diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md index 9aebf18134056..8e9468258ed6b 100644 --- a/CHANGELOG.v2.alpha.md +++ b/CHANGELOG.v2.alpha.md @@ -2,6 +2,18 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.189.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.188.0-alpha.0...v2.189.0-alpha.0) (2025-04-09) + + +### Features + +* **ec2-alpha:** implement mapPublicIpOnLaunch prop in SubnetV2 ([#34057](https://github.com/aws/aws-cdk/issues/34057)) ([836c5cf](https://github.com/aws/aws-cdk/commit/836c5cf3e4c627f817e4dc8ed2af28a5bba54792)), closes [#32159](https://github.com/aws/aws-cdk/issues/32159) + + +### Bug Fixes + +* **amplify:** unable to re-run integ test due to missing `status` field in `customRule` ([#33973](https://github.com/aws/aws-cdk/issues/33973)) ([6638c08](https://github.com/aws/aws-cdk/commit/6638c08d56afe7ecc4f23cff4cf334b887001e5e)), closes [#33962](https://github.com/aws/aws-cdk/issues/33962) + ## [2.188.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.187.0-alpha.0...v2.188.0-alpha.0) (2025-04-03) diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md index 525eefb91b2a7..82d1e828a985c 100644 --- a/CHANGELOG.v2.md +++ b/CHANGELOG.v2.md 
@@ -2,6 +2,23 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.189.0](https://github.com/aws/aws-cdk/compare/v2.188.0...v2.189.0) (2025-04-09) + + +### Features + +* **apigatewayv2:** dualstack HTTP and WebSocket API ([#34054](https://github.com/aws/aws-cdk/issues/34054)) ([eec900e](https://github.com/aws/aws-cdk/commit/eec900e90f38f34f896b22cf36cb225fc9c13cc8)) +* update L1 CloudFormation resource definitions ([#34064](https://github.com/aws/aws-cdk/issues/34064)) ([9cb2602](https://github.com/aws/aws-cdk/commit/9cb260266e92f45e40a19667e29ccf2decb3d2b8)) +* **bedrock:** support Amazon Nova Reel 1.1 ([#34070](https://github.com/aws/aws-cdk/issues/34070)) ([3da0c4d](https://github.com/aws/aws-cdk/commit/3da0c4d267dbb693ffc01b9fae69cebcb180cdec)) +* support L2 constructs for Amazon S3 Tables ([#33599](https://github.com/aws/aws-cdk/issues/33599)) ([2e95252](https://github.com/aws/aws-cdk/commit/2e95252fecbb1fec9874fd5af4b4bd6449d50471)) +* **pipelines:** add `V2` pipeline type support in L3 construct ([#34005](https://github.com/aws/aws-cdk/issues/34005)) ([994e952](https://github.com/aws/aws-cdk/commit/994e95289b589596179553a5b9d7201155bd9ed1)), closes [#33995](https://github.com/aws/aws-cdk/issues/33995) + + +### Bug Fixes + +* **codepipeline:** replace account root principal with pipeline role in trust policy for cross-account actions (under feature flag) ([#34074](https://github.com/aws/aws-cdk/issues/34074)) ([2d901f4](https://github.com/aws/aws-cdk/commit/2d901f4e7bb982221e1a48a13666939140109d5a)) +* **custom-resources:** `AwsCustomResource` assumed role session name may contain invalid characters ([#34016](https://github.com/aws/aws-cdk/issues/34016)) ([32b6b4d](https://github.com/aws/aws-cdk/commit/32b6b4d7fa99723efb667239fbe455ede43b92c6)), closes [#23260](https://github.com/aws/aws-cdk/issues/23260) 
[#34011](https://github.com/aws/aws-cdk/issues/34011)
+
 ## [2.188.0](https://github.com/aws/aws-cdk/compare/v2.187.0...v2.188.0) (2025-04-03)
diff --git a/packages/aws-cdk-lib/core/lib/analytics-data-source/classes.ts b/packages/aws-cdk-lib/core/lib/analytics-data-source/classes.ts
index 2e9c397f6e51e..2cf57fd0cb5c2 100644
--- a/packages/aws-cdk-lib/core/lib/analytics-data-source/classes.ts
+++ b/packages/aws-cdk-lib/core/lib/analytics-data-source/classes.ts
@@ -918,6 +918,7 @@ export const AWS_CDK_CONSTRUCTOR_PROPS: { [key: string]: any } = {
 'subnetType': 'SubnetType',
 'subnetName': '*',
 'assignIpv6AddressOnCreation': 'boolean',
+ 'mapPublicIpOnLaunch': 'boolean',
 'associateNetworkAcl': [
 '*',
 {
@@ -3767,6 +3768,35 @@ export const AWS_CDK_CONSTRUCTOR_PROPS: { [key: string]: any } = {
 'payload': '*'
 }
 },
+ '@aws-cdk.aws-s3tables-alpha': {
+ 'TableBucketPolicy': {
+ 'tableBucket': {
+ 'tableBucketArn': '*',
+ 'tableBucketName': '*',
+ 'account': '*',
+ 'region': '*',
+ 'stack': '*',
+ 'env': {
+ 'account': '*',
+ 'region': '*'
+ },
+ 'node': '*'
+ },
+ 'resourcePolicy': '*',
+ 'removalPolicy': 'RemovalPolicy'
+ },
+ 'TableBucket': {
+ 'tableBucketName': '*',
+ 'unreferencedFileRemoval': {
+ 'noncurrentDays': '*',
+ 'status': 'UnreferencedFileRemovalStatus',
+ 'unreferencedDays': '*'
+ },
+ 'region': '*',
+ 'account': '*',
+ 'removalPolicy': 'RemovalPolicy'
+ }
+ },
 '@aws-cdk.aws-sagemaker-alpha': {
 'EndpointConfig': {
 'endpointConfigName': '*',
diff --git a/packages/aws-cdk-lib/core/lib/analytics-data-source/enums.ts b/packages/aws-cdk-lib/core/lib/analytics-data-source/enums.ts
index 0744855b1b68c..45f6002912c17 100644
--- a/packages/aws-cdk-lib/core/lib/analytics-data-source/enums.ts
+++ b/packages/aws-cdk-lib/core/lib/analytics-data-source/enums.ts
@@ -3519,6 +3519,10 @@ export const AWS_CDK_ENUMS: { [key: string]: any } = {
 'Count/Second',
 'None'
 ],
+ 'UnreferencedFileRemovalStatus': [
+ 'Enabled',
+ 'Disabled'
+ ],
 'UntrustedArtifactOnDeployment': [
 'Enforce',
 'Warn'
diff --git a/packages/aws-cdk-lib/core/lib/analytics-data-source/enums/module-enumlikes.json b/packages/aws-cdk-lib/core/lib/analytics-data-source/enums/module-enumlikes.json
index 30da610529628..725a06f3cdc0b 100644
--- a/packages/aws-cdk-lib/core/lib/analytics-data-source/enums/module-enumlikes.json
+++ b/packages/aws-cdk-lib/core/lib/analytics-data-source/enums/module-enumlikes.json
@@ -556,6 +556,7 @@
 "AMAZON_NOVA_PRO_V1_0",
 "AMAZON_NOVA_PRO_V1_0_300_K",
 "AMAZON_NOVA_REEL_V1_0",
+ "AMAZON_NOVA_REEL_V1_1",
 "AI21_J2_MID",
 "AI21_LABS_JURASSIC_2_MID_V1",
 "AI21_J2_ULTRA",
diff --git a/packages/aws-cdk-lib/core/lib/analytics-data-source/enums/module-enums.json b/packages/aws-cdk-lib/core/lib/analytics-data-source/enums/module-enums.json
index 10c277373b1bf..55855a0baa9e1 100644
--- a/packages/aws-cdk-lib/core/lib/analytics-data-source/enums/module-enums.json
+++ b/packages/aws-cdk-lib/core/lib/analytics-data-source/enums/module-enums.json
@@ -739,6 +739,12 @@
 "ZSTD"
 ]
 },
+ "aws-cdk/packages/@aws-cdk/aws-s3tables-alpha/lib/table-bucket.ts": {
+ "UnreferencedFileRemovalStatus": [
+ "Enabled",
+ "Disabled"
+ ]
+ },
 "aws-cdk/packages/@aws-cdk/aws-sagemaker-alpha/lib/endpoint.ts": {
 "InvocationHttpResponseCode": [
 "Invocation4XXErrors",
@@ -886,6 +892,12 @@
 1
 ]
 },
+ "aws-cdk/packages/aws-cdk-lib/aws-apigatewayv2/lib/common/api.ts": {
+ "IpAddressType": [
+ "ipv4",
+ "dualstack"
+ ]
+ },
 "aws-cdk/packages/aws-cdk-lib/aws-apigatewayv2/lib/common/domain-name.ts": {
 "SecurityPolicy": [
 "TLS_1_0",
diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
index b1b9dda3a855b..198e92cdc706c 100644
--- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
+++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
