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit ac90399)

…rops (#32841) ### Issue #32840 Closes #32840 ### Reason for this change When initializing a new RDS DB Cluster, the [current implementation](https://github.com/aws/aws-cdk/pull/32151/files#diff-49b4a9e1bf0b7db3ab71f4f08580da0cb2191d84605dc82a70c324bd122d5cf7R805-R828) fails on the first validation error, making it possible for the user to encounter another failure after fixing known validation issues. ### Description of changes Implemented a [validation function](https://github.com/aws/aws-cdk/pull/32841/files#diff-5d08d37e744e173239879212c59fd45cb9a279349f3dfb1c66923cb015ed3a3a) that collects all validation errors and presents them to the user. Used this function in RDS Database Cluster initialization. I will implement this separately for SQS Queue initialization as a POC for usability. There are several other places that can make use of this shared code, to show users all validation errors at once. Here's a non-exhaustive list: - [aws-ec2](https://github.com/aws/aws-cdk/blob/3e4f3773bfa48b75bf0adc7d53d46bbec7714a9e/packages/aws-cdk-lib/aws-ec2/lib/volume.ts#L672-L743) - [eventbridge-scheduler](https://github.com/aws/aws-cdk/blob/3e4f3773bfa48b75bf0adc7d53d46bbec7714a9e/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/eventbridge-scheduler/create-schedule.ts#L324-L362) - [aws-fsx](https://github.com/aws/aws-cdk/blob/3e4f3773bfa48b75bf0adc7d53d46bbec7714a9e/packages/aws-cdk-lib/aws-fsx/lib/lustre-file-system.ts#L360-L380) ### Describe any new or updated permissions being added No permissions changes. ### Description of how you validated changes Added unit tests and modified existing unit tests. <img width="698" alt="Screenshot 2025-01-16 at 14 51 47" src="https://github.com/user-attachments/assets/a724a16a-7ccc-43b6-8fee-599ec007566d" /> ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 344d916)

Add a new option, `--untrust`, to the `bootstrap` command. Passing a list of account IDs as values to this option removes those account IDs from the trust relationships in the bootstrap roles. Closes #22703. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 4713bdd)

introduces rollback to the programatic toolkit, plus tests ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 6a9cbc2)

enforces spacing at beginning of comments. we are exempting situations that have `///` because they are special comments that jsii recognizes, and situations that have `////////` to delineate a split of some sport. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 1e2c1ae)

The following models are now legacy for all regions: * Claude v2, Claude v2.1 * Claude Instant Ref: https://docs.aws.amazon.com/bedrock/latest/userguide/model-lifecycle.html Note: Since Claude 3 Sonnet is legacy only in specific regions, I did not add a deprecated label. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit c0ed449)

### Issue #33098 Closes #33098. ### Reason for this change When initializing a new SQS Queue, props validation throws an error at the first validation issue encountered. If there are multiple validation issues, the user is only informed of the first one. ### Description of changes Using `validateAllProps` presents all validation errors to the user at once. If `redriveAllowPolicy` is enabled, the policy will also be evaluated in the same way. ### Describe any new or updated permissions being added No permissions changes. ### Description of how you validated changes Adjusted and added unit tests. Ran integration tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit b77e937)

PR linter now checks for lowercase scope. Valid: `fix(s3): blah` Invalid: `fix(S3): blah` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 6409246)

#33102) Updates the PR linter to remove `Revert` as a valid title prefix, in favor of `revert`. To be fair, this is a stylistic change, but I think its unclean to have every other valid prefix as lowercase except for `Revert`. The reason is because github automatically titles revert PRs with `Revert`, but I don't think it's much effort for engineers to update the title so it fits in the style with everything else. In addition, I've updated the failure message to make it clear what it's looking for, rather than a link to conventionalcommits. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 809a7f0)

…nts (#33105) Many changes here: - The PR linter now removes the text of previous reviews, so that they are not distracting. - The PR linter now deletes old comments; before the rewrite, it used to create both comments and reviews. The comments should be deleted. - There were a bunch of missing `await`s, add those. - The missing `await`s slipped in because in the past someone tried to turn off *some* linter rules, and in doing so disabled *all* linter rules. For now, just re-enable the ones that have to do with promises. - Fix a typo in a global constant - Only log the relevant details of reviews, instead of the entire GitHub object ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 7b9f6c8)

### Issue `aws-s3*` for #32569 ### Description of changes ValidationErrors everywhere ### Describe any new or updated permissions being added n/a ### Description of how you validated changes Existing tests. Exemptions granted as this is basically a refactor of existing code. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit aea8f3b)

…typed errors (#33076) ### Issue `aws-apigatewayv2-authorizers` for #32569 ### Description of changes ValidationErrors everywhere ### Describe any new or updated permissions being added n/a ### Description of how you validated changes Existing tests. Exemptions granted as this is basically a refactor of existing code. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit dd34d2e)

Investigation has shown that `check_suite` only triggers on main repo events, never on forks. Let's see what `check_run` does. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit c0a2cbf)

### Reason for this change When running the CDK CLI in trace mode (with `-vv`), e.g. `cdk deploy -vv` we log all SDK calls and their inputs. For file uploads, the input contains the buffer of the file to be uploaded. This results in really bad output: ``` [20:14:31] [sdk info] S3.PutObject({"Bucket":"cdk-hnb659fds-assets-us-east-1","Key":"220c435f80d2dd2cfc5dd0e8e29bfbb6ec58892bd813f5d6a008fdda38f6c02f.zip","Body":{"type":"Buffer","data":[80,75,3,4,20,0,8,0,8,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,100,97,116,97,46,116,120,116,75,73,44,73,52,227,2,0,80,75,7,8,165,92,116,66,8,0,0,0,6,0,0,0,80,75,1,2,45,3,20,0,8,0,8,0,0,0,33,0,165,92,116,66,8,0,0,0,6,0,0,0,8,0,0,0,0,0,0,0,0,0,32,0,164,129,0,0,0,0,100,97,116,97,46,116,120,116,80,75,5,6,0,0,0,0,1,0,1,0,54,0,0,0,62,0,0,0,0,0]},"ContentType":"application/zip","ChecksumAlgorithm":"SHA256","ServerSideEncryption":"aws:kms"}) -> OK ``` Now in this case we are only uploading 138 bytes. Imagine what this log looks like for files of 10MiB or 100MiB. Reportedly this also crashed every terminal. ### Description of changes There's no need to log the buffer bytes. Instead replace it with a string indicating its a buffer and the buffer length: ``` [20:14:31] [sdk info] S3.PutObject({"Body":"<Buffer 138 Bytes>"}) -> OK ``` ### Describe any new or updated permissions being added n/a ### Description of how you validated changes Tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit d95add3)

This triggers a bazillion times. Let's save some money. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 4eb87b6)

This has the advantage that failing CodeCov checks can be ignored with a label. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 34ae997)

mergify · 2025-01-24T12:49:47Z

⚠️ The sha of the head commit of this PR conflicts with #33134. Mergify cannot evaluate rules on this PR. ⚠️

github-actions · 2025-01-24T17:01:38Z

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

kaizencc and others added 30 commits January 9, 2025 17:04

Merge branch 'main' into merge-back/2.175.0

4766663

chore(merge-back): 2.175.0 (#32826)

f63ec29

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.175.0/CHANGELOG.md)

fix(cli): "no stack found in the main cloud assembly" (#32839)

3c0acce

Reverts #32636 It leads to a problem in case of applications where there are no top-level stacks, but only stacks in nested stages: #32836. Closes #32836.

Merge branch 'main' into merge-back/2.175.1

5b157e6

Merge branch 'main' into merge-back/2.175.1

3727472

chore(merge-back): 2.175.1 (#32845)

0da7a51

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.175.1/CHANGELOG.md)

rix0rrr and others added 19 commits January 24, 2025 04:32

chore(toolkit): rollback implementation and tests (#33074)

5186758

introduces rollback to the programatic toolkit, plus tests ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 6a9cbc2)

chore: remove check_run workflow (#33127)

0c061a1

This triggers a bazillion times. Let's save some money. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 4eb87b6)

chore(featureflags): fix release number

530808f

aws-cdk-automation requested a review from a team January 24, 2025 12:49

github-actions bot added the p2 label Jan 24, 2025

moelasmar had a problem deploying to test-pipeline January 24, 2025 12:50 — with GitHub Actions Failure

aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 24, 2025

moelasmar closed this Jan 24, 2025

github-actions bot locked as resolved and limited conversation to collaborators Jan 24, 2025

mergify bot added the contribution/core This is a PR that came from AWS. label Jan 24, 2025

moelasmar deleted the melasmar/main-test2 branch February 5, 2025 23:28

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(release): reset #33135

chore(release): reset #33135

Uh oh!

moelasmar commented Jan 24, 2025

Uh oh!

mergify bot commented Jan 24, 2025

Uh oh!

github-actions bot commented Jan 24, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

30 participants

chore(release): reset #33135

chore(release): reset #33135

Uh oh!

Conversation

moelasmar commented Jan 24, 2025

Uh oh!

mergify bot commented Jan 24, 2025

Uh oh!

github-actions bot commented Jan 24, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

30 participants