chore(release): split the bump pr #33152
This PR pulls out changes to `packages/aws-cdk` and `packages/@aws-cdk/cli-lib-alpha` from #32919

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

---------

Co-authored-by: Momo Kornher <[email protected]>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

(cherry picked from commit 3a711b0)
…sting/framework-integ/test/aws-route53-targets/test/integ.elastic-beanstalk-environment-target-assets (#32846)

Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) to 0.1.12 and updates ancestor dependency [express](https://github.com/expressjs/express). These dependencies need to be updated together.

Updates `path-to-regexp` from 0.1.10 to 0.1.12

Release notes

*Sourced from [path-to-regexp's releases](https://github.com/pillarjs/path-to-regexp/releases).*

> ## Fix backtracking (again)
>
> **Fixed**
>
> - Improved backtracking protection for 0.1.x, will break some previously valid paths (see previous advisory: <https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j>)
>
> <https://github.com/pillarjs/path-to-regexp/compare/v0.1.11...v0.1.12>
>
> ## Error on bad input
>
> **Changed**
>
> - Add error on bad input values 8f09549
>
> <https://github.com/pillarjs/path-to-regexp/compare/v0.1.10...v0.1.11>

Commits

- [`640e694`](https://github.com/pillarjs/path-to-regexp/commit/640e694c6fd971f78268439df9cf44040855e669) 0.1.12
- [`f01c26a`](https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4) Merge commit from fork
- [`0c71192`](https://github.com/pillarjs/path-to-regexp/commit/0c7119248b7cb528a0aea3ba45ed4e2db007cba4) 0.1.11
- [`8f09549`](https://github.com/pillarjs/path-to-regexp/commit/8f095497d678c2ec3495a99ab3928748731e73ee) Add error on bad input values
- See full diff in [compare view](https://github.com/pillarjs/path-to-regexp/compare/v0.1.10...v0.1.12)

Updates `express` from 4.21.1 to 4.21.2

Release notes

*Sourced from [express's releases](https://github.com/expressjs/express/releases).*

> ## 4.21.2
>
> ## What's Changed
>
> - Add funding field (v4) by [`@bjohansebas`](https://github.com/bjohansebas) in [expressjs/express#6065](https://github.com/expressjs/express/pull/6065)
> - deps: [email protected] by [`@blakeembrey`](https://github.com/blakeembrey) in [expressjs/express#5956](https://github.com/expressjs/express/pull/5956)
> - deps: bump [email protected] by [`@jonchurch`](https://github.com/jonchurch) in [expressjs/express#6209](https://github.com/expressjs/express/pull/6209)
> - Release: 4.21.2 by [`@UlisesGascon`](https://github.com/UlisesGascon) in [expressjs/express#6094](https://github.com/expressjs/express/pull/6094)
>
> **Full Changelog**: <https://github.com/expressjs/express/compare/4.21.1...4.21.2>

Changelog

*Sourced from [express's changelog](https://github.com/expressjs/express/blob/4.21.2/History.md).*

> # 4.21.2 / 2024-11-06
>
> - deps: [email protected]
>   - Fix backtracking protection
> - deps: [email protected]
>   - Throws an error on invalid path values

Commits

- [`1faf228`](https://github.com/expressjs/express/commit/1faf228935aa0a13111f92c28ee795be64ce3f0f) 4.21.2
- [`2e0fb64`](https://github.com/expressjs/express/commit/2e0fb646d03184dd9a5285813460210c0e7ae654) deps: bump [email protected] ([#6209](https://github.com/expressjs/express/issues/6209))
- [`59fc270`](https://github.com/expressjs/express/commit/59fc27028ec5d212be653d35d7e3f73a2c3ac3c0) deps: [email protected] ([#5956](https://github.com/expressjs/express/issues/5956))
- [`51fc39c`](https://github.com/expressjs/express/commit/51fc39ccf834eec44547b0f4fed8027e7c05a009) docs: add funding ([#6065](https://github.com/expressjs/express/issues/6065))
- See full diff in [compare view](https://github.com/expressjs/express/compare/4.21.1...4.21.2)

Maintainer changes

This version was pushed to npm by [jonchurch](https://www.npmjs.com/~jonchurch), a new releaser for express since your current version.

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

(cherry picked from commit e742ceb)
See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.176.0/CHANGELOG.md)

Co-authored-by: AWS CDK Team <[email protected]>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

(cherry picked from commit e915084)
### Issue # (if applicable)

None

### Reason for this change

Fixed typos in code comments.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit b2b0577)
…#32245)

### Issue # (if applicable)

None

### Reason for this change

AWS Synthetics begins supporting the NodeJS Playwright runtime.
https://aws.amazon.com/about-aws/whats-new/2024/11/amazon-cloudwatch-synthetics-playwright-runtime-canaries-nodejs/

And Python Selenium runtime v4.1 is also released.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_python_selenium.html#CloudWatch_Synthetics_runtimeversion-syn-python-selenium-4.1

### Description of changes

Add two runtimes to `Runtime` class

- SYNTHETICS_PYTHON_SELENIUM_4_1
- SYNTHETICS_NODEJS_PLAYWRIGHT_1_0

### Description of how you validated changes

Execute describe-runtime AWS CLI.

```sh
aws synthetics describe-runtime-versions --region us-east-1 | grep VersionName
"VersionName": "syn-python-selenium-4.1",
...,
"VersionName": "syn-nodejs-playwright-1.0",
...
```

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit d68020b)
…2919)

### Description of changes

Initial code for the Programmatic Toolkit. This won't be released just yet. Contains a mix of extensions and hard copies to the current CLI code.

After this PR we are moving the appropriate tests over from the CLI.

### Describe any new or updated permissions being added

n/a

### Description of how you validated changes

For the changes to `aws-cdk` we run the existing tests and the integration tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit 35275c3)
### Issue # (if applicable)

None

### Reason for this change

Fixed typos in code comments.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit 62a9d66)
### Description of changes

Removing some unintentional public exports from the deploy action.
Re-organizing files to improve project structure.
Making the `.gitignore` file more readable.

**No functional code changes!**

### Describe any new or updated permissions being added

n/a

### Description of how you validated changes

It builds.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit 717d91d)
### Issue # (if applicable)

Closes #1680.

### Reason for this change

AWS S3 supports configuring [object replication](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication.html), but the `s3.Bucket` construct does not support it.

### Description of changes

Added `replicationRules` to `BucketProps`.

#### Replication configuration version

There are two versions of [replication configuration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-add-config.html#replication-backward-compat-considerations).

This PR uses only the V2 replication configuration to enable the specification of the Filter element and S3 Replication Time Control (S3 RTC).

To use V2 replication configuration, this PR explicitly specifies [Filter.Prefix](https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-replicationrulefilter.html#cfn-s3-bucket-replicationrulefilter-prefix) property.

```ts
const prefix = rule.prefixFilter ?? '';
const filter = isAndFilter ? {
  and: {
    prefix,
    tagFilters: rule.tagFilter,
  },
} : {
  prefix,
};
```

V2 replication configuration has some restrictions:

- Must specify [DeleteMarkerReplication](https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-replicationrule.html#cfn-s3-bucket-replicationrule-deletemarkerreplication)

```sh
ReplicationStack | 4/7 | 9:22:08 PM | CREATE_FAILED | AWS::S3::Bucket | SourceBucket (SourceBucketDDD2130A) Resource handler returned message: Delete marker replication is not supported if any Tag filter is specified. Please refer to S3 Developer Guide for more information. (Service: S3, Status Code: 400, Request ID: XXX, Extended Request ID: XXX)
```

- Must specify [Priority](https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-replicationrule.html#cfn-s3-bucket-replicationrule-priority)

```sh
ReplicationStack | 4/7 | 9:12:08 PM | CREATE_FAILED | AWS::S3::Bucket | SourceBucket (SourceBucketDDD2130A) Resource handler returned message: Priority must be specified for this version of Cross Region Replication configuration schema. Please refer to S3 Developer Guide for more information. (Service: S3, Status Code: 400, Request ID: XXX, Extended Request ID: XXX)
```

These restrictions are not documented but there are some posts about these points.

- https://repost.aws/questions/QUiEc8wFE_Q16fX5WG-YWnrA/cloudformation-support-for-s3-replication-to-multiple-destination-buckets

To resolve these problems, I made the `priority` required and explicitly set the `deleteMarkerReplication`.

```ts
const prefix = rule.prefixFilter ?? ''; // set empty string to use V2 replication configuration
const filter = isAndFilter ? {
  and: {
    prefix,
    tagFilters: rule.tagFilter,
  },
} : {
  prefix,
};

return {
  id: rule.id,
  priority: rule.priority,
  status: 'Enabled',
  destination: {
    bucket: rule.destination.bucket.bucketArn,
    account: rule.destination.account,
    storageClass: rule.storageClass?.toString(),
    accessControlTranslation: rule.destination.accessControlTransition ? {
      owner: 'Destination',
    } : undefined,
    encryptionConfiguration: rule.kmsKey ? {
      replicaKmsKeyId: rule.kmsKey.keyArn,
    } : undefined,
    replicationTime: rule.replicationTimeControl !== undefined ? {
      status: rule.replicationTimeControl ? 'Enabled' : 'Disabled',
      time: {
        minutes: 15,
      },
    } : undefined,
    metrics: rule.replicationTimeControlMetrics !== undefined ? {
      status: rule.replicationTimeControlMetrics ? 'Enabled' : 'Disabled',
      eventThreshold: {
        minutes: 15,
      },
    } : undefined,
  },
  filter,
  // To avoid deploy error when there are multiple replication rules with undefined deleteMarkerReplication,
  // CDK explicitly sets the deleteMarkerReplication if it is undefined.
  deleteMarkerReplication: {
    status: rule.deleteMarkerReplication ? 'Enabled' : 'Disabled',
  },
  sourceSelectionCriteria,
};
```

#### IAM permission

There is a [documentation to setup IAM permissions for service role](https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::SRC-BUCKET"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging"
      ],
      "Resource": [
        "arn:aws:s3:::SRC-BUCKET/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags"
      ],
      "Resource": "arn:aws:s3:::DST-BUCKET/*"
    }
  ]
}
```

However, there are discrepancies between the automatically generated IAM policies in the management console and the IAM policies in the documentation.

Generated Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetReplicationConfiguration",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectRetention",
        "s3:GetObjectLegalHold"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::SRC-BUCKET",
        "arn:aws:s3:::SRC-BUCKET/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete",
        "s3:ReplicateTags",
        "s3:GetObjectVersionTagging",
        "s3:ObjectOwnerOverrideToBucketOwner"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringLikeIfExists": {
          "s3:x-amz-server-side-encryption": [
            "aws:kms",
            "aws:kms:dsse",
            "AES256"
          ]
        }
      },
      "Resource": [
        "arn:aws:s3:::DST-BUCKET/*"
      ]
    },
    {
      "Action": [
        "kms:Decrypt"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.ap-northeast-1.amazonaws.com",
          "kms:EncryptionContext:aws:s3:arn": [
            "arn:aws:s3:::SRC-BUCKET/*"
          ]
        }
      },
      "Resource": [
        "arn:aws:kms:ap-northeast-1:123456789012:key/hogehuga"
      ]
    },
    {
      "Action": [
        "kms:Encrypt"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "s3.ap-northeast-1.amazonaws.com"
          ],
          "kms:EncryptionContext:aws:s3:arn": [
            "arn:aws:s3:::DST-BUCKET*"
          ]
        }
      },
      "Resource": [
        "arn:aws:kms:ap-northeast-1:123456789012:key/hogefuga"
      ]
    }
  ]
}
```

I adopted the policy from the document. I look forward to hearing your thoughts on this matter.

### Description of how you validated changes

Added both unit and integ tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit 9d8a7e2)
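
The difference between the documented and the console-generated replication role policies quoted in the commit message above, computed per action and per (action, resource) grant. This is an added example, not code from the PR or from aws-cdk: the policy bodies are copied from the message, while the type and helper names are invented here.

```typescript
// Added example: diff the two replication-role policies quoted in the commit message.
// SRC-BUCKET, DST-BUCKET and the KMS key ARNs are the message's own placeholders;
// the types and helper functions are assumptions made for this illustration.
interface PolicyStatement {
  Effect: string;
  Action: string | string[];
  Resource: string | string[];
  Condition?: object;
}
interface IamPolicy { Version: string; Statement: PolicyStatement[] }
interface Grant { action: string; resource: string; conditional: boolean }

const SRC = 'arn:aws:s3:::SRC-BUCKET';
const DST = 'arn:aws:s3:::DST-BUCKET';
const KMS = 'arn:aws:kms:ap-northeast-1:123456789012:key/';
const VIA = 's3.ap-northeast-1.amazonaws.com';

const documentedPolicy: IamPolicy = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: ['s3:GetReplicationConfiguration', 's3:ListBucket'], Resource: [SRC] },
    {
      Effect: 'Allow',
      Action: ['s3:GetObjectVersionForReplication', 's3:GetObjectVersionAcl', 's3:GetObjectVersionTagging'],
      Resource: [`${SRC}/*`],
    },
    { Effect: 'Allow', Action: ['s3:ReplicateObject', 's3:ReplicateDelete', 's3:ReplicateTags'], Resource: `${DST}/*` },
  ],
};

const generatedPolicy: IamPolicy = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: ['s3:ListBucket', 's3:GetReplicationConfiguration', 's3:GetObjectVersionForReplication',
        's3:GetObjectVersionAcl', 's3:GetObjectVersionTagging', 's3:GetObjectRetention', 's3:GetObjectLegalHold'],
      Resource: [SRC, `${SRC}/*`],
    },
    {
      Effect: 'Allow',
      Action: ['s3:ReplicateObject', 's3:ReplicateDelete', 's3:ReplicateTags', 's3:GetObjectVersionTagging',
        's3:ObjectOwnerOverrideToBucketOwner'],
      Condition: { StringLikeIfExists: { 's3:x-amz-server-side-encryption': ['aws:kms', 'aws:kms:dsse', 'AES256'] } },
      Resource: [`${DST}/*`],
    },
    {
      Effect: 'Allow',
      Action: ['kms:Decrypt'],
      Condition: { StringLike: { 'kms:ViaService': VIA, 'kms:EncryptionContext:aws:s3:arn': [`${SRC}/*`] } },
      Resource: [`${KMS}hogehuga`],
    },
    {
      Effect: 'Allow',
      Action: ['kms:Encrypt'],
      Condition: { StringLike: { 'kms:ViaService': [VIA], 'kms:EncryptionContext:aws:s3:arn': [`${DST}*`] } },
      Resource: [`${KMS}hogefuga`],
    },
  ],
};

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Expand every Allow statement into one grant per (action, resource) pair.
function expandGrants(policy: IamPolicy): Grant[] {
  const grants: Grant[] = [];
  for (const st of policy.Statement) {
    if (st.Effect !== 'Allow') continue;
    for (const action of asList(st.Action)) {
      for (const resource of asList(st.Resource)) {
        grants.push({ action, resource, conditional: st.Condition !== undefined });
      }
    }
  }
  return grants;
}

const label = (g: Grant): string => `${g.action} on ${g.resource}`;
const unique = (items: string[]): string[] => items.filter((x, i) => items.indexOf(x) === i).sort();

// Actions the candidate allows that the baseline never mentions.
function extraActions(baseline: IamPolicy, candidate: IamPolicy): string[] {
  const known = expandGrants(baseline).map((g) => g.action);
  return unique(expandGrants(candidate).map((g) => g.action).filter((a) => known.indexOf(a) === -1));
}

// (action, resource) pairs the candidate allows that the baseline does not.
function extraGrants(baseline: IamPolicy, candidate: IamPolicy): string[] {
  const known = expandGrants(baseline).map(label);
  return unique(expandGrants(candidate).map(label).filter((k) => known.indexOf(k) === -1));
}

// Grants that are unconditional in the baseline but carry a Condition in the candidate.
function newlyConditioned(baseline: IamPolicy, candidate: IamPolicy): string[] {
  const unconditional = expandGrants(baseline).filter((g) => !g.conditional).map(label);
  const conditioned = expandGrants(candidate).filter((g) => g.conditional).map(label);
  return unique(conditioned.filter((k) => unconditional.indexOf(k) !== -1));
}

console.log('actions only in the generated policy:', extraActions(documentedPolicy, generatedPolicy));
console.log('extra (action, resource) grants:', extraGrants(documentedPolicy, generatedPolicy).length);
console.log('documented grants the console narrows:', newlyConditioned(documentedPolicy, generatedPolicy));
```

At the grant level the console policy is a superset of the documented one: it adds the retention, legal-hold, owner-override and KMS actions, and because it puts bucket-level and object-level actions in one statement it allows each of them on both `SRC-BUCKET` and `SRC-BUCKET/*`. The three `s3:Replicate*` grants on the destination are the only ones it narrows, through the `s3:x-amz-server-side-encryption` condition.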
…or iam OIDC connection (under feature flag) (#32921)

### Issue # (if applicable)

Closes #32920

### Reason for this change

Follow security best practices to disable allow unauthorized connection

### Description of changes

Create a new feature flag that starting in the new feature, we will disable unauthorized connections

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

New integ and unit tests. Updated old tests.

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit 3e4f377)
### Reason for this change

Using project references in `aws-cdk-lib` improves the experience for other monorepo packages depending on `aws-cdk-lib`. A project reference to a composite package is an explicit instruction to only look at the build declaration files of the referenced project and not compile declarations from the .ts files again. This is opt-in from the _calling_ package, but must be allowed from the target for some reason.

Practically this improves performance for the dependant package, but also means that the packages do not have to share the same TS config anymore. The latter is particularly useful if a newer package wants to impose stricter rules. Previously all these packages were effectively bound to the same (low-ish) standards.

The original opt-out was historically enabled in #8625. However the situation has drastically changed since then. Particularly `aws-cdk-lib` is now a single mega package, and thus much easier to handle.

### Description of this change

Enables project references in `aws-cdk-lib`.

This exposed that we are still using some deprecated APIs in some downstream packages. Previously we didn't notice because ts compiler of the downstream package would look at the uncompiled source, which still had the deprecated type. However as part of the jsii compilation these are then removed from the type declarations (and thus jsii bindings). With project references we are now looking at the declaration files and thus any usage of deprecated APIs causes a build failure. This PR is also fixing all of these instances.

### Describe any new or updated permissions being added

n/a

### Description of how you validated changes

existing tests and build

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit b049fa8)
### Reason for this change

Fix Code Scanner issue

```
By not specifying a USER, a program in the container may run as 'root'. This is a security hazard.
If an attacker can control a process running as root, they may have control over the container.
Ensure that the last USER in a Dockerfile is a USER other than 'root'.
```

### Description of changes

Create a new group and attach the user to the group. The dockerfile already gives necessary permissions with statements like `chmod 777`

### Description of how you validated changes

N/A

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit ddaad47)
### Issue # (if applicable)

Closes #13983.
Closes #31689.

### Reason for this change

When we want to receive HTTP 404 response where the requested object does not exist, s3:ListBucket permission is needed in the S3 bucket policy.

Unlike `errorResponses` to convert 403 response to 404, this is useful to distinguish between responses blocked by WAF (403) and responses where the file does not exist (404).

### Description of changes

Added a new `AccessLevel.LIST` to allow s3:ListBucket.

### Description of how you validated changes

Unit test and integration test. The integ test also tests the response is 404.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit 2b2443d)
)

### Issue #32848

Closes #32848

Reason for this change

The current sample schema is incorrect and causes the stack deployment to fail.

Description of changes

I modified the sample GraphQL schema so that it is successfully deployed.

Describe any new or updated permissions being added

Description of how you validated changes

I was able to successfully deploy the stack after making the changes I already proposed in the PR.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit e8e058c)
### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

Anecdotally, contributors often encounter the "This branch is out-of-date with the base branch" message, which can be confusing. Since I couldn’t find a clear explanation, I sought clarification from one of the admins in [this comment](#32889 (comment)). I’ve summarized their guidance to help other contributors navigate this issue more easily.

### Description of changes

Added clarification on a common "error" in the contributor guidelines.

### Describe any new or updated permissions being added

### Description of how you validated changes

An admin provided guidance on the issue, and it resolved the problem effectively in my case.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit 74bd8ce)
The PR linter code was a bit of a mess; evaluating rules and mutating the PR was interspersed, generic GitHub code was mixed with CDK-specific code, the linter could be triggered from multiple sources, none of them were documented very well.

Try to rectify all of that in this PR to make it easier to extend the PR linter in the future:

- Split the linter into clear evaluate/act responsibilities.
- Split code across more than 1 file.
- Document how the "PR Linter Trigger" works
- Streamline how we get a PR number into the linter.
- Give an example of how to run it locally to test the rule evaluation on real PRs

Not every crazy design decision has been rectified yet, but at least we have a start of something a little more comprehensible.

Another change I made: the old PR linter creates a comment + a review with the same content (but not quite). In this PR, make it just do reviews and don't do comments.

This started from a PR that had CodeCov changes added, but I want to do a refactor without feature changes first before adding new code.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit 680b6ba)
Almost every PR immediately looks like it's failing with a red cross, because the PR linter fails if it is requesting changes. The "Changes Requested" review by itself is enough to prevent a PR from getting merged by the Mergify config, so we don't actually need to fail the PR linter as well. Instead: the PR linter succeeds if it runs to the end, and it may request changes on the PR. If it fails, then it's because it was unable to do its job for some reason (that should and will still block merging, so we are not accidentally failing open if something is wrong with the linter). ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 2afdf25)
### Issue

Closes #32940

### Description of changes

Define the API for the synth action. Includes DX improvements for some other APIs.

### Describe any new or updated permissions being added

n/a

### Description of how you validated changes

These are the tests!

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit 63b0936)
Since the buffered console captures stdout/stderr, in some call sequences it keeps recursing forever and overflows memory. It does not repro in this repository, but it repros in a different one. The fix is to stop capturing while we print results. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 776620d)
I suspect that `check_suite` is a useful event to use for the PR linter. Add a workflow that will trigger on `check_suite` and prints some relevant information, so we can spy on. This workflow was created by AI, we'll see how it does. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit c9d1684)
In lack of a public docs page, use typedoc for now.

### Description of how you validated changes

Docs only

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit 88fe797)
…dk package (#32989)

Instead use local file references. We still have it listed as a dev dependency, because we do need the cli build in the monorepo before the toolkit.

Also adds a script to publish a "public" version locally

### Describe any new or updated permissions being added

n/a

### Description of how you validated changes

It builds and the "published" package can be used successfully

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit d16482f)
### Issue #32994

Closes #32994

### Reason for this change

Previously it was not possible to provide external context.

### Description of changes

Cloud Assembly Source Builder now optionally takes a Context object that is provided to the source when the assembly is produced.

### Describe any new or updated permissions being added

n/a

### Description of how you validated changes

Unit tests

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit ebe9580)
adds toolkit tests for deploy ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 794520c)
Caused much confusion as to whether the docs or the code was wrong. 99% sure it's the docs. Will make the same changes in toolkit in a separate PR. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 4a76fee)
These are tests ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 8c1be1e)
…ions (#32838)

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

When you update multiple aspects of a Lambda function by modifying an `aws-cdk-lib.aws-lambda` L2 construct and deploying in a single CDK deployment, you may encounter a short period of time where errors occur due to all aspects not being updated together.

### Description of changes

Add documentation in `aws-cdk-lib.aws-lambda` to explain this potential situation.

### Describe any new or updated permissions being added

None

### Description of how you validated changes

None. Only updated README.md

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Co-authored-by: Grace Luo <[email protected]>

(cherry picked from commit 6c5accd)
### Description of changes

We currently have to maintain a global singleton `CliIoHost` until we have passed the ioHost through all the layers for logging. Previously the global settings for this `IoHost` were all over the place using setter functions and global variables. This refactor unifies all these APIs on the `CliIoHost`, through the global instance.

We also need the ability to register a _different_ `IoHost` that must be used for reporting. This is the case when a Toolkit integrator provides a custom implementation.

### Describe any new or updated permissions being added

no

### Description of how you validated changes

Existing and updated test cases.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit 72e089b)
…hart to include major and minor contributions (#32619)

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

Make it easier for those new to contributing and for those submitting small contributions to get started.

### Description of changes

Provide introductory information on what a contribution is. Add a new definition of *major* and *minor* contributions. The purpose of these new terms is to distinguish between two different types of contributions for two reasons: (1) Provide a clearer and simpler path to contributing for those submitting small changes like doc improvements or bug fixes; and (2) Provide a separate path of submitting an RFC to discuss implementation details before someone puts in the time and effort of submitting a major contribution. I also updated the flowchart to highlight these two paths and show how they differ.

Next steps after this revision are to improve the "getting started" documentation and restructure content based on the updated flowchart.

### Describe any new or updated permissions being added

### Description of how you validated changes

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit d8cd4bd)
Reverts #32976

After discussing with team, I'm going to revert the original PR. This is because we notice that CDK when bundling supports the following feature: https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_lambda_nodejs/ICommandHooks.html

```
beforeBundling: Commands in this hook run before the bundling process begins, outside the Docker container. These are executed on the local machine.
beforeInstall: Commands in this hook run inside the Docker container before npm install or npm ci commands are executed.
afterBundling: Commands in this hook run inside the Docker container after the bundling process completes.
```

This means that users can provide custom commands to run inside the docker container and we do not know what current users run. They could provide a command that requires root access and this will be a regression once released.

(cherry picked from commit 28067b0)
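An added example, not code from the aws-cdk repository or from the commit above: a small audit that uses the hook locations quoted in the revert message to list which hook commands would be affected if the bundling container stopped running as root. `CommandHooks` is a local mirror of the three `ICommandHooks` methods so the block runs without `aws-cdk-lib`; `auditHooks`, `ROOT_HINTS`, the sample commands and the root-privilege patterns are assumptions made for illustration, and Docker bundling is assumed.

```typescript
// Added example: every name below is illustrative and not part of aws-cdk-lib.

// Local mirror of the three ICommandHooks methods; each returns shell commands.
interface CommandHooks {
  beforeBundling(inputDir: string, outputDir: string): string[];
  beforeInstall(inputDir: string, outputDir: string): string[];
  afterBundling(inputDir: string, outputDir: string): string[];
}

type HookName = 'beforeBundling' | 'beforeInstall' | 'afterBundling';
type Where = 'local machine' | 'docker container';

// Where each hook runs, per the documentation quoted in the revert message
// (assumption: Docker bundling is in use).
const HOOK_LOCATION: { hook: HookName; where: Where }[] = [
  { hook: 'beforeBundling', where: 'local machine' },
  { hook: 'beforeInstall', where: 'docker container' },
  { hook: 'afterBundling', where: 'docker container' },
];

interface RootHint { pattern: RegExp; reason: string; }

// Constructed heuristics (assumption): command shapes that usually fail when
// the container user is not root. Extend the list for your own images.
const ROOT_HINTS: RootHint[] = [
  { pattern: /(^|[\s;&|])sudo\s/, reason: 'explicit sudo' },
  { pattern: /(^|[\s;&|])(yum|dnf|microdnf|apt-get|apt|apk)\s+(install|add|update|upgrade)\b/,
    reason: 'system package manager' },
  { pattern: /(^|[\s;&|])(chown|chgrp)\s/, reason: 'ownership change' },
  { pattern: /(>+\s*|(^|[\s;&|])(cp|mv|ln|mkdir|rm)\s(?:[^;&|]*\s)?)\/(etc|usr|opt)\//,
    reason: 'write under a system directory' },
];

interface Finding {
  hook: HookName;
  where: Where;
  command: string;
  reason: string;
}

// Collects the commands each hook would emit and reports the in-container
// ones that match a root hint. Commands from hooks that run on the local
// machine are skipped: the container user does not affect them.
function auditHooks(hooks: CommandHooks, inputDir: string, outputDir: string): Finding[] {
  const findings: Finding[] = [];
  for (const entry of HOOK_LOCATION) {
    if (entry.where !== 'docker container') {
      continue;
    }
    const commands = hooks[entry.hook](inputDir, outputDir);
    for (const command of commands) {
      for (const hint of ROOT_HINTS) {
        if (hint.pattern.test(command)) {
          findings.push({ hook: entry.hook, where: entry.where, command: command, reason: hint.reason });
          break; // one finding per command is enough
        }
      }
    }
  }
  return findings;
}

// Constructed sample hooks, standing in for what a user might have configured.
const sampleHooks: CommandHooks = {
  beforeBundling(inputDir, _outputDir) {
    return [`echo bundling ${inputDir}`, 'sudo chown -R $USER node_modules'];
  },
  beforeInstall(_inputDir, _outputDir) {
    return ['yum install -y git', 'npm config set fund false'];
  },
  afterBundling(inputDir, outputDir) {
    return [`cp ${inputDir}/schema.json ${outputDir}`, 'mkdir -p /usr/local/share/app'];
  },
};

// /asset-input and /asset-output are the directories CDK mounts in the
// bundling container; they are used here only as sample arguments.
console.log(JSON.stringify(auditHooks(sampleHooks, '/asset-input', '/asset-output'), null, 2));
```

The `sudo chown` in `beforeBundling` is not reported because that hook runs on the local machine, while the `yum install` and the `mkdir` under `/usr` run inside the container and are the kind of command the revert message is concerned about.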
Add tests for the destroy action ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 1889527)
### Reason for this change

Badge does not render properly

### Description of changes

Removing this badge that does not render properly, or alternatively follow https://docs.mergify.com/badge/#finding-the-badge-url to restore if still applicable

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit 53dc0d8)
### Reason for this change

In #32548 we enabled typed errors for some places in the CLI. However many places were missed and the eslint rule wasn't enabled to enforce it in future.

### Description of changes

Enforce by enabling the respective eslint rule. Also adds and implements the eslint rule in the toolkit.

This has little functional effect since all new errors are still `Error`s. The printed output of an error will slightly change.

### Describe any new or updated permissions being added

n/a

### Description of how you validated changes

existing tests

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit bf81b3c)
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-appsync │ └ resources │ └[~] resource AWS::AppSync::DataSource │ └ properties │ └ ServiceRoleArn: (documentation changed) ├[~] service aws-batch │ └ resources │ └[~] resource AWS::Batch::SchedulingPolicy │ └ types │ └[~] type FairsharePolicy │ └ properties │ └ ShareDecaySeconds: (documentation changed) ├[~] service aws-bedrock │ └ resources │ ├[~] resource AWS::Bedrock::KnowledgeBase │ │ ├ properties │ │ │ └ KnowledgeBaseConfiguration: - KnowledgeBaseConfiguration (required, immutable) │ │ │ + KnowledgeBaseConfiguration (required) │ │ └ types │ │ ├[+] type CuratedQuery │ │ │ ├ documentation: Curated query or question and answer pair │ │ │ │ name: CuratedQuery │ │ │ └ properties │ │ │ ├ NaturalLanguage: string (required) │ │ │ └ Sql: string (required) │ │ ├[~] type KnowledgeBaseConfiguration │ │ │ └ properties │ │ │ ├ KendraKnowledgeBaseConfiguration: - KendraKnowledgeBaseConfiguration │ │ │ │ + KendraKnowledgeBaseConfiguration (immutable) │ │ │ ├[+] SqlKnowledgeBaseConfiguration: SqlKnowledgeBaseConfiguration │ │ │ ├ Type: - string (required) │ │ │ │ + string (required, immutable) │ │ │ └ VectorKnowledgeBaseConfiguration: - VectorKnowledgeBaseConfiguration │ │ │ + VectorKnowledgeBaseConfiguration (immutable) │ │ ├[+] type QueryGenerationColumn │ │ │ ├ documentation: Redshift query generation column │ │ │ │ name: QueryGenerationColumn │ │ │ └ properties │ │ │ ├ Name: string │ │ │ ├ Description: string │ │ │ └ Inclusion: string │ │ ├[+] type QueryGenerationConfiguration │ │ │ ├ documentation: Configurations for generating Redshift engine queries │ │ │ │ name: QueryGenerationConfiguration │ │ │ └ properties │ │ │ ├ ExecutionTimeoutSeconds: integer │ │ │ └ GenerationContext: QueryGenerationContext │ │ ├[+] type QueryGenerationContext │ │ │ ├ documentation: Context used to improve query 
generation │ │ │ │ name: QueryGenerationContext │ │ │ └ properties │ │ │ ├ Tables: Array<QueryGenerationTable> │ │ │ └ CuratedQueries: Array<CuratedQuery> │ │ ├[+] type QueryGenerationTable │ │ │ ├ documentation: Tables used for Redshift query generation context │ │ │ │ name: QueryGenerationTable │ │ │ └ properties │ │ │ ├ Name: string (required) │ │ │ ├ Description: string │ │ │ ├ Inclusion: string │ │ │ └ Columns: Array<QueryGenerationColumn> │ │ ├[+] type RedshiftConfiguration │ │ │ ├ documentation: Configurations for a Redshift knowledge base │ │ │ │ name: RedshiftConfiguration │ │ │ └ properties │ │ │ ├ StorageConfigurations: Array<RedshiftQueryEngineStorageConfiguration> (required, immutable) │ │ │ ├ QueryEngineConfiguration: RedshiftQueryEngineConfiguration (required, immutable) │ │ │ └ QueryGenerationConfiguration: QueryGenerationConfiguration │ │ ├[+] type RedshiftProvisionedAuthConfiguration │ │ │ ├ documentation: Configurations for Redshift query engine provisioned auth setup │ │ │ │ name: RedshiftProvisionedAuthConfiguration │ │ │ └ properties │ │ │ ├ Type: string (required) │ │ │ ├ DatabaseUser: string │ │ │ └ UsernamePasswordSecretArn: string │ │ ├[+] type RedshiftProvisionedConfiguration │ │ │ ├ documentation: Configurations for provisioned Redshift query engine │ │ │ │ name: RedshiftProvisionedConfiguration │ │ │ └ properties │ │ │ ├ ClusterIdentifier: string (required) │ │ │ └ AuthConfiguration: RedshiftProvisionedAuthConfiguration (required) │ │ ├[+] type RedshiftQueryEngineAwsDataCatalogStorageConfiguration │ │ │ ├ documentation: Configurations for Redshift query engine AWS Data Catalog backed storage │ │ │ │ name: RedshiftQueryEngineAwsDataCatalogStorageConfiguration │ │ │ └ properties │ │ │ └ TableNames: Array<string> (required) │ │ ├[+] type RedshiftQueryEngineConfiguration │ │ │ ├ documentation: Configurations for Redshift query engine │ │ │ │ name: RedshiftQueryEngineConfiguration │ │ │ └ properties │ │ │ ├ Type: string (required) │ │ │ ├ 
ServerlessConfiguration: RedshiftServerlessConfiguration │ │ │ └ ProvisionedConfiguration: RedshiftProvisionedConfiguration │ │ ├[+] type RedshiftQueryEngineRedshiftStorageConfiguration │ │ │ ├ documentation: Configurations for Redshift query engine Redshift backed storage │ │ │ │ name: RedshiftQueryEngineRedshiftStorageConfiguration │ │ │ └ properties │ │ │ └ DatabaseName: string (required) │ │ ├[+] type RedshiftQueryEngineStorageConfiguration │ │ │ ├ documentation: Configurations for available Redshift query engine storage types │ │ │ │ name: RedshiftQueryEngineStorageConfiguration │ │ │ └ properties │ │ │ ├ Type: string (required) │ │ │ ├ AwsDataCatalogConfiguration: RedshiftQueryEngineAwsDataCatalogStorageConfiguration │ │ │ └ RedshiftConfiguration: RedshiftQueryEngineRedshiftStorageConfiguration │ │ ├[+] type RedshiftServerlessAuthConfiguration │ │ │ ├ documentation: Configurations for Redshift query engine serverless auth setup │ │ │ │ name: RedshiftServerlessAuthConfiguration │ │ │ └ properties │ │ │ ├ Type: string (required) │ │ │ └ UsernamePasswordSecretArn: string │ │ ├[+] type RedshiftServerlessConfiguration │ │ │ ├ documentation: Configurations for serverless Redshift query engine │ │ │ │ name: RedshiftServerlessConfiguration │ │ │ └ properties │ │ │ ├ WorkgroupArn: string (required) │ │ │ └ AuthConfiguration: RedshiftServerlessAuthConfiguration (required) │ │ └[+] type SqlKnowledgeBaseConfiguration │ │ ├ documentation: Configurations for a SQL knowledge base │ │ │ name: SqlKnowledgeBaseConfiguration │ │ └ properties │ │ ├ Type: string (required, immutable) │ │ └ RedshiftConfiguration: RedshiftConfiguration │ └[~] resource AWS::Bedrock::PromptVersion │ └ types │ ├[+] type ChatPromptTemplateConfiguration │ │ ├ documentation: Configuration for chat prompt template │ │ │ name: ChatPromptTemplateConfiguration │ │ └ properties │ │ ├ Messages: Array<Message> (required) │ │ ├ System: Array<SystemContentBlock> │ │ ├ ToolConfiguration: ToolConfiguration │ │ └ 
InputVariables: Array<PromptInputVariable> │ ├[+] type ContentBlock │ │ ├ documentation: Configuration for chat prompt template │ │ │ name: ContentBlock │ │ └ properties │ │ └ Text: string (required) │ ├[+] type Message │ │ ├ documentation: Chat prompt Message │ │ │ name: Message │ │ └ properties │ │ ├ Role: string (required) │ │ └ Content: Array<ContentBlock> (required) │ ├[+] type PromptAgentResource │ │ ├ documentation: Target Agent to invoke with Prompt │ │ │ name: PromptAgentResource │ │ └ properties │ │ └ AgentIdentifier: string (required) │ ├[+] type PromptGenAiResource │ │ ├ documentation: Target resource to invoke with Prompt │ │ │ name: PromptGenAiResource │ │ └ properties │ │ └ Agent: PromptAgentResource (required) │ ├[~] type PromptTemplateConfiguration │ │ └ properties │ │ ├[+] Chat: ChatPromptTemplateConfiguration │ │ └ Text: - TextPromptTemplateConfiguration (required) │ │ + TextPromptTemplateConfiguration │ ├[~] type PromptVariant │ │ └ properties │ │ └[+] GenAiResource: PromptGenAiResource │ ├[+] type SpecificToolChoice │ │ ├ documentation: Specific Tool choice │ │ │ name: SpecificToolChoice │ │ └ properties │ │ └ Name: string (required) │ ├[+] type SystemContentBlock │ │ ├ documentation: Configuration for chat prompt template │ │ │ name: SystemContentBlock │ │ └ properties │ │ └ Text: string (required) │ ├[+] type Tool │ │ ├ documentation: Tool details │ │ │ name: Tool │ │ └ properties │ │ └ ToolSpec: ToolSpecification (required) │ ├[+] type ToolChoice │ │ ├ name: ToolChoice │ │ └ properties │ │ ├ Auto: json │ │ ├ Any: json │ │ └ Tool: SpecificToolChoice │ ├[+] type ToolConfiguration │ │ ├ documentation: Tool configuration │ │ │ name: ToolConfiguration │ │ └ properties │ │ ├ Tools: Array<Tool> (required) │ │ └ ToolChoice: ToolChoice │ ├[+] type ToolInputSchema │ │ ├ documentation: Tool input schema │ │ │ name: ToolInputSchema │ │ └ properties │ │ └ Json: json (required) │ └[+] type ToolSpecification │ ├ documentation: Tool specification │ │ name: 
ToolSpecification │ └ properties │ ├ Name: string (required) │ ├ Description: string │ └ InputSchema: ToolInputSchema (required) ├[~] service aws-cloudfront │ └ resources │ └[~] resource AWS::CloudFront::AnycastIpList │ ├ - documentation: An Anycast static IP list. │ │ + documentation: An Anycast static IP list. For more information, see [Request Anycast static IPs to use for allowlisting](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/request-static-ips.html) in the *Amazon CloudFront Developer Guide* . │ └ types │ └[~] type AnycastIpList │ └ - documentation: An Anycast static IP list. │ + documentation: An Anycast static IP list. For more information, see [Request Anycast static IPs to use for allowlisting](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/request-static-ips.html) in the *Amazon CloudFront Developer Guide* . ├[~] service aws-codepipeline │ └ resources │ └[~] resource AWS::CodePipeline::Pipeline │ └ types │ └[~] type RuleDeclaration │ └ properties │ └[+] Commands: Array<string> ├[~] service aws-cognito │ └ resources │ ├[~] resource AWS::Cognito::LogDeliveryConfiguration │ │ └ types │ │ └[~] type LogConfiguration │ │ ├ - documentation: The configuration of user event logs to an external AWS service like Amazon Data Firehose, Amazon S3, or Amazon CloudWatch Logs. │ │ │ This data type is a request parameter of `API_SetLogDeliveryConfiguration` and a response parameter of `API_GetLogDeliveryConfiguration` . │ │ │ + documentation: The configuration of user event logs to an external AWS service like Amazon Data Firehose, Amazon S3, or Amazon CloudWatch Logs. │ │ └ properties │ │ └ CloudWatchLogsConfiguration: (documentation changed) │ ├[~] resource AWS::Cognito::ManagedLoginBranding │ │ └ types │ │ └[~] type AssetType │ │ └ - documentation: An image file from a managed login branding style in a user pool. 
│ │ This data type is a request parameter of `API_CreateManagedLoginBranding` and `API_UpdateManagedLoginBranding` , and a response parameter of `API_DescribeManagedLoginBranding` . │ │ + documentation: An image file from a managed login branding style in a user pool. │ ├[~] resource AWS::Cognito::UserPool │ │ ├ properties │ │ │ ├ AdminCreateUserConfig: (documentation changed) │ │ │ └ Policies: (documentation changed) │ │ └ types │ │ ├[~] type AdminCreateUserConfig │ │ │ ├ - documentation: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire. │ │ │ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ │ │ + documentation: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire. │ │ │ └ properties │ │ │ └ UnusedAccountValidityDays: (documentation changed) │ │ ├[~] type DeviceConfiguration │ │ │ └ - documentation: The device-remembering configuration for a user pool. │ │ │ A `API_DescribeUserPool` request returns a null value for this object when the user pool isn't configured to remember devices. When device remembering is active, you can remember a user's device with a `API_ConfirmDevice` API request. Additionally. when the property `DeviceOnlyRememberedOnUserPrompt` is `true` , you must follow `ConfirmDevice` with an `API_UpdateDeviceStatus` API request that sets the user's device to `remembered` or `not_remembered` . │ │ │ To sign in with a remembered device, include `DEVICE_KEY` in the authentication parameters in your user's `API_InitiateAuth` request. 
If your app doesn't include a `DEVICE_KEY` parameter, the `API_InitiateAuth` from Amazon Cognito includes newly-generated `DEVICE_KEY` and `DEVICE_GROUP_KEY` values under `NewDeviceMetadata` . Store these values to use in future device-authentication requests. │ │ │ > When you provide a value for any property of `DeviceConfiguration` , you activate the device remembering for the user pool. │ │ │ > │ │ │ > This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ │ + documentation: The device-remembering configuration for a user pool. │ │ ├[~] type LambdaConfig │ │ │ └ - documentation: A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of user pool operations. Triggers can modify the outcome of the operations that invoked them. │ │ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ │ + documentation: A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of user pool operations. Triggers can modify the outcome of the operations that invoked them. │ │ ├[~] type NumberAttributeConstraints │ │ │ └ - documentation: The minimum and maximum values of an attribute that is of the number type, for example `custom:age` . │ │ │ This data type is part of `API_SchemaAttributeType` . It defines the length constraints on number-type attributes that you configure in `API_CreateUserPool` and `API_UpdateUserPool` , and displays the length constraints of all number-type attributes in the response to `API_DescribeUserPool` │ │ │ + documentation: The minimum and maximum values of an attribute that is of the number type, for example `custom:age` . 
│ │ ├[~] type PasswordPolicy │ │ │ ├ - documentation: The password policy settings for a user pool, including complexity, history, and length requirements. │ │ │ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ │ │ + documentation: The password policy settings for a user pool, including complexity, history, and length requirements. │ │ │ └ properties │ │ │ └ PasswordHistorySize: (documentation changed) │ │ ├[~] type Policies │ │ │ ├ - documentation: A list of user pool policies. Contains the policy that sets password-complexity requirements. │ │ │ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ │ │ + documentation: A list of user pool policies. Contains the policy that sets password-complexity requirements. │ │ │ └ properties │ │ │ └ SignInPolicy: (documentation changed) │ │ ├[~] type PreTokenGenerationConfig │ │ │ └ - documentation: The properties of a pre token generation Lambda trigger. │ │ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ │ + documentation: The properties of a pre token generation Lambda trigger. │ │ ├[~] type RecoveryOption │ │ │ └ - documentation: A recovery option for a user. The `AccountRecoverySettingType` data type is an array of this object. Each `RecoveryOptionType` has a priority property that determines whether it is a primary or secondary option. │ │ │ For example, if `verified_email` has a priority of `1` and `verified_phone_number` has a priority of `2` , your user pool sends account-recovery messages to a verified email address but falls back to an SMS message if the user has a verified phone number. The `admin_only` option prevents self-service account recovery. 
│ │ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ │ + documentation: A recovery option for a user. The `AccountRecoverySettingType` data type is an array of this object. Each `RecoveryOptionType` has a priority property that determines whether it is a primary or secondary option. │ │ │ For example, if `verified_email` has a priority of `1` and `verified_phone_number` has a priority of `2` , your user pool sends account-recovery messages to a verified email address but falls back to an SMS message if the user has a verified phone number. The `admin_only` option prevents self-service account recovery. │ │ ├[~] type SchemaAttribute │ │ │ └ - documentation: A list of the user attributes and their properties in your user pool. The attribute schema contains standard attributes, custom attributes with a `custom:` prefix, and developer attributes with a `dev:` prefix. For more information, see [User pool attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html) . │ │ │ Developer-only `dev:` attributes are a legacy feature of user pools, and are read-only to all app clients. You can create and update developer-only attributes only with IAM-authenticated API operations. Use app client read/write permissions instead. │ │ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ │ + documentation: A list of the user attributes and their properties in your user pool. The attribute schema contains standard attributes, custom attributes with a `custom:` prefix, and developer attributes with a `dev:` prefix. For more information, see [User pool attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html) . 
│ │ │ Developer-only `dev:` attributes are a legacy feature of user pools, and are read-only to all app clients. You can create and update developer-only attributes only with IAM-authenticated API operations. Use app client read/write permissions instead. │ │ ├[~] type SignInPolicy │ │ │ └ - documentation: The policy for allowed types of authentication in a user pool. To activate this setting, your user pool must be in the [Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher. │ │ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ │ + documentation: The policy for allowed types of authentication in a user pool. To activate this setting, your user pool must be in the [Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher. │ │ ├[~] type SmsConfiguration │ │ │ └ - documentation: User pool configuration for delivery of SMS messages with Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account . │ │ │ This data type is a request parameter of `API_CreateUserPool` , `API_UpdateUserPool` , and `API_SetUserPoolMfaConfig` , and a response parameter of `API_CreateUserPool` , `API_UpdateUserPool` , and `API_GetUserPoolMfaConfig` . │ │ │ + documentation: User pool configuration for delivery of SMS messages with Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account . 
│ │ ├[~] type StringAttributeConstraints │ │ │ └ - documentation: The minimum and maximum length values of an attribute that is of the string type, for example `custom:department` . │ │ │ This data type is part of `API_SchemaAttributeType` . It defines the length constraints on string-type attributes that you configure in `API_CreateUserPool` and `API_UpdateUserPool` , and displays the length constraints of all string-type attributes in the response to `API_DescribeUserPool` │ │ │ + documentation: The minimum and maximum length values of an attribute that is of the string type, for example `custom:department` . │ │ ├[~] type UserAttributeUpdateSettings │ │ │ └ properties │ │ │ └ AttributesRequireVerificationBeforeUpdate: (documentation changed) │ │ ├[~] type UsernameConfiguration │ │ │ └ - documentation: Case sensitivity of the username input for the selected sign-in option. When case sensitivity is set to `False` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, `username` , `USERNAME` , or `UserName` , or for email, `[email protected]` or `[email protected]` . For most use cases, set case sensitivity to `False` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user. │ │ │ This configuration is immutable after you set it. For more information, see `API_UsernameConfigurationType` . │ │ │ + documentation: Case sensitivity of the username input for the selected sign-in option. When case sensitivity is set to `False` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, `username` , `USERNAME` , or `UserName` , or for email, `[email protected]` or `[email protected]` . For most use cases, set case sensitivity to `False` (case insensitive) as a best practice. 
When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user. │ │ ├[~] type UserPoolAddOns │ │ │ └ - documentation: Contains settings for activation of threat protection, including the operating mode and additional authentication types. To log user security information but take no action, set to `AUDIT` . To configure automatic security responses to potentially unwanted traffic to your user pool, set to `ENFORCED` . │ │ │ For more information, see [Adding advanced security to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) . To activate this setting, your user pool must be on the [Plus tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html) . │ │ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ │ + documentation: User pool add-ons. Contains settings for activation of threat protection. To log user security information but take no action, set to `AUDIT` . To configure automatic security responses to risky traffic to your user pool, set to `ENFORCED` . │ │ │ For more information, see [Adding advanced security to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) . To activate this setting, your user pool must be on the [Plus tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html) . │ │ └[~] type VerificationMessageTemplate │ │ └ - documentation: The template for the verification message that your user pool delivers to users who set an email address or phone number attribute. 
│ │ This data type is a request and response parameter of `API_CreateUserPool` and `API_UpdateUserPool` , and a response parameter of `API_DescribeUserPool` . │ │ + documentation: The template for the verification message that your user pool delivers to users who set an email address or phone number attribute. │ ├[~] resource AWS::Cognito::UserPoolClient │ │ ├ properties │ │ │ ├ EnableTokenRevocation: (documentation changed) │ │ │ ├ ReadAttributes: (documentation changed) │ │ │ └ WriteAttributes: (documentation changed) │ │ └ types │ │ └[~] type AnalyticsConfiguration │ │ └ - documentation: The settings for Amazon Pinpoint analytics configuration. With an analytics configuration, your application can collect user-activity metrics for user notifications with a Amazon Pinpoint campaign. │ │ Amazon Pinpoint isn't available in all AWS Regions. For a list of available Regions, see [Amazon Cognito and Amazon Pinpoint Region availability](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html#cognito-user-pools-find-region-mappings) . │ │ This data type is a request parameter of `API_CreateUserPoolClient` and `API_UpdateUserPoolClient` , and a response parameter of `API_DescribeUserPoolClient` . │ │ + documentation: The settings for Amazon Pinpoint analytics configuration. With an analytics configuration, your application can collect user-activity metrics for user notifications with a Amazon Pinpoint campaign. │ │ Amazon Pinpoint isn't available in all AWS Regions. For a list of available Regions, see [Amazon Cognito and Amazon Pinpoint Region availability](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html#cognito-user-pools-find-region-mappings) . 
│ ├[~] resource AWS::Cognito::UserPoolDomain │ │ ├ properties │ │ │ └ CustomDomainConfig: (documentation changed) │ │ └ types │ │ └[~] type CustomDomainConfigType │ │ └ - documentation: The configuration for a hosted UI custom domain. │ │ This data type is a request parameter of `API_CreateUserPoolDomain` and `API_UpdateUserPoolDomain` . │ │ + documentation: The configuration for a hosted UI custom domain. │ ├[~] resource AWS::Cognito::UserPoolGroup │ │ └ - documentation: A user pool group. Contains details about the group and the way that it contributes to IAM role decisions with identity pools. Identity pools can make decisions about the IAM role to assign based on groups: users get credentials for the role associated with their highest-priority group. │ │ This data type is a response parameter of `API_AdminListGroupsForUser` , `API_CreateGroup` , `API_GetGroup` , `API_ListGroups` , and `API_UpdateGroup` . │ │ + documentation: A user pool group. Contains details about the group and the way that it contributes to IAM role decisions with identity pools. Identity pools can make decisions about the IAM role to assign based on groups: users get credentials for the role associated with their highest-priority group. │ ├[~] resource AWS::Cognito::UserPoolResourceServer │ │ └ types │ │ └[~] type ResourceServerScopeType │ │ └ - documentation: One custom scope associated with a user pool resource server. This data type is a member of `ResourceServerScopeType` . For more information, see [Scopes, M2M, and API authorization with resource servers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html) . │ │ This data type is a request parameter of `API_CreateResourceServer` and a response parameter of `API_DescribeResourceServer` . │ │ + documentation: One custom scope associated with a user pool resource server. This data type is a member of `ResourceServerScopeType` . 
For more information, see [Scopes, M2M, and API authorization with resource servers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html) . │ ├[~] resource AWS::Cognito::UserPoolRiskConfigurationAttachment │ │ └ types │ │ ├[~] type AccountTakeoverActionsType │ │ │ └ - documentation: A list of account-takeover actions for each level of risk that Amazon Cognito might assess with threat protection features. │ │ │ This data type is a request parameter of `API_SetRiskConfiguration` and a response parameter of `API_DescribeRiskConfiguration` . │ │ │ + documentation: A list of account-takeover actions for each level of risk that Amazon Cognito might assess with advanced security features. │ │ ├[~] type AccountTakeoverActionType │ │ │ └ - documentation: The automated response to a risk level for adaptive authentication in full-function, or `ENFORCED` , mode. You can assign an action to each risk level that threat protection evaluates. │ │ │ This data type is a request parameter of `API_SetRiskConfiguration` and a response parameter of `API_DescribeRiskConfiguration` . │ │ │ + documentation: The automated response to a risk level for adaptive authentication in full-function, or `ENFORCED` , mode. You can assign an action to each risk level that advanced security features evaluates. │ │ ├[~] type AccountTakeoverRiskConfigurationType │ │ │ └ - documentation: The settings for automated responses and notification templates for adaptive authentication with threat protection features. │ │ │ This data type is a request parameter of `API_SetRiskConfiguration` and a response parameter of `API_DescribeRiskConfiguration` . │ │ │ + documentation: The settings for automated responses and notification templates for adaptive authentication with advanced security features. 
│ │ ├[~] type CompromisedCredentialsActionsType │ │ │ └ - documentation: Settings for user pool actions when Amazon Cognito detects compromised credentials with threat protection in full-function `ENFORCED` mode. │ │ │ This data type is a request parameter of `API_SetRiskConfiguration` and a response parameter of `API_DescribeRiskConfiguration` . │ │ │ + documentation: Settings for user pool actions when Amazon Cognito detects compromised credentials with advanced security features in full-function `ENFORCED` mode. │ │ ├[~] type CompromisedCredentialsRiskConfigurationType │ │ │ └ - documentation: Settings for compromised-credentials actions and authentication-event sources with threat protection in full-function `ENFORCED` mode. │ │ │ This data type is a request parameter of `API_SetRiskConfiguration` and a response parameter of `API_DescribeRiskConfiguration` . │ │ │ + documentation: Settings for compromised-credentials actions and authentication-event sources with advanced security features in full-function `ENFORCED` mode. │ │ ├[~] type NotifyConfigurationType │ │ │ └ - documentation: The configuration for Amazon SES email messages that threat protection sends to a user when your adaptive authentication automated response has a *Notify* action. │ │ │ This data type is a request parameter of `API_SetRiskConfiguration` and a response parameter of `API_DescribeRiskConfiguration` . │ │ │ + documentation: The configuration for Amazon SES email messages that advanced security features sends to a user when your adaptive authentication automated response has a *Notify* action. │ │ ├[~] type NotifyEmailType │ │ │ └ - documentation: The template for email messages that threat protection sends to a user when your threat protection automated response has a *Notify* action. │ │ │ This data type is a request parameter of `API_SetRiskConfiguration` and a response parameter of `API_DescribeRiskConfiguration` . 
│ │ │ + documentation: The template for email messages that advanced security features sends to a user when your threat protection automated response has a *Notify* action. │ │ └[~] type RiskExceptionConfigurationType │ │ └ - documentation: Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges. │ │ This data type is a request parameter of `API_SetRiskConfiguration` and a response parameter of `API_DescribeRiskConfiguration` . │ │ + documentation: Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges. │ ├[~] resource AWS::Cognito::UserPoolUICustomizationAttachment │ │ └ - documentation: A container for the UI customization information for the hosted UI in a user pool. │ │ This data type is a response parameter of `API_DescribeUserPoolClient` . │ │ + documentation: A container for the UI customization information for the hosted UI in a user pool. │ └[~] resource AWS::Cognito::UserPoolUser │ ├ properties │ │ └ UserAttributes: (documentation changed) │ └ types │ └[~] type AttributeType │ └ - documentation: The name and value of a user attribute. │ This data type is a request parameter of `API_AdminUpdateUserAttributes` and `API_UpdateUserAttributes` . │ + documentation: The name and value of a user attribute. ├[~] service aws-customerprofiles │ └ resources │ └[~] resource AWS::CustomerProfiles::EventTrigger │ ├ - documentation: An event trigger resource of Amazon Connect Customer Profiles │ │ + documentation: Specifies the rules to perform an action based on customer ingested data. 
│ └ types │ └[~] type ObjectAttribute │ └ properties │ └ Values: (documentation changed) ├[~] service aws-datazone │ └ resources │ └[~] resource AWS::DataZone::DataSource │ ├ properties │ │ ├[+] ConnectionIdentifier: string (immutable) │ │ └ EnvironmentIdentifier: - string (required, immutable) │ │ + string (immutable) │ ├ attributes │ │ └[+] ConnectionId: string │ └ types │ ├[~] type GlueRunConfigurationInput │ │ └ properties │ │ └[+] CatalogName: string │ └[~] type RedshiftRunConfigurationInput │ └ properties │ ├ RedshiftCredentialConfiguration: - RedshiftCredentialConfiguration (required) │ │ + RedshiftCredentialConfiguration │ └ RedshiftStorage: - RedshiftStorage (required) │ + RedshiftStorage ├[~] service aws-ec2 │ └ resources │ └[~] resource AWS::EC2::LaunchTemplate │ └ types │ └[~] type NetworkInterface │ └ properties │ └ DeviceIndex: (documentation changed) ├[~] service aws-ecs │ └ resources │ ├[~] resource AWS::ECS::Service │ │ └ types │ │ ├[~] type AwsVpcConfiguration │ │ │ └ properties │ │ │ ├ SecurityGroups: (documentation changed) │ │ │ └ Subnets: (documentation changed) │ │ └[~] type ServiceManagedEBSVolumeConfiguration │ │ └ properties │ │ └[+] VolumeInitializationRate: integer │ └[~] resource AWS::ECS::TaskSet │ └ types │ └[~] type AwsVpcConfiguration │ └ properties │ ├ SecurityGroups: (documentation changed) │ └ Subnets: (documentation changed) ├[~] service aws-efs │ └ resources │ └[~] resource AWS::EFS::MountTarget │ └ properties │ └ SecurityGroups: (documentation changed) ├[~] service aws-eks │ └ resources │ └[~] resource AWS::EKS::Nodegroup │ └ types │ └[~] type UpdateConfig │ └ properties │ └[+] UpdateStrategy: string ├[~] service aws-emrserverless │ └ resources │ └[~] resource AWS::EMRServerless::Application │ └ types │ ├[~] type MonitoringConfiguration │ │ └ properties │ │ └[+] PrometheusMonitoringConfiguration: PrometheusMonitoringConfiguration │ └[+] type PrometheusMonitoringConfiguration │ ├ name: PrometheusMonitoringConfiguration │ └ 
properties │ └ RemoteWriteUrl: string ├[~] service aws-fms │ └ resources │ └[~] resource AWS::FMS::Policy │ └ properties │ └[+] ResourceTagLogicalOperator: string ├[~] service aws-gamelift │ └ resources │ └[~] resource AWS::GameLift::GameSessionQueue │ └ types │ └[~] type PriorityConfiguration │ └ properties │ ├ LocationOrder: (documentation changed) │ └ PriorityOrder: (documentation changed) ├[~] service aws-imagebuilder │ └ resources │ ├[~] resource AWS::ImageBuilder::Image │ │ └ types │ │ └[~] type ImageTestsConfiguration │ │ └ properties │ │ └ TimeoutMinutes: (documentation changed) │ ├[~] resource AWS::ImageBuilder::ImagePipeline │ │ └ types │ │ └[~] type ImageTestsConfiguration │ │ └ properties │ │ └ TimeoutMinutes: (documentation changed) │ └[~] resource AWS::ImageBuilder::InfrastructureConfiguration │ ├ - documentation: The infrastructure configuration allows you to specify the infrastructure within which to build and test your image. In the infrastructure configuration, you can specify instance types, subnets, and security groups to associate with your instance. You can also associate an Amazon EC2 key pair with the instance used to build your image. This allows you to log on to your instance to troubleshoot if your build fails and you set terminateInstanceOnFailure to false. │ │ + documentation: Creates a new infrastructure configuration. An infrastructure configuration defines the environment in which your image will be built and tested. 
│ └ properties │ ├ InstanceMetadataOptions: (documentation changed) │ ├ InstanceProfileName: (documentation changed) │ ├ InstanceTypes: (documentation changed) │ ├ KeyPair: (documentation changed) │ ├ Logging: (documentation changed) │ ├ ResourceTags: (documentation changed) │ ├ SecurityGroupIds: (documentation changed) │ ├ SnsTopicArn: (documentation changed) │ ├ SubnetId: (documentation changed) │ ├ Tags: (documentation changed) │ └ TerminateInstanceOnFailure: (documentation changed) ├[~] service aws-logs │ └ resources │ ├[~] resource AWS::Logs::Integration │ │ └ types │ │ └[~] type OpenSearchResourceConfig │ │ └ properties │ │ └ DashboardViewerPrincipals: (documentation changed) │ └[~] resource AWS::Logs::Transformer │ ├ - documentation: Creates or updates a *log transformer* for a single log group. You use log transformers to transform log events into a different format, making them easier for you to process and analyze. You can also transform logs from different sources into standardized formats that contains relevant, source-specific information. │ │ After you have created a transformer, CloudWatch Logs performs the transformations at the time of log ingestion. You can then refer to the transformed versions of the logs during operations such as querying with CloudWatch Logs Insights or creating metric filters or subscription filers. │ │ You can also use a transformer to copy metadata from metadata keys into the log events themselves. This metadata can include log group name, log stream name, account ID and Region. │ │ A transformer for a log group is a series of processors, where each processor applies one type of transformation to the log events ingested into this log group. The processors work one after another, in the order that you list them, like a pipeline. 
For more information about the available processors to use in a transformer, see [Processors that you can use](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-Processors) . │ │ Having log events in standardized format enables visibility across your applications for your log analysis, reporting, and alarming needs. CloudWatch Logs provides transformation for common log types with out-of-the-box transformation templates for major AWS log sources such as VPC flow logs, Lambda, and Amazon RDS. You can use pre-built transformation templates or create custom transformation policies. │ │ You can create transformers only for the log groups in the Standard log class. │ │ You can also set up a transformer at the account level. For more information, see [PutAccountPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutAccountPolicy.html) . If there is both a log-group level transformer created with `PutTransformer` and an account-level transformer that could apply to the same log group, the log group uses only the log-group level transformer. It ignores the account-level transformer. │ │ + documentation: Creates or updates a *log transformer* for a single log group. You use log transformers to transform log events into a different format, making them easier for you to process and analyze. You can also transform logs from different sources into standardized formats that contains relevant, source-specific information. │ │ After you have created a transformer, CloudWatch Logs performs the transformations at the time of log ingestion. You can then refer to the transformed versions of the logs during operations such as querying with CloudWatch Logs Insights or creating metric filters or subscription filers. │ │ You can also use a transformer to copy metadata from metadata keys into the log events themselves. 
This metadata can include log group name, log stream name, account ID and Region. │ │ A transformer for a log group is a series of processors, where each processor applies one type of transformation to the log events ingested into this log group. The processors work one after another, in the order that you list them, like a pipeline. For more information about the available processors to use in a transformer, see [Processors that you can use](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html#CloudWatch-Logs-Transformation-Processors) . │ │ Having log events in standardized format enables visibility across your applications for your log analysis, reporting, and alarming needs. CloudWatch Logs provides transformation for common log types with out-of-the-box transformation templates for major AWS log sources such as VPC flow logs, Lambda, and Amazon RDS. You can use pre-built transformation templates or create custom transformation policies. │ │ You can create transformers only for the log groups in the Standard log class. │ │ You can also set up a transformer at the account level. For more information, see [PutAccountPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutAccountPolicy.html) . If there is both a log-group level transformer created with `PutTransformer` and an account-level transformer that could apply to the same log group, the log group uses only the log-group level transformer. It ignores the account-level transformer. │ └ types │ ├[~] type AddKeyEntry │ │ └ - documentation: This object defines one key that will be added with the [addKeys](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-addKey) processor. 
│ │ + documentation: This object defines one key that will be added with the [addKeys](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html#CloudWatch-Logs-Transformation-addKey) processor. │ ├[~] type AddKeys │ │ └ - documentation: This processor adds new key-value pairs to the log event. │ │ For more information about this processor including examples, see [addKeys](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-addKeys) in the *CloudWatch Logs User Guide* . │ │ + documentation: This processor adds new key-value pairs to the log event. │ │ For more information about this processor including examples, see [addKeys](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html#CloudWatch-Logs-Transformation-addKeys) in the *CloudWatch Logs User Guide* . │ ├[~] type CopyValue │ │ └ - documentation: This processor copies values within a log event. You can also use this processor to add metadata to log events by copying the values of the following metadata keys into the log events: `@logGroupName` , `@logGroupStream` , `@accountId` , `@regionName` . │ │ For more information about this processor including examples, see [copyValue](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-copyValue) in the *CloudWatch Logs User Guide* . │ │ + documentation: This processor copies values within a log event. You can also use this processor to add metadata to log events by copying the values of the following metadata keys into the log events: `@logGroupName` , `@logGroupStream` , `@accountId` , `@regionName` . 
│ │ For more information about this processor including examples, see [copyValue](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html#CloudWatch-Logs-Transformation-copyValue) in the *CloudWatch Logs User Guide* . │ ├[~] type CopyValueEntry │ │ └ - documentation: This object defines one value to be copied with the [copyValue](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-copoyValue) processor. │ │ + documentation: This object defines one value to be copied with the [copyValue](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html#CloudWatch-Logs-Transformation-copyValue) processor. │ ├[~] type DateTimeConverter │ │ └ - documentation: This processor converts a datetime string into a format that you specify. │ │ For more information about this processor including examples, see [datetimeConverter](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-datetimeConverter) in the *CloudWatch Logs User Guide* . │ │ + documentation: This processor converts a datetime string into a format that you specify. │ │ For more information about this processor including examples, see [datetimeConverter](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html#CloudWatch-Logs-Transformation-datetimeConverter) in the *CloudWatch Logs User Guide* . │ ├[~] type DeleteKeys │ │ └ - documentation: This processor deletes entries from a log event. These entries are key-value pairs. │ │ For more information about this processor including examples, see [deleteKeys](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-deleteKeys) in the *CloudWatch Logs User Guide* . 
│ │ + documentation: This processor deletes entries from a log event. These entries are key-value pairs. │ │ For more information about this processor including examples, see [deleteKeys](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html#CloudWatch-Logs-Transformation-deleteKeys) in the *CloudWatch Logs User Guide* . │ ├[~] type Grok │ │ ├ - documentation: This processor uses pattern matching to parse and structure unstructured data. This processor can also extract fields from log messages. │ │ │ For more information about this processor including examples, see [grok](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-Grok) in the *CloudWatch Logs User Guide* . │ │ │ + documentation: This processor uses pattern matching to parse and structure unstructured data. This processor can also extract fields from log messages. │ │ │ For more information about this processor including examples, see [grok](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html#CloudWatch-Logs-Transformation-Grok) in the *CloudWatch Logs User Guide* . │ │ └ properties │ │ └ Match: (documentation changed) │ ├[~] type LowerCaseString │ │ └ - documentation: This processor converts a string to lowercase. │ │ For more information about this processor including examples, see [lowerCaseString](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-lowerCaseString) in the *CloudWatch Logs User Guide* . │ │ + documentation: This processor converts a string to lowercase. │ │ For more information about this processor including examples, see [lowerCaseString](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html#CloudWatch-Logs-Transformation-lowerCaseString) in the *CloudWatch Logs User Guide* . 
│ ├[~] type MoveKeys │ │ └ - documentation: This processor moves a key from one field to another. The original key is deleted. │ │ For more information about this processor including examples, see [moveKeys](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-moveKeys) in the *CloudWatch Logs User Guide* . │ │ + documentation: This processor moves a key from one field to another. The original key is deleted. │ │ For more information about this processor including examples, see [moveKeys](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html#CloudWatch-Logs-Transformation-moveKeys) in the *CloudWatch Logs User Guide* . │ ├[~] type ParseCloudfront │ │ └ - documentation: This processor parses CloudFront vended logs, extract fields, and convert them into JSON format. Encoded field values are decoded. Values that are integers and doubles are treated as such. For more information about this processor including examples, see [parseCloudfront](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-parseCloudfront) │ │ For more information about CloudFront log format, see [Configure and use standard logs (access logs)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html) . │ │ If you use this processor, it must be the first processor in your transformer. │ │ + documentation: This processor parses CloudFront vended logs, extract fields, and convert them into JSON format. Encoded field values are decoded. Values that are integers and doubles are treated as such. 
For more information about this processor including examples, see [parseCloudfront](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html#CloudWatch-Logs-Transformation-parseCloudfront) │ │ For more information about CloudFront log format, see [Configure and use standard logs (access logs)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html) . │ │ If you use this processor, it must be the first processor in your transformer. │ ├[~] type ParseJSON │ │ └ - documentation: This processor parses log events that are in JSON format. It can extract JSON key-value pairs and place them under a destination that you specify. │ │ Additionally, because you must have at least one parse-type processor in a transformer, you can use `ParseJSON` as that processor for JSON-format logs, so that you can also apply other processors, such as mutate processors, to these logs. │ │ For more information about this processor including examples, see [parseJSON](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-parseJSON) in the *CloudWatch Logs User Guide* . │ │ + documentation: This processor parses log events that are in JSON format. It can extract JSON key-value pairs and place them under a destination that you specify. │ │ Additionally, because you must have at least one parse-type processor in a transformer, you can use `ParseJSON` as that processor for JSON-format logs, so that you can also apply other processors, such as mutate processors, to these logs. │ │ For more information about this processor including examples, see [parseJSON](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html#CloudWatch-Logs-Transformation-parseJSON) in the *CloudWatch Logs User Guide* . 
│ ├[~] type ParsePostgres │ │ └ - documentation: Use this processor to parse RDS for PostgreSQL vended logs, extract fields, and and convert them into a JSON format. This processor always processes the entire log event message. For more information about this processor including examples, see [parsePostGres](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-parsePostGres) . │ │ For more information about RDS for PostgreSQL log format, see [RDS for PostgreSQL database log filesTCP flag sequence](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.PostgreSQL.html#USER_LogAccess.Concepts.PostgreSQL.Log_Format.log-line-prefix) . │ │ > If you use this processor, it must be the first processor in your transformer. │ │ + documentation: Use this processor to parse RDS for PostgreSQL vended logs, extract fields, and and convert them into a JSON format. This processor always processes the entire log event message. For more information about this processor including examples, see [parsePostGres](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html#CloudWatch-Logs-Transformation-parsePostGres) . │ │ For more information about RDS for PostgreSQL log format, see [RDS for PostgreSQL database log filesTCP flag sequence](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.PostgreSQL.html#USER_LogAccess.Concepts.PostgreSQL.Log_Format.log-line-prefix) . │ │ > If you use this processor, it must be the first processor in your transformer. │ ├[~] type ParseRoute53 │ │ └ - documentation: Use this processor to parse Route 53 vended logs, extract fields, and and convert them into a JSON format. This processor always processes the entire log event message. 
For more information about this processor including examples, see [parseRoute53](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-parseRoute53) . │ │ > If you use this processor, it must be the first processor in your transformer. │ │ + documentation: Use this processor to parse Route 53 vended logs, extract fields, and and convert them into a JSON format. This processor always processes the entire log event message. For more information about this processor including examples, see [parseRoute53](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html#CloudWatch-Logs-Transformation-parseRoute53) . │ │ > If you use this processor, it must be the first processor in your transformer. │ ├[~] type ParseWAF │ │ └ - documentation: Use this processor to parse AWS WAF vended logs, extract fields, and and convert them into a JSON format. This processor always processes the entire log event message. For more information about this processor including examples, see [parseWAF](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation.html#CloudWatch-Logs-Transformation-parsePostGres) . │ │ For more information about AWS WAF log format, see [Log examples for web ACL traffic](https://docs.aws.amazon.com/waf/latest/developerguide/logging-examples.html) . │ │ > If you use this processor, it must be the first processor in your transformer. │ │ + documentation: Use this processor to parse AWS WAF vended logs, extract fields, and and convert them into a JSON format. This processor always processes the entire log event message. For more information about this processor including examples, see [parseWAF](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatch-Logs-Transformation-Processors.html#CloudWatch-Logs-Transformation-parsePostGres) . 
│ │ For more information about AWS WAF log format, see [Log examples for web ACL traffic](https://docs.aws.amazon.com/waf/latest/developerguide/logging-examples.html) . │ │ > If you use this processor, it must be the first processor in your transformer. │ ├[~] type Processor │ │ └ properties │ │ ├ CopyValue: (documentation changed) │ │ ├ DateTimeConverter: (documentation changed) │ │ ├ Grok: (documentation changed) │ │ ├ LowerCaseString: (documentation changed) │ │ ├ MoveKeys: (documentation changed) │ │ ├ ParseCloudfront: (documentation changed) │ │ ├ ParseJSON: (documentation changed) │ │ ├ ParseKeyValue: (documentation changed) │ │ ├ ParseRoute53: (documentation changed) │ │ ├ ParseVPC: (documentation changed) │ │ ├ SplitString: (documentation changed) │ │ ├ SubstituteString: (documentation changed) │ │ ├ TrimString: (documentation changed) │ │ ├ TypeConverter: (documentation changed) │ │ └ UpperCaseString: (documentation changed) │ ├[~] type RenameKeyEntry │ │ └ - documentation: This object defines one key that will…
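Review bot: in the `ParseWAF` entry the `parseWAF` link ends in `#CloudWatch-Logs-Transformation-parsePostGres` in both the removed and the added documentation line, so after the move to `CloudWatch-Logs-Transformation-Processors.html` it still lands on the PostgreSQL processor section; the anchor should point at the parseWAF section. While there, the `ParsePostgres`, `ParseRoute53` and `ParseWAF` descriptions all carry the doubled "and and convert", the PostgreSQL link text reads "RDS for PostgreSQL database log filesTCP flag sequence", and the `NotifyEmailType` line now mixes "advanced security features sends" with "your threat protection automated response" in one sentence. None of these are fixed by this update, so they are worth tracking separately.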
There was a test that was waiting a minute for some operation to time out after 7 retries. Make those retries happen faster by hijacking the timer system.
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
(cherry picked from commit c9d4a67)
In a recent upgrade of the SDKv3, the INI credential provider has gotten a private copy of the STS Client, to make AssumeRole calls with. This means the STS Client used by the INI provider is now unmockable. In #31702, we migrated the tests of the credentials chain mostly to using mocks, as opposed to what it was doing in the past: intercepting network traffic and emulating a fake STS Endpoint. These tests now start failing due to an SDK upgrade. Fortunately, most of the old code was still there, so in this change I'm ripping out the STS Mocking and doing a couple minor changes; the tests now pass again. This PR also upgrades the SDKv3 version at the same time, some other packages that needed to be upgraded along with this as well (`@smithy/middleware-endpoint` and `cdk-assets` which covers a new enum value for the S3 client).
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---------
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
(cherry picked from commit d4845ce)
…sk (#33003)
### Issue # (if applicable)
N/A.
### Reason for this change
Raise awareness on the `*` used for resources in the default policy in the `Universal` target class.
### Description of changes
README updates and added a new warning.
### Describe any new or updated permissions being added
None
### Description of how you validated changes
Unit tests.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
(cherry picked from commit fa2327d)
### Reason for this change
Previously it was possible to import any subpaths from the `aws-cdk`
package ("the CLI"). This was never intended to be allowed, or
supported. In practice, these subpath imports allowed users to depend
on internal CLI APIs that are not intended for public usage and do not
receive the same backwards compatibility guarantees as other parts of
the AWS CDK.
**With this change we are explicitly disallowing unsanctioned subpath
imports.**
We are currently in the process of making most CLI features available
through a new Programmatic Toolkit library. Please see the [respective
RFC](aws/aws-cdk-rfcs#654) and let us know if
you have a use case that is not currently covered by the proposed
feature set.
In order to not immediately break all customers using unsanctioned
subpath imports, we have identified a subset of symbols that we will
keep exporting in the short-time future. **You are still very strongly
encouraged to move off any of these features asap.** We are actively
considering to emit warnings and enact brown-outs to inform users of
this removal.
### Description of changes
Added the new legacy exports to `aws-cdk`.
Also change some imports in `aws-cdk` to use the lower-level path
instead of `lib/index`.
In `cli-lib-alpha` we now import from the CLI package via file paths,
instead of the package. This is intentional because we don't actually
need or want to depend on the `aws-cdk` package as `cli-lib-alpha`
is bundling everything itself. Although we still have a dependency on
`aws-cdk` at the moment because we need its build to run to produce some
other artifacts. Soon these imports will change to
`../../../tmp-aws-cdk/lib` and import from the temporary package that
holds all library code. We already do the same in the toolkit package.
### Describe any new or updated permissions being added
none
### Description of how you validated changes
Existing tests
### Checklist
- [x] My code adheres to the [CONTRIBUTING
GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and
[DESIGN
GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license*
(cherry picked from commit e5ac918)
|
➡️ PR build request submitted to A maintainer must now check the pipeline and add the |
(This review is outdated)
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
|
Comments on closed issues and PRs are hard for our team to see. |
the bump PR is too big and causing some issues when run
git diff