@@ -95,6 +95,7 @@ Flags come in three types: | [@aws-cdk/aws-events:requireEventBusPolicySid](#aws-cdkaws-eventsrequireeventbuspolicysid) | When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals. | 2.186.0 | (fix) | | [@aws-cdk/aws-dynamodb:retainTableReplica](#aws-cdkaws-dynamodbretaintablereplica) | When enabled, table replica will be default to the removal policy of source table unless specified otherwise. | 2.187.0 | (fix) | | [@aws-cdk/cognito:logUserPoolClientSecretValue](#aws-cdkcognitologuserpoolclientsecretvalue) | When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs. | 2.187.0 | (default) | +| [@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope](#aws-cdkpipelinesreducecrossaccountactionroletrustscope) | When enabled, scopes down the trust policy for the cross-account action role | 2.189.0 | (default) | @@ -222,6 +223,7 @@ are migrating a v1 CDK project to v2, explicitly set any of these flags which do | [@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask](#aws-cdkaws-stepfunctions-tasksusenews3uriparametersforbedrockinvokemodeltask) | When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model. | (fix) | | `false` | `true` | | [@aws-cdk/core:aspectStabilization](#aws-cdkcoreaspectstabilization) | When enabled, a stabilization loop will be run when invoking Aspects during synthesis. | (config) | | `false` | `true` | | [@aws-cdk/pipelines:reduceStageRoleTrustScope](#aws-cdkpipelinesreducestageroletrustscope) | Remove the root account principal from Stage addActions trust policy | (default) | | `false` | `true` | +| [@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope](#aws-cdkpipelinesreducecrossaccountactionroletrustscope) | When enabled, scopes down the trust policy for the cross-account action role | (default) | | `false` | `true` | 
@@ -255,6 +257,7 @@ different environments). This means that the name of the synthesized template file will be based on the construct path and not on the defined `stackName` of the stack. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.16.0 | `false` | `true` | @@ -262,6 +265,7 @@ of the stack. **Compatibility with old behavior:** Pass stack identifiers to the CLI instead of stack names. + ### aws-cdk:enableDiffNoFail *Make `cdk diff` not fail when there are differences* (default) @@ -269,13 +273,14 @@ of the stack. Determines what status code `cdk diff` should return when the specified stack differs from the deployed stack or the local CloudFormation template: -- `aws-cdk:enableDiffNoFail=true` => status code == 0 -- `aws-cdk:enableDiffNoFail=false` => status code == 1 +* `aws-cdk:enableDiffNoFail=true` => status code == 0 +* `aws-cdk:enableDiffNoFail=false` => status code == 1 You can override this behavior with the --fail flag: -- `--fail` => status code == 1 -- `--no-fail` => status code == 0 +* `--fail` => status code == 1 +* `--no-fail` => status code == 0 + | Since | Default | Recommended | | ----- | ----- | ----- | @@ -284,6 +289,7 @@ You can override this behavior with the --fail flag: **Compatibility with old behavior:** Specify `--fail` to the CLI. + ### @aws-cdk/aws-ecr-assets:dockerIgnoreSupport *DockerImageAsset properly supports `.dockerignore` files by default* (default) @@ -295,6 +301,7 @@ is standard Docker ignore semantics. This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.73.0 | `false` | `true` | @@ -302,6 +309,7 @@ users may have come to depend on it. **Compatibility with old behavior:** Update your `.dockerignore` file to match standard Docker ignore rules, if necessary. + ### @aws-cdk/aws-secretsmanager:parseOwnedSecretName *Fix the referencing of SecretsManager names from ARNs* (default) 
@@ -312,6 +320,7 @@ rather than the default full resource name, which includes the SecretsManager su If this flag is not set, Secret.secretName will include the SecretsManager suffix, which cannot be directly used by SecretsManager.DescribeSecret, and must be parsed by the user first (e.g., Fn:Join, Fn:Select, Fn:Split). + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.77.0 | `false` | `true` | @@ -319,6 +328,7 @@ used by SecretsManager.DescribeSecret, and must be parsed by the user first (e.g **Compatibility with old behavior:** Use `parseArn(secret.secretName).resourceName` to emulate the incorrect old parsing. + ### @aws-cdk/aws-kms:defaultKeyPolicies *Tighten default KMS key policies* (default) @@ -335,6 +345,7 @@ true, the policy matches what happens when this feature flag is set. Additionally, if this flag is not set and the user supplies a custom key policy, this will be appended to the key's default policy (rather than replacing it). + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.78.0 | `false` | `true` | @@ -342,6 +353,7 @@ to the key's default policy (rather than replacing it). **Compatibility with old behavior:** Pass `trustAccountIdentities: false` to `Key` construct to restore the old behavior. + ### @aws-cdk/aws-s3:grantWriteWithoutAcl *Remove `PutObjectAcl` from Bucket.grantWrite* (default) @@ -352,6 +364,7 @@ which could be used to grant read/write object access to IAM principals in other Use a feature flag to make sure existing customers who might be relying on the overly-broad permissions are not broken. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.85.0 | `false` | `true` | @@ -359,6 +372,7 @@ on the overly-broad permissions are not broken. **Compatibility with old behavior:** Call `bucket.grantPutAcl()` in addition to `bucket.grantWrite()` to grant ACL permissions. + ### @aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount *Do not specify a default DesiredCount for ECS services* (default) 
@@ -373,6 +387,7 @@ If this flag is not set, the default behaviour for CfnService.desiredCount is to desiredCount of 1, if one is not provided. If true, a default will not be defined for CfnService.desiredCount and as such desiredCount will be undefined, if one is not provided. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.92.0 | `false` | `true` | @@ -380,12 +395,14 @@ CfnService.desiredCount and as such desiredCount will be undefined, if one is no **Compatibility with old behavior:** You can pass `desiredCount: 1` explicitly, but you should never need this. + ### @aws-cdk/aws-efs:defaultEncryptionAtRest *Enable this feature flag to have elastic file systems encrypted at rest by default.* (default) Encryption can also be configured explicitly using the `encrypted` property. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.98.0 | `false` | `true` | @@ -393,6 +410,7 @@ Encryption can also be configured explicitly using the `encrypted` property. **Compatibility with old behavior:** Pass the `encrypted: false` property to the `FileSystem` construct to disable encryption. + ### @aws-cdk/core:newStyleStackSynthesis *Switch to new stack synthesis method which enables CI/CD* (fix) @@ -400,11 +418,13 @@ Encryption can also be configured explicitly using the `encrypted` property. If this flag is specified, all `Stack`s will use the `DefaultStackSynthesizer` by default. If it is not set, they will use the `LegacyStackSynthesizer`. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.39.0 | `false` | `true` | | 2.0.0 | `true` | `true` | + ### @aws-cdk/core:stackRelativeExports *Name exports based on the construct paths relative to the stack, rather than the global construct path* (fix) 
@@ -414,11 +434,13 @@ ensure uniqueness, and makes the export names robust against refactoring the location of the stack in the construct tree (specifically, moving the Stack into a Stage). + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.58.0 | `false` | `true` | | 2.0.0 | `true` | `true` | + ### @aws-cdk/aws-rds:lowercaseDbIdentifier *Force lowercasing of RDS Cluster names in CDK* (fix) @@ -433,11 +455,13 @@ Must be behind a permanent flag because changing a name from mixed case to lower would lead CloudFormation to think the name was changed and would trigger a cluster replacement (losing data!). + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.97.0 | `false` | `true` | | 2.0.0 | `true` | `true` | + ### @aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId *Allow adding/removing multiple UsagePlanKeys independently* (fix) @@ -455,11 +479,13 @@ which again is disallowed. In effect, there is no way to get out of this mess in a backwards compatible way, while supporting existing stacks. This flag changes the logical id layout of UsagePlanKey to not be sensitive to order. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.98.0 | `false` | `true` | | 2.0.0 | `true` | `true` | + ### @aws-cdk/aws-lambda:recognizeVersionProps *Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.* (fix) 
@@ -469,22 +495,26 @@ not constitute creating a new Version. See 'currentVersion' section in the aws-lambda module's README for more details. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.106.0 | `false` | `true` | | 2.0.0 | `true` | `true` | + ### @aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021 *Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.* (fix) The security policy can also be configured explicitly using the `minimumProtocolVersion` property. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.117.0 | `false` | `true` | | 2.0.0 | `true` | `true` | + ### @aws-cdk/core:target-partitions *What regions to include in lookup tables of environment agnostic stacks* (config) @@ -494,11 +524,13 @@ of unnecessary regions included in stacks without a known region. The type of this value should be a list of strings. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.137.0 | `false` | `["aws","aws-cn"]` | | 2.4.0 | `false` | `["aws","aws-cn"]` | + ### @aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver *ECS extensions will automatically add an `awslogs` driver if no logging is specified* (default) @@ -508,6 +540,7 @@ Enable this feature flag to configure default logging behavior for the ECS Servi This is a feature flag as the new behavior provides a better default experience for the users. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.140.0 | `false` | `true` | @@ -515,6 +548,7 @@ This is a feature flag as the new behavior provides a better default experience **Compatibility with old behavior:** Specify a log driver explicitly. + ### @aws-cdk/aws-ec2:uniqueImdsv2TemplateName *Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names.* (fix) 
@@ -525,11 +559,13 @@ account and region, the deployments would always fail as the generated Launch Te The new implementation addresses this issue by generating the Launch Template name with the `Names.uniqueId` method. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.140.0 | `false` | `true` | | 2.8.0 | `false` | `true` | + ### @aws-cdk/aws-iam:minimizePolicies *Minimize IAM policies by combining Statements* (config) @@ -538,11 +574,13 @@ Minimize IAM policies by combining Principals, Actions and Resources of two Statements in the policies, as long as it doesn't change the meaning of the policy. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.150.0 | `false` | `true` | | 2.18.0 | `false` | `true` | + ### @aws-cdk/core:checkSecretUsage *Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations* (config) @@ -551,11 +589,13 @@ With this flag enabled, `SecretValue` instances can only be passed to constructs that accept `SecretValue`s; otherwise, `unsafeUnwrap()` must be called to use it as a regular string. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.153.0 | `false` | `true` | | 2.21.0 | `false` | `true` | + ### @aws-cdk/aws-lambda:recognizeLayerVersion *Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.* (fix) @@ -564,11 +604,13 @@ This flag correct incorporates Lambda Layer properties into the Lambda Function See 'currentVersion' section in the aws-lambda module's README for more details. + | Since | Default | Recommended | | ----- | ----- | ----- | | 1.159.0 | `false` | `true` | | 2.27.0 | `false` | `true` | + ### @aws-cdk/core:validateSnapshotRemovalPolicy *Error on snapshot removal policies on resources that do not support it.* (default) 
@@ -578,6 +620,7 @@ If supplied on an unsupported resource, CloudFormation ignores the policy altoge This flag will reduce confusion and unexpected loss of data when erroneously supplying the snapshot removal policy. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -585,6 +628,7 @@ the snapshot removal policy. **Compatibility with old behavior:** The old behavior was incorrect. Update your source to not specify SNAPSHOT policies on resources that do not support it. + ### @aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName *Generate key aliases that include the stack name* (fix) @@ -596,11 +640,13 @@ the KMS key alias name created for these pipelines may be the same due to how th This new implementation creates a stack safe resource name for the alias using the stack name instead of the stack ID. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.29.0 | `false` | `true` | + ### @aws-cdk/aws-s3:createDefaultLoggingPolicy *Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist.* (fix) @@ -614,13 +660,15 @@ and error indicating that a bucket policy already exists. In cases where we know what the required policy is we can go ahead and create the policy so we can remain in control of it. -@see +@see https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3 + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.31.0 | `false` | `true` | + ### @aws-cdk/aws-sns-subscriptions:restrictSqsDescryption *Restrict KMS key policy for encrypted Queues a bit more* (fix) 
@@ -632,11 +680,13 @@ Previously the decryption was only restricted to the SNS service principal. To m secure, it is a good practice to restrict the decryption further and only allow the connected SNS topic to decryption the subscribed queue. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.32.0 | `false` | `true` | + ### @aws-cdk/aws-ecs:arnFormatIncludesClusterName *ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID.* (fix) 
@@ -646,31 +696,35 @@ If this flag is set, the new ARN format (with cluster name) for ECS is used. This is a feature flag as the old format is still valid for existing ECS clusters. -See +See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-account-settings.html#ecs-resource-ids + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.35.0 | `false` | `true` | + ### @aws-cdk/aws-apigateway:disableCloudWatchRole *Make default CloudWatch Role behavior safe for multiple API Gateways in one environment* (fix) Enable this feature flag to change the default behavior for aws-apigateway.RestApi and aws-apigateway.SpecRestApi -to *not* create a CloudWatch role and Account. There is only a single ApiGateway account per AWS +to _not_ create a CloudWatch role and Account. There is only a single ApiGateway account per AWS environment which means that each time you create a RestApi in your account the ApiGateway account is overwritten. If at some point the newest RestApi is deleted, the ApiGateway Account and CloudWatch role will also be deleted, breaking any existing ApiGateways that were depending on them. When this flag is enabled you should either create the ApiGateway account and CloudWatch role -separately *or* only enable the cloudWatchRole on a single RestApi. +separately _or_ only enable the cloudWatchRole on a single RestApi. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.38.0 | `false` | `true` | + ### @aws-cdk/core:enablePartitionLiterals *Make ARNs concrete if AWS partition is known* (fix) 
@@ -699,11 +753,13 @@ Principal: The intrinsic function will still be used in Stacks where no region is defined or the region's partition is unknown. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.38.0 | `false` | `true` | + ### @aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker *Avoid setting the "ECS" deployment controller when adding a circuit breaker* (fix) @@ -714,11 +770,13 @@ This does not change any behaviour as the default deployment controller when it This is a feature flag as the new behavior provides a better default experience for the users. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.51.0 | `false` | `true` | + ### @aws-cdk/aws-events:eventsTargetQueueSameAccount *Event Rules may only push to encrypted SQS queues in the same account* (fix) @@ -727,11 +785,13 @@ This flag applies to SQS Queues that are used as the target of event Rules. When from the same account as the Rule can send messages. If a queue is unencrypted, this restriction will always apply, regardless of the value of this flag. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.51.0 | `false` | `true` | + ### @aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName *Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in.* (fix) @@ -742,11 +802,13 @@ of a role using the same default policy name. This new implementation creates default policy names based on the constructs node path in their stack. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.60.0 | `false` | `true` | + ### @aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy *Use S3 Bucket Policy instead of ACLs for Server Access Logging* (fix) 
@@ -758,13 +820,15 @@ enabled on the bucket. This flag uses a Bucket Policy statement to allow Server Access Log delivery, following best practices for S3. -@see +@see https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.60.0 | `false` | `true` | + ### @aws-cdk/customresources:installLatestAwsSdkDefault *Whether to install the latest SDK by default in AwsCustomResource* (default) @@ -776,6 +840,7 @@ do not have internet access, or in environments where 'npmjs.com' is not availab The recommended setting is to disable the default installation behavior, and pass the flag on a resource-by-resource basis to enable it if necessary. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -783,6 +848,7 @@ flag on a resource-by-resource basis to enable it if necessary. **Compatibility with old behavior:** Set installLatestAwsSdk: true on all resources that need it. + ### @aws-cdk/aws-route53-patters:useCertificate *Use the official `Certificate` resource instead of `DnsValidatedCertificate`* (default) @@ -792,6 +858,7 @@ of the deprecated `DnsValidatedCertificate` construct. If this flag is enabled a the stack in a region other than us-east-1 then you must also set `crossRegionReferences=true` on the stack. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -799,6 +866,7 @@ stack. **Compatibility with old behavior:** Define a `DnsValidatedCertificate` explicitly and pass in the `certificate` property + ### @aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup *Remove CloudWatch alarms from deployment group* (fix) 
@@ -807,11 +875,13 @@ Enable this flag to be able to remove all CloudWatch alarms from a deployment gr the alarms from the construct. If this flag is not set, removing all alarms from the construct will still leave the alarms configured for the deployment group. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.65.0 | `false` | `true` | + ### @aws-cdk/aws-rds:databaseProxyUniqueResourceName *Use unique resource name for Database Proxy* (fix) @@ -824,11 +894,13 @@ If this flag is set, the default behavior is to use unique resource names for ea This is a feature flag as the old behavior was technically incorrect, but users may have come to depend on it. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.65.0 | `false` | `true` | + ### @aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId *Include authorizer configuration in the calculation of the API deployment logical ID.* (fix) @@ -838,11 +910,13 @@ the API configuration, including methods, and resources, etc. Enable this featur to also include the configuration of any authorizer attached to the API in the calculation, so any changes made to an authorizer will create a new deployment. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.66.0 | `false` | `true` | + ### @aws-cdk/aws-ec2:launchTemplateDefaultUserData *Define user data for a launch template by default when a machine image is provided.* (fix) @@ -851,11 +925,13 @@ The ec2.LaunchTemplate construct did not define user data when a machine image i provided despite the document. If this is set, a user data is automatically defined according to the OS of the machine image. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.67.0 | `false` | `true` | + ### @aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments *SecretTargetAttachments uses the ResourcePolicy of the attached Secret.* (fix) 
@@ -871,11 +947,13 @@ This won't be possible without intervention due to limitation outlined above. First remove all permissions granted to the Secret and deploy without the ResourcePolicies. Then you can re-add the permissions and deploy again. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.67.0 | `false` | `true` | + ### @aws-cdk/aws-redshift:columnId *Whether to use an ID to track Redshift column changes* (fix) @@ -892,11 +970,13 @@ than their `name`. This will prevent data loss when columns are renamed. initial deployment, the columns will be dropped and recreated, causing data loss. After the initial deployment of the `id`s, the `name`s of the columns can be changed without data loss. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.68.0 | `false` | `true` | + ### @aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2 *Enable AmazonEMRServicePolicy_v2 managed policies* (fix) @@ -910,11 +990,13 @@ managed policies. This is a feature flag as the old behavior will be deprecated, but some resources may require manual intervention since they might not have the appropriate tags propagated automatically. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.72.0 | `false` | `true` | + ### @aws-cdk/aws-apigateway:requestValidatorUniqueId *Generate a unique id for each RequestValidator added to a method* (fix) @@ -925,11 +1007,13 @@ providing the `RequestValidatorOptions` in the `addMethod()` method. If the flag is not set then only a single RequestValidator can be added in this way. Any additional RequestValidators have to be created directly with `new RequestValidator`. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.78.0 | `false` | `true` | + ### @aws-cdk/aws-ec2:restrictDefaultSecurityGroup *Restrict access to the VPC default security group* (default) 
@@ -939,17 +1023,20 @@ VPC default security group. When a VPC is created, a default security group is created as well and this cannot be deleted. The default security group is created with ingress/egress rules that allow -*all* traffic. [AWS Security best practices recommend](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2) +_all_ traffic. [AWS Security best practices recommend](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2) removing these ingress/egress rules in order to restrict access to the default security group. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.78.0 | `false` | `true` | -**Compatibility with old behavior:** +**Compatibility with old behavior:** To allow all ingress/egress traffic to the VPC default security group you can set the `restrictDefaultSecurityGroup: false`. + + ### @aws-cdk/aws-kms:aliasNameRef @@ -961,11 +1048,13 @@ when referencing key.aliasName or key.keyArn. If the flag is not set then a raw string is passed as the Alias name and no implicit dependencies will be set. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.83.0 | `false` | `true` | + ### @aws-cdk/core:includePrefixInUniqueNameGeneration *Include the stack prefix in the stack name generation process* (fix) @@ -979,11 +1068,13 @@ If the flag is not set, then the prefix of the stack is prepended to the generat feature flag can lead to a change in stacks' name. Changing a stack name mean recreating the whole stack, which is not viable in some productive setups. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.84.0 | `false` | `true` | + ### @aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig *Generate a launch template when creating an AutoScalingGroup* (fix) 
@@ -996,14 +1087,17 @@ will now create an equivalent 'launchTemplate'. Alternatively, users can provide attempt to set user data according to the OS of the machine image if explicit user data is not provided. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.88.0 | `false` | `true` | -**Compatibility with old behavior:** +**Compatibility with old behavior:** If backwards compatibility needs to be maintained due to an existing autoscaling group using a launch config, set this flag to false. + + ### @aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby @@ -1012,6 +1106,7 @@ provided. If this is set, an opensearch domain will automatically be created with multi-az with standby enabled. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1019,6 +1114,7 @@ multi-az with standby enabled. **Compatibility with old behavior:** Pass `capacity.multiAzWithStandbyEnabled: false` to `Domain` construct to restore the old behavior. + ### @aws-cdk/aws-efs:denyAnonymousAccess *EFS denies anonymous clients accesses* (default) @@ -1029,6 +1125,7 @@ access to `efs.FileSystem`. If this flag is not set, `efs.FileSystem` will allow all anonymous clients that can access over the network. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1036,6 +1133,7 @@ that can access over the network. **Compatibility with old behavior:** You can pass `allowAnonymousAccess: true` so allow anonymous clients access. + ### @aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId *When enabled, mount targets will have a stable logicalId that is linked to the associated subnet.* (fix) 
@@ -1047,11 +1145,13 @@ subnets changes. Set this flag to false for existing mount targets. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.93.0 | `false` | `true` | + ### @aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion *Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default* (default) @@ -1061,6 +1161,7 @@ functions will us the latest version of the runtime provided by the Lambda service. Do not use this if you your lambda function is reliant on dependencies shipped as part of the runtime environment. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1068,6 +1169,7 @@ shipped as part of the runtime environment. **Compatibility with old behavior:** Pass `runtime: lambda.Runtime.NODEJS_16_X` to `Function` construct to restore the previous behavior. + ### @aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier *When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id.* (fix) @@ -1076,11 +1178,13 @@ When this feature flag is enabled, we use the IGraphqlApi ARN rather than ID whe the GraphqlApi construct. Using the ARN allows the association to support an association with a source api or merged api in another account. Note that for existing source api associations created with this flag disabled, enabling the flag will lead to a resource replacement. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.97.0 | `false` | `true` | + ### @aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters *When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change.* (fix) 
@@ -1092,11 +1196,13 @@ from AuroraCluster. If the flag is set to false then it can only make one `AuroraClusterInstance` with each `InstanceParameterGroup` in the AuroraCluster. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.97.0 | `false` | `true` | + ### @aws-cdk/aws-rds:preventRenderingDeprecatedCredentials *When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials.* (fix) @@ -1114,11 +1220,13 @@ Set this flag to prevent rendering deprecated `credentials` and creating an extra database secret when only using `snapshotCredentials` to create an RDS database cluster from a snapshot. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.98.0 | `false` | `true` | + ### @aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource *When enabled, the CodeCommit source action is using the default branch name 'main'.* (fix) @@ -1127,11 +1235,13 @@ When setting up a CodeCommit source action for the source stage of a pipeline, p default branch is 'master'. However, with the activation of this feature flag, the default branch is updated to 'main'. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.103.1 | `false` | `true` | + ### @aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction *When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID.* (fix) @@ -1143,11 +1253,13 @@ can be created with `LambdaAction`. If the flag is set to false then it can only make one alarm for the Lambda with `LambdaAction`. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.124.0 | `false` | `true` | + ### @aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse *Enables Pipeline to set the default value for crossAccountKeys to false.* (default) 
@@ -1155,6 +1267,7 @@ If the flag is set to false then it can only make one alarm for the Lambda with When this feature flag is enabled, and the `crossAccountKeys` property is not provided in a `Pipeline` construct, the construct automatically defaults the value of this property to false. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1162,6 +1275,7 @@ construct, the construct automatically defaults the value of this property to fa **Compatibility with old behavior:** Pass `crossAccountKeys: true` to `Pipeline` construct to restore the previous behavior. + ### @aws-cdk/aws-codepipeline:defaultPipelineTypeToV2 *Enables Pipeline to set the default pipeline type to V2.* (default) @@ -1169,6 +1283,7 @@ construct, the construct automatically defaults the value of this property to fa When this feature flag is enabled, and the `pipelineType` property is not provided in a `Pipeline` construct, the construct automatically defaults the value of this property to `PipelineType.V2`. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1176,6 +1291,7 @@ construct, the construct automatically defaults the value of this property to `P **Compatibility with old behavior:** Pass `pipelineType: PipelineType.V1` to `Pipeline` construct to restore the previous behavior. + ### @aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope *When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only.* (fix) 
