forked from aws/aws-cdk
Ipv6 vpc endpoints #2
Open: daniilmc wants to merge 159 commits into main from ipv6-vpc-endpoints
Conversation
…ws#33899)

### Issue # (if applicable)
Relates to aws#32569

### Reason for this change
untyped Errors are not recommended

### Description of changes
ValidationErrors everywhere

### Describe any new or updated permissions being added
None

### Description of how you validated changes
Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws#33894)

When node pools are disabled (by setting an empty array in nodePools), the IAM role will not be created, preventing deployment failures with the error 'When Compute Config nodeRoleArn is not null or empty, nodePool value(s) must be provided.'

### Issue # (if applicable)
Fixes aws#33771

### Reason for this change
When using EKS Auto Mode with empty node pools (by setting `nodePools: []`), the IAM role was still being created by the L2 construct, causing stack deployment failures. The AWS service returns an error stating that when `nodeRoleArn` is provided, node pool values must also be provided.

### Description of changes
Modified the `computeConfig` section in the `CfnCluster` resource to check if `nodePools` is empty before assigning `nodeRoleArn`. If `nodePools` is empty, `nodeRoleArn` will be set to `undefined` to prevent the unnecessary creation of the IAM role.

The change ensures that when users explicitly disable node pools by providing an empty array, the IAM role won't be created, allowing the cluster to be provisioned successfully.

Added a test case to verify that when node pools are empty:
1. The nodeRoleArn is not included in the CloudFormation template
2. No IAM role resource is created for node pools

### Describe any new or updated permissions being added
No new or updated IAM permissions are being added. This change actually prevents the creation of an IAM role when it's not needed.

### Description of how you validated changes
Added a new test case in `automode.test.ts` that verifies:
- The `nodeRoleArn` property is not included in the CloudFormation template when node pools are empty
- No IAM role resource is created for node pools when they are disabled

The test passes, confirming that our fix works as expected.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
N/A

### Reason for this change
Only allow the workflow to be run by aws-cdk-automation.

### Description of changes
Limit the GitHub author to aws-cdk-automation.

### Describe any new or updated permissions being added
N/A

### Description of how you validated changes
N/A

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
Closes aws#31785 .

### Description of changes
We are excited to graduate the `@aws-cdk/aws-scheduler-alpha` and `@aws-cdk/aws-scheduler-targets-alpha` modules to STABLE. They now live on as `aws-cdk-lib/aws-scheduler` and `aws-cdk-lib/aws-scheduler-targets`.

The `Group` construct (deprecated) has now been removed and `ScheduleGroup` should be used instead.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
Closes aws#27483

### Description
We are excited to graduate the `@aws-cdk/aws-cognito-identitypool-alpha` module to **STABLE**. It now lives on as `aws-cdk-lib/aws-cognito-identitypool`.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**

```
├[~] service aws-amazonmq
│ └ resources
│    └[~] resource AWS::AmazonMQ::Broker
│      └ types
│         └[~] type User
│           └ properties
│              └ JolokiaApiAccess: (documentation changed)
├[~] service aws-apigatewayv2
│ └ resources
│    └[~] resource AWS::ApiGatewayV2::DomainName
│      └ attributes
│         └[+] DomainNameArn: string
├[~] service aws-appconfig
│ └ resources
│    └[~] resource AWS::AppConfig::ConfigurationProfile
│      └ properties
│         └ RetrievalRoleArn: (documentation changed)
├[~] service aws-applicationsignals
│ └ resources
│    ├[~] resource AWS::ApplicationSignals::Discovery
│    │ ├ - documentation: Resource Type definition for AWS::ApplicationSignals::Discovery
│    │ │ + documentation: Enables this AWS account to be able to use CloudWatch Application Signals by creating the `AWSServiceRoleForCloudWatchApplicationSignals` service-linked role. This service-linked role has the following permissions:
│    │ │ - `xray:GetServiceGraph`
│    │ │ - `logs:StartQuery`
│    │ │ - `logs:GetQueryResults`
│    │ │ - `cloudwatch:GetMetricData`
│    │ │ - `cloudwatch:ListMetrics`
│    │ │ - `tag:GetResources`
│    │ │ - `autoscaling:DescribeAutoScalingGroups`
│    │ │ After completing this step, you still need to instrument your Java and Python applications to send data to Application Signals. For more information, see [Enabling Application Signals](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Application-Signals-Enable.html) .
│    │ └ attributes
│    │    └ AccountId: (documentation changed)
│    └[~] resource AWS::ApplicationSignals::ServiceLevelObjective
│      ├ properties
│      │  └[+] ExclusionWindows: Array<ExclusionWindow>
│      └ types
│         ├[+] type ExclusionWindow
│         │ ├ documentation: The core SLO time window exclusion object that includes Window, StartTime, RecurrenceRule, and Reason.
│         │ │ name: ExclusionWindow
│         │ └ properties
│         │    ├ Window: Window (required)
│         │    ├ StartTime: string
│         │    ├ RecurrenceRule: RecurrenceRule
│         │    └ Reason: string (default="No reason")
│         ├[+] type RecurrenceRule
│         │ ├ documentation: The recurrence rule for the SLO time window exclusion .
│         │ │ name: RecurrenceRule
│         │ └ properties
│         │    └ Expression: string (required)
│         ├[~] type RequestBasedSliMetric
│         │ └ properties
│         │    └ KeyAttributes: (documentation changed)
│         └[+] type Window
│           ├ documentation: The object that defines the time length of an exclusion window.
│           │ name: Window
│           └ properties
│              ├ DurationUnit: string (required)
│              └ Duration: integer (required)
├[~] service aws-appsync
│ └ resources
│    └[~] resource AWS::AppSync::DomainName
│      ├ - tagInformation: undefined
│      │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│      ├ properties
│      │  └[+] Tags: Array<tag>
│      └ attributes
│         └[+] DomainNameArn: string
├[~] service aws-bedrock
│ └ resources
│    ├[~] resource AWS::Bedrock::DataSource
│    │ ├ - documentation: Specifies a data source as a resource in a top-level template. Minimally, you must specify the following properties:
│    │ │ - Name – Specify a name for the data source.
│    │ │ - KnowledgeBaseId – Specify the ID of the knowledge base for the data source to belong to.
│    │ │ - DataSourceConfiguration – Specify information about the Amazon S3 bucket containing the data source. The following sub-properties are required:
│    │ │ - Type – Specify the value `S3` .
│    │ │ For more information about setting up data sources in Amazon Bedrock , see [Set up a data source for your knowledge base](https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base-ds.html) .
│    │ │ See the *Properties* section below for descriptions of both the required and optional properties.
│    │ │ + documentation: > Properties with `__Update requires: Replacement__` can result in the creation of a new data source and deletion of the old one. This can happen if you also change the Name of the data source.
│    │ │ Specifies a data source as a resource in a top-level template. Minimally, you must specify the following properties:
│    │ │ - Name – Specify a name for the data source.
│    │ │ - KnowledgeBaseId – Specify the ID of the knowledge base for the data source to belong to.
│    │ │ - DataSourceConfiguration – Specify information about the Amazon S3 bucket containing the data source. The following sub-properties are required:
│    │ │ - Type – Specify the value `S3` .
│    │ │ For more information about setting up data sources in Amazon Bedrock , see [Set up a data source for your knowledge base](https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base-ds.html) .
│    │ │ See the *Properties* section below for descriptions of both the required and optional properties.
│    │ ├ attributes
│    │ │  └[+] DataSourceConfiguration.WebConfiguration.CrawlerConfiguration.UserAgentHeader: string
│    │ └ types
│    │    ├[+] type BedrockFoundationModelContextEnrichmentConfiguration
│    │    │ ├ documentation: Bedrock Foundation Model configuration to be used for Context Enrichment.
│    │    │ │ name: BedrockFoundationModelContextEnrichmentConfiguration
│    │    │ └ properties
│    │    │    ├ EnrichmentStrategyConfiguration: EnrichmentStrategyConfiguration (required)
│    │    │    └ ModelArn: string (required)
│    │    ├[+] type ContextEnrichmentConfiguration
│    │    │ ├ documentation: Additional Enrichment Configuration for example when using GraphRag.
│    │    │ │ name: ContextEnrichmentConfiguration
│    │    │ └ properties
│    │    │    ├ Type: string (required)
│    │    │    └ BedrockFoundationModelConfiguration: BedrockFoundationModelContextEnrichmentConfiguration
│    │    ├[+] type EnrichmentStrategyConfiguration
│    │    │ ├ documentation: Strategy to be used when using Bedrock Foundation Model for Context Enrichment.
│    │    │ │ name: EnrichmentStrategyConfiguration
│    │    │ └ properties
│    │    │    └ Method: string (required)
│    │    ├[~] type VectorIngestionConfiguration
│    │    │ └ properties
│    │    │    └[+] ContextEnrichmentConfiguration: ContextEnrichmentConfiguration
│    │    ├[~] type WebCrawlerConfiguration
│    │    │ └ properties
│    │    │    ├[+] UserAgent: string
│    │    │    └[+] UserAgentHeader: string
│    │    └[~] type WebCrawlerLimits
│    │      └ properties
│    │         └[+] MaxPages: integer
│    ├[~] resource AWS::Bedrock::Prompt
│    │ └ types
│    │    ├[~] type SpecificToolChoice
│    │    │ └ - documentation: The model must request a specific tool. For example, `{"tool" : {"name" : "Your tool name"}}` . For more information, see [Call a tool with the Converse API](https://docs.aws.amazon.com/bedrock/latest/userguide/tool-use.html) in the Amazon Bedrock User Guide
│    │    │   > This field is only supported by Anthropic Claude 3 models.
│    │    │   + documentation: The model must request a specific tool. For example, `{"tool" : {"name" : "Your tool name"}}` . For more information, see [Call a tool with the Converse API](https://docs.aws.amazon.com/bedrock/latest/userguide/tool-use.html) in the Amazon Bedrock User Guide
│    │    │   > This field is only supported by Amazon Nova models and Anthropic Claude 3 models.
│    │    └[~] type ToolChoice
│    │      └ properties
│    │         └ Tool: (documentation changed)
│    └[~] resource AWS::Bedrock::PromptVersion
│      └ types
│         ├[~] type SpecificToolChoice
│         │ └ - documentation: The model must request a specific tool. For example, `{"tool" : {"name" : "Your tool name"}}` . For more information, see [Call a tool with the Converse API](https://docs.aws.amazon.com/bedrock/latest/userguide/tool-use.html) in the Amazon Bedrock User Guide
│         │   > This field is only supported by Anthropic Claude 3 models.
│         │   + documentation: The model must request a specific tool. For example, `{"tool" : {"name" : "Your tool name"}}` . For more information, see [Call a tool with the Converse API](https://docs.aws.amazon.com/bedrock/latest/userguide/tool-use.html) in the Amazon Bedrock User Guide
│         │   > This field is only supported by Amazon Nova models and Anthropic Claude 3 models.
│         └[~] type ToolChoice
│           └ properties
│              └ Tool: (documentation changed)
├[~] service aws-cleanrooms
│ └ resources
│    ├[~] resource AWS::CleanRooms::Collaboration
│    │ └ properties
│    │    └ QueryLogStatus: (documentation changed)
│    ├[~] resource AWS::CleanRooms::ConfiguredTable
│    │ ├ properties
│    │ │  └ AnalysisMethod: (documentation changed)
│    │ └ types
│    │    └[~] type DifferentialPrivacy
│    │      └ - documentation: The analysis method for the configured tables. The only valid value is currently `DIRECT_QUERY`.
│    │        + documentation: The analysis method allowed for the configured tables.
│    │        `DIRECT_QUERY` allows SQL queries to be run directly on this table.
│    │        `DIRECT_JOB` allows PySpark jobs to be run directly on this table.
│    │        `MULTIPLE` allows both SQL queries and PySpark jobs to be run directly on this table.
│    └[~] resource AWS::CleanRooms::Membership
│      └ properties
│         └ QueryLogStatus: (documentation changed)
├[~] service aws-cloudformation
│ └ resources
│    └[~] resource AWS::CloudFormation::StackSet
│      └ types
│         └[~] type OperationPreferences
│           └ properties
│              └ RegionOrder: (documentation changed)
├[~] service aws-cloudfront
│ └ resources
│    ├[~] resource AWS::CloudFront::AnycastIpList
│    │ └ attributes
│    │    └ AnycastIpList: (documentation changed)
│    └[~] resource AWS::CloudFront::VpcOrigin
│      └ types
│         └[~] type VpcOriginEndpointConfig
│           └ properties
│              └ OriginSSLProtocols: (documentation changed)
├[~] service aws-codeartifact
│ └ resources
│    └[~] resource AWS::CodeArtifact::PackageGroup
│      ├ properties
│      │  └ Tags: (documentation changed)
│      ├ attributes
│      │  └ Arn: (documentation changed)
│      └ types
│         ├[~] type OriginConfiguration
│         │ ├ - documentation: The package group origin configuration that determines how package versions can enter repositories.
│         │ │ + documentation: undefined
│         │ └ properties
│         │    └ Restrictions: (documentation changed)
│         ├[~] type Restrictions
│         │ ├ - documentation: Contains information about the configured restrictions of the origin controls of a package group.
│         │ │ + documentation: undefined
│         │ └ properties
│         │    ├ ExternalUpstream: (documentation changed)
│         │    ├ InternalUpstream: (documentation changed)
│         │    └ Publish: (documentation changed)
│         └[~] type RestrictionType
│           ├ - documentation: The `RestrictionType` property type specifies the package group origin configuration restriction mode, and the repositories when the `RestrictionMode` is set to `ALLOW_SPECIFIC_REPOSITORIES` .
│           │ + documentation: undefined
│           └ properties
│              ├ Repositories: (documentation changed)
│              └ RestrictionMode: (documentation changed)
├[~] service aws-connect
│ └ resources
│    ├[~] resource AWS::Connect::ContactFlow
│    │ └ attributes
│    │    └ ContactFlowArn: (documentation changed)
│    ├[~] resource AWS::Connect::ContactFlowModule
│    │ └ attributes
│    │    └ ContactFlowModuleArn: (documentation changed)
│    └[~] resource AWS::Connect::ContactFlowVersion
│      └ attributes
│         └ ContactFlowVersionARN: (documentation changed)
├[~] service aws-controltower
│ └ resources
│    ├[~] resource AWS::ControlTower::EnabledBaseline
│    │ ├ - documentation: This resource represents a `Baseline` that has been applied to a target.
│    │ │ + documentation: Definition of AWS::ControlTower::EnabledBaseline Resource Type
│    │ ├ properties
│    │ │  ├ Parameters: (documentation changed)
│    │ │  └ Tags: (documentation changed)
│    │ ├ attributes
│    │ │  └ EnabledBaselineIdentifier: (documentation changed)
│    │ └ types
│    │    └[~] type Parameter
│    │      ├ - documentation: A key-value parameter to an `EnabledBaseline` resource.
│    │      │ + documentation: undefined
│    │      └ properties
│    │         ├ Key: (documentation changed)
│    │         └ Value: (documentation changed)
│    └[~] resource AWS::ControlTower::EnabledControl
│      └ properties
│         └ Tags: (documentation changed)
├[~] service aws-datazone
│ └ resources
│    ├[+] resource AWS::DataZone::Connection
│    │ ├ name: Connection
│    │ │ cloudFormationType: AWS::DataZone::Connection
│    │ │ documentation: Connections enables users to connect their DataZone resources (domains, projects, and environments) to external resources/services (data, compute, etc)
│    │ ├ properties
│    │ │  ├ AwsLocation: AwsLocation
│    │ │  ├ Description: string
│    │ │  ├ DomainIdentifier: string (required, immutable)
│    │ │  ├ EnvironmentIdentifier: string (required, immutable)
│    │ │  ├ Name: string (required, immutable)
│    │ │  └ Props: ConnectionPropertiesInput
│    │ ├ attributes
│    │ │  ├ ConnectionId: string
│    │ │  ├ DomainId: string
│    │ │  ├ DomainUnitId: string
│    │ │  ├ EnvironmentId: string
│    │ │  ├ EnvironmentUserRole: string
│    │ │  ├ ProjectId: string
│    │ │  └ Type: string
│    │ └ types
│    │    ├ type AthenaPropertiesInput
│    │    │ ├ documentation: Athena Properties Input
│    │    │ │ name: AthenaPropertiesInput
│    │    │ └ properties
│    │    │    └ WorkgroupName: string (required)
│    │    ├ type AuthenticationConfigurationInput
│    │    │ ├ documentation: Authentication Configuration Input
│    │    │ │ name: AuthenticationConfigurationInput
│    │    │ └ properties
│    │    │    ├ AuthenticationType: string
│    │    │    ├ OAuth2Properties: OAuth2Properties
│    │    │    ├ SecretArn: string
│    │    │    ├ KmsKeyArn: string
│    │    │    ├ BasicAuthenticationCredentials: BasicAuthenticationCredentials
│    │    │    └ CustomAuthenticationCredentials: Map<string, string>
│    │    ├ type AuthorizationCodeProperties
│    │    │ ├ documentation: Authorization Code Properties
│    │    │ │ name: AuthorizationCodeProperties
│    │    │ └ properties
│    │    │    ├ AuthorizationCode: string
│    │    │    └ RedirectUri: string
│    │    ├ type AwsLocation
│    │    │ ├ documentation: AWS Location of project
│    │    │ │ name: AwsLocation
│    │    │ └ properties
│    │    │    ├ AccessRole: string
│    │    │    ├ AwsAccountId: string
│    │    │    ├ AwsRegion: string
│    │    │    └ IamConnectionId: string
│    │    ├ type BasicAuthenticationCredentials
│    │    │ ├ documentation: Basic Authentication Credentials
│    │    │ │ name: BasicAuthenticationCredentials
│    │    │ └ properties
│    │    │    ├ UserName: string
│    │    │    └ Password: string
│    │    ├ type ConnectionPropertiesInput
│    │    │ ├ name: ConnectionPropertiesInput
│    │    │ └ properties
│    │    │    ├ AthenaProperties: AthenaPropertiesInput
│    │    │    ├ GlueProperties: GluePropertiesInput
│    │    │    ├ HyperPodProperties: HyperPodPropertiesInput
│    │    │    ├ IamProperties: IamPropertiesInput
│    │    │    ├ RedshiftProperties: RedshiftPropertiesInput
│    │    │    ├ SparkEmrProperties: SparkEmrPropertiesInput
│    │    │    └ SparkGlueProperties: SparkGluePropertiesInput
│    │    ├ type GlueConnectionInput
│    │    │ ├ documentation: Glue Connection Input
│    │    │ │ name: GlueConnectionInput
│    │    │ └ properties
│    │    │    ├ ConnectionProperties: Map<string, string>
│    │    │    ├ PhysicalConnectionRequirements: PhysicalConnectionRequirements
│    │    │    ├ Name: string
│    │    │    ├ Description: string
│    │    │    ├ ConnectionType: string
│    │    │    ├ MatchCriteria: string
│    │    │    ├ ValidateCredentials: boolean
│    │    │    ├ ValidateForComputeEnvironments: Array<string>
│    │    │    ├ SparkProperties: Map<string, string>
│    │    │    ├ AthenaProperties: Map<string, string>
│    │    │    ├ PythonProperties: Map<string, string>
│    │    │    └ AuthenticationConfiguration: AuthenticationConfigurationInput
│    │    ├ type GlueOAuth2Credentials
│    │    │ ├ documentation: Glue OAuth2 Credentials
│    │    │ │ name: GlueOAuth2Credentials
│    │    │ └ properties
│    │    │    ├ UserManagedClientApplicationClientSecret: string
│    │    │    ├ AccessToken: string
│    │    │    ├ RefreshToken: string
│    │    │    └ JwtToken: string
│    │    ├ type GluePropertiesInput
│    │    │ ├ documentation: Glue Properties Input
│    │    │ │ name: GluePropertiesInput
│    │    │ └ properties
│    │    │    └ GlueConnectionInput: GlueConnectionInput
│    │    ├ type HyperPodPropertiesInput
│    │    │ ├ documentation: HyperPod Properties Input
│    │    │ │ name: HyperPodPropertiesInput
│    │    │ └ properties
│    │    │    └ ClusterName: string (required)
│    │    ├ type IamPropertiesInput
│    │    │ ├ documentation: IAM Properties Input
│    │    │ │ name: IamPropertiesInput
│    │    │ └ properties
│    │    │    └ GlueLineageSyncEnabled: boolean
│    │    ├ type LineageSyncSchedule
│    │    │ ├ documentation: Lineage Sync Schedule
│    │    │ │ name: LineageSyncSchedule
│    │    │ └ properties
│    │    │    └ Schedule: string
│    │    ├ type OAuth2ClientApplication
│    │    │ ├ documentation: OAuth2 Client Application
│    │    │ │ name: OAuth2ClientApplication
│    │    │ └ properties
│    │    │    ├ UserManagedClientApplicationClientId: string
│    │    │    └ AWSManagedClientApplicationReference: string
│    │    ├ type OAuth2Properties
│    │    │ ├ documentation: OAuth2 Properties
│    │    │ │ name: OAuth2Properties
│    │    │ └ properties
│    │    │    ├ OAuth2GrantType: string
│    │    │    ├ OAuth2ClientApplication: OAuth2ClientApplication
│    │    │    ├ TokenUrl: string
│    │    │    ├ TokenUrlParametersMap: Map<string, string>
│    │    │    ├ AuthorizationCodeProperties: AuthorizationCodeProperties
│    │    │    └ OAuth2Credentials: GlueOAuth2Credentials
│    │    ├ type PhysicalConnectionRequirements
│    │    │ ├ documentation: Physical Connection Requirements
│    │    │ │ name: PhysicalConnectionRequirements
│    │    │ └ properties
│    │    │    ├ SubnetId: string
│    │    │    ├ SubnetIdList: Array<string>
│    │    │    ├ SecurityGroupIdList: Array<string>
│    │    │    └ AvailabilityZone: string
│    │    ├ type RedshiftCredentials
│    │    │ ├ name: RedshiftCredentials
│    │    │ └ properties
│    │    │    ├ SecretArn: string
│    │    │    └ UsernamePassword: UsernamePassword
│    │    ├ type RedshiftLineageSyncConfigurationInput
│    │    │ ├ documentation: Redshift Lineage Sync Configuration Input
│    │    │ │ name: RedshiftLineageSyncConfigurationInput
│    │    │ └ properties
│    │    │    ├ Enabled: boolean
│    │    │    └ Schedule: LineageSyncSchedule
│    │    ├ type RedshiftPropertiesInput
│    │    │ ├ documentation: Redshift Properties Input
│    │    │ │ name: RedshiftPropertiesInput
│    │    │ └ properties
│    │    │    ├ Storage: RedshiftStorageProperties
│    │    │    ├ DatabaseName: string
│    │    │    ├ Host: string
│    │    │    ├ Port: number
│    │    │    ├ Credentials: RedshiftCredentials
│    │    │    └ LineageSync: RedshiftLineageSyncConfigurationInput
│    │    ├ type RedshiftStorageProperties
│    │    │ ├ name: RedshiftStorageProperties
│    │    │ └ properties
│    │    │    ├ ClusterName: string
│    │    │    └ WorkgroupName: string
│    │    ├ type SparkEmrPropertiesInput
│    │    │ ├ documentation: Spark EMR Properties Input.
│    │    │ │ name: SparkEmrPropertiesInput
│    │    │ └ properties
│    │    │    ├ ComputeArn: string
│    │    │    ├ InstanceProfileArn: string
│    │    │    ├ JavaVirtualEnv: string
│    │    │    ├ LogUri: string
│    │    │    ├ PythonVirtualEnv: string
│    │    │    ├ RuntimeRole: string
│    │    │    └ TrustedCertificatesS3Uri: string
│    │    ├ type SparkGlueArgs
│    │    │ ├ documentation: Spark Glue Args.
│    │    │ │ name: SparkGlueArgs
│    │    │ └ properties
│    │    │    └ Connection: string
│    │    ├ type SparkGluePropertiesInput
│    │    │ ├ documentation: Spark Glue Properties Input.
│    │    │ │ name: SparkGluePropertiesInput
│    │    │ └ properties
│    │    │    ├ AdditionalArgs: SparkGlueArgs
│    │    │    ├ GlueConnectionName: string
│    │    │    ├ GlueVersion: string
│    │    │    ├ IdleTimeout: number
│    │    │    ├ JavaVirtualEnv: string
│    │    │    ├ NumberOfWorkers: number
│    │    │    ├ PythonVirtualEnv: string
│    │    │    └ WorkerType: string
│    │    └ type UsernamePassword
│    │      ├ documentation: The username and password to be used for authentication.
│    │      │ name: UsernamePassword
│    │      └ properties
│    │         ├ Password: string (required)
│    │         └ Username: string (required)
│    ├[~] resource AWS::DataZone::DataSource
│    │ └ properties
│    │    └ Type: (documentation changed)
│    └[~] resource AWS::DataZone::Domain
│      └ attributes
│         └[+] RootDomainUnitId: string
├[~] service aws-ec2
│ └ resources
│    ├[~] resource AWS::EC2::CapacityReservation
│    │ ├ attributes
│    │ │  ├[+] CapacityAllocationSet: Array<CapacityAllocation>
│    │ │  ├[+] CapacityReservationArn: string
│    │ │  ├[+] CapacityReservationFleetId: string
│    │ │  ├[+] CommitmentInfo: CommitmentInfo
│    │ │  ├[+] CreateDate: string
│    │ │  ├[+] DeliveryPreference: string
│    │ │  ├[+] OwnerId: string
│    │ │  ├[+] ReservationType: string
│    │ │  ├[+] StartDate: string
│    │ │  └[+] State: string
│    │ └ types
│    │    ├[+] type CapacityAllocation
│    │    │ ├ documentation: Information about instance capacity usage for a Capacity Reservation.
│    │    │ │ name: CapacityAllocation
│    │    │ └ properties
│    │    │    ├ AllocationType: string
│    │    │    └ Count: integer
│    │    └[+] type CommitmentInfo
│    │      ├ documentation: Information about your commitment for a future-dated Capacity Reservation.
│    │      │ name: CommitmentInfo
│    │      └ properties
│    │         ├ CommitmentEndDate: string
│    │         └ CommittedInstanceCount: integer
│    ├[~] resource AWS::EC2::EC2Fleet
│    │ └ types
│    │    └[~] type InstanceRequirementsRequest
│    │      └ properties
│    │         └ AcceleratorTypes: (documentation changed)
│    ├[~] resource AWS::EC2::LaunchTemplate
│    │ └ types
│    │    ├[~] type InstanceRequirements
│    │    │ └ properties
│    │    │    └ AcceleratorTypes: (documentation changed)
│    │    └[~] type NetworkPerformanceOptions
│    │      ├ - documentation: undefined
│    │      │ + documentation: Contains settings for the network performance options for the instance.
│    │      └ properties
│    │         └ BandwidthWeighting: (documentation changed)
│    ├[~] resource AWS::EC2::SpotFleet
│    │ └ types
│    │    └[~] type InstanceRequirementsRequest
│    │      └ properties
│    │         └ AcceleratorTypes: (documentation changed)
│    └[~] resource AWS::EC2::VPCEndpointService
│      └ properties
│         ├ SupportedIpAddressTypes: (documentation changed)
│         └[+] SupportedRegions: Array<string>
├[~] service aws-gamelift
│ └ resources
│    └[~] resource AWS::GameLift::GameSessionQueue
│      ├ properties
│      │  └ TimeoutInSeconds: (documentation changed)
│      └ types
│         └[~] type PriorityConfiguration
│           └ properties
│              └ PriorityOrder: (documentation changed)
├[~] service aws-imagebuilder
│ └ resources
│    └[~] resource AWS::ImageBuilder::DistributionConfiguration
│      └ types
│         └[~] type Distribution
│           └ properties
│              └[-] SsmParameterConfigurations: Array<json>
├[~] service aws-kinesisfirehose
│ └ resources
│    └[~] resource AWS::KinesisFirehose::DeliveryStream
│      └ types
│         └[~] type SnowflakeDestinationConfiguration
│           └ properties
│              └ ProcessingConfiguration: (documentation changed)
├[~] service aws-location
│ └ resources
│    └[~] resource AWS::Location::APIKey
│      └ types
│         └[~] type ApiKeyRestrictions
│           └ properties
│              └ AllowActions: (documentation changed)
├[~] service aws-msk
│ └ resources
│    └[~] resource AWS::MSK::Configuration
│      └ properties
│         └ KafkaVersionsList: (documentation changed)
├[~] service aws-networkfirewall
│ └ resources
│    ├[~] resource AWS::NetworkFirewall::RuleGroup
│    │ └ types
│    │    └[~] type MatchAttributes
│    │      └ properties
│    │         ├ DestinationPorts: (documentation changed)
│    │         ├ Protocols: (documentation changed)
│    │         └ SourcePorts: (documentation changed)
│    └[~] resource AWS::NetworkFirewall::TLSInspectionConfiguration
│      └ types
│         └[~] type ServerCertificateScope
│           └ properties
│              └ Protocols: (documentation changed)
├[~] service aws-oam
│ └ resources
│    └[~] resource AWS::Oam::Link
│      ├ properties
│      │  └ ResourceTypes: (documentation changed)
│      └ types
│         ├[~] type LinkConfiguration
│         │ └ properties
│         │    └ LogGroupConfiguration: (documentation changed)
│         └[~] type LinkFilter
│           ├ - documentation: When used in `MetricConfiguration` this field specifies which metric namespaces are to be shared with the monitoring account
│           │ When used in `LogGroupConfiguration` this field specifies which log groups are to share their log events with the monitoring account. Use the term `LogGroupName` and one or more of the following operands.
│           │ + documentation: undefined
│           └ properties
│              └ Filter: (documentation changed)
├[~] service aws-quicksight
│ └ resources
│    ├[~] resource AWS::QuickSight::Analysis
│    │ └ types
│    │    └[~] type SheetTextBox
│    │      └ properties
│    │         └[-] Interactions: json
│    ├[~] resource AWS::QuickSight::Dashboard
│    │ └ types
│    │    └[~] type SheetTextBox
│    │      └ properties
│    │         └[-] Interactions: json
│    └[~] resource AWS::QuickSight::Template
│      └ types
│         └[~] type SheetTextBox
│           └ properties
│              └[-] Interactions: json
├[~] service aws-redshiftserverless
│ └ resources
│    └[~] resource AWS::RedshiftServerless::Workgroup
│      ├ properties
│      │  ├[+] TrackName: string
│      │  └[+] Workgroup: Workgroup
│      ├ attributes
│      │  ├ Workgroup.BaseCapacity: (documentation changed)
│      │  ├[-] Workgroup.MaxCapacity: integer
│      │  └[+] Workgroup.TrackName: string
│      └ types
│         └[~] type Workgroup
│           └ properties
│              └[+] TrackName: string
├[~] service aws-rum
│ └ resources
│    └[~] resource AWS::RUM::AppMonitor
│      ├ properties
│      │  ├[+] DeobfuscationConfiguration: DeobfuscationConfiguration
│      │  ├ Domain: - string (required)
│      │  │         + string
│      │  ├[+] DomainList: Array<string>
│      │  └ ResourcePolicy: (documentation changed)
│      └ types
│         ├[+] type DeobfuscationConfiguration
│         │ ├ documentation: A structure that contains the configuration for how an app monitor can deobfuscate stack traces.
│         │ │ name: DeobfuscationConfiguration
│         │ └ properties
│         │    └ JavaScriptSourceMaps: JavaScriptSourceMaps
│         ├[+] type JavaScriptSourceMaps
│         │ ├ documentation: A structure that contains the configuration for how an app monitor can unminify JavaScript error stack traces using source maps.
│         │ │ name: JavaScriptSourceMaps
│         │ └ properties
│         │    ├ Status: string (required)
│         │    └ S3Uri: string
│         └[~] type ResourcePolicy
│           ├ - documentation: A structure that defines resource policy attached to your app monitor.
│           │ + documentation: Use this structure to assign a resource-based policy to a CloudWatch RUM app monitor to control access to it. Each app monitor can have one resource-based policy. The maximum size of the policy is 4 KB. To learn more about using resource policies with RUM, see [Using resource-based policies with CloudWatch RUM](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-RUM-resource-policies.html) .
│           └ properties
│              ├ PolicyDocument: (documentation changed)
│              └ PolicyRevisionId: (documentation changed)
├[~] service aws-ssmquicksetup
│ └ resources
│    └[~] resource AWS::SSMQuickSetup::ConfigurationManager
│      └ types
│         └[~] type ConfigurationDefinition
│           └ properties
│              └ Parameters: (documentation changed)
├[~] service aws-timestream
│ └ resources
│    └[~] resource AWS::Timestream::Table
│      └ properties
│         └ MagneticStoreWriteProperties: (documentation changed)
├[~] service aws-wafv2
│ └ resources
│    └[~] resource AWS::WAFv2::WebACL
│      ├ properties
│      │  └[+] DataProtectionConfig: DataProtectionConfig
│      └ types
│         ├[+] type DataProtect
│         │ ├ name: DataProtect
│         │ └ properties
│         │    ├ Field: FieldToProtect (required)
│         │    ├ Action: string (required)
│         │    ├ ExcludeRateBasedDetails: boolean
│         │    └ ExcludeRuleMatchDetails: boolean
│         ├[+] type DataProtectionConfig
│         │ ├ documentation: Specifies data protection to apply to the web request data for the web ACL. This is a web ACL level data protection option.
│         │ │ The data protection that you configure for the web ACL alters the data that's available for any other data collection activity, including your AWS WAF logging destinations, web ACL request sampling, and Amazon Security Lake data collection and management. Your other option for data protection is in the logging configuration, which only affects logging.
│         │ │ This is part of the data protection configuration for a web ACL.
│         │ │ name: DataProtectionConfig
│         │ └ properties
│         │    └ DataProtections: Array<DataProtect> (required)
│         └[+] type FieldToProtect
│           ├ documentation: Specifies a field type and keys to protect in stored web request data. This is part of the data protection configuration for a web ACL.
│           │ name: FieldToProtect
│           └ properties
│              ├ FieldKeys: Array<string>
│              └ FieldType: string (required)
└[~] service aws-workspacesthinclient
  └ resources
     └[~] resource AWS::WorkSpacesThinClient::Environment
       └ properties
          └ DeviceCreationTags: (documentation changed)
```
…construct (aws#33872)

branches and files in git push filter in codepipeline L2 construct

Refer to the README content of reverted pr: (https://github.com/aws/aws-cdk/pull/30462/files). Credit to @go-to-k

### Issue #

31009 (aws#31009)

### Reason for this change

Branches and files in git push filter under codepipeline trigger have been supported since last year, and the cdk library didn't support this feature yet.

### Description of changes

Support branches and files in git push filter under codepipeline trigger.

### Describe any new or updated permissions being added

No

### Description of how you validated changes

Unit test / integ test / local deployment

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…s#33909)

### Description of changes

No-op PR to automatically include breaking change in the CHANGELOG. See aws#33906 for details.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

BREAKING CHANGE: The `CfnDistributionConfiguration.DistributionProperty.ssmParameterConfigurations` property has been removed.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…33910)

### Description of changes

No-op PR to automatically include breaking change in the CHANGELOG. See aws#33906 for details.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

BREAKING CHANGE: The `CfnAnalysis.SheetTextBoxProperty.interactions`, `CfnDashboard.SheetTextBoxProperty.interactions`, and `CfnTemplate.SheetTextBoxProperty.interactions` properties have been removed.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ns (aws#33911)

### Description of changes

No-op PR to automatically include breaking change in the CHANGELOG. See aws#33906 for details.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

BREAKING CHANGE: The `CfnWorkgroup.attrWorkgroupMaxCapacity` attribute has been removed.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

NA

### Reason for this change

Currently in the Prioritization dashboard, we don't have a way to filter the PRs and Issues by the date when they were added.

### Description of changes

This PR enables automation for adding the current date to the `AddedOn` column field in the Github Prioritization dashboard whenever new PRs/Issues are added to the dashboard.

### Describe any new or updated permissions being added

NA

### Description of how you validated changes

Tested in test dashboard.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

Ruby 3.4 support in Lambda is coming soon: https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html#runtimes-future

### Description of changes

Add `ruby3.4` to the list of Lambda runtimes (`RUBY_3_4`) and add integration tests with their corresponding assets.

### Describe any new or updated permissions being added

### Description of how you validated changes

Added integ tests for Ruby 3.4.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…33917)

### Issue # (if applicable)

Closes NA

### Reason for this change

`@aws-cdk/integ-runner` is removed from this repository with the [PR](aws#33835) and moved to the `aws-cdk-cli` repository. Hence the yarn upgrade workflow fails at the integ-runner build step, as the package is no longer available in the repo.

### Description of changes

Remove the integ-runner build step, as it is no longer applicable in the yarn upgrade workflow.

### Describe any new or updated permissions being added

NA

### Description of how you validated changes

* Ran `yarn install` and verified the integ-runner installed version using `npx integ-runner --version`

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…kflow (aws#33920)

### Issue # (if applicable)

Closes NA

### Reason for this change

This is a follow-up PR to remove integ-runner package related steps from the yarn upgrade workflow. Previous PR: aws#33917

Currently the workflow is failing at this step with error

```
Run cd packages/@aws-cdk/integ-runner && yarn pkglint
/home/runner/work/_temp/**-[4](https://github.com/aws/aws-cdk/actions/runs/****.sh: line 1: cd: packages/@aws-cdk/integ-runner: No such file or directory
Error: Process completed with exit code 1.
```

### Description of changes

Since the integ-runner package is no longer available, this step can be removed from the workflow.

### Describe any new or updated permissions being added

NA

### Description of how you validated changes

Ran `yarn install` and verified the integ-runner installed version using `npx integ-runner --version`

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes aws#32562

### Description of changes

- EKS Nodegroup support `nodeRepairConfig`

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… applications (aws#34132)

Some CDK methods apply mutating Aspects on behalf of users. Since aws#32333, these Aspects have a priority of `MUTATING` to classify their behavior. If a user-applied Aspect (priority `DEFAULT`) now configures the same property as an implicitly added Aspect:

* Before that change, the relative execution order depended on the location of the Aspects in the construct tree.
* After that change, the user Aspect always "wins" (executes last) because its priority is higher.

In this change, we roll back to the behavior from pre-2.172.0, and introduce a feature flag which gives the Aspects a priority only if the feature flag is enabled.

This introduces the feature flag:

```json
{
  "context": {
    "@aws-cdk/core:aspectPrioritiesMutating": true
  }
}
```

which gives Aspects added on your behalf a priority of `MUTATING` (200) (instead of the default `DEFAULT`, 500).

* If you have given your own Aspect a priority of `MUTATING` already to make sure it can get overridden by another Aspect of priority `MUTATING`, this current change will not affect you (either with or without feature flag).
* If you have come to rely on the new default priority being low already, you can set the above feature flag to re-enable the new behavior.

-----------

Did not touch the following Aspects:

- In `integ-tests-alpha`: overriding logical IDs in assertions stacks does not affect production infrastructure.
- Tags: tags are exclusively manipulated through the official APIs, so there is no conflict between custom and implicit Aspects.
- CDK Pipelines: there cannot be a conflict because the customer can't create a default pipeline before the implicit Aspect.

This PR also introduces some slight rendering and documentation changes to the feature flags to improve clarity of the purpose of certain fields and the produced report.
### Issue # (if applicable)

None

### Reason for this change

Fix typo

### Description of changes

`concatentation` → `concatenation`

### Describe any new or updated permissions being added

None

### Description of how you validated changes

None

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
See CHANGELOG

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ws#33978)

### Issue # (if applicable)

Closes aws#33974

### Reason for this change

Currently, the `aws-s3` module automatically creates and manages the IAM Role used for S3 replication. This limits integration flexibility, especially in environments where IAM Roles are provisioned externally or reused across stacks/accounts. This change addresses that limitation by allowing users to provide a custom IAM Role for replication.

### Description of changes

- Introduced an optional `replicationRole?: iam.IRole` property in `BucketProps`.
- When `replicationRole` is provided, the CDK uses it instead of creating a new role.
- Required permissions are **NOT** automatically attached to the provided role. It is the user's responsibility to attach the necessary IAM policies.
- Added validation to ensure that if `replicationRole` is specified, `replicationRules` must also be defined and non-empty, since both are required by CloudFormation when configuring replication.

### Describe any new or updated permissions being added

No new IAM actions are introduced. When a custom role is provided, CDK does not attach any permissions automatically. Users are expected to grant the appropriate replication-related permissions manually.

### Description of how you validated changes

Added unit and integ tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue

Part of aws#33673 (comment)

### Reason for this change

`yarn integ aws-eks/test/integ.eks-hybrid-nodes.js` fails to complete.

Error1:

```zsh
❌ aws-cdk-eks-cluster-hybrid-nodes failed: _ToolkitError: The stack named aws-cdk-eks-cluster-hybrid-nodes failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Received response status [FAILED] from custom resource. Message returned: AccessConfig AuthMode must be API_AND_CONFIG_MAP or API when remoteNetworkConfig is specified
```

Error2:

```zsh
❌ aws-cdk-eks-cluster-hybrid-nodes failed: _ToolkitError: The stack named aws-cdk-eks-cluster-hybrid-nodes failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Received response status [FAILED] from custom resource. Message returned: Invalid remote node network: CIDR 10.0.0.0/16 overlaps with VPC CIDR 10.0.0.0/16
```

### Description of changes

- Setting `accessConfig` to resolve Error1
- Changing CIDR to resolve Error2

### Describe any new or updated permissions being added

NONE

### Description of how you validated changes

- Pass integration test

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change

The previous exclusion list was applied to parsed sdk enum values. That doesn't work for the wrong mappings between cfn enum values and cdk enum values. This new exclusion list is applied to the cdk enum values directly, which means we can exclude any enum values in CDK.

### Description of changes

- Instead of applying the exclusion list at SDK enum values, this PR moves the exclusion list to CDK enum values.
- Make the github workflow run every week automatically.

### Description of how you validated changes

Unit tests passed. Github workflow runs successfully.

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…hod (aws#34094)

Closes #<issue number here>.

### Reason for this change

Cannot add multiple NATGWs to the current VPC construct, as it is using the same construct id, which causes a conflict.

### Description of changes

- Fix the NATGW construct id to be unique using the provided subnet.
- Fix the current domain being set in EIP to be `vpc` instead of `vpcId`.
- Fix the validation for subnet IP ranges, as those can be unresolved token values referred to in the VPC construct using vpc.attr.<ipaddressblock>.

### Describe any new or updated permissions being added

NA

### Description of how you validated changes

- Added unit test and integration test for NATGW.
- Added unit test for EIP

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

BREAKING CHANGE: The logical ID for the NAT Gateway, defined using the `addNatGateways` method, will be changed, resulting in the NAT Gateway being recreated. Additionally, the domain for the Elastic IP (EIP) will be set to `vpc`, which will also trigger its recreation in the account.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes aws#34002.

### Reason for this change

The original fix for issue aws#22661 (PR aws#33698) introduced a regression where the S3 deployment Lambda would read entire files into memory to check if they're JSON. This approach works fine for small files but causes Lambda timeouts and memory issues with large files (10MB+). This is particularly problematic for customers deploying large assets to S3 buckets.

### Description of changes

The S3 deployment Lambda handler was reading entire files into memory to check if they're JSON, causing timeouts and memory issues with large files (10MB+). This change optimizes the S3 deployment Lambda handler to process files more efficiently by:

1. Adding an early return when there are no markers to replace
2. Processing all files line by line, which is much more memory-efficient than loading the full JSON in memory
3. Adding an optional `escape` parameter to the `Source.jsonData` method in order to control JSON escaping
4. Using the `jsonEscape` flag in `MarkersConfig` to control when special JSON escaping is needed

These changes ensure that:

- Files without markers are processed instantly
- Files with markers are processed line by line, minimizing memory usage
- Special JSON escaping is only applied when explicitly requested

The implementation is backward compatible with the experience before the PR aws#33698 was merged, as it maintains the existing behavior by default but provides an opt-in mechanism for JSON escaping when needed. The opt-in mechanism is required for users who were benefiting from the escaping mechanism introduced by the PR aws#33698.

### Describe any new or updated permissions being added

No new or updated IAM permissions are required for this change.

### Description of how you validated changes

- Created an integration test (`integ.bucket-deployment-large-file.ts`) that reproduces the issue with large files
- Implemented local testing to verify the fix with both small and large files
- Added memory limit assertions to ensure memory usage stays within acceptable bounds
- Conducted performance testing with isolated test runs to measure memory usage across various file types and sizes

The integration test specifically validates that large files (10MB+) can be successfully deployed without memory issues, ensuring the fix works in real-world scenarios.

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

None

Closes #<issue number here>.

None

### Reason for this change

* Adds a new tool to run cfn-guard
* Enhances PR linter to find added or updated snapshot templates and run cfn-guard through them for detecting inline broad trust policy

### Description of changes

Refer README.md

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

Tested on personal fork. Refer QuantumNeuralCoder#6. PR Linter output shows test results.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
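As an added illustration of the kind of check the commit above describes (an inline trust policy that lets any principal assume a role), written for this page in TypeScript rather than as the repository's cfn-guard rule; the template, logical IDs and organization id are constructed:

```typescript
// Added illustration, not the repository's cfn-guard rule: report IAM roles
// in a synthesized CloudFormation template whose trust policy
// (AssumeRolePolicyDocument) lets any principal assume them.
type PrincipalValue = string | string[];

interface TrustStatement {
  Effect?: string;
  Principal?: string | Record<string, PrincipalValue | undefined>;
  Action?: string | string[];
  Condition?: Record<string, unknown>;
}

interface CfnTemplate {
  Resources: Record<string, { Type: string; Properties?: Record<string, any> }>;
}

interface Finding {
  logicalId: string;
  // true when the wildcard is narrowed by a Condition block (still worth a
  // review, but not an unconditional open trust)
  conditioned: boolean;
}

function asArray<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// "*" or {"AWS": "*"} (possibly inside a list) is a wildcard principal;
// service principals such as lambda.amazonaws.com are not.
function hasWildcardPrincipal(s: TrustStatement): boolean {
  if (s.Principal === '*') return true;
  if (s.Principal && typeof s.Principal === 'object') {
    return asArray<string>(s.Principal.AWS).includes('*');
  }
  return false;
}

function grantsAssumeRole(s: TrustStatement): boolean {
  return asArray(s.Action).some(a => a === 'sts:AssumeRole' || a === 'sts:*' || a === '*');
}

function findBroadTrustPolicies(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== 'AWS::IAM::Role') continue;
    const statements = asArray<TrustStatement>(res.Properties?.AssumeRolePolicyDocument?.Statement);
    for (const s of statements) {
      if (s.Effect !== 'Allow' || !grantsAssumeRole(s) || !hasWildcardPrincipal(s)) continue;
      const conditioned = s.Condition !== undefined && Object.keys(s.Condition).length > 0;
      findings.push({ logicalId, conditioned });
    }
  }
  return findings;
}

// Constructed sample template: one service-scoped role, one open to any
// principal, one wildcard narrowed by an organization condition, one non-role.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    LambdaRole: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: {
          Version: '2012-10-17',
          Statement: [{ Effect: 'Allow', Principal: { Service: 'lambda.amazonaws.com' }, Action: 'sts:AssumeRole' }],
        },
      },
    },
    BroadRole: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: {
          Version: '2012-10-17',
          Statement: [{ Effect: 'Allow', Principal: { AWS: '*' }, Action: ['sts:AssumeRole'] }],
        },
      },
    },
    OrgScopedRole: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: {
          Version: '2012-10-17',
          Statement: [{
            Effect: 'Allow', Principal: '*', Action: 'sts:AssumeRole',
            Condition: { StringEquals: { 'aws:PrincipalOrgID': 'o-exampleorgid' } },
          }],
        },
      },
    },
    Bucket: { Type: 'AWS::S3::Bucket' },
  },
};
```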
### Issue # (if applicable)

None

### Reason for this change

Attribute documentation was incorrect (pasted from the documentation for `principalStatements`, probably)

### Description of changes

Updated the documentation comment to agree with the contents of the attribute.

### Describe any new or updated permissions being added

None. Has no effect on permissions or on the synthesized stacks.

### Description of how you validated changes

Non-behavioral change.

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ref: https://aws.amazon.com/about-aws/whats-new/2025/04/amazon-nova-sonic-speech-to-speech-conversations-bedrock/

```console
$ aws bedrock get-foundation-model --model-identifier amazon.nova-sonic-v1:0
{
    "modelDetails": {
        "modelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.nova-sonic-v1:0",
        "modelId": "amazon.nova-sonic-v1:0",
        "modelName": "Nova Sonic",
        "providerName": "Amazon",
        "inputModalities": [
            "SPEECH"
        ],
        "outputModalities": [
            "SPEECH",
            "TEXT"
        ],
        "responseStreamingSupported": true,
        "customizationsSupported": [],
        "inferenceTypesSupported": [
            "ON_DEMAND"
        ],
        "modelLifecycle": {
            "status": "ACTIVE"
        }
    }
}
```

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…esultWriter in Distributed Map (aws#33772) and (aws#33601) (aws#33831)

feat(stepfunctions): Create a new ResultWriterV2 class to support WriterConfig in ResultWriter object in Distributed Map

Closes aws#33772 and aws#33601.

Reason for making this change:

A new property `WriterConfig` was added under the ResultWriter property of Distributed Map. `WriterConfig` contains OutputType and Transformation. Ref: https://docs.aws.amazon.com/step-functions/latest/dg/input-output-resultwriter.html#input-output-resultwriter-field-contents

`ItemReader` also supports "JSONL" as the `InputType`. It's currently missing in the enum. Ref: https://docs.aws.amazon.com/step-functions/latest/dg/input-output-itemreader.html#itemreader-field-contents

Changes:

* Created a copy of ResultWriter as ResultWriterV2 to avoid introducing a breaking change to ResultWriter.
* Consumers will need to set the feature flag `@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2` to true in the context.
* Create new class `WriterConfig` and add `writerConfig` property under `ResultWriterV2` in Distributed Map.
* Add `OutputType` and `Transformation` properties under `WriterConfig`.
* Add Warning when ResultWriter is empty.
* Add the missing `JSONL` type which is a part of `InputType` `ItemReader` of Distributed Map.
* Permissions - No additions. But removed the permission to put object when just `writerConfig` is specified.
* Also added the missing `JSONL` from `InputType` in the `ItemReader` of Distributed Map.
* Add a unit test and an integ test.

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ges (aws#34152)

Allows codecov access to metadata

### Issue # (if applicable)

Closes #<issue number here>.

NA

### Reason for this change

Solves issue

```
Upload results to codecov failures
Run codecov/codecov-action@v5
Run CC_ACTION_VERSION=$(cat ${GITHUB_ACTION_PATH}/src/version)
==> Running Action version 5.4.2
Run git config --global --add safe.directory "/home/runner/work/aws-cdk/aws-cdk"
Run CC_FORK="false"
==> Fork detected
Run actions/github-script@v7
Error: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
    at OidcClient.<anonymous> (/home/runner/work/_actions/actions/github-script/v7/dist/index.js:585:23)
    at Generator.next (<anonymous>)
    at /home/runner/work/_actions/actions/github-script/v7/dist/index.js:522:7[1](https://github.com/aws/aws-cdk/actions/runs/14471001849/job/40584624218?pr=34151#step:7:1)
    at new Promise (<anonymous>)
    at __webpack_modules__.8041.__awaiter (/home/runner/work/_actions/actions/github-script/v7/dist/index.js:518:12)
    at OidcClient.getIDToken (/home/runner/work/_actions/actions/github-script/v7/dist/index.js:571:16)
    at Object.<anonymous> (/home/runner/work/_actions/actions/github-script/v7/dist/index.js:421:46)
    at Generator.next (<anonymous>)
    at /home/runner/work/_actions/actions/github-script/v7/dist/index.js:133:71
    at new Promise (<anonymous>)
Error: Unhandled error: Error: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
```

### Description of changes

### Describe any new or updated permissions being added

### Description of how you validated changes

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…OnCreation` (aws#34116)

### Issue # (if applicable)

N/A

### Reason for this change

The `Subnet.assignIpv6AddressOnCreation` attribute was being set in the L1, despite it not being necessary to set. This may cause issues with backwards migrations from V1 subnets to V2, since there will be this attribute difference across both.

### Description of changes

```ts
const subnet = new CfnSubnet(this, 'Subnet', {
  ...
  assignIpv6AddressOnCreation: props.assignIpv6AddressOnCreation /* ?? false */,
  mapPublicIpOnLaunch: props.mapPublicIpOnLaunch /* ?? undefined */ // this one was just a redundant nit
}
```

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

`yarn test && yarn integ-runner --update-on-failed --dry-run` (dry run since it's a very minor change, and some of the integ tests for IPv6 and IPAM are finicky)

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…branch (aws#34154)

### Issue # (if applicable)

Github action security-guardian is unable to detect changed cfn templates in PRs

### Closes #.

NA

### Reason for this change

Fixes an issue where the security-guardian github action runs but is unable to find changed templates. Since it runs in the context of the pull_request_target workflow, it's unable to find the head commit of the PR, which is in the base branch. This happened after we switched from pull_request to pull_request_target for improved security posture during the run of the github action.

```
Run echo "Getting changed CloudFormation templates..."
Getting changed CloudFormation templates...
From https://github.com/aws/aws-cdk
 * branch            main       -> FETCH_HEAD
fatal: bad object 7c12c04
```

### Description of changes

Checks out and compares the base version with the head version.

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Cannot be validated until merged

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ATE compatible task definitions (aws#34155)

Reverts aws#33608

This is a breaking change because the `cpu` property allows input like `1vcpu`, although it's not documented in the public CFN documentation. This would mean that the reverted PR will cause a regression on a CDK app that looks like below

```ts
const taskDefinition = new TaskDefinition(this, 'MyFargateTaskDef', {
  compatibility: Compatibility.FARGATE,
  family: "update-service-test-fargate-taskdef-small-cpu",
  memoryMiB: "2gb",
  cpu: "1 vcpu",
  networkMode: NetworkMode.AWS_VPC
});
```
### Issue # (if applicable)

Relates to aws#32569

### Reason for this change

Untyped Errors are not recommended.

### Description of changes

Change Error to ValidationError / UnscopedValidationError

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes aws#33807

### Reason for this change

Neptune engine versions not up-to-date.

### Description of changes

Added engine versions up to the most recently released version as specified here: https://docs.aws.amazon.com/neptune/latest/userguide/engine-releases.html

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

Integration test

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… Errors (aws#34109)

### Issue # (if applicable)

Relates to aws#32569

### Reason for this change

Untyped Errors are not recommended.

### Description of changes

Change Error to ValidationError / UnscopedValidationError

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…n zip assets (aws#34162)

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

Update the git attributes to add a new pattern of large files to include the zip assets in alpha modules.

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Enabling features for ipv6 and dualstack support with corresponding unit tests

### Issue #33493

Closes #33493

### Reason for this change

Currently, AWS Services, i.e., Xray, Wafv2, Workmail, have started to release support for IPv6 or Dualstack for their VPC endpoints. We would like to modify our infrastructure to be able to support these new IP address types.

### Description of changes

- Passed necessary props to the VPC Endpoint interface
- Added necessary props that need to be passed to enable all different IP address types
- Abstracted address types as enum to abide by L1, L2 constructs
- Added necessary unit tests to cover all cases
- Added necessary changes to integ tests
- Added more detailed descriptions and guidelines for usage in the aws-ec2 README.md as well as very detailed comments above each code change.

### Description of how you validated changes

Added unit tests and integ tests to cover all valid and invalid cases. Throws necessary errors according to documentation. Detailed descriptions of each case are outlined in comments.

### Checklist

- My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES