@aws-cdk-automation aws-cdk-automation commented Apr 16, 2025

See CHANGELOG

xazhao and others added 30 commits April 9, 2025 19:06
### Reason for this change

backfill enum values in cloudfront module

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-viewercertificate.html#cfn-cloudfront-distribution-viewercertificate-sslsupportmethod


### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… parameter typo (#34090)

### Issue # (if applicable)


Closes #34083.

### Reason for this change



### Description of changes

fixes typo from `rentention` to `retention`



### Describe any new or updated permissions being added




### Description of how you validated changes



### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
)

### Issue # (if applicable)

### Reason for this change

Add more information to the register new region issue template

### Description of changes

There's a missing step to add partition map information for a region that's in a new partition

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

N/A

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Relates to #32569

### Reason for this change
Untyped Errors are not recommended.


### Description of changes



Change Error to ValidationError / UnscopedValidationError

### Describe any new or updated permissions being added



None

### Description of how you validated changes



Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…onnect` (#34059)

### Issue # (if applicable)

Closes #34055

### Description of how you validated changes
Unit + Integ

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #11100

### Description of changes
- apigwv2 HttpStage support access logging to CloudWatch Logs https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-logging.html
- Same logic as V1 without Firehose as not supported.

### Description of how you validated changes
Unit + Integ

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #31720

This replaces my previous PR #32901.  I addressed the PR comments in this new PR.

This depends on this PR: cdklabs/cloud-assembly-schema#124.

Also depends on this CDK CLI PR: aws/aws-cdk-cli#138. That PR should be merged first and the CLI released, before this PR can be merged.

### Reason for this change

Add DatabaseInstance.fromLookup() feature

### Description of changes

* Add CC API Context Provider.  Needs this PR: cdklabs/cloud-assembly-schema#124
* DatabaseInstance.fromLookup calls the CC API to get the database instance info from instanceIdentifier.
* Add unit tests.

### Describe any new or updated permissions being added

User will need to have permission to run CloudControl API.

### Description of how you validated changes

Tested with this code.  I already have an RDS DB in my AWS account.  I want to look it up and grant connect to a new user.
Saved to packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/my-test-app.ts

```
import * as cdk from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as rds from 'aws-cdk-lib/aws-rds';

const awsAccountId = 'XXXXXXXXXX79';
const instanceId = 'XXXXXXXXXX-instance-1';

const appWithDb = new cdk.App();
const stack = new cdk.Stack(appWithDb, 'StackWithVpc', {
  env: {
    region: 'us-east-1',
    account: awsAccountId,
  },
});

const dbFromLookup = rds.DatabaseInstance.fromLookup(stack, 'dbFromLookup', {
  instanceIdentifier: instanceId,
});

/* eslint-disable no-console */
console.log('lookup values', dbFromLookup.dbInstanceEndpointAddress, dbFromLookup.dbInstanceEndpointPort);

const consoleReadOnlyRole = new iam.Role(stack, 'TestRole', {
  assumedBy: new iam.ArnPrincipal('arn_for_trusted_principal'),
});
dbFromLookup.grantConnect(consoleReadOnlyRole, 'dbTestUser');

```

Ran this command:
```
../../aws-cdk/bin/cdk -a 'npx ts-node test/aws-rds/test/my-test-app.ts' synth 
```


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…er (#33736)

### Issue # (if applicable)

Closes #9696.

### Reason for this change

CloudFormation supports more detailed configuration of subnet information through `subnetMapping` than through `subnetIds`, but AWS CDK doesn't support this.

https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-loadbalancer-subnetmapping.html

### Description of changes

- Add `subnetMappings` to `NetworkLoadBalancerProps`
- Define `SourceNatIpv6Prefix` class and `SubnetMapping` interface at `base-loadbalancer.ts`

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Add both unit and integ tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…34113)

By default we would use `^41.0.0` to depend on this package, but it is strictly backwards compatible. The major version number of this package currently tracks the revision of the cloud assembly protocol, and does not use semver major versions to indicate breaking changes (breaking changes are not allowed).

We should use `>=` to indicate that we expect a minimum version of the schema, but we don't want to imply a maximum version. Otherwise, users will get peerDependency errors/warnings for perfectly valid dependency sets.

Fixes aws/aws-cdk-cli#345.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…on-private (#34108)

### Reason for this change

- Add rosetta support for s3tables-alpha documentation.
- Set @aws-cdk/aws-s3tables-alpha module to non-private.

### Description of changes

Add support for rosetta for README and JSDocs examples.

This module was previously set to private, due to which it was not released as an npm module and was not showing up on aws-cdk documentation.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

yarn build+test+extract

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #34099.

### Reason for this change

Fixes a bug where CloudFront `Distribution` validation would throw a `TypeError` when `webAclId` was a CloudFormation token or intrinsic, instead of a plain string. This prevented users from passing unresolved tokens or references as `webAclId`.

### Description of changes

- Updated `validateWebAclId()` to **skip validation** if `webAclId` is **not a string** or is an **unresolved token**.
- This prevents `.startsWith()` from being called on non-string values, avoiding runtime errors.
- Added unit tests to cover unresolved tokens and non-string values.
- Removed the integration test that attempted to deploy dummy WebACL ARNs, which caused CloudFront deployment failures due to invalid account ownership.

This change enables users to safely pass CloudFormation references or tokens as `webAclId` without causing synthesis errors.

### Describe any new or updated permissions being added

None.

### Description of how you validated changes

- Added and updated unit tests for `validateWebAclId()` to cover tokens and non-string values.
- Removed the failing integration test that was not suitable for automated deployment.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Relates to #32569

### Reason for this change

Untyped Errors are not recommended.

### Description of changes

Change Error to ValidationError / UnscopedValidationError

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…34133)

### Reason for this change

CDK Pipelines added support for CodePipeline V2 in https://github.com/aws/aws-cdk/releases/tag/v2.189.0.

### Description of changes

Removed the notice about lack of CodePipeline V2 support in CDK Pipelines documentation.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… applications (#34132)

Some CDK methods apply mutating Aspects on behalf of users. Since #32333, these Aspects have a priority of `MUTATING` to classify their behavior.

If a user-applied Aspect (priority `DEFAULT`) now configures the same property as an implicitly added Aspect:

* Before that change, the relative execution order depended on the location of the Aspects in the construct tree.
* After that change, the user Aspect always "wins" (executes last) because its priority is higher.

In this change, we roll back to the behavior from pre-2.172.0, and introduce a feature flag which gives the Aspects a priority only if the feature flag is enabled. This introduces the feature flag:

```json
{
  "context": {
    "@aws-cdk/core:aspectPrioritiesMutating": true
  }
}
```

Which sets the priority of Aspects added on your behalf to `MUTATING` (200) (instead of the default `DEFAULT`, 500).

* If you have given your own Aspect a priority of `MUTATING` already to make sure it can get overridden by another Aspect of priority `MUTATING`, this current change will not affect you (either with or without feature flag).
* If you have come to rely on the new default priority being low already, you can set the above feature flag to re-enable the new behavior.

-----------


Did not touch the following Aspects:

- In `integ-tests-alpha`: overriding logical IDs in assertions stacks does not affect production infrastructure.
- Tags: tags are exclusively manipulated through the official APIs, so there is no conflict between custom and implicit Aspects.
- CDK Pipelines: there cannot be a conflict because the customer can't create a default pipeline before the implicit Aspect.

This PR also introduces some slight rendering and documentation changes to the feature flags to improve clarity of the purpose of certain fields and the produced report.
### Issue # (if applicable)

None

### Reason for this change

Fix typo

### Description of changes

`concatentation` → `concatenation`

### Describe any new or updated permissions being added

None

### Description of how you validated changes

None

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…33978)

### Issue # (if applicable)

Closes #33974

### Reason for this change

Currently, the `aws-s3` module automatically creates and manages the IAM Role used for S3 replication. This limits integration flexibility, especially in environments where IAM Roles are provisioned externally or reused across stacks/accounts. 

This change addresses that limitation by allowing users to provide a custom IAM Role for replication.


### Description of changes

- Introduced an optional `replicationRole?: iam.IRole` property in `BucketProps`.
- When `replicationRole` is provided, the CDK uses it instead of creating a new role.
- Required permissions are **NOT** automatically attached to the provided role. It is the user's responsibility to attach the necessary IAM policies.
- Added validation to ensure that if `replicationRole` is specified, `replicationRules` must also be defined and non-empty, since both are required by CloudFormation when configuring replication.


### Describe any new or updated permissions being added

No new IAM actions are introduced. When a custom role is provided, CDK does not attach any permissions automatically. Users are expected to grant the appropriate replication-related permissions manually.

### Description of how you validated changes

Added unit and integ tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue 

Part of #33673 (comment)


### Reason for this change


`yarn integ aws-eks/test/integ.eks-hybrid-nodes.js` fails to complete.

Error1:
```zsh
❌  aws-cdk-eks-cluster-hybrid-nodes failed: _ToolkitError: The stack named aws-cdk-eks-cluster-hybrid-nodes failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Received response status [FAILED] from custom resource. Message returned: AccessConfig AuthMode must be API_AND_CONFIG_MAP or API when remoteNetworkConfig is specified
```

Error2:
```zsh
❌  aws-cdk-eks-cluster-hybrid-nodes failed: _ToolkitError: The stack named aws-cdk-eks-cluster-hybrid-nodes failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Received response status [FAILED] from custom resource. Message returned: Invalid remote node network: CIDR 10.0.0.0/16 overlaps with VPC CIDR 10.0.0.0/16
```

### Description of changes

- Setting `accessConfig` to resolve Error1
- Changing CIDR to resolve Error2



### Describe any new or updated permissions being added


NONE

### Description of how you validated changes


- Pass integration test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change
The previous exclusion list was applied to parsed sdk enum values. That doesn't work for the wrong mappings between cfn enum values and cdk enum values.

This new exclusion list is applied to the cdk enum values directly, which means we can exclude any enum values in CDK.

### Description of changes
- Instead of applying exclusion list at SDK enum values, this PR moves the exclusion list to CDK enum values.
- Make the github workflow run every week automatically.

### Description of how you validated changes
Unit tests passed
GitHub workflow ran successfully

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…hod (#34094)

Closes #<issue number here>.

### Reason for this change

Cannot add multiple NATGW to the current VPC construct as it is using the same construct id, which causes a conflict.

### Description of changes

- Fix the NATGW construct id to be unique using provided subnet.
- Fix the current domain being set in EIP to be `vpc` instead of `vpcId`.
- Fix the validation for subnet IP ranges as those can be unresolved token values referred in VPC construct using vpc.attr.<ipaddressblock> .

### Describe any new or updated permissions being added

NA

### Description of how you validated changes

- Added unit test and integration test for NATGW.
- Added unit test for EIP

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

BREAKING CHANGE: The logical ID for the NAT Gateway, defined using the `addNatGateways` method, will be changed, resulting in the NAT Gateway being recreated. Additionally, the domain for the Elastic IP (EIP) will be set to `vpc`, which will also trigger its recreation in the account.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #34002.

### Reason for this change

The original fix for issue #22661 (PR #33698) introduced a regression where the S3 deployment Lambda would read entire files into memory to check if they're JSON. This approach works fine for small files but causes Lambda timeouts and memory issues with large files (10MB+). This is particularly problematic for customers deploying large assets to S3 buckets.

### Description of changes

The S3 deployment Lambda handler was reading entire files into memory to check if they're JSON, causing timeouts and memory issues with large files (10MB+).

This change optimizes the S3 deployment Lambda handler to process files more efficiently by:

1. Adding an early return when there are no markers to replace
2. Processing all files line by line, which is much more memory-efficient than loading the full JSON in memory
3. Adding an optional `escape` parameter to the `Source.jsonData` method in order to control JSON escaping
4. Using the `jsonEscape` flag in `MarkersConfig` to control when special JSON escaping is needed

These changes ensure that:
- Files without markers are processed instantly
- Files with markers are processed line by line, minimizing memory usage
- Special JSON escaping is only applied when explicitly requested

The implementation is backward compatible with the experience before the PR #33698 was merged, as it maintains the existing behavior by default but provides an opt-in mechanism for JSON escaping when needed. The opt-in mechanism is required for users who were benefitting from the escaping mechanism introduced by the PR #33698.


### Describe any new or updated permissions being added

No new or updated IAM permissions are required for this change.

### Description of how you validated changes

- Created an integration test (`integ.bucket-deployment-large-file.ts`) that reproduces the issue with large files
- Implemented local testing to verify the fix with both small and large files
- Added memory limit assertions to ensure memory usage stays within acceptable bounds
- Conducted performance testing with isolated test runs to measure memory usage across various file types and sizes

The integration test specifically validates that large files (10MB+) can be successfully deployed without memory issues, ensuring the fix works in real-world scenarios.


### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
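
The line-by-line marker substitution with an early return and opt-in JSON escaping that this commit describes, as an added Python example that is not the CDK deployment handler's own code. `replace_markers`, its `json_escape` argument and the `<<marker:0>>` token are assumed names constructed for illustration.

```python
import json
import os
import shutil
import tempfile


def replace_markers(path, markers, json_escape=False):
    """Substitute marker tokens in the file at `path`, streaming line by line.

    `markers` maps token -> replacement string (hypothetical shape).
    Returns the number of lines that were rewritten.
    """
    # Early return: with no markers the file is never opened at all.
    if not markers:
        return 0

    # Work on bytes so binary assets pass through without being decoded.
    replacements = {}
    for token, value in markers.items():
        if json_escape:
            # json.dumps adds the escapes; drop the surrounding quotes so the
            # value can sit inside an existing JSON string literal.
            value = json.dumps(value)[1:-1]
        replacements[token.encode("utf-8")] = value.encode("utf-8")

    changed = 0
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "wb") as out, open(path, "rb") as src:
            # Only one line is held in memory at a time. Limits of this
            # approach: a token split across a newline is not matched, and a
            # file without newlines is still read as a single line.
            for line in src:
                new_line = line
                for token, value in replacements.items():
                    new_line = new_line.replace(token, value)
                if new_line != line:
                    changed += 1
                out.write(new_line)
        shutil.copymode(path, tmp_path)
        os.replace(tmp_path, path)  # swap in the rewritten file atomically
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return changed


def demo():
    """Run the same substitution with and without escaping on a constructed file.

    Returns {escape_flag: parsed "greeting" value, or None if the result is
    no longer valid JSON}.
    """
    token = "<<marker:0>>"   # constructed token
    value = 'say "hi"'       # constructed value containing JSON-special characters
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        for escape in (False, True):
            path = os.path.join(workdir, "config.json")
            with open(path, "w") as f:
                f.write('{\n  "greeting": "%s",\n  "static": 1\n}\n' % token)
            replace_markers(path, {token: value}, json_escape=escape)
            with open(path) as f:
                text = f.read()
            try:
                results[escape] = json.loads(text)["greeting"]
            except ValueError:
                results[escape] = None
    return results


if __name__ == "__main__":
    print(demo())
```

Without escaping, a value containing quotes leaves the deployed file unparseable as JSON, which is the case the opt-in flag exists for.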
### Issue # (if applicable)
None

Closes #<issue number here>.
None

### Reason for this change
* Adds a new tool to run cfn-guard
* Enhances PR linter to find added or updated snapshot templates and run cfn-guard through them for detecting inline broad trust policy


### Description of changes
Refer README.md


### Describe any new or updated permissions being added


N/A

### Description of how you validated changes
Tested on personal fork. Refer QuantumNeuralCoder#6 
PR Linter output shows test results.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

None

### Reason for this change

Attribute documentation was incorrect (pasted from the documentation for `principalStatements`, probably)

### Description of changes

Updated the documentation comment to agree with the contents of the attribute.

### Describe any new or updated permissions being added

None. Has no effect on permissions or on the synthesized stacks.

### Description of how you validated changes

Non-behavioral change.

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ref: https://aws.amazon.com/about-aws/whats-new/2025/04/amazon-nova-sonic-speech-to-speech-conversations-bedrock/

```console
$ aws bedrock get-foundation-model --model-identifier amazon.nova-sonic-v1:0
{
    "modelDetails": {
        "modelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.nova-sonic-v1:0",
        "modelId": "amazon.nova-sonic-v1:0",
        "modelName": "Nova Sonic",
        "providerName": "Amazon",
        "inputModalities": [
            "SPEECH"
        ],
        "outputModalities": [
            "SPEECH",
            "TEXT"
        ],
        "responseStreamingSupported": true,
        "customizationsSupported": [],
        "inferenceTypesSupported": [
            "ON_DEMAND"
        ],
        "modelLifecycle": {
            "status": "ACTIVE"
        }
    }
}
```

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…esultWriter in Distributed Map (#33772) and (#33601) (#33831)

feat(stepfunctions): Create a new ResultWriterV2 class to support WriterConfig in ResultWriter object in Distributed Map

Closes #33772 and #33601.

Reason for making this change:
A new property `WriterConfig` was added under ResultWriter property of Distributed Map.
`WriterConfig` contains OutputType and Transformation

Ref: https://docs.aws.amazon.com/step-functions/latest/dg/input-output-resultwriter.html#input-output-resultwriter-field-contents

`ItemReader` also supports "JSONL" as the `InputType`. It's currently missing in the enum.
Ref: https://docs.aws.amazon.com/step-functions/latest/dg/input-output-itemreader.html#itemreader-field-contents

Changes:
* Created a copy of ResultWriter as ResultWriterV2 to avoid introducing a breaking change to ResultWriter.
* Consumers will need to set feature `@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2` to true in the context.
* Create new class `WriterConfig` and add `writerConfig` property under `ResultWriterV2` in Distributed Map.
* Add `OutputType` and `Transformation` properties under `WriterConfig`.
* Add Warning when ResultWriter is empty.
* Add the missing `JSONL` type which is a part of `InputType` `ItemReader` of Distributed Map.
* Permissions - No additions. But removed the permission to put object when just `writerConfig` is specified.
* Also added the missing `JSONL` from `InputType` in the `ItemReader` of Distributed Map.
* Add a unit test and an integ test.

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ges (#34152)

Allows codecov access to metadata

### Issue # (if applicable)

Closes #<issue number here>.
NA

### Reason for this change
Solves issue 
```
Upload results to codecov failures

Run codecov/codecov-action@v5
Run CC_ACTION_VERSION=$(cat ${GITHUB_ACTION_PATH}/src/version)
==> Running Action version 5.4.2
Run git config --global --add safe.directory "/home/runner/work/aws-cdk/aws-cdk"
Run CC_FORK="false"
==> Fork detected
Run actions/github-script@v7
Error: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
    at OidcClient.<anonymous> (/home/runner/work/_actions/actions/github-script/v7/dist/index.js:585:23)
    at Generator.next (<anonymous>)
    at /home/runner/work/_actions/actions/github-script/v7/dist/index.js:522:71
    at new Promise (<anonymous>)
    at __webpack_modules__.8041.__awaiter (/home/runner/work/_actions/actions/github-script/v7/dist/index.js:518:12)
    at OidcClient.getIDToken (/home/runner/work/_actions/actions/github-script/v7/dist/index.js:571:16)
    at Object.<anonymous> (/home/runner/work/_actions/actions/github-script/v7/dist/index.js:421:46)
    at Generator.next (<anonymous>)
    at /home/runner/work/_actions/actions/github-script/v7/dist/index.js:133:71
    at new Promise (<anonymous>)
Error: Unhandled error: Error: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
```


### Description of changes



### Describe any new or updated permissions being added




### Description of how you validated changes



### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…OnCreation` (#34116)

### Issue # (if applicable)

N/A

### Reason for this change

The `Subnet.assignIpv6AddressOnCreation` attribute was being set in the L1, despite it not being necessary to set. This may cause issues with backwards migrations from V1 subnets to V2, since there will be this attribute difference across both.

### Description of changes

```ts
const subnet = new CfnSubnet(this, 'Subnet', {
  ...
  assignIpv6AddressOnCreation: props.assignIpv6AddressOnCreation /* ?? false */,
  mapPublicIpOnLaunch: props.mapPublicIpOnLaunch /* ?? undefined */ // this one was just a redundant nit
});
```

### Describe any new or updated permissions being added

N/A


### Description of how you validated changes

`yarn test && yarn integ-runner --update-on-failed --dry-run` (dry run since it's a very minor change, and some of the integ tests for IPv6 and IPAM are finicky)

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…branch (#34154)

### Issue # (if applicable)
GitHub action security-guardian is unable to detect changed cfn templates in PRs

### Closes #.
NA

### Reason for this change
Fixes an issue where security-guardian github action runs but is unable to find changed templates. Since it runs in the context of pull_request_target workflow, it's unable to find the head commit of PR which is in the base branch. This happened after we switched from pull_request to pull_request_target for improved security posture during the run of the github action.
```
Run echo "Getting changed CloudFormation templates..."
Getting changed CloudFormation templates...
From https://github.com/aws/aws-cdk
 * branch                  main       -> FETCH_HEAD
fatal: bad object 7c12c04
```
### Description of changes
Checks out and compares the base version with the head version.

### Describe any new or updated permissions being added
None

### Description of how you validated changes
Cannot be validated until merged

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
GavinZZ and others added 11 commits April 15, 2025 20:12
…ATE compatible task definitions (#34155)

Reverts #33608

This is a breaking change because `cpu` property allows input like `1vcpu` although it's not documented in the public CFN documentation.

This would mean that the reverted PR will cause regression on a CDK app that looks like the one below
```
const taskDefinition = new TaskDefinition(this, 'MyFargateTaskDef', {
  compatibility: Compatibility.FARGATE,
  family: "update-service-test-fargate-taskdef-small-cpu",
  memoryMiB: "2gb",
  cpu: "1 vcpu",
  networkMode: NetworkMode.AWS_VPC
});
```
### Issue # (if applicable)

Relates to #32569

### Reason for this change
Untyped Errors are not recommended.


### Description of changes
Change Error to ValidationError / UnscopedValidationError


### Describe any new or updated permissions being added
None



### Description of how you validated changes
Existing tests. Exemptions granted as this is a refactor of existing code.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #33807

### Reason for this change

Neptune engine versions not up-to-date.

### Description of changes

Added engine up to most recently released version as specified here https://docs.aws.amazon.com/neptune/latest/userguide/engine-releases.html

### Describe any new or updated permissions being added

N/A


### Description of how you validated changes

Integration test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… Errors (#34109)

### Issue # (if applicable)

Relates to #32569

### Reason for this change
Untyped Errors are not recommended.


### Description of changes
Change Error to ValidationError / UnscopedValidationError


### Describe any new or updated permissions being added
None



### Description of how you validated changes
Existing tests. Exemptions granted as this is a refactor of existing code.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…n zip assets (#34162)

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change
Update the git attributes to add a new pattern of large files to include the zip assets in alpha modules. 

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…esponding unit tests (#33898)

Enabling features for ipv6 and dualstack support with corresponding unit tests

### Original PR: [#3873](#33873)

### Issue [#33493](#33493)
Closes [#33493](#33493)

### Reason for this change
Currently, AWS Services, i.e., Xray, Wafv2, Workmail, have started to release support for IPv6 or Dualstack for their VPC endpoints. We would like to modify our infrastructure to be able to support these new IP address types.

### Description of changes
1. Passed necessary props to the VPC Endpoint interface
2. Added necessary props that need to be passed to enable all different IP address types
3. Abstracted address types as enum to abide by L1, L2 constructs
4. Added necessary unit tests to cover all cases
5. Added necessary changes to integ tests

Added more detailed descriptions and guidelines for usage in the aws-ec2 README.md as well as very detailed comments above each code change.

### Description of how you validated changes
Added unit tests and integ tests to cover all valid and invalid cases. Throws necessary errors according to [documentation](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html#connect-to-endpoint-service). Detailed descriptions of each case are outlined in comments.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
https://github.com/orgs/community/discussions/123735

### Issue # (if applicable)
Follow up of #34152
```
Run actions/github-script@v7
Error: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
    at OidcClient.<anonymous> (/home/runner/work/_actions/actions/github-script/v7/dist/index.js:585:23)
    at Generator.next (<anonymous>)
    at /home/runner/work/_actions/actions/github-script/v7/dist/index.js:522:71
    at new Promise (<anonymous>)
    at __webpack_modules__.8041.__awaiter (/home/runner/work/_actions/actions/github-script/v7/dist/index.js:518:12)
    at OidcClient.getIDToken (/home/runner/work/_actions/actions/github-script/v7/dist/index.js:571:16)
    at Object.<anonymous> (/home/runner/work/_actions/actions/github-script/v7/dist/index.js:421:46)
    at Generator.next (<anonymous>)
    at /home/runner/work/_actions/actions/github-script/v7/dist/index.js:133:71
    at new Promise (<anonymous>)
Error: Unhandled error: Error: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable

``` 

Closes #<issue number here>.
None 

### Reason for this change
Issue persists


### Description of changes
Permissions were already provided at a job level but no permissions at the workflow level, and there is no inheritance of scopes from level to level (wouldn't have applied here anyway since we provided at a job level but not workflow level). In this PR adding permissions at the workflow level.


### Describe any new or updated permissions being added




### Description of how you validated changes



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
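
The two security-guardian commits above (the `fatal: bad object` failure under `pull_request_target`, and the `ACTIONS_ID_TOKEN_REQUEST_URL` error) can be illustrated with one workflow sketch. This is an added example, not the aws-cdk workflow; the workflow name, job id, the `refs/remotes/pr/head` ref name and the `*.template.json` path pattern are assumptions.

```yaml
# Added illustration only; names and the path pattern below are assumptions.
name: security-guardian-example

on:
  pull_request_target:
    branches: [main]

# Token scopes declared at the workflow level, as the second commit describes.
# id-token: write is the scope that makes ACTIONS_ID_TOKEN_REQUEST_URL
# available to steps that request an OIDC token.
permissions:
  contents: read
  id-token: write

jobs:
  changed-templates:
    runs-on: ubuntu-latest
    steps:
      # Under pull_request_target the default checkout is the base branch,
      # so the workspace contains only trusted code.
      - name: Checkout base
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # The PR head commit is not an object in the base checkout until it is
      # fetched; referring to it before this step fails with "bad object".
      # refs/pull/<n>/head is published in the base repository, including for
      # PRs opened from forks. The head is fetched as data and never executed.
      - name: Fetch PR head
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: git fetch --no-tags origin "refs/pull/${PR_NUMBER}/head:refs/remotes/pr/head"

      # Event values are passed through env rather than interpolated into the
      # script text, so PR-controlled strings cannot alter the command.
      - name: List changed CloudFormation templates
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          echo "Getting changed CloudFormation templates..."
          git diff --name-only --diff-filter=AM \
            "${BASE_SHA}...refs/remotes/pr/head" -- '*.template.json' \
            > changed_templates.txt
          cat changed_templates.txt
```

The three-dot range diffs the PR head against its merge base with the base branch, so templates changed on `main` after the PR branched are not reported as PR changes.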
…34164)

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[~] service aws-acmpca
│ └ resources
│    └[~]  resource AWS::ACMPCA::CertificateAuthority
│       └ properties
│          └ KeyStorageSecurityStandard: (documentation changed)
├[~] service aws-applicationautoscaling
│ └ resources
│    ├[~]  resource AWS::ApplicationAutoScaling::ScalableTarget
│    │  └ properties
│    │     ├ ResourceId: (documentation changed)
│    │     └ ScalableDimension: (documentation changed)
│    └[~]  resource AWS::ApplicationAutoScaling::ScalingPolicy
│       └ properties
│          ├ PolicyType: (documentation changed)
│          ├ ResourceId: (documentation changed)
│          └ ScalableDimension: (documentation changed)
├[~] service aws-applicationsignals
│ └ resources
│    └[~]  resource AWS::ApplicationSignals::ServiceLevelObjective
│       ├      - documentation: Creates or updates a service level objective (SLO), which can help you ensure that your critical business operations are meeting customer expectations. Use SLOs to set and track specific target levels for the reliability and availability of your applications and services. SLOs use service level indicators (SLIs) to calculate whether the application is performing at the level that you want.
│       │      Create an SLO to set a target for a service or operation’s availability or latency. CloudWatch measures this target frequently you can find whether it has been breached.
│       │      The target performance quality that is defined for an SLO is the *attainment goal* . An attainment goal is the percentage of time or requests that the SLI is expected to meet the threshold over each time interval. For example, an attainment goal of 99.9% means that within your interval, you are targeting 99.9% of the periods to be in healthy state.
│       │      When you create an SLO, you specify whether it is a *period-based SLO* or a *request-based SLO* . Each type of SLO has a different way of evaluating your application's performance against its attainment goal.
│       │      - A *period-based SLO* uses defined *periods* of time within a specified total time interval. For each period of time, Application Signals determines whether the application met its goal. The attainment rate is calculated as the `number of good periods/number of total periods` .
│       │      For example, for a period-based SLO, meeting an attainment goal of 99.9% means that within your interval, your application must meet its performance goal during at least 99.9% of the time periods.
│       │      - A *request-based SLO* doesn't use pre-defined periods of time. Instead, the SLO measures `number of good requests/number of total requests` during the interval. At any time, you can find the ratio of good requests to total requests for the interval up to the time stamp that you specify, and measure that ratio against the goal set in your SLO.
│       │      After you have created an SLO, you can retrieve error budget reports for it. An *error budget* is the amount of time or amount of requests that your application can be non-compliant with the SLO's goal, and still have your application meet the goal.
│       │      - For a period-based SLO, the error budget starts at a number defined by the highest number of periods that can fail to meet the threshold, while still meeting the overall goal. The *remaining error budget* decreases with every failed period that is recorded. The error budget within one interval can never increase.
│       │      For example, an SLO with a threshold that 99.95% of requests must be completed under 2000ms every month translates to an error budget of 21.9 minutes of downtime per month.
│       │      - For a request-based SLO, the remaining error budget is dynamic and can increase or decrease, depending on the ratio of good requests to total requests.
│       │      When you call this operation, Application Signals creates the *AWSServiceRoleForCloudWatchApplicationSignals* service-linked role, if it doesn't already exist in your account. This service- linked role has the following permissions:
│       │      - `xray:GetServiceGraph`
│       │      - `logs:StartQuery`
│       │      - `logs:GetQueryResults`
│       │      - `cloudwatch:GetMetricData`
│       │      - `cloudwatch:ListMetrics`
│       │      - `tag:GetResources`
│       │      - `autoscaling:DescribeAutoScalingGroups`
│       │      You can easily set SLO targets for your applications that are discovered by Application Signals, using critical metrics such as latency and availability. You can also set SLOs against any CloudWatch metric or math expression that produces a time series.
│       │      > You can't create an SLO for a service operation that was discovered by Application Signals until after that operation has reported standard metrics to Application Signals. 
│       │      You cannot change from a period-based SLO to a request-based SLO, or change from a request-based SLO to a period-based SLO.
│       │      For more information about SLOs, see [Service level objectives (SLOs)](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-ServiceLevelObjectives.html) .
│       │      + documentation: Creates or updates a service level objective (SLO), which can help you ensure that your critical business operations are meeting customer expectations. Use SLOs to set and track specific target levels for the reliability and availability of your applications and services. SLOs use service level indicators (SLIs) to calculate whether the application is performing at the level that you want.
│       │      Create an SLO to set a target for a service operation, or service dependency's availability or latency. CloudWatch measures this target frequently you can find whether it has been breached.
│       │      The target performance quality that is defined for an SLO is the *attainment goal* . An attainment goal is the percentage of time or requests that the SLI is expected to meet the threshold over each time interval. For example, an attainment goal of 99.9% means that within your interval, you are targeting 99.9% of the periods to be in healthy state.
│       │      When you create an SLO, you specify whether it is a *period-based SLO* or a *request-based SLO* . Each type of SLO has a different way of evaluating your application's performance against its attainment goal.
│       │      - A *period-based SLO* uses defined *periods* of time within a specified total time interval. For each period of time, Application Signals determines whether the application met its goal. The attainment rate is calculated as the `number of good periods/number of total periods` .
│       │      For example, for a period-based SLO, meeting an attainment goal of 99.9% means that within your interval, your application must meet its performance goal during at least 99.9% of the time periods.
│       │      - A *request-based SLO* doesn't use pre-defined periods of time. Instead, the SLO measures `number of good requests/number of total requests` during the interval. At any time, you can find the ratio of good requests to total requests for the interval up to the time stamp that you specify, and measure that ratio against the goal set in your SLO.
│       │      After you have created an SLO, you can retrieve error budget reports for it. An *error budget* is the amount of time or amount of requests that your application can be non-compliant with the SLO's goal, and still have your application meet the goal.
│       │      - For a period-based SLO, the error budget starts at a number defined by the highest number of periods that can fail to meet the threshold, while still meeting the overall goal. The *remaining error budget* decreases with every failed period that is recorded. The error budget within one interval can never increase.
│       │      For example, an SLO with a threshold that 99.95% of requests must be completed under 2000ms every month translates to an error budget of 21.9 minutes of downtime per month.
│       │      - For a request-based SLO, the remaining error budget is dynamic and can increase or decrease, depending on the ratio of good requests to total requests.
│       │      When you call this operation, Application Signals creates the *AWSServiceRoleForCloudWatchApplicationSignals* service-linked role, if it doesn't already exist in your account. This service- linked role has the following permissions:
│       │      - `xray:GetServiceGraph`
│       │      - `logs:StartQuery`
│       │      - `logs:GetQueryResults`
│       │      - `cloudwatch:GetMetricData`
│       │      - `cloudwatch:ListMetrics`
│       │      - `tag:GetResources`
│       │      - `autoscaling:DescribeAutoScalingGroups`
│       │      You can easily set SLO targets for your applications, and their dependencies, that are discovered by Application Signals, using critical metrics such as latency and availability. You can also set SLOs against any CloudWatch metric or math expression that produces a time series.
│       │      > You can't create an SLO for a service operation that was discovered by Application Signals until after that operation has reported standard metrics to Application Signals. 
│       │      You cannot change from a period-based SLO to a request-based SLO, or change from a request-based SLO to a period-based SLO.
│       │      For more information about SLOs, see [Service level objectives (SLOs)](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-ServiceLevelObjectives.html) .
│       ├ properties
│       │  └ ExclusionWindows: (documentation changed)
│       └ types
│          ├[+]  type DependencyConfig
│          │  ├      documentation: Identifies the dependency using the `DependencyKeyAttributes` and `DependencyOperationName` .
│          │  │      name: DependencyConfig
│          │  └ properties
│          │     ├ DependencyKeyAttributes: Map<string, string> (required)
│          │     └ DependencyOperationName: string (required)
│          ├[~] type ExclusionWindow
│          │ ├      - documentation: The core SLO time window exclusion object that includes Window, StartTime, RecurrenceRule, and Reason.
│          │ │      + documentation: The time window to be excluded from the SLO performance metrics.
│          │ └ properties
│          │    ├ Reason: (documentation changed)
│          │    ├ RecurrenceRule: (documentation changed)
│          │    ├ StartTime: (documentation changed)
│          │    └ Window: (documentation changed)
│          ├[~] type RecurrenceRule
│          │ ├      - documentation: The recurrence rule for the SLO time window exclusion .
│          │ │      + documentation: The recurrence rule for the time exclusion window.
│          │ └ properties
│          │    └ Expression: (documentation changed)
│          ├[~] type RequestBasedSliMetric
│          │ └ properties
│          │    └[+] DependencyConfig: DependencyConfig
│          ├[~] type SliMetric
│          │ └ properties
│          │    └[+] DependencyConfig: DependencyConfig
│          └[~] type Window
│            ├      - documentation: The object that defines the time length of an exclusion window.
│            │      + documentation: The start and end time of the time exclusion window.
│            └ properties
│               ├ Duration: (documentation changed)
│               └ DurationUnit: (documentation changed)
├[~] service aws-backup
│ └ resources
│    └[~]  resource AWS::Backup::RestoreTestingPlan
│       └ properties
│          └[-] ScheduleStatus: string
├[~] service aws-batch
│ └ resources
│    └[~]  resource AWS::Batch::JobDefinition
│       └ types
│          ├[~] type ContainerProperties
│          │ └ properties
│          │    └[+] EnableExecuteCommand: boolean
│          ├[~] type EcsTaskProperties
│          │ └ properties
│          │    └[+] EnableExecuteCommand: boolean
│          ├[+]  type FirelensConfiguration
│          │  ├      name: FirelensConfiguration
│          │  └ properties
│          │     ├ Type: string (required)
│          │     └ Options: Map<string, string>
│          ├[~] type MultiNodeContainerProperties
│          │ └ properties
│          │    └[+] EnableExecuteCommand: boolean
│          ├[~] type MultiNodeEcsTaskProperties
│          │ └ properties
│          │    └[+] EnableExecuteCommand: boolean
│          └[~] type TaskContainerProperties
│            └ properties
│               └[+] FirelensConfiguration: FirelensConfiguration
├[~] service aws-bedrock
│ └ resources
│    └[~]  resource AWS::Bedrock::KnowledgeBase
│       └ types
│          ├[+]  type OpenSearchManagedClusterConfiguration
│          │  ├      documentation: Contains details about the Managed Cluster configuration of the knowledge base in Amazon OpenSearch Service. For more information, see [Create a vector index in OpenSearch Managed Cluster](https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base-setup-osm.html) .
│          │  │      name: OpenSearchManagedClusterConfiguration
│          │  └ properties
│          │     ├ DomainArn: string (required)
│          │     ├ DomainEndpoint: string (required)
│          │     ├ VectorIndexName: string (required)
│          │     └ FieldMapping: OpenSearchManagedClusterFieldMapping (required)
│          ├[+]  type OpenSearchManagedClusterFieldMapping
│          │  ├      documentation: Contains the names of the fields to which to map information about the vector store.
│          │  │      name: OpenSearchManagedClusterFieldMapping
│          │  └ properties
│          │     ├ VectorField: string (required)
│          │     ├ TextField: string (required)
│          │     └ MetadataField: string (required)
│          └[~] type StorageConfiguration
│            └ properties
│               └[+] OpensearchManagedClusterConfiguration: OpenSearchManagedClusterConfiguration
├[~] service aws-cleanrooms
│ └ resources
│    ├[~]  resource AWS::CleanRooms::AnalysisTemplate
│    │  ├ properties
│    │  │  ├[+] Schema: AnalysisSchema (immutable)
│    │  │  └[+] SourceMetadata: AnalysisSourceMetadata
│    │  └ types
│    │     ├[~] type AnalysisSource
│    │     │ └ properties
│    │     │    ├[+] Artifacts: AnalysisTemplateArtifacts
│    │     │    └ Text: - string (required, immutable)
│    │     │            + string (immutable)
│    │     ├[+]  type AnalysisSourceMetadata
│    │     │  ├      documentation: The analysis source metadata.
│    │     │  │      name: AnalysisSourceMetadata
│    │     │  └ properties
│    │     │     └ Artifacts: AnalysisTemplateArtifactMetadata (required)
│    │     ├[+]  type AnalysisTemplateArtifact
│    │     │  ├      documentation: The analysis template artifact.
│    │     │  │      name: AnalysisTemplateArtifact
│    │     │  └ properties
│    │     │     └ Location: S3Location (required)
│    │     ├[+]  type AnalysisTemplateArtifactMetadata
│    │     │  ├      documentation: The analysis template artifact metadata.
│    │     │  │      name: AnalysisTemplateArtifactMetadata
│    │     │  └ properties
│    │     │     ├ EntryPointHash: Hash (required)
│    │     │     └ AdditionalArtifactHashes: Array<Hash>
│    │     ├[+]  type AnalysisTemplateArtifacts
│    │     │  ├      documentation: The analysis template artifacts.
│    │     │  │      name: AnalysisTemplateArtifacts
│    │     │  └ properties
│    │     │     ├ EntryPoint: AnalysisTemplateArtifact (required)
│    │     │     ├ AdditionalArtifacts: Array<AnalysisTemplateArtifact>
│    │     │     └ RoleArn: string (required)
│    │     ├[+]  type Hash
│    │     │  ├      documentation: Hash
│    │     │  │      name: Hash
│    │     │  └ properties
│    │     │     └ Sha256: string
│    │     └[+]  type S3Location
│    │        ├      documentation: The S3 location.
│    │        │      name: S3Location
│    │        └ properties
│    │           ├ Bucket: string (required)
│    │           └ Key: string (required)
│    ├[~]  resource AWS::CleanRooms::Collaboration
│    │  ├ properties
│    │  │  ├ CreatorMemberAbilities: (documentation changed)
│    │  │  └[+] JobLogStatus: string (immutable)
│    │  └ types
│    │     ├[+]  type JobComputePaymentConfig
│    │     │  ├      documentation: An object representing the collaboration member's payment responsibilities set by the collaboration creator for query and job compute costs.
│    │     │  │      name: JobComputePaymentConfig
│    │     │  └ properties
│    │     │     └ IsResponsible: boolean (required)
│    │     └[~] type PaymentConfiguration
│    │       └ properties
│    │          └[+] JobCompute: JobComputePaymentConfig
│    ├[~]  resource AWS::CleanRooms::ConfiguredTable
│    │  └ properties
│    │     └[+] SelectedAnalysisMethods: Array<string>
│    └[~]  resource AWS::CleanRooms::Membership
│       ├ properties
│       │  ├[+] DefaultJobResultConfiguration: MembershipProtectedJobResultConfiguration
│       │  └[+] JobLogStatus: string
│       └ types
│          ├[+]  type MembershipJobComputePaymentConfig
│          │  ├      documentation: An object representing the payment responsibilities accepted by the collaboration member for query and job compute costs.
│          │  │      name: MembershipJobComputePaymentConfig
│          │  └ properties
│          │     └ IsResponsible: boolean (required)
│          ├[~] type MembershipPaymentConfiguration
│          │ └ properties
│          │    └[+] JobCompute: MembershipJobComputePaymentConfig
│          ├[+]  type MembershipProtectedJobOutputConfiguration
│          │  ├      documentation: Contains configurations for protected job results.
│          │  │      name: MembershipProtectedJobOutputConfiguration
│          │  └ properties
│          │     └ S3: ProtectedJobS3OutputConfigurationInput (required)
│          ├[+]  type MembershipProtectedJobResultConfiguration
│          │  ├      documentation: Contains configurations for protected job results.
│          │  │      name: MembershipProtectedJobResultConfiguration
│          │  └ properties
│          │     ├ OutputConfiguration: MembershipProtectedJobOutputConfiguration (required)
│          │     └ RoleArn: string (required)
│          └[+]  type ProtectedJobS3OutputConfigurationInput
│             ├      documentation: Contains input information for protected jobs with an S3 output type.
│             │      name: ProtectedJobS3OutputConfigurationInput
│             └ properties
│                ├ Bucket: string (required)
│                └ KeyPrefix: string
├[~] service aws-cloudtrail
│ └ resources
│    ├[~]  resource AWS::CloudTrail::EventDataStore
│    │  └ types
│    │     ├[~] type AdvancedEventSelector
│    │     │ └      - documentation: Advanced event selectors let you create fine-grained selectors for AWS CloudTrail management, data, and network activity events. They help you control costs by logging only those events that are important to you. For more information about configuring advanced event selectors, see the [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) , [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) , and [Logging management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html) topics in the *AWS CloudTrail User Guide* .
│    │     │        You cannot apply both event selectors and advanced event selectors to a trail.
│    │     │        *Supported CloudTrail event record fields for management events*
│    │     │        - `eventCategory` (required)
│    │     │        - `eventSource`
│    │     │        - `readOnly`
│    │     │        The following additional fields are available for event data stores:
│    │     │        - `eventName`
│    │     │        - `eventType`
│    │     │        - `sessionCredentialFromConsole`
│    │     │        - `userIdentity.arn`
│    │     │        *Supported CloudTrail event record fields for data events*
│    │     │        - `eventCategory` (required)
│    │     │        - `resources.type` (required)
│    │     │        - `readOnly`
│    │     │        - `eventName`
│    │     │        - `resources.ARN`
│    │     │        The following additional fields are available for event data stores:
│    │     │        - `eventSource`
│    │     │        - `eventType`
│    │     │        - `sessionCredentialFromConsole`
│    │     │        - `userIdentity.arn`
│    │     │        *Supported CloudTrail event record fields for network activity events*
│    │     │        - `eventCategory` (required)
│    │     │        - `eventSource` (required)
│    │     │        - `eventName`
│    │     │        - `errorCode` - The only valid value for `errorCode` is `VpceAccessDenied` .
│    │     │        - `vpcEndpointId`
│    │     │        > For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .
│    │     │        + documentation: Advanced event selectors let you create fine-grained selectors for AWS CloudTrail management, data, and network activity events. They help you control costs by logging only those events that are important to you. For more information about configuring advanced event selectors, see the [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) , [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) , and [Logging management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html) topics in the *AWS CloudTrail User Guide* .
│    │     │        You cannot apply both event selectors and advanced event selectors to a trail.
│    │     │        *Supported CloudTrail event record fields for management events*
│    │     │        - `eventCategory` (required)
│    │     │        - `eventSource`
│    │     │        - `readOnly`
│    │     │        The following additional fields are available for event data stores:
│    │     │        - `eventName`
│    │     │        - `eventType`
│    │     │        - `sessionCredentialFromConsole`
│    │     │        - `userIdentity.arn`
│    │     │        *Supported CloudTrail event record fields for data events*
│    │     │        - `eventCategory` (required)
│    │     │        - `eventName`
│    │     │        - `eventSource`
│    │     │        - `eventType`
│    │     │        - `resources.ARN`
│    │     │        - `resources.type` (required)
│    │     │        - `readOnly`
│    │     │        - `sessionCredentialFromConsole`
│    │     │        - `userIdentity.arn`
│    │     │        *Supported CloudTrail event record fields for network activity events*
│    │     │        - `eventCategory` (required)
│    │     │        - `eventSource` (required)
│    │     │        - `eventName`
│    │     │        - `errorCode` - The only valid value for `errorCode` is `VpceAccessDenied` .
│    │     │        - `vpcEndpointId`
│    │     │        > For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .
│    │     └[~] type AdvancedFieldSelector
│    │       └ properties
│    │          └ Field: (documentation changed)
│    └[~]  resource AWS::CloudTrail::Trail
│       └ types
│          ├[~] type AdvancedEventSelector
│          │ └      - documentation: Advanced event selectors let you create fine-grained selectors for AWS CloudTrail management, data, and network activity events. They help you control costs by logging only those events that are important to you. For more information about configuring advanced event selectors, see the [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) , [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) , and [Logging management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html) topics in the *AWS CloudTrail User Guide* .
│          │        You cannot apply both event selectors and advanced event selectors to a trail.
│          │        *Supported CloudTrail event record fields for management events*
│          │        - `eventCategory` (required)
│          │        - `eventSource`
│          │        - `readOnly`
│          │        The following additional fields are available for event data stores:
│          │        - `eventName`
│          │        - `eventType`
│          │        - `sessionCredentialFromConsole`
│          │        - `userIdentity.arn`
│          │        *Supported CloudTrail event record fields for data events*
│          │        - `eventCategory` (required)
│          │        - `resources.type` (required)
│          │        - `readOnly`
│          │        - `eventName`
│          │        - `resources.ARN`
│          │        The following additional fields are available for event data stores:
│          │        - `eventSource`
│          │        - `eventType`
│          │        - `sessionCredentialFromConsole`
│          │        - `userIdentity.arn`
│          │        *Supported CloudTrail event record fields for network activity events*
│          │        - `eventCategory` (required)
│          │        - `eventSource` (required)
│          │        - `eventName`
│          │        - `errorCode` - The only valid value for `errorCode` is `VpceAccessDenied` .
│          │        - `vpcEndpointId`
│          │        > For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .
│          │        + documentation: Advanced event selectors let you create fine-grained selectors for AWS CloudTrail management, data, and network activity events. They help you control costs by logging only those events that are important to you. For more information about configuring advanced event selectors, see the [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) , [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) , and [Logging management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html) topics in the *AWS CloudTrail User Guide* .
│          │        You cannot apply both event selectors and advanced event selectors to a trail.
│          │        *Supported CloudTrail event record fields for management events*
│          │        - `eventCategory` (required)
│          │        - `eventSource`
│          │        - `readOnly`
│          │        The following additional fields are available for event data stores:
│          │        - `eventName`
│          │        - `eventType`
│          │        - `sessionCredentialFromConsole`
│          │        - `userIdentity.arn`
│          │        *Supported CloudTrail event record fields for data events*
│          │        - `eventCategory` (required)
│          │        - `eventName`
│          │        - `eventSource`
│          │        - `eventType`
│          │        - `resources.ARN`
│          │        - `resources.type` (required)
│          │        - `readOnly`
│          │        - `sessionCredentialFromConsole`
│          │        - `userIdentity.arn`
│          │        *Supported CloudTrail event record fields for network activity events*
│          │        - `eventCategory` (required)
│          │        - `eventSource` (required)
│          │        - `eventName`
│          │        - `errorCode` - The only valid value for `errorCode` is `VpceAccessDenied` .
│          │        - `vpcEndpointId`
│          │        > For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .
│          └[~] type AdvancedFieldSelector
│            └ properties
│               └ Field: (documentation changed)
├[~] service aws-codebuild
│ └ resources
│    └[~]  resource AWS::CodeBuild::Project
│       └ types
│          └[~] type ScopeConfiguration
│            └ properties
│               ├[+] Domain: string
│               └[+] Scope: string
├[~] service aws-dms
│ └ resources
│    └[~]  resource AWS::DMS::ReplicationInstance
│       └ properties
│          └[+] DnsNameServers: string (immutable)
├[~] service aws-ec2
│ └ resources
│    ├[~]  resource AWS::EC2::Host
│    │  ├      - tagInformation: undefined
│    │  │      + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│    │  └ properties
│    │     └[+] Tags: Array<tag>
│    ├[~]  resource AWS::EC2::SecurityGroup
│    │  └      - documentation: Specifies a security group.
│    │         You must specify ingress rules to allow inbound traffic. By default, no inbound traffic is allowed.
│    │         If you do not specify an egress rule, we add egress rules that allow outbound IPv4 and IPv6 traffic on all ports and protocols to any destination. We do not add these rules if you specify your own egress rules.
│    │         If you modify a rule, CloudFormation removes the existing rule and then adds a new rule. There is a brief period when neither the original rule or the new rule exists, so the corresponding traffic is dropped.
│    │         This type supports updates. For more information about updating stacks, see [AWS CloudFormation Stacks Updates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html) .
│    │         > To cross-reference two security groups in the ingress and egress rules of those security groups, use the [AWS::EC2::SecurityGroupEgress](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-egress.html) and [AWS::EC2::SecurityGroupIngress](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-ingress.html) resources to define your rules. Do not use the embedded ingress and egress rules in the `AWS::EC2::SecurityGroup` . Doing so creates a circular dependency, which AWS CloudFormation doesn't allow.
│    │         + documentation: Specifies a security group.
│    │         You must specify ingress rules to allow inbound traffic. By default, no inbound traffic is allowed.
│    │         When you create a security group, if you do not add egress rules, we add egress rules that allow all outbound IPv4 and IPv6 traffic. Otherwise, we do not add them. After the security group is created, if you remove all egress rules that you added, we do not add egress rules, so no outbound traffic is allowed.
│    │         If you modify a rule, CloudFormation removes the existing rule and then adds a new rule. There is a brief period when neither the original rule or the new rule exists, so the corresponding traffic is dropped.
│    │         This type supports updates. For more information about updating stacks, see [AWS CloudFormation Stacks Updates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html) .
│    │         > To cross-reference two security groups in the ingress and egress rules of those security groups, use the [AWS::EC2::SecurityGroupEgress](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-egress.html) and [AWS::EC2::SecurityGroupIngress](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-ingress.html) resources to define your rules. Do not use the embedded ingress and egress rules in the `AWS::EC2::SecurityGroup` . Doing so creates a circular dependency, which AWS CloudFormation doesn't allow.
│    └[~]  resource AWS::EC2::VPCEndpoint
│       └ properties
│          └[+] ServiceRegion: string (immutable)
├[~] service aws-eks
│ └ resources
│    └[~]  resource AWS::EKS::PodIdentityAssociation
│       ├ properties
│       │  ├[-] DisableSessionTags: boolean
│       │  └[-] TargetRoleArn: string
│       └ attributes
│          └[-] ExternalId: string
├[~] service aws-elasticache
│ └ resources
│    └[~]  resource AWS::ElastiCache::ReplicationGroup
│       └ properties
│          ├ AtRestEncryptionEnabled: (documentation changed)
│          └ TransitEncryptionEnabled: (documentation changed)
├[~] service aws-events
│ └ resources
│    ├[~]  resource AWS::Events::ApiDestination
│    │  └ attributes
│    │     └[+] ArnForPolicy: string
│    ├[~]  resource AWS::Events::Archive
│    │  ├      - documentation: Creates an archive of events with the specified settings. When you create an archive, incoming events might not immediately start being sent to the archive. Allow a short period of time for changes to take effect. If you do not specify a pattern to filter events sent to the archive, all events are sent to the archive except replayed events. Replayed events are not sent to an archive.
│    │  │      > Archives and schema discovery are not supported for event buses encrypted using a customer managed key. EventBridge returns an error if:
│    │  │      > 
│    │  │      > - You call `[CreateArchive](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_CreateArchive.html)` on an event bus set to use a customer managed key for encryption.
│    │  │      > - You call `[CreateDiscoverer](https://docs.aws.amazon.com/eventbridge/latest/schema-reference/v1-discoverers.html#CreateDiscoverer)` on an event bus set to use a customer managed key for encryption.
│    │  │      > - You call `[UpdatedEventBus](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_UpdatedEventBus.html)` to set a customer managed key on an event bus with an archives or schema discovery enabled.
│    │  │      > 
│    │  │      > To enable archives or schema discovery on an event bus, choose to use an AWS owned key . For more information, see [Data encryption in EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-encryption.html) in the *Amazon EventBridge User Guide* .
│    │  │      + documentation: Creates an archive of events with the specified settings. When you create an archive, incoming events might not immediately start being sent to the archive. Allow a short period of time for changes to take effect. If you do not specify a pattern to filter events sent to the archive, all events are sent to the archive except replayed events. Replayed events are not sent to an archive.
│    │  │      > If you have specified that EventBridge use a customer managed key for encrypting the source event bus, we strongly recommend you also specify a customer managed key for any archives for the event bus as well.
│    │  │      > 
│    │  │      > For more information, see [Encrypting archives](https://docs.aws.amazon.com/eventbridge/latest/userguide/encryption-archives.html) in the *Amazon EventBridge User Guide* .
│    │  └ properties
│    │     └[+] KmsKeyIdentifier: string
│    ├[~]  resource AWS::Events::Connection
│    │  └ attributes
│    │     └[+] ArnForPolicy: string
│    └[~]  resource AWS::Events::EventBus
│       └ properties
│          └ KmsKeyIdentifier: (documentation changed)
├[~] service aws-fsx
│ └ resources
│    └[~]  resource AWS::FSx::FileSystem
│       ├ properties
│       │  └ StorageType: (documentation changed)
│       └ types
│          ├[~] type LustreConfiguration
│          │ └ properties
│          │    └ WeeklyMaintenanceStartTime: (documentation changed)
│          ├[~] type OntapConfiguration
│          │ └ properties
│          │    └ WeeklyMaintenanceStartTime: (documentation changed)
│          └[~] type OpenZFSConfiguration
│            └ properties
│               └ WeeklyMaintenanceStartTime: (documentation changed)
├[~] service aws-iot
│ └ resources
│    ├[~]  resource AWS::IoT::AccountAuditConfiguration
│    │  └ properties
│    │     └ AuditCheckConfigurations: (documentation changed)
│    └[~]  resource AWS::IoT::ScheduledAudit
│       └ properties
│          └ TargetCheckNames: (documentation changed)
├[~] service aws-kafkaconnect
│ └ resources
│    └[~]  resource AWS::KafkaConnect::Connector
│       └ types
│          └[~] type Vpc
│            └ properties
│               └ SecurityGroups: (documentation changed)
├[~] service aws-kinesis
│ └ resources
│    └[~]  resource AWS::Kinesis::Stream
│       └ properties
│          └[+] DesiredShardLevelMetrics: Array<string>
├[~] service aws-lex
│ └ resources
│    └[~]  resource AWS::Lex::Bot
│       ├ properties
│       │  └ Replication: (documentation changed)
│       └ types
│          ├[+]  type BedrockAgentConfiguration
│          │  ├      name: BedrockAgentConfiguration
│          │  └ properties
│          │     ├ BedrockAgentId: string
│          │     └ BedrockAgentAliasId: string
│          ├[+]  type BedrockAgentIntentConfiguration
│          │  ├      name: BedrockAgentIntentConfiguration
│          │  └ properties
│          │     ├ BedrockAgentConfiguration: BedrockAgentConfiguration
│          │     └ BedrockAgentIntentKnowledgeBaseConfiguration: BedrockAgentIntentKnowledgeBaseConfiguration
│          ├[+]  type BedrockAgentIntentKnowledgeBaseConfiguration
│          │  ├      name: BedrockAgentIntentKnowledgeBaseConfiguration
│          │  └ properties
│          │     ├ BedrockKnowledgeBaseArn: string (required)
│          │     └ BedrockModelConfiguration: BedrockModelSpecification (required)
│          ├[~] type BedrockGuardrailConfiguration
│          │ └ properties
│          │    ├ BedrockGuardrailIdentifier: (documentation changed)
│          │    └ BedrockGuardrailVersion: (documentation changed)
│          ├[~] type BedrockKnowledgeStoreConfiguration
│          │ └ properties
│          │    └ BKBExactResponseFields: (documentation changed)
│          ├[~] type BedrockModelSpecification
│          │ └ properties
│          │    ├ BedrockGuardrailConfiguration: (documentation changed)
│          │    ├ BedrockModelCustomPrompt: (documentation changed)
│          │    └ BedrockTraceStatus: (documentation changed)
│          ├[~] type BKBExactResponseFields
│          │ ├      - documentation: Contains the names of the fields used for an exact response to the user.
│          │ │      + documentation: undefined
│          │ └ properties
│          │    └ AnswerField: (documentation changed)
│          ├[+]  type CompositeSlotTypeSetting
│          │  ├      documentation: A composite slot is a combination of two or more slots that capture multiple pieces of information in a single user input.
│          │  │      name: CompositeSlotTypeSetting
│          │  └ properties
│          │     └ SubSlots: Array<SubSlotTypeComposition>
│          ├[~] type Intent
│          │ └ properties
│          │    ├[+] BedrockAgentIntentConfiguration: BedrockAgentIntentConfiguration
│          │    ├[+] QInConnectIntentConfiguration: QInConnectIntentConfiguration
│          │    └ QnAIntentConfiguration: (documentation changed)
│          ├[+]  type QInConnectAssistantConfiguration
│          │  ├      name: QInConnectAssistantConfiguration
│          │  └ properties
│          │     └ AssistantArn: string (required)
│          ├[+]  type QInConnectIntentConfiguration
│          │  ├      name: QInConnectIntentConfiguration
│          │  └ properties
│          │     └ QInConnectAssistantConfiguration: QInConnectAssistantConfiguration
│          ├[~] type QnAIntentConfiguration
│          │ └ properties
│          │    └ BedrockModelConfiguration: (documentation changed)
│          ├[~] type Replication
│          │ ├      - documentation: Parameter used to create a replication of the source bot in the secondary region.
│          │ │      + documentation: undefined
│          │ └ properties
│          │    └ ReplicaRegions: (documentation changed)
│          ├[~] type SlotType
│          │ └ properties
│          │    └[+] CompositeSlotTypeSetting: CompositeSlotTypeSetting
│          └[+]  type SubSlotTypeComposition
│             ├      documentation: Subslot type composition.
│             │      name: SubSlotTypeComposition
│             └ properties
│                ├ Name: string (required)
│                └ SlotTypeId: string (required)
├[~] service aws-location
│ └ resources
│    └[~]  resource AWS::Location::PlaceIndex
│       └ properties
│          └ DataSource: (documentation changed)
├[~] service aws-macie
│ └ resources
│    └[~]  resource AWS::Macie::Session
│       ├ properties
│       │  └ Status: (documentation changed)
│       └ attributes
│          └[+] AutomatedDiscoveryStatus: string
├[~] service aws-memorydb
│ └ resources
│    ├[~]  resource AWS::MemoryDB::Cluster
│    │  └ properties
│    │     ├[+] IpDiscovery: string
│    │     └[+] NetworkType: string (immutable)
│    └[~]  resource AWS::MemoryDB::SubnetGroup
│       └ attributes
│          └[+] SupportedNetworkTypes: Array<string>
├[~] service aws-msk
│ └ resources
│    ├[~]  resource AWS::MSK::Cluster
│    │  └ types
│    │     ├[~] type BrokerLogs
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The broker logs configuration for this MSK cluster.
│    │     │ └ properties
│    │     │    ├ Firehose: (documentation changed)
│    │     │    └ S3: (documentation changed)
│    │     ├[~] type ClientAuthentication
│    │     │ └ properties
│    │     │    ├ Sasl: (documentation changed)
│    │     │    ├ Tls: (documentation changed)
│    │     │    └ Unauthenticated: (documentation changed)
│    │     ├[~] type CloudWatchLogs
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Details of the CloudWatch Logs destination for broker logs.
│    │     │ └ properties
│    │     │    ├ Enabled: (documentation changed)
│    │     │    └ LogGroup: (documentation changed)
│    │     ├[~] type ConfigurationInfo
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Specifies the configuration to use for the brokers.
│    │     │ └ properties
│    │     │    ├ Arn: (documentation changed)
│    │     │    └ Revision: (documentation changed)
│    │     ├[~] type ConnectivityInfo
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Broker access controls.
│    │     │ └ properties
│    │     │    ├ PublicAccess: (documentation changed)
│    │     │    └ VpcConnectivity: (documentation changed)
│    │     ├[~] type EBSStorageInfo
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Contains information about the EBS storage volumes attached to the broker nodes.
│    │     │ └ properties
│    │     │    ├ ProvisionedThroughput: (documentation changed)
│    │     │    └ VolumeSize: (documentation changed)
│    │     ├[~] type EncryptionAtRest
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The data-volume encryption details. You can't update encryption at rest settings for existing clusters.
│    │     │ └ properties
│    │     │    └ DataVolumeKMSKeyId: (documentation changed)
│    │     ├[~] type EncryptionInfo
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Includes encryption-related information, such as the Amazon KMS key used for encrypting data at rest and whether you want MSK to encrypt your data in transit.
│    │     │ └ properties
│    │     │    └ EncryptionAtRest: (documentation changed)
│    │     ├[~] type Firehose
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Firehose details for BrokerLogs.
│    │     │ └ properties
│    │     │    ├ DeliveryStream: (documentation changed)
│    │     │    └ Enabled: (documentation changed)
│    │     ├[~] type Iam
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Details for SASL/IAM client authentication.
│    │     │ └ properties
│    │     │    └ Enabled: (documentation changed)
│    │     ├[~] type JmxExporter
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Indicates whether you want to enable or disable the JMX Exporter.
│    │     │ └ properties
│    │     │    └ EnabledInBroker: (documentation changed)
│    │     ├[~] type LoggingInfo
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: You can configure your MSK cluster to send broker logs to different destination types. This is a container for the configuration details related to broker logs.
│    │     │ └ properties
│    │     │    └ BrokerLogs: (documentation changed)
│    │     ├[~] type NodeExporter
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Indicates whether you want to enable or disable the Node Exporter.
│    │     │ └ properties
│    │     │    └ EnabledInBroker: (documentation changed)
│    │     ├[~] type OpenMonitoring
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: JMX and Node monitoring for the MSK cluster.
│    │     │ └ properties
│    │     │    └ Prometheus: (documentation changed)
│    │     ├[~] type Prometheus
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Prometheus settings for open monitoring.
│    │     │ └ properties
│    │     │    ├ JmxExporter: (documentation changed)
│    │     │    └ NodeExporter: (documentation changed)
│    │     ├[~] type ProvisionedThroughput
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Contains information about provisioned throughput for EBS storage volumes attached to kafka broker nodes.
│    │     │ └ properties
│    │     │    ├ Enabled: (documentation changed)
│    │     │    └ VolumeThroughput: (documentation changed)
│    │     ├[~] type PublicAccess
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Broker access controls
│    │     │ └ properties
│    │     │    └ Type: (documentation changed)
│    │     ├[~] type S3
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The details of the Amazon S3 destination for broker logs.
│    │     │ └ properties
│    │     │    ├ Bucket: (documentation changed)
│    │     │    ├ Enabled: (documentation changed)
│    │     │    └ Prefix: (documentation changed)
│    │     ├[~] type Sasl
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Details for client authentication using SASL. To turn on SASL, you must also turn on `EncryptionInTransit` by setting `inCluster` to true. You must set `clientBroker` to either `TLS` or `TLS_PLAINTEXT` . If you choose `TLS_PLAINTEXT` , then you must also set `unauthenticated` to true.
│    │     │ └ properties
│    │     │    ├ Iam: (documentation changed)
│    │     │    └ Scram: (documentation changed)
│    │     ├[~] type Scram
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Details for SASL/SCRAM client authentication.
│    │     │ └ properties
│    │     │    └ Enabled: (documentation changed)
│    │     ├[~] type StorageInfo
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Contains information about storage volumes attached to Amazon MSK broker nodes.
│    │     │ └ properties
│    │     │    └ EBSStorageInfo: (documentation changed)
│    │     ├[~] type Tls
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Details for client authentication using TLS.
│    │     │ └ properties
│    │     │    ├ CertificateAuthorityArnList: (documentation changed)
│    │     │    └ Enabled: (documentation changed)
│    │     ├[~] type Unauthenticated
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Details for allowing no client authentication.
│    │     │ └ properties
│    │     │    └ Enabled: (documentation changed)
│    │     ├[~] type VpcConnectivity
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: VPC connection control settings for brokers.
│    │     │ └ properties
│    │     │    └ ClientAuthentication: (documentation changed)
│    │     ├[~] type VpcConnectivityClientAuthentication
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Includes all client authentication information for VpcConnectivity.
│    │     │ └ properties
│    │     │    ├ Sasl: (documentation changed)
│    │     │    └ Tls: (documentation changed)
│    │     ├[~] type VpcConnectivityIam
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Details for SASL/IAM client authentication for VpcConnectivity.
│    │     │ └ properties
│    │     │    └ Enabled: (documentation changed)
│    │     ├[~] type VpcConnectivitySasl
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Details for client authentication using SASL for VpcConnectivity.
│    │     │ └ properties
│    │     │    ├ Iam: (documentation changed)
│    │     │    └ Scram: (documentation changed)
│    │     ├[~] type VpcConnectivityScram
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Details for SASL/SCRAM client authentication for VpcConnectivity.
│    │     │ └ properties
│    │     │    └ Enabled: (documentation changed)
│    │     └[~] type VpcConnectivityTls
│    │       ├      - documentation: undefined
│    │       │      + documentation: Details for client authentication using TLS for VpcConnectivity.
│    │       └ properties
│    │          └ Enabled: (documentation changed)
│    └[~]  resource AWS::MSK::ServerlessCluster
│       └ types
│          ├[~] type ClientAuthentication
│          │ ├      - documentation: undefined
│          │ │      + documentation: Includes all client authentication information.
│          │ └ properties
│          │    └ Sasl: (documentation changed)
│          ├[~] type Iam
│          │ ├      - documentation: undefined
│          │ │      + documentation: Details for SASL/IAM client authentication.
│          │ └ properties
│          │    └ Enabled: (documentation changed)
│          └[~] type Sasl
│            ├      - documentation: undefined
│            │      + documentation: Details for client authentication using SASL. To turn on SASL, you must also turn on `EncryptionInTransit` by setting `inCluster` to true. You must set `clientBroker` to either `TLS` or `TLS_PLAINTEXT` . If you choose `TLS_PLAINTEXT` , then you must also set `unauthenticated` to true.
│            └ properties
│               └ Iam: (documentation changed)
├[~] service aws-neptune
│ └ resources
│    └[~]  resource AWS::Neptune::DBSubnetGroup
│       └ attributes
│          └[-] Id: string
├[~] service aws-opensearchservice
│ └ resources
│    ├[~]  resource AWS::OpenSearchService::Application
│    │  ├      - documentation: Creates an OpenSearch Application.
│    │  │      + documentation: Creates an OpenSearch UI application. For more information, see [Using the OpenSearch user interface in Amazon OpenSearch Service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/application.html) .
│    │  ├ properties
│    │  │  ├ Endpoint: (documentation changed)
│    │  │  ├ IamIdentityCenterOptions: (documentation changed)
│    │  │  └ Name: (documentation changed)
│    │  ├ attributes
│    │  │  └ Id: (documentation changed)
│    │  └ types
│    │     ├[~] type AppConfig
│    │     │ ├      - documentation: Configurations of the OpenSearch Application.
│    │     │ │      + documentation: Configuration settings for an OpenSearch application. For more information, see see [Using the OpenSearch user interface in Amazon OpenSearch Service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/application.html) .
│    │     │ └ properties
│    │     │    ├ Key: (documentation changed)
│    │     │    └ Value: (documentation changed)
│    │     ├[~] type DataSource
│    │     │ └      - documentation: Data sources that are associated with an OpenSearch Application.
│    │     │        + documentation: Data sources that are associated with an OpenSearch application.
│    │     └[~] type IamIdentityCenterOptions
│    │       ├      - documentation: Settings for IAM Identity Center for an OpenSearch Application.
│    │       │      + documentation: Configuration settings for IAM Identity Center in an OpenSearch application.
│    │       └ properties
│    │          ├ Enabled: (documentation changed)
│    │          └ IamRoleForIdentityCenterApplicationArn: (documentation changed)
│    └[~]  resource AWS::OpenSearchService::Domain
│       ├ properties
│       │  └ IdentityCenterOptions: (documentation changed)
│       ├ attributes
│       │  ├ IdentityCenterOptions.IdentityCenterApplicationARN: (documentation changed)
│       │  └ IdentityCenterOptions.IdentityStoreId: (documentation changed)
│       └ types
│          ├[~] type IdentityCenterOptions
│          │ ├      - documentation: Container for IAM Identity Center Options settings.
│          │ │      + documentation: Settings container for integrating IAM Identity Center with OpenSearch UI applications, which enables enabling secure user authentication and access control across multiple data sources. This setup supports single sign-on (SSO) through IAM Identity Center, allowing centralized user management.
│          │ └ properties
│          │    ├ EnabledAPIAccess: (documentation changed)
│          │    ├ IdentityCenterApplicationARN: (documentation changed)
│          │    ├ IdentityCenterInstanceARN: (documentation changed)
│          │    ├ IdentityStoreId: (documentation changed)
│          │    ├ RolesKey: (documentation changed)
│          │    └ SubjectKey: (documentation changed)
│          ├[~] type NodeConfig
│          │ ├      - documentation: Container for specifying configuration of any node type.
│          │ │      + documentation: Configuration options for defining the setup of any node type within the cluster.
│          │ └ properties
│          │    ├ Count: (documentation changed)
│          │    ├ Enabled: (documentation changed)
│          │    └ Type: (documentation changed)
│          └[~] type NodeOption
│            ├      - documentation: Container for specifying node type.
│            │      + documentation: Configuration settings for defining the node type within a cluster.
│            └ properties
│               ├ NodeConfig: (documentation changed)
│               └ NodeType: (documentation changed)
├[~] service aws-paymentcryptography
│ └ resources
│    └[~]  resource AWS::PaymentCryptography::Key
│       └ properties
│          └[+] DeriveKeyUsage: string
├[~] service aws-qbusiness
│ └ resources
│    └[~]  resource AWS::QBusiness::DataSource
│       └ types
│          ├[+]  type AudioExtractionConfiguration
│          │  ├      documentation: Configuration settings for audio content extraction and processing.
│          │  │      name: AudioExtractionConfiguration
│          │  └ properties
│          │     └ AudioExtractionStatus: string (required)
│          ├[~] type HookConfiguration
│          │ └ properties
│          │    └ LambdaArn: (documentation changed)
│          ├[~] type MediaExtractionConfiguration
│          │ └ properties
│          │    ├[+] AudioExtractionConfiguration: AudioExtractionConfiguration
│          │    └[+] VideoExtractionConfiguration: VideoExtractionConfiguration
│          └[+]  type VideoExtractionConfiguration
│             ├      documentation: Configuration settings for video content extraction and processing.
│             │      name: VideoExtractionConfiguration
│             └ properties
│                └ VideoExtractionStatus: string (required)
├[~] service aws-quicksight
│ └ resources
│    ├[~]  resource AWS::QuickSight::Analysis
│    │  └ types
│    │     ├[~] type TableFieldOptions
│    │     │ └ properties
│    │     │    └[+] TransposedTableOptions: Array<TransposedTableOption>
│    │     └[+]  type TransposedTableOption
│    │        ├      documentation: The column option of the transposed table.
│    │        │      name: TransposedTableOption
│    │        └ properties
│    │           ├ ColumnWidth: string
│    │           ├ ColumnIndex: number
│    │           └ ColumnType: string (required)
│    ├[~]  resource AWS::QuickSight::Dashboard
│    │  └ types
│    │     ├[~] type TableFieldOptions
│    │     │ └ properties
│    │     │    └[+] TransposedTableOptions: Array<TransposedTableOption>
│    │     └[+]  type TransposedTableOption
│    │        ├      documentation: The column option of the transposed table.
│    │        │      name: TransposedTableOption
│    │        └ properties
│    │           ├ ColumnWidth: string
│    │           ├ ColumnIndex: number
│    │           └ ColumnType: string (required)
│    └[~]  resource AWS::QuickSight::Template
│       └ types
│          ├[~] type TableFieldOptions
│          │ └ properties
│          │    └[+] TransposedTableOptions: Array<TransposedTableOption>
│          └[+]  type TransposedTableOption
│             ├      documentation: The column option of the transposed table.
│             │      name: TransposedTableOption
│             └ properties
│                ├ ColumnWidth: string
│                ├ ColumnIndex: number
│                └ ColumnType: string (required)
├[~] service aws-rds
│ └ resources
│    └[~]  resource AWS::RDS::DBInstance
│       └ properties
│          ├[-] CertificateDetails: CertificateDetails
│          └[-] Endpoint: Endpoint
├[~] service aws-redshiftserverless
│ └ resources
│    └[~]  resource AWS::RedshiftServerless::Workgroup
│       ├ properties
│       │  └ SnapshotOwnerAccount: (documentation changed)
│       └ attributes
│          └[-] Workgroup.BaseCapacity: integer
├[~] service aws-route53resolver
│ └ resources
│    ├[~]  resource AWS::Route53Resolver::ResolverConfig
│    │  └ properties
│    │     └ ResourceId: (documentation changed)
│    └[~]  resource AWS::Route53Resolver::ResolverQueryLoggingConfig
│       ├      - tagInformation: undefined
│       │      + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│       └ properties
│          └[+] Tags: Array<tag> (immutable)
├[~] service aws-sagemaker
│ └ resources
│    └[~]  resource AWS::SageMaker::PartnerApp
│       ├      - documentation: Creates an Amazon SageMaker Partner AI App.
│       │      + documentation: The `AWS::SageMaker::PartnerApp` resource creates an Amazon SageMaker Partner AI App. For more information, see [Partner AI Apps](https://docs.aws.amazon.com/sagemaker/latest/dg/partner-apps.html) .
│       ├ properties
│       │  ├ ApplicationConfig: (documentation changed)
│       │  ├ AuthType: (documentation changed)
│       │  ├ ExecutionRoleArn: (documentation changed)
│       │  ├ Name: (documentation changed)
│       │  ├ Tier: (documentation changed)
│       │  └ Type: (documentation changed)
│       ├ attributes
│       │  └ Arn: (documentation changed)
│       └ types
│          ├[~] type PartnerAppConfig
│          │ ├      - documentation: Configuration settings for the SageMaker Partner AI App.
│          │ │      + documentation: A collection of configuration settings for the PartnerApp.
│          │ └ properties
│          │    ├ AdminUsers: (documentation changed)
│          │    └ Arguments: (documentation changed)
│          └[~] type PartnerAppMaintenanceConfig
│            ├      - documentation: Maintenance configuration settings for the SageMaker Partner AI App.
│            │      + documentation: A collection of settings that specify the maintenance schedule for the PartnerApp.
│            └ properties
│               └ MaintenanceWindowStart: (documentation changed)
├[~]…
@aws-cdk-automation aws-cdk-automation requested a review from a team as a code owner April 16, 2025 23:13
@aws-cdk-automation aws-cdk-automation added auto-approve pr/no-squash This PR should be merged instead of squash-merging it labels Apr 16, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team April 16, 2025 23:13
@github-actions github-actions bot added the p2 label Apr 16, 2025
@paulhcsun paulhcsun added the pr/do-not-merge This PR should not be merged at this time. label Apr 16, 2025
@paulhcsun paulhcsun removed the pr/do-not-merge This PR should not be merged at this time. label Apr 16, 2025
@aws-cdk-automation

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 4fd27a5
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

mergify bot commented Apr 16, 2025

Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 0ad4f3b into v2-release Apr 16, 2025
14 of 15 checks passed
@mergify mergify bot deleted the bump/2.190.0 branch April 16, 2025 23:50
Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 16, 2025