@@ -1183,11 +1299,13 @@ construct, the construct automatically defaults the value of this property to `P When this feature flag is enabled and calling KMS key grant method, the created IAM policy will reduce the resource scope from '*' to this specific granting KMS key. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.134.0 | `false` | `true` | + ### @aws-cdk/aws-eks:nodegroupNameAttribute *When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix.* (fix) @@ -1195,17 +1313,20 @@ When this feature flag is enabled and calling KMS key grant method, the created When this feature flag is enabled, the nodegroupName attribute will be exactly the name of the nodegroup without any prefix. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.139.0 | `false` | `true` | + ### @aws-cdk/aws-ec2:ebsDefaultGp3Volume *When enabled, the default volume type of the EBS volume will be GP3* (default) When this featuer flag is enabled, the default volume type of the EBS volume will be `EbsDeviceVolumeType.GENERAL_PURPOSE_SSD_GP3`. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1213,6 +1334,7 @@ When this featuer flag is enabled, the default volume type of the EBS volume wil **Compatibility with old behavior:** Pass `volumeType: EbsDeviceVolumeType.GENERAL_PURPOSE_SSD` to `Volume` construct to restore the previous behavior. + ### @aws-cdk/pipelines:reduceAssetRoleTrustScope *Remove the root account principal from PipelineAssetsFileRole trust policy* (default) 
@@ -1220,6 +1342,7 @@ When this featuer flag is enabled, the default volume type of the EBS volume wil When this feature flag is enabled, the root account principal will not be added to the trust policy of asset role. When this feature flag is disabled, it will keep the root account principal in the trust policy. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1227,12 +1350,14 @@ When this feature flag is disabled, it will keep the root account principal in t **Compatibility with old behavior:** Disable the feature flag to add the root account principal back + ### @aws-cdk/aws-ecs:removeDefaultDeploymentAlarm *When enabled, remove default deployment alarm settings* (default) When this featuer flag is enabled, remove the default deployment alarm settings when creating a AWS ECS service. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1240,6 +1365,7 @@ When this featuer flag is enabled, remove the default deployment alarm settings **Compatibility with old behavior:** Set AWS::ECS::Service 'DeploymentAlarms' manually to restore the previous behavior. + ### @aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault *When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default* (fix) 
@@ -1247,17 +1373,19 @@ When this featuer flag is enabled, remove the default deployment alarm settings This results in 'logApiResponseData' being passed as true to the custom resource provider. This will cause the custom resource handler to receive an 'Update' event. If you don't have an SDK call configured for the 'Update' event and you're dependent on specific SDK call response data, you will see this error from CFN: -CustomResource attribute error: Vendor response doesn't contain attribute in object. See ) for more details. +CustomResource attribute error: Vendor response doesn't contain attribute in object. See https://github.com/aws/aws-cdk/issues/29949) for more details. Unlike most feature flags, we don't recommend setting this feature flag to true. However, if you're using the 'AwsCustomResource' construct with 'logApiResponseData' as true in the event object, then setting this feature flag will keep this behavior. Otherwise, setting this feature flag to false will trigger an 'Update' event by removing the 'logApiResponseData' property from the event object. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.145.0 | `false` | `false` | + ### @aws-cdk/aws-s3:keepNotificationInImportedBucket *When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack.* (fix) 
@@ -1267,11 +1395,13 @@ Currently, adding notifications to a bucket where it was created by ourselves wi When this feature flag is enabled, adding notifications to a bucket in the current stack will only update notification defined in this stack. Other notifications that are not managed by this stack will be kept. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.155.0 | `false` | `false` | + ### @aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask *When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.* (fix) @@ -1282,6 +1412,7 @@ of State Machine Task definition. When this feature flag is enabled, specify newly introduced props 's3InputUri' and 's3OutputUri' to populate S3 uri under input and output fields in state machine task definition for Bedrock invoke model. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1289,6 +1420,7 @@ When this feature flag is enabled, specify newly introduced props 's3InputUri' a **Compatibility with old behavior:** Disable the feature flag to use input and output path fields for s3 URI + ### @aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions *When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration* (fix) @@ -1298,6 +1430,7 @@ specified as logConfiguration and it will grant 'Resources': ['*'] to the task r When this feature flag is enabled, we will only grant the necessary permissions when users specify cloudwatch log group. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | 
@@ -1305,6 +1438,7 @@ When this feature flag is enabled, we will only grant the necessary permissions **Compatibility with old behavior:** Disable the feature flag to continue grant permissions to log group when no log group is specified + ### @aws-cdk/aws-ec2:ec2SumTImeoutEnabled *When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together.* (fix) @@ -1314,11 +1448,13 @@ only the value from 'resourceSignalTimeout' will be used. When this feature flag is enabled, if both initOptions.timeout and resourceSignalTimeout are specified, the values will to be summed together. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.160.0 | `false` | `true` | + ### @aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission *When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn.* (fix) @@ -1330,11 +1466,13 @@ it allows invocations from any source. When this feature flag is enabled, the AWS::Lambda::Permission will be properly scoped with the SourceArn corresponding to the specific AppSync GraphQL API. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.161.0 | `false` | `true` | + ### @aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages *When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications.* (fix) 
@@ -1345,11 +1483,13 @@ However, this can cause version mismatches between the '@aws-sdk/*' and '@smithy When this feature flag is enabled, both '@aws-sdk/*' and '@smithy/*' packages will be excluded during the bundling process. This ensures that no mismatches occur between these tightly coupled dependencies when using the AWS SDK v3 in Lambda functions. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.161.0 | `false` | `true` | + ### @aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId *When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`* (fix) @@ -1358,6 +1498,7 @@ Currently, the value of the property 'instanceResourceId' in construct 'Database When this feature flag is enabled, the value of that property will be as expected set to 'DbiResourceId' attribute, and that will fix the grantConnect method. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1365,6 +1506,7 @@ When this feature flag is enabled, the value of that property will be as expecte **Compatibility with old behavior:** Disable the feature flag to use `DbInstanceArn` as value for property `instanceResourceId` + ### @aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics *When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values.* (fix) 
@@ -1373,11 +1515,13 @@ Without enabling this feature flag, `cfn-include` will silently drop resource up Enabling this feature flag will make `cfn-include` throw on these templates, unless you specify the logical ID of the resource in the 'unhydratedResources' property. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.161.0 | `false` | `true` | + ### @aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy *When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN.* (fix) @@ -1387,11 +1531,13 @@ The revision number at the end will be replaced with a wildcard which it shouldn When this feature flag is enabled, if the task definition is created in the stack, the 'Resource' section will 'Ref' the taskDefinition. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.163.0 | `false` | `true` | + ### @aws-cdk/aws-dynamodb:resourcePolicyPerReplica *When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas* (fix) @@ -1403,11 +1549,13 @@ This will prevent you from creating a new table which has an additional replica This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.164.0 | `false` | `true` | + ### @aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault *When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2.* (default) @@ -1419,6 +1567,7 @@ and secure option. When this feature flag is enabled, if you do not pass the machineImage property to the BastionHost construct, the latest Amazon Linux 2023 version will be used instead of Amazon Linux 2. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | 
@@ -1426,6 +1575,7 @@ the latest Amazon Linux 2023 version will be used instead of Amazon Linux 2. **Compatibility with old behavior:** Disable the feature flag or explicitly pass an Amazon Linux 2 machine image to the BastionHost construct. + ### @aws-cdk/core:aspectStabilization *When enabled, a stabilization loop will be run when invoking Aspects during synthesis.* (config) @@ -1435,11 +1585,13 @@ This means that the Aspects that create other Aspects are not run and Aspects th When this feature flag is enabled, a stabilization loop is run to recurse the construct tree multiple times when invoking Aspects. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.172.0 | `true` | `true` | + ### @aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource *When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource.* (fix) 
@@ -1449,22 +1601,25 @@ creates a custom resource internally, but the new method doesn't need a custom r If the flag is set to false then a custom resource will be created when using `UserPoolDomainTarget`. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.174.0 | `false` | `true` | + ### @aws-cdk/aws-ecs:disableEcsImdsBlocking *When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)*** (temporary) In an ECS Cluster with `MachineImageType.AMAZON_LINUX_2`, the canContainersAccessInstanceRole=false option attempts to add commands to block containers from accessing IMDS. CDK cannot guarantee the correct execution of the feature in all platforms. Setting this feature flag -to true will ensure CDK does not attempt to implement IMDS blocking. By **end of 2025**, CDK will remove the +to true will ensure CDK does not attempt to implement IMDS blocking. By **end of 2025**, CDK will remove the IMDS blocking feature. See [Github discussion](https://github.com/aws/aws-cdk/discussions/32609) for more information. It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | 
@@ -1472,16 +1627,18 @@ It is recommended to follow ECS documentation to block IMDS for your specific pl **Compatibility with old behavior:** It is strongly recommended to set this flag to true. However, if necessary, set this flag to false to continue using the old implementation. + ### @aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature *When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)*** (temporary) In an ECS Cluster with `MachineImageType.AMAZON_LINUX_2`, the canContainersAccessInstanceRole=false option attempts to add commands to block containers from -accessing IMDS. Set this flag to true in order to use new and updated commands. Please note that this -feature alone with this feature flag will be deprecated by **end of 2025** as CDK cannot +accessing IMDS. Set this flag to true in order to use new and updated commands. Please note that this +feature alone with this feature flag will be deprecated by **end of 2025** as CDK cannot guarantee the correct execution of the feature in all platforms. See [Github discussion](https://github.com/aws/aws-cdk/discussions/32609) for more information. It is recommended to follow ECS documentation to block IMDS for your specific platform and cluster configuration. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1489,6 +1646,7 @@ It is recommended to follow ECS documentation to block IMDS for your specific pl **Compatibility with old behavior:** Set this flag to false in order to continue using old and outdated commands. However, it is **not** recommended. + ### @aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault *When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere* (fix) 
@@ -1499,6 +1657,7 @@ will allow IPv6 ingress from anywhere (::/0). Previously, the default security g Using a feature flag to make sure existing customers who might be relying on the overly restrictive permissions are not broken. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | @@ -1506,6 +1665,7 @@ on the overly restrictive permissions are not broken. **Compatibility with old behavior:** Disable the feature flag to only allow IPv4 ingress in the default security group rules. + ### @aws-cdk/aws-iam:oidcRejectUnauthorizedConnections *When enabled, the default behaviour of OIDC provider will reject unauthorized connections* (fix) @@ -1516,6 +1676,7 @@ default to reject unauthorized connections when downloading CA Certificates. When this feature flag is disabled, the behaviour will be the same as current and will allow downloading thumbprints from unsecure connections. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | 
@@ -1523,37 +1684,41 @@ thumbprints from unsecure connections. **Compatibility with old behavior:** Disable the feature flag to allow unsecure OIDC connection. + ### @aws-cdk/core:enableAdditionalMetadataCollection *When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues.* (config) When this feature flag is enabled, CDK expands the scope of usage data collection to include the following: + * L2 construct property keys - Collect which property keys you use from the L2 constructs in your app. This includes property keys nested in dictionary objects. + * L2 construct property values of BOOL and ENUM types - Collect property key values of only BOOL and ENUM types. All other types, such as string values or construct references will be redacted. + * L2 construct method usage - Collection method name, parameter keys and parameter values of BOOL and ENUM type. -- L2 construct property keys - Collect which property keys you use from the L2 constructs in your app. This includes property keys nested in dictionary objects. -- L2 construct property values of BOOL and ENUM types - Collect property key values of only BOOL and ENUM types. All other types, such as string values or construct references will be redacted. -- L2 construct method usage - Collection method name, parameter keys and parameter values of BOOL and ENUM type. | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.178.0 | `false` | `true` | + ### @aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy *[Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement* (fix) -[Deprecated default feature] When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy. 
+[Deprecated default feature] When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy. The purpose of this is to prevent lambda from creating a dependency on the Default Policy Statement. This solves an issue where a circular dependency could occur if adding lambda to something like a Cognito Trigger, then adding the User Pool to the lambda execution role permissions. -However in the current implementation, we have removed a dependency of the lambda function on the policy. In addition to this, a Role will be attached to the Policy instead of an inline policy being attached to the role. -This will create a data race condition in the CloudFormation template because the creation of the Lambda function no longer waits for the policy to be created. Having said that, we are not deprecating the feature (we are defaulting the feature flag to false for new stacks) since this feature can still be used to get around the circular dependency issue (issue-7016) particularly in cases where the lambda resource creation doesnt need to depend on the policy resource creation. +However in the current implementation, we have removed a dependency of the lambda function on the policy. In addition to this, a Role will be attached to the Policy instead of an inline policy being attached to the role. +This will create a data race condition in the CloudFormation template because the creation of the Lambda function no longer waits for the policy to be created. Having said that, we are not deprecating the feature (we are defaulting the feature flag to false for new stacks) since this feature can still be used to get around the circular dependency issue (issue-7016) particularly in cases where the lambda resource creation doesnt need to depend on the policy resource creation. We recommend to unset the feature flag if already set which will restore the original behavior. 
+ | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.180.0 | `false` | `false` | + ### @aws-cdk/aws-s3:setUniqueReplicationRoleName *When enabled, CDK will automatically generate a unique role name that is used for s3 object replication.* (fix) @@ -1562,11 +1727,13 @@ When performing cross-account S3 replication, we need to explicitly specify a ro When this feature flag is enabled, a unique role name is specified only when performing cross-account replication. When disabled, 'CDKReplicationRole' is always specified. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.182.0 | `false` | `true` | + ### @aws-cdk/pipelines:reduceStageRoleTrustScope *Remove the root account principal from Stage addActions trust policy* (default) @@ -1574,6 +1741,10 @@ When disabled, 'CDKReplicationRole' is always specified. When this feature flag is enabled, the root account principal will not be added to the trust policy of stage role. When this feature flag is disabled, it will keep the root account principal in the trust policy. +For cross-account cases, when this feature flag is enabled the trust policy will be scoped to the role only. +If you are providing a custom role, you will need to ensure 'roleName' is specified or set to PhysicalName.GENERATE_IF_NEEDED. + + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | 
@@ -1581,31 +1752,32 @@ When this feature flag is disabled, it will keep the root account principal in t **Compatibility with old behavior:** Disable the feature flag to add the root account principal back + ### @aws-cdk/aws-events:requireEventBusPolicySid *When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals.* (fix) -Currently, when granting permissions to service principals using grantPutEventsTo(), the operation silently fails -because service principals require resource policies with Statement IDs. +Currently, when granting permissions to service principals using grantPutEventsTo(), the operation silently fails +because service principals require resource policies with Statement IDs. When this flag is enabled: - - Resource policies will be created with Statement IDs for service principals - The operation will succeed as expected When this flag is disabled: - - A warning will be emitted - The grant operation will be dropped - No permissions will be added This fixes the issue where permissions were silently not being added for service principals. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.186.0 | `false` | `true` | + ### @aws-cdk/aws-dynamodb:retainTableReplica *When enabled, table replica will be default to the removal policy of source table unless specified otherwise.* (fix) 
@@ -1613,21 +1785,24 @@ This fixes the issue where permissions were silently not being added for service Currently, table replica will always be deleted when stack deletes regardless of source table's deletion policy. When enabled, table replica will be default to the removal policy of source table unless specified otherwise. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | | 2.187.0 | `false` | `true` | + ### @aws-cdk/cognito:logUserPoolClientSecretValue *When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs.* (default) -When this feature flag is enabled, the SDK API call response to desribe user pool client values will be logged in the custom +When this feature flag is enabled, the SDK API call response to desribe user pool client values will be logged in the custom resource lambda function logs. -When this feature flag is disabled, the SDK API call response to describe user pool client values will not be logged in the custom +When this feature flag is disabled, the SDK API call response to describe user pool client values will not be logged in the custom resource lambda function logs. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | 
@@ -1635,19 +1810,22 @@ resource lambda function logs. **Compatibility with old behavior:** Enable the feature flag to keep the old behavior and log the client secret values -### @aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope -*When enabled, the trust policy for the cross-account action role is scoped to the pipeline role.* (default) +### @aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope -When this feature flag is enabled, the trust policy of the cross-account action role will be scoped to the pipeline role. If you are providing a custom role, you will need to ensure 'roleName' is specified or set to PhysicalName.GENERATE_IF_NEEDED. +*When enabled, scopes down the trust policy for the cross-account action role* (default) +When this feature flag is enabled, the trust policy of the cross-account action role will be scoped to the pipeline role. +If you are providing a custom role, you will need to ensure 'roleName' is specified or set to PhysicalName.GENERATE_IF_NEEDED. When this feature flag is disabled, it will keep the root account principal in the trust policy. + | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | -| V2NEXT | `true` | `true` | +| 2.189.0 | `true` | `true` | + +**Compatibility with old behavior:** Disable the feature flag to add the root account principal back -**Compatibility with old behavior:** Disable the feature flag to keep the trust policy as the root account principal diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index cedfe0b87271b..077fecf273e74 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts 
@@ -1501,7 +1501,7 @@ export const FLAGS: Record = {
 If you are providing a custom role, you will need to ensure 'roleName' is specified or set to PhysicalName.GENERATE_IF_NEEDED.
 When this feature flag is disabled, it will keep the root account principal in the trust policy.
 `,
- introducedIn: { v2: 'V2NEXT' },
+ introducedIn: { v2: '2.189.0' },
 defaults: { v2: true },
 recommendedValue: true,
 compatibilityWithOldBehaviorMd: 'Disable the feature flag to add the root account principal back',
diff --git a/version.v2.json b/version.v2.json
index 85428cd6ffb87..c3fdf7e0f2b86 100644
--- a/version.v2.json
+++ b/version.v2.json
@@ -1,4 +1,4 @@
 {
- "version": "2.188.0",
- "alphaVersion": "2.188.0-alpha.0"
+ "version": "2.189.0",
+ "alphaVersion": "2.189.0-alpha.0"
 }
\ No newline at end of file