chore(release): 2.180.0 #33538
…33456)

### Issue

Relates to #32569

### Description of changes

`ValidationErrors` everywhere

### Describe any new or updated permissions being added

n/a

### Description of how you validated changes

Existing tests. Exemptions granted as this is a refactor of existing code.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
updates to the CDK roadmap to include work in progress items as well as features committed for 2025.

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

<!--What is the bug or use case behind this change?-->

### Description of changes

updates to the CDK roadmap to include work in progress items as well as features committed for 2025.

<!-- What code changes did you make? Have you made any important design decisions? What AWS use cases does this change enable? To enable the use cases, which AWS service features are utilized? -->

### Describe any new or updated permissions being added

<!-- What new or updated IAM permissions are needed to support the changes being introduced ? -->

### Description of how you validated changes

<!--Have you added any unit tests and/or integration tests?-->

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

---------

Co-authored-by: Adam Keller <[email protected]>
Co-authored-by: Adam Keller <[email protected]>
These resolutions prevent us from fetching the latest schema. They were [added](#33481) because there are multiple breaking changes in the spec we weren't ready to accept yet.

### Are we ready to accept the new spec?

Not quite.

### So what's the plan?

We need to remove these resolutions in order to get a service spec update PR that at least **surfaces** all the breaking changes in order to work on them. So the plan is:

1. Merge this PR.
2. Run the spec update workflow
3. Slap a `pr/do-not-merge` label on the resulting PR
4. Figure out what to do with the breaking changes it shows.
5. Eventually merge the spec update after applying patches or allowing breaking changes to go through.

From a local execution at the time of writing this PR, those breaking changes should be:

```console
├[~] service aws-cognito
│ └ resources
│   └[~] resource AWS::Cognito::UserPoolDomain
│     └ attributes
│       └[-] Id: string
├[~] service aws-dynamodb
│ └ resources
│   └[~] resource AWS::DynamoDB::GlobalTable
│     └ properties
│       └[-] PointInTimeRecoverySpecification: PointInTimeRecoverySpecification
│ ├[~] resource AWS::ECS::Service
│ │ ├ properties
│ │ │ ├ AvailabilityZoneRebalancing: (documentation changed)
│ │ │ └ CapacityProviderStrategy: (documentation changed)
│ │ └ types
│ │   └[~] type ServiceManagedEBSVolumeConfiguration
│ │     └ properties
│ │       └[-] VolumeInitializationRate: integer
│ └[~] resource AWS::RDS::GlobalCluster
│   ├ properties
│   │ └[-] GlobalEndpoint: GlobalEndpoint
│   └ attributes
│     └[+] GlobalEndpoint: GlobalEndpoint
```

### Wait but you just detailed the breaking changes, can't we just work based off that?

No, we shouldn't be operating on the basis of local executions. The local execution diff is just to get a sense and show that there are indeed a few breaking changes already present.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This removes the code of the CLI and CLI-related packages. Those are being moved to a different repository, as announced in #32775

The PR that adds them is here: aws/aws-cdk-cli#37

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

None

### Reason for this change

I've added `packageManager` section to `package.json` in this [PR](https://github.com/aws/aws-cdk/pull/32719/files#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519) by mistake.

### Description of changes

Remove `packageManager` from `package.json`.

### Describe any new or updated permissions being added

None

### Description of how you validated changes

None

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #30814.

### Reason for this change

To disable logging on a StateMachine (with logging enabled), we should specify `LogLevel.OFF` to `LogOptions.level`. But we cannot remove the LogGroup because `LogOptions.destination` is required.

```ts
new sfn.StateMachine(this, 'StateMachine', {
  definitionBody: ...,
  logs: { level: sfn.LogLevel.OFF } // allow to disable logging
});
```

### Description of changes

- Make `LogOptions.destination` optional.
- Validate `LogOptions.destination` is present when `LogOptions.level` is not `OFF`.

### Description of how you validated changes

Unit and integ tests that verify `LogOptions.destination` is optional when `LogOptions.level` is `OFF` and throw an exception otherwise.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #32396.

### Reason for this change

VPC origins has been added to CloudFront and now CloudFormation supports it. For details, see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.html

### Description of changes

Added an L2 construct `cloudfront.VpcOrigin` for `AWS::CloudFront::VpcOrigin`. It will be created implicitly by origin class described below. You can create it explicitly to share VPC origins between distributions.

```ts
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';

// Create a VPC origin resource
const vpcOrigin = new cloudfront.VpcOrigin(this, 'VpcOrigin', {
  // Exactly one endpoint is given; the alternatives are listed here for illustration:
  // An EC2 instance endpoint
  endpoint: cloudfront.VpcOriginEndpoint.fromEc2Instance(instance),
  // An Application Load Balancer endpoint
  endpoint: cloudfront.VpcOriginEndpoint.fromApplicationLoadBalancer(alb),
  // A Network Load Balancer endpoint
  endpoint: cloudfront.VpcOriginEndpoint.fromNetworkLoadBalancer(nlb),
  // Endpoint from ARN, i.e. imported resource
  endpoint: new cloudfront.VpcOriginEndpoint({ endpointArn }),

  // Optional VPC origin resource configurations
  vpcOriginName: 'Name of the VPC origin',
  httpPort: 80,
  httpsPort: 443,
  protocolPolicy: cloudfront.OriginProtocolPolicy.MATCH_VIEWER,
  originSslProtocols: [cloudfront.OriginSslPolicy.TLSV1_2],
});
```

Added an origin class `cloudfront_origins.VpcOrigin` for distribution configuration. It can be configured with an Application Load Balancer, a Network Load Balancer, an EC2 instance, or a `cloudfront.VpcOrigin` construct.

```ts
import * as cdk from 'aws-cdk-lib';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';

// An EC2 instance as a VPC origin
const ec2InstanceOrigin = origins.VpcOrigin.withEc2Instance(instance, {
  // Optional VPC origin configurations
  domainName: 'internal.example.com', // default: PrivateDnsName of the instance
  readTimeout: cdk.Duration.seconds(30),
  keepaliveTimeout: cdk.Duration.seconds(5),
  // Optional VPC origin resource configurations
  vpcOriginName: 'Name of the VPC origin',
  httpPort: 80,
  httpsPort: 443,
  protocolPolicy: cloudfront.OriginProtocolPolicy.MATCH_VIEWER,
  originSslProtocols: [cloudfront.OriginSslPolicy.TLSV1_2],
  // Optional origin common configurations
  connectionTimeout: cdk.Duration.seconds(10),
  connectionAttempts: 3,
  customHeaders: {},
  originShieldRegion: 'region-name',
  originShieldEnabled: true,
  originId: 'origin-id',
});

// An Application Load Balancer as a VPC origin
const albOrigin = origins.VpcOrigin.withApplicationLoadBalancer(alb, {
  // Optional VPC origin configurations
  domainName: 'internal.example.com', // default: DNSName of the ALB
  readTimeout: cdk.Duration.seconds(30),
  keepaliveTimeout: cdk.Duration.seconds(5),
  // Optional VPC origin resource configurations
  // Optional origin common configurations
});

// A Network Load Balancer as a VPC origin
const nlbOrigin = origins.VpcOrigin.withNetworkLoadBalancer(nlb, {
  // Optional VPC origin configurations
  domainName: 'internal.example.com', // default: DNSName of the NLB
  readTimeout: cdk.Duration.seconds(30),
  keepaliveTimeout: cdk.Duration.seconds(5),
  // Optional VPC origin resource configurations
  // Optional origin common configurations
});

// Use an explicit VPC origin resource
const vpcOriginOrigin = origins.VpcOrigin.withVpcOrigin(vpcOrigin, {
  // Mandatory if the vpcOrigin is created without domainName
  domainName: 'internal.example.com',
  // Optional VPC origin configurations
  readTimeout: cdk.Duration.seconds(30),
  keepaliveTimeout: cdk.Duration.seconds(5),
  // Optional origin common configurations
});
```

### Describe any new or updated permissions being added

No permissions are added automatically. See README how to allow connections from VPC origins.

### Description of how you validated changes

Unit tests and integ tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

None

### Reason for this change

As mentioned in [this comment](#33360 (comment)), the annotation phrase is incorrect and may confuse users. The `addReplicationPolicy()` function works to add a resource policy for the destination bucket, but the annotation phrase says source bucket.

### Description of changes

```diff
- For Cross-account S3 replication, ensure to set up permissions on source bucket using method addReplicationPolicy()
+ For Cross-account S3 replication, ensure to set up permissions on destination bucket using method addReplicationPolicy()
```

### Describe any new or updated permissions being added

None

### Description of how you validated changes

None

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #32050

### Reason for this change

Support Enhanced fan-out consumers via `AWS::Kinesis::StreamConsumer` and facilitate cross-account stream consumption via Lambda

### Description of changes

- introduce `StreamConsumer` construct to model `AWS::Kinesis::StreamConsumer`
- introduce `addToResourcePolicy` to enable creating/configuring a resource policy for the consumer
- introduce `grant` and `grantRead` for granting permissions
- leverage `iam.Grant.addToPrincipalOrResource` in `grant` to be able to use `grant` methods cross environments to update the grantee's iam policy and the consumer's resource policy as needed
- update `ResourcePolicy` to support both `Stream` and `StreamConsumer`
- update `Stream`'s `grant` to leverage `iam.Grant.addToPrincipalOrResource` for cross-environment support
- introduce `KinesisConsumerEventSource` to `lambda-event-sources` for use with the newly introduced `StreamConsumer`

#### Useful links

- https://docs.aws.amazon.com/streams/latest/dev/enhanced-consumers.html
- https://aws.amazon.com/blogs/big-data/invoke-aws-lambda-functions-from-cross-account-amazon-kinesis-data-streams/

### Description of how you validated changes

unit and integration tests

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #33403 and #33374 and #33396.

### Reason for this change

There are three issues here:

1. For summary, the first issue is basically that assign property cannot be accessed when using Map.jsonata(...) but is available if we directly create map through new Map(...) using JSONATA query language.
2. For summary, the second issue is that JSONATA main PR added the outputs and assign property in the CatchProps interface for AddCatch functionality. But I don't think it's being used in the actual `addCatch` call https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-stepfunctions/lib/states/state.ts#L398.
3. Result writer and item reader class do not support using JSONATA. Deployment will fail if SFN is set to use JSONATA, because it expects `Arguments` in the ASL instead of `Parameters`.

### Description of changes

Fix both issues by fixing the interface inheritance and added the props to `AddCatch` method. Support `JSONATA` as the query language.

### Description of how you validated changes

Added integ test and unit test to make sure that

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

---------

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
### Issue # (if applicable)

Closes #33497 (aws-ec2): Add Windows Server 2025 to WindowsVersion enum

### Reason for this change

The AWS License Manager team requires Windows Server 2025 support in the WindowsVersion enum to build production-ready EC2 image pipelines.

### Description of changes

Added new enum values in packages/@aws-cdk/aws-ec2/lib/windows-versions.ts:

```ts
WINDOWS_SERVER_2025_ENGLISH_FULL_BASE = 'Windows_Server-2025-English-Full-Base',
WINDOWS_SERVER_2025_ENGLISH_CORE_BASE = 'Windows_Server-2025-English-Core-Base'
```

- No breaking changes introduced
- Maintains consistent naming convention with existing enum values

### Describe any new or updated permissions being added

- No new IAM permissions are required for this change as it only extends the existing enum with additional values.

### Description of how you validated changes

**Existing Unit Tests:**

- Ran all existing unit tests to ensure no regressions
- Confirmed all tests pass successfully with the new enum values added

**Manual Testing:**

- Tested in development environment
- Verified correct AMI resolution using the new enum values

**Checklist**

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)
- [x] My code adheres to the [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
- [ ] Added new unit tests (No new tests added, verified against existing tests)
- [ ] Added integration tests (Manual testing performed)
- [x] Followed existing enum naming conventions
…on` (#33472)

### Issue # (if applicable)

Closes #33473

### Reason for this change

The `TimeoutInMinutes` property, which is for the manual approval action, has been added to `ActionDeclaration` in CFn, but not yet added to `ManualApprovalAction` in CDK.

> A timeout duration in minutes that can be applied against the ActionType’s default timeout value specified in [Quotas for AWS CodePipeline](https://docs.aws.amazon.com/codepipeline/latest/userguide/limits.html). This attribute is available only to the manual approval ActionType.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-actiondeclaration.html#cfn-codepipeline-pipeline-actiondeclaration-timeoutinminutes

Other ref: https://docs.aws.amazon.com/codepipeline/latest/userguide/limits.html

> Manual approval action account level default timeout: 7 days
>
> Note
> The default timeout for the manual approval action can be overridden for a specific action in the pipeline, and it is configurable up to 86400 minutes (60 days) with a minimum value of 5 minutes. For more information, see [ActionDeclaration](https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_ActionDeclaration.html) in the CodePipeline API Reference.
>
> When configured, this timeout is applied for the action. Otherwise, the account level default is used.

### Description of changes

Added `timeout` to `ManualApprovalActionProps` and other related properties (such as Action, FullActionDescriptor and Stage).

### Describe any new or updated permissions being added

### Description of how you validated changes

Both unit and integ tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…3462)

### Issue # (if applicable)

Closes #33408
Closes #26728

### Reason for this change

Invalid DataProtectionPolicy syntax

### Description of changes

Change template key from camelCase > PascalCase

### Description of how you validated changes

Unit + integration

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… destination (#33093)

### Issue # (if applicable)

Closes #32835
Closes #30671

### Reason for this change

ConfigurationSet doesn't support EventBridge, Firehose as destination

### Description of changes

ConfigurationSet destination support:

- Firehose
- default EventBus

<img width="912" alt="Screenshot 2025-01-23 192024" src="https://github.com/user-attachments/assets/d0e5ee91-ccb4-4cba-89e9-2ac94510536d" />

### Description of how you validated changes

Unit + integration

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

N/A

### Reason for this change

Fix workflow failing with `Your push was rejected due to missing or corrupt local objects.`

### Description of changes

Add `--all` to git lfs fetch command

### Describe any new or updated permissions being added

n/a

### Description of how you validated changes

Manually ran workflow and confirmed it succeeded

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…tential (under feature flag) (#33291)

## Issue

Closes #7016

I did NOT mean to drop the branch which closed #33268 🤦 My bad

## Reason for this change

When using the function `Function.addToRolePolicy()` from lambda, behind the scenes it's calling `Role.addToPrincipalPolicy()`. What this does is it adds to the existing Lambda Role that is defined for the function, whether that is a predefined Role, or the default Role created from including no Role in the props.

The issue with using specifically this method however, is if the policy statement that you are adding is related to a resource that this same Lambda function is added to as a prop, it causes a circular dependency. The simplest example of this is from the original issue, but it's not limited to this use case. (I tested with API Gateway also and got the same results)

In the original issues, a user is creating a cognito UserPool, and adding a lambda trigger, which would run the lambda function after a new user has authorized. So in order to allow this lambda to perform operations related to the cognito user pool itself, it needs to add to its execution role's policy, some kind of cognito permissions to that UserPool. So;

`Function -> Cognito Trigger -> IAM Policy Statement with UserPool reference -> Function.addToRolePolicy()`

This snippet from the integ I added shows what this would look like. See also the original issue.

```ts
const fn = new lambda.Function(stack, 'MyLambda', {
  code: new lambda.InlineCode('foo'),
  handler: 'index.handler',
  runtime: STANDARD_NODEJS_RUNTIME,
});

const userPool = new UserPool(stack, 'myUserPoolTest', {
  lambdaTriggers: {
    fn,
  },
});

const cognitoPolicy = new iam.PolicyStatement({
  actions: ['cognito:*'],
  resources: [userPool.userPoolArn],
});

fn.addToRolePolicy(cognitoPolicy);
```

The reason why this causes an issue is because when using `Role.addToPrincipalPolicy()`, it adds a dependency check to ensure that the "PrincipalPolicy" actually exists first. This causes a circular reference. Now;

* Lambda depends on the Policy
* The policy has a reference call to GetAtt something from the UserPool
* The UserPool has the lambda in the trigger props thus a dependency on lambda
* repeat

This logically makes no sense, because why would lambda depend on the policy? It really should just depend on the IAM Role and the policy should also depend on the Role. In fact if you build a template using this error, you can just delete the policy dependency in the Function, and upload by hand to CFN and it works just fine.

So the question is, how can we avoid creating this dependency without some insane fundamental change to aws-iam?

## Description of changes

Use `Role.attachInlinePolicy()` instead behind the scenes of `Function.addToRolePolicy()`. `Role.attachInlinePolicy()` will define a 2nd new policy. This means that we will no longer depend on the original policy existing in the first place. Instead we can just use these outside references in their own inline policy. Although this seems like it's changing a lot about this feature, functionality wise the permissions granted to the lambda function will not change because of this.

```ts
/**
 * The number of permissions added to this function
 * @internal
 */
private _policyCounter: number = 0;
```

A counter was added to help dedup the policies that are added, since you should be able to call this more than once without it exploding.

```ts
public addToRolePolicy(statement: iam.PolicyStatement) {
  if (!this.role) {
    return;
  }

  const policyToAdd = new iam.Policy(this, `inlinePolicyAddedToExecutionRole-${this._policyCounter++}`, {
    statements: [statement],
  });
  this.role.attachInlinePolicy(policyToAdd);
}
```

Of course the input from the user should remain the same, so a policy statement is passed in, and since `Role.attachInlinePolicy()` requires a Policy (not just a statement), we can rebuild from the statement input to allow for `Role.attachInlinePolicy()` to function properly.

## Description of how you validated changes

Unit tests needed a few edits to match this, mainly just removing the policy dependency from the lambda function, then changing the reference name of the policy.

For Integ similar changes were made to some snapshots. **All integ updates related to this, are "destructive" updates.** This is by design and should be reviewed but not changed. The reason is that none of the policies are actually being destroyed, rather, their logical IDs are just being renamed / new policies are being added. So if the primary policy had 3 statements before, now it has 3 policies with one statement each.

I also added `integ.lambda-circular-test.ts` to specifically check for this circular dependency. I left a comment that this test's snapshot cannot be updated by hand since only CFN throws the error during validation for the circular dependency, so locally building you won't be able to tell if it works or not without using `--update-on-failure` to update it in the future.

Edit: It's hard to determine which integs are okay to fail locally and not. During my first push the build failed on the PR, and it was showing an integ for an alpha construct. Since just using `yarn integ` on its own makes it unrealistic to find the tests I need. I'm just solving each integ fail one at a time using the PR builder instead.

Edit 2: After updating a dump truck of integs, I'm thinking that we might need a few people to review this first.

Edit 3: Turns out everything is made from lambda

Edit 4: I did some tests to ensure that if you update a template with this new structure of policy that it wouldn't break, and they worked just fine. However I only did this on areas of aws I was familiar with. Due to how many integs I had to update, there are clearly a lot more things than I was aware of that use Lambda, and replacement tests like the one I did are probably needed from anyone who is willing.

## Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
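The cycle described in this commit message can be checked mechanically. The block below is an added example, not aws-cdk code: it models the CloudFormation dependency graph from the description (edges point from a resource to what it depends on), runs a depth-first cycle search over it, and compares the graph before the change (function DependsOn the role's default policy) with the graph after it (statement in its own inline policy that depends only on the role). Resource names are constructed to match the snippet above.

```typescript
// Added example, not aws-cdk code. A dependency graph: node -> nodes it depends on.
export type Graph = Record<string, string[]>;

/**
 * Returns the first dependency cycle found as a path whose first and last
 * element are the same node, or undefined when the graph is acyclic.
 * Standard DFS with a "visiting" set: hitting a node that is still on the
 * current path means we have walked around a loop.
 */
export function findCycle(graph: Graph): string[] | undefined {
  const visiting = new Set<string>();
  const done = new Set<string>();
  const path: string[] = [];

  const visit = (node: string): string[] | undefined => {
    if (done.has(node)) return undefined;
    if (visiting.has(node)) {
      // Everything from the first occurrence of `node` on the stack is the cycle.
      return [...path.slice(path.indexOf(node)), node];
    }
    visiting.add(node);
    path.push(node);
    for (const dep of graph[node] ?? []) {
      const cycle = visit(dep);
      if (cycle) return cycle;
    }
    path.pop();
    visiting.delete(node);
    done.add(node);
    return undefined;
  };

  for (const node of Object.keys(graph)) {
    const cycle = visit(node);
    if (cycle) return cycle;
  }
  return undefined;
}

// Before the change: Function.addToRolePolicy() goes through Role.addToPrincipalPolicy(),
// which makes the function DependsOn the role's default policy. The policy statement
// references userPool.userPoolArn, and the user pool references the function as a trigger.
export const beforeFix: Graph = {
  MyLambda: ['MyLambdaServiceRole', 'MyLambdaServiceRoleDefaultPolicy'],
  MyLambdaServiceRoleDefaultPolicy: ['MyLambdaServiceRole', 'myUserPoolTest'],
  myUserPoolTest: ['MyLambda'],
  MyLambdaServiceRole: [],
};

// After the change: the statement lives in its own inline policy attached to the role.
// The function depends on the role only, so the loop through the policy is gone.
export const afterFix: Graph = {
  MyLambda: ['MyLambdaServiceRole'],
  inlinePolicyAddedToExecutionRole0: ['MyLambdaServiceRole', 'myUserPoolTest'],
  myUserPoolTest: ['MyLambda'],
  MyLambdaServiceRole: [],
};

/** Convenience for a quick comparison of the two graphs. */
export function compareGraphs(): { before: string[] | undefined; after: string[] | undefined } {
  return { before: findCycle(beforeFix), after: findCycle(afterFix) };
}
```

`findCycle(beforeFix)` returns the loop `MyLambda -> MyLambdaServiceRoleDefaultPolicy -> myUserPoolTest -> MyLambda`, while `findCycle(afterFix)` returns `undefined`; the same check applies to any template dependency graph, not only this Lambda/Cognito case.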
(description based on #32180)

### Issue # (if applicable)

n/a

### Reason for this change

Add support for newly supported 8.0.mysql_aurora.3.08.1.

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraMySQLReleaseNotes/AuroraMySQL.Updates.3081.html

### Description of changes

Add a new version as a new property to AuroraMysqlEngineVersion class.

### Description of how you validated changes

I used the AWS CLI to verify that the new version is available.

```console
$ aws rds describe-db-engine-versions --engine aurora-mysql --query "DBEngineVersions[?EngineVersion=='8.0.mysql_aurora.3.08.1']"
[
    {
        "Engine": "aurora-mysql",
        "EngineVersion": "8.0.mysql_aurora.3.08.1",
        "DBParameterGroupFamily": "aurora-mysql8.0",
        "DBEngineDescription": "Aurora MySQL",
        "DBEngineVersionDescription": "Aurora MySQL 3.08.1 (compatible with MySQL 8.0.39)",
        "ValidUpgradeTarget": [],
        "ExportableLogTypes": [
            "audit",
            "error",
            "general",
            "iam-db-auth-error",
            "instance",
            "slowquery"
        ],
        "SupportsLogExportsToCloudwatchLogs": true,
        "SupportsReadReplica": false,
        "SupportedEngineModes": [
            "provisioned"
        ],
        "SupportedFeatureNames": [
            "Bedrock"
        ],
        "Status": "available",
        "SupportsParallelQuery": true,
        "SupportsGlobalDatabases": true,
        "MajorEngineVersion": "8.0",
        "SupportsBabelfish": false,
        "SupportsLimitlessDatabase": false,
        "SupportsCertificateRotationWithoutRestart": true,
        "SupportedCACertificateIdentifiers": [
            "rds-ca-ecc384-g1",
            "rds-ca-rsa4096-g1",
            "rds-ca-rsa2048-g1"
        ],
        "SupportsLocalWriteForwarding": true,
        "SupportsIntegrations": true,
        "ServerlessV2FeaturesSupport": {
            "MinCapacity": 0.0,
            "MaxCapacity": 256.0
        }
    }
]
```

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #33508.

### Reason for this change

Per [Amazon RDS for PostgreSQL updates](https://docs.aws.amazon.com/AmazonRDS/latest/PostgreSQLReleaseNotes/postgresql-versions.html), PostgreSQL version `16.7` is now available on Amazon RDS.

Executing AWS CLI command `aws rds describe-db-engine-versions --engine postgres --output table --query 'DBEngineVersions[*].{Engine:Engine,EngineVersion:EngineVersion}'` also lists `16.7` as one of the supported versions.

### Description of changes

Added `16.7` version to `PostgresEngineVersion` class.

### Describe any new or updated permissions being added

### Description of how you validated changes

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

N/A

### Reason for this change

Adds metadata collector for CDK's enum-like classes.

### Description of changes

* Added `EnumLikeUpdater` to parse out the enum-like classes and write them to a separate file to be used and updated.
* Altered existing `EnumUpdater` to also write to another file, including the module name to prevent ambiguity when updating.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

N/A

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #33225.

### Reason for this change

PySpark jobs with extra JAR dependencies cannot be defined with the new L2 constructs introduced in [v2.177.0](https://github.com/aws/aws-cdk/releases/tag/v2.177.0).

### Description of changes

Add the `extraJars` parameter in the PySpark job L2 constructs.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

### Reason for this change

The doc of `Vary` header for `allowOrigins` seems to be wrong. It will be included if it is not `Cors.ALL_ORIGINS`.

> If Cors.ALL_ORIGINS is specified, the Vary: Origin response header will also be included.

see: https://github.com/go-to-k/aws-cdk/blob/9154927fa0959238c4ddf9ba807cc912fa05a5e6/packages/aws-cdk-lib/aws-apigateway/lib/resource.ts#L224

### Description of changes

Change to:

> If specific origins are specified (not `Cors.ALL_ORIGINS`), the `Vary: Origin` response header will also be included.

### Describe any new or updated permissions being added

### Description of how you validated changes

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…en (#33507)

### Issue #

Closes #32468

### Reason for this change

When using a custom resource, the values for `serviceToken` and `serviceTimeout` are added to the construct prop `properties` during the synth, thus passing those values through to the lambda. The issue is that these values can be overwritten if you also include the exact keys in your own properties argument. So if I include `serviceToken`, which is a required arg, then I set properties

```
properties: {
  ServiceToken: 'something else',
},
```

the value of `serviceToken` is set to `ServiceToken`, then my property I wrote to `ServiceToken` takes over and replaces the value with my own. This change is to add a warning to the user so they can understand that what they are doing is overwriting that key, as well as add some more detailed flavor text to the properties and readme to help convey this.

### Description of changes

Previously the props like `serviceToken` were being written directly to properties, along with the user provided properties broken out with `...` notation. I moved the automatically added props out of this

```
const constructPropertiesPassed = {
  ServiceToken: props.serviceToken,
  ServiceTimeout: props.serviceTimeout?.toSeconds().toString(),
};

const hasCommonKeys = Object.keys(properties).some(key => key in constructPropertiesPassed);
if (hasCommonKeys) {
  Annotations.of(this).addWarningV2('@aws-cdk/core:customResourcePropDuplicate', `CustomResource properties should not contain keys that are automatically added by the CDK. Found: ${Object.keys(properties).filter(key => key in constructPropertiesPassed)}`);
}

this.resource = new CfnResource(this, 'Default', {
  type,
  properties: {
    ...constructPropertiesPassed,
    ...properties,
  },
});
```

This allowed for a simple comparison between the 2 dicts, which allows for the warning to be initiated from.

### Description of how you validated changes

I added a test to check if this warning is being generated.
I did not change any integs because the actual synth in the end is the exact same as before.

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
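The overwrite described above, as an added TypeScript example written for this page (not the PR's or CDK's code): `mergeCustomResourceProperties` reproduces the spread order from the description, where user keys win, and returns the automatic keys that were replaced together with the same warning text. The `CustomResourceInput` and `MergeResult` types and the function name are assumptions for the example; only an exact-case match counts, since the construct writes `ServiceToken` and `ServiceTimeout` in PascalCase.

```typescript
// Added example, not CDK code: merge user-supplied CustomResource properties
// with the keys the construct adds on its own, and report any automatic key
// the user silently replaced. Key names (ServiceToken, ServiceTimeout) follow
// the PR description; the surrounding types are invented for the example.

interface CustomResourceInput {
  serviceToken: string;                  // required; becomes ServiceToken
  serviceTimeoutSeconds?: number;        // optional; becomes ServiceTimeout (as a string)
  properties?: Record<string, unknown>;  // the user's own properties argument
}

interface MergeResult {
  properties: Record<string, unknown>;   // what would land on the CfnResource
  overridden: string[];                  // automatic keys replaced by the user
  warning?: string;                      // present only when a collision exists
}

function mergeCustomResourceProperties(input: CustomResourceInput): MergeResult {
  // The construct's own keys. ServiceTimeout is present (with an undefined
  // value) even when no timeout was given, as in the PR's
  // constructPropertiesPassed object, so a user key named ServiceTimeout is
  // reported as a collision either way.
  const automatic: Record<string, unknown> = {
    ServiceToken: input.serviceToken,
    ServiceTimeout: input.serviceTimeoutSeconds?.toString(),
  };
  const user = input.properties ?? {};

  // Same check as the PR: any user key that is also an automatic key.
  // The comparison is case-sensitive; a lower-case `serviceToken` is just
  // another property and does not collide.
  const overridden = Object.keys(user).filter((key) => key in automatic);

  // Spread order decides precedence: the later spread wins, so the user's
  // value replaces the construct's. This is the behaviour the warning is about.
  const merged: Record<string, unknown> = { ...automatic, ...user };

  const warning = overridden.length > 0
    ? `CustomResource properties should not contain keys that are automatically added by the CDK. Found: ${overridden.join(',')}`
    : undefined;

  return { properties: merged, overridden, warning };
}
```

A stricter consumer can treat a non-empty `overridden` list as an error rather than a warning; the CDK change itself keeps the user's value and only annotates the construct.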
### Issue # (if applicable)

Closes #32534.

### Reason for this change

CloudFormation supports `GrpcConfig` property to enable gRPC in `CacheBehavior` and `DefaultCacheBehavior`.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-grpcconfig.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-cachebehavior.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-defaultcachebehavior.html

So it would be good to enable gRPC for CloudFront Distribution using L2.

### Description of changes

Add `enableGrpc` property in `BehaviorOptions`.

### Description of how you validated changes

Both unit and integ tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

n/a

### Reason for this change

Adhere to best security practices.

### Description of changes

Fetch remote branch to check for any unapproved commits to the remote branch and only commit/push if there are not.

### Describe any new or updated permissions being added

n/a

### Description of how you validated changes

Tested the commands locally

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

N/A

### Reason for this change

JSII docbuild to python fails due to MRC issue since `MapBaseOptions` already inherits `AssignableStateOptions`

### Description of changes

Remove duplicate imports

### Describe any new or updated permissions being added

<!-- What new or updated IAM permissions are needed to support the changes being introduced ? -->

### Description of how you validated changes

N/A

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**

```
├[~] service aws-acmpca
│ └ resources
│   └[~] resource AWS::ACMPCA::CertificateAuthority
│     └ types
│       └[~] type CrlConfiguration
│         └ properties
│           ├[+] CrlType: string
│           └[+] CustomPath: string
├[~] service aws-appsync
│ └ resources
│   └[~] resource AWS::AppSync::ApiCache
│     └ properties
│       └ ApiCachingBehavior: (documentation changed)
├[~] service aws-backup
│ └ resources
│   └[~] resource AWS::Backup::BackupPlan
│     └ types
│       ├[~] type BackupRuleResourceType
│       │ └ properties
│       │   └[+] IndexActions: Array<IndexActionsResourceType>
│       └[+] type IndexActionsResourceType
│         ├ name: IndexActionsResourceType
│         └ properties
│           └ ResourceTypes: Array<string>
├[~] service aws-batch
│ └ resources
│   ├[~] resource AWS::Batch::ComputeEnvironment
│   │ └ properties
│   │   └ UnmanagedvCpus: (documentation changed)
│   ├[~] resource AWS::Batch::JobDefinition
│   │ ├ properties
│   │ │ └ SchedulingPriority: (documentation changed)
│   │ └ types
│   │   ├[~] type LinuxParameters
│   │   │ └ properties
│   │   │   └ MaxSwap: (documentation changed)
│   │   ├[~] type MultiNodeContainerProperties
│   │   │ ├ - documentation: undefined
│   │   │ │ + documentation: Container properties are used for Amazon ECS based job definitions. These properties to describe the container that's launched as part of a job.
│   │   │ └ properties
│   │   │   ├ Command: (documentation changed)
│   │   │   ├ Environment: (documentation changed)
│   │   │   ├ EphemeralStorage: (documentation changed)
│   │   │   ├ ExecutionRoleArn: (documentation changed)
│   │   │   ├ Image: (documentation changed)
│   │   │   ├ InstanceType: (documentation changed)
│   │   │   ├ JobRoleArn: (documentation changed)
│   │   │   ├ LinuxParameters: (documentation changed)
│   │   │   ├ LogConfiguration: (documentation changed)
│   │   │   ├ Memory: (documentation changed)
│   │   │   ├ MountPoints: (documentation changed)
│   │   │   ├ Privileged: (documentation changed)
│   │   │   ├ ReadonlyRootFilesystem: (documentation changed)
│   │   │   ├ RepositoryCredentials: (documentation changed)
│   │   │   ├ ResourceRequirements: (documentation changed)
│   │   │   ├ RuntimePlatform: (documentation changed)
│   │   │   ├ Secrets: (documentation changed)
│   │   │   ├ Ulimits: (documentation changed)
│   │   │   ├ User: (documentation changed)
│   │   │   ├ Vcpus: (documentation changed)
│   │   │   └ Volumes: (documentation changed)
│   │   ├[~] type MultiNodeEcsProperties
│   │   │ ├ - documentation: undefined
│   │   │ │ + documentation: An object that contains the properties for the Amazon ECS resources of a job.
│   │   │ └ properties
│   │   │   └ TaskProperties: (documentation changed)
│   │   └[~] type MultiNodeEcsTaskProperties
│   │     ├ - documentation: undefined
│   │     │ + documentation: The properties for a task definition that describes the container and volume definitions of an Amazon ECS task. You can specify which Docker images to use, the required resources, and other configurations related to launching the task definition through an Amazon ECS service or task.
│   │     └ properties
│   │       ├ Containers: (documentation changed)
│   │       ├ ExecutionRoleArn: (documentation changed)
│   │       ├ IpcMode: (documentation changed)
│   │       ├ PidMode: (documentation changed)
│   │       ├ TaskRoleArn: (documentation changed)
│   │       └ Volumes: (documentation changed)
│   └[~] resource AWS::Batch::SchedulingPolicy
│     ├ properties
│     │ ├ FairsharePolicy: (documentation changed)
│     │ └ Name: (documentation changed)
│     └ types
│       ├[~] type FairsharePolicy
│       │ ├ - documentation: The fair share policy for a scheduling policy.
│       │ │ + documentation: The fair-share scheduling policy details.
│       │ └ properties
│       │   ├ ComputeReservation: (documentation changed)
│       │   ├ ShareDecaySeconds: (documentation changed)
│       │   └ ShareDistribution: (documentation changed)
│       └[~] type ShareAttributes
│         ├ - documentation: Specifies the weights for the fair share identifiers for the fair share policy. Fair share identifiers that aren't included have a default weight of `1.0` .
│         │ + documentation: Specifies the weights for the share identifiers for the fair-share policy. Share identifiers that aren't included have a default weight of `1.0` .
│         └ properties
│           ├ ShareIdentifier: (documentation changed)
│           └ WeightFactor: (documentation changed)
├[~] service aws-bedrock
│ └ resources
│   ├[~] resource AWS::Bedrock::Agent
│   │ └ types
│   │   └[~] type PromptConfiguration
│   │     └ properties
│   │       └ ParserMode: (documentation changed)
│   ├[~] resource AWS::Bedrock::AgentAlias
│   │ └ attributes
│   │   └ AgentAliasStatus: (documentation changed)
│   ├[~] resource AWS::Bedrock::DataSource
│   │ └ types
│   │   └[~] type BedrockFoundationModelConfiguration
│   │     ├ - documentation: Settings for a foundation model or [inference profile](https://docs.aws.amazon.com/bedrock/latest/userguide/cross-region-inference.html) used to parse documents for a data source.
│   │     │ + documentation: Settings for a foundation model used to parse documents for a data source.
│   │     └ properties
│   │       └ ModelArn: (documentation changed)
│   ├[~] resource AWS::Bedrock::KnowledgeBase
│   │ └ types
│   │   └[~] type VectorKnowledgeBaseConfiguration
│   │     └ properties
│   │       └ EmbeddingModelArn: (documentation changed)
│   ├[~] resource AWS::Bedrock::Prompt
│   │ └ types
│   │   ├[+] type CachePointBlock
│   │   │ ├ documentation: Indicates where a cache checkpoint is located. All information before this checkpoint is cached to be accessed on subsequent requests.
│   │   │ │ name: CachePointBlock
│   │   │ └ properties
│   │   │   └ Type: string (required)
│   │   ├[~] type ContentBlock
│   │   │ └ properties
│   │   │   ├[+] CachePoint: CachePointBlock
│   │   │   └ Text: - string (required)
│   │   │     + string
│   │   ├[~] type PromptVariant
│   │   │ └ properties
│   │   │   └[+] AdditionalModelRequestFields: json
│   │   ├[~] type SystemContentBlock
│   │   │ └ properties
│   │   │   ├[+] CachePoint: CachePointBlock
│   │   │   └ Text: - string (required)
│   │   │     + string
│   │   ├[~] type TextPromptTemplateConfiguration
│   │   │ └ properties
│   │   │   └[+] CachePoint: CachePointBlock
│   │   └[~] type Tool
│   │     └ properties
│   │       ├[+] CachePoint: CachePointBlock
│   │       └ ToolSpec: - ToolSpecification (required)
│   │         + ToolSpecification
│   └[~] resource AWS::Bedrock::PromptVersion
│     └ types
│       ├[+] type CachePointBlock
│       │ ├ documentation: Indicates where a cache checkpoint is located. All information before this checkpoint is cached to be accessed on subsequent requests.
│       │ │ name: CachePointBlock
│       │ └ properties
│       │   └ Type: string (required)
│       ├[~] type ContentBlock
│       │ └ properties
│       │   ├[+] CachePoint: CachePointBlock
│       │   └ Text: - string (required)
│       │     + string
│       ├[~] type PromptVariant
│       │ └ properties
│       │   └[+] AdditionalModelRequestFields: json
│       ├[~] type SystemContentBlock
│       │ └ properties
│       │   ├[+] CachePoint: CachePointBlock
│       │   └ Text: - string (required)
│       │     + string
│       ├[~] type TextPromptTemplateConfiguration
│       │ └ properties
│       │   └[+] CachePoint: CachePointBlock
│       └[~] type Tool
│         └ properties
│           ├[+] CachePoint: CachePointBlock
│           └ ToolSpec: - ToolSpecification (required)
│             + ToolSpecification
├[~] service aws-cloudfront
│ └ resources
│   ├[~] resource AWS::CloudFront::Distribution
│   │ └ types
│   │   ├[~] type Origin
│   │   │ └ properties
│   │   │   └ VpcOriginConfig: (documentation changed)
│   │   └[~] type VpcOriginConfig
│   │     ├ - documentation: undefined
│   │     │ + documentation: An Amazon CloudFront VPC origin configuration.
│   │     └ properties
│   │       ├ OriginKeepaliveTimeout: (documentation changed)
│   │       ├ OriginReadTimeout: (documentation changed)
│   │       └ VpcOriginId: (documentation changed)
│   └[~] resource AWS::CloudFront::VpcOrigin
│     └ types
│       └[~] type VpcOriginEndpointConfig
│         └ properties
│           ├ HTTPPort: (documentation changed)
│           └ HTTPSPort: (documentation changed)
├[~] service aws-cloudtrail
│ └ resources
│   ├[~] resource AWS::CloudTrail::EventDataStore
│   │ └ types
│   │   ├[~] type AdvancedEventSelector
│   │   │ └ - documentation: Advanced event selectors let you create fine-grained selectors for AWS CloudTrail management, data, and network activity events. They help you control costs by logging only those events that are important to you. For more information about configuring advanced event selectors, see the [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) , [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) , and [Logging management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html) topics in the *AWS CloudTrail User Guide* .
│   │   │   You cannot apply both event selectors and advanced event selectors to a trail.
│   │   │   *Supported CloudTrail event record fields for management events*
│   │   │   - `eventCategory` (required)
│   │   │   - `eventSource`
│   │   │   - `readOnly`
│   │   │   The following additional fields are available for event data stores:
│   │   │   - `eventName`
│   │   │   - `eventType`
│   │   │   - `sessionCredentialFromConsole`
│   │   │   - `userIdentity.arn`
│   │   │   *Supported CloudTrail event record fields for data events*
│   │   │   - `eventCategory` (required)
│   │   │   - `resources.type` (required)
│   │   │   - `readOnly`
│   │   │   - `eventName`
│   │   │   - `resources.ARN`
│   │   │   The following additional fields are available for event data stores:
│   │   │   - `eventSource`
│   │   │   - `eventType`
│   │   │   - `sessionCredentialFromConsole`
│   │   │   - `userIdentity.arn`
│   │   │   *Supported CloudTrail event record fields for network activity events*
│   │   │   > Network activity events is in preview release for CloudTrail and is subject to change.
│   │   │   - `eventCategory` (required)
│   │   │   - `eventSource` (required)
│   │   │   - `eventName`
│   │   │   - `errorCode` - The only valid value for `errorCode` is `VpceAccessDenied` .
│   │   │   - `vpcEndpointId`
│   │   │   > For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .
│   │   │   + documentation: Advanced event selectors let you create fine-grained selectors for AWS CloudTrail management, data, and network activity events. They help you control costs by logging only those events that are important to you. For more information about configuring advanced event selectors, see the [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) , [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) , and [Logging management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html) topics in the *AWS CloudTrail User Guide* .
│   │   │   You cannot apply both event selectors and advanced event selectors to a trail.
│   │   │   *Supported CloudTrail event record fields for management events*
│   │   │   - `eventCategory` (required)
│   │   │   - `eventSource`
│   │   │   - `readOnly`
│   │   │   The following additional fields are available for event data stores:
│   │   │   - `eventName`
│   │   │   - `eventType`
│   │   │   - `sessionCredentialFromConsole`
│   │   │   - `userIdentity.arn`
│   │   │   *Supported CloudTrail event record fields for data events*
│   │   │   - `eventCategory` (required)
│   │   │   - `resources.type` (required)
│   │   │   - `readOnly`
│   │   │   - `eventName`
│   │   │   - `resources.ARN`
│   │   │   The following additional fields are available for event data stores:
│   │   │   - `eventSource`
│   │   │   - `eventType`
│   │   │   - `sessionCredentialFromConsole`
│   │   │   - `userIdentity.arn`
│   │   │   *Supported CloudTrail event record fields for network activity events*
│   │   │   - `eventCategory` (required)
│   │   │   - `eventSource` (required)
│   │   │   - `eventName`
│   │   │   - `errorCode` - The only valid value for `errorCode` is `VpceAccessDenied` .
│   │   │   - `vpcEndpointId`
│   │   │   > For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .
│   │   └[~] type AdvancedFieldSelector
│   │     └ properties
│   │       └ Field: (documentation changed)
│   └[~] resource AWS::CloudTrail::Trail
│     └ types
│       ├[~] type AdvancedEventSelector
│       │ └ - documentation: Advanced event selectors let you create fine-grained selectors for AWS CloudTrail management, data, and network activity events. They help you control costs by logging only those events that are important to you. For more information about configuring advanced event selectors, see the [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) , [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) , and [Logging management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html) topics in the *AWS CloudTrail User Guide* .
│       │   You cannot apply both event selectors and advanced event selectors to a trail.
│       │   *Supported CloudTrail event record fields for management events*
│       │   - `eventCategory` (required)
│       │   - `eventSource`
│       │   - `readOnly`
│       │   The following additional fields are available for event data stores:
│       │   - `eventName`
│       │   - `eventType`
│       │   - `sessionCredentialFromConsole`
│       │   - `userIdentity.arn`
│       │   *Supported CloudTrail event record fields for data events*
│       │   - `eventCategory` (required)
│       │   - `resources.type` (required)
│       │   - `readOnly`
│       │   - `eventName`
│       │   - `resources.ARN`
│       │   The following additional fields are available for event data stores:
│       │   - `eventSource`
│       │   - `eventType`
│       │   - `sessionCredentialFromConsole`
│       │   - `userIdentity.arn`
│       │   *Supported CloudTrail event record fields for network activity events*
│       │   > Network activity events is in preview release for CloudTrail and is subject to change.
│       │   - `eventCategory` (required)
│       │   - `eventSource` (required)
│       │   - `eventName`
│       │   - `errorCode` - The only valid value for `errorCode` is `VpceAccessDenied` .
│       │   - `vpcEndpointId`
│       │   > For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .
│       │   + documentation: Advanced event selectors let you create fine-grained selectors for AWS CloudTrail management, data, and network activity events. They help you control costs by logging only those events that are important to you. For more information about configuring advanced event selectors, see the [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) , [Logging network activity events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-network-events-with-cloudtrail.html) , and [Logging management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html) topics in the *AWS CloudTrail User Guide* .
│       │   You cannot apply both event selectors and advanced event selectors to a trail.
│       │   *Supported CloudTrail event record fields for management events*
│       │   - `eventCategory` (required)
│       │   - `eventSource`
│       │   - `readOnly`
│       │   The following additional fields are available for event data stores:
│       │   - `eventName`
│       │   - `eventType`
│       │   - `sessionCredentialFromConsole`
│       │   - `userIdentity.arn`
│       │   *Supported CloudTrail event record fields for data events*
│       │   - `eventCategory` (required)
│       │   - `resources.type` (required)
│       │   - `readOnly`
│       │   - `eventName`
│       │   - `resources.ARN`
│       │   The following additional fields are available for event data stores:
│       │   - `eventSource`
│       │   - `eventType`
│       │   - `sessionCredentialFromConsole`
│       │   - `userIdentity.arn`
│       │   *Supported CloudTrail event record fields for network activity events*
│       │   - `eventCategory` (required)
│       │   - `eventSource` (required)
│       │   - `eventName`
│       │   - `errorCode` - The only valid value for `errorCode` is `VpceAccessDenied` .
│       │   - `vpcEndpointId`
│       │   > For event data stores for CloudTrail Insights events, AWS Config configuration items, Audit Manager evidence, or events outside of AWS , the only supported field is `eventCategory` .
│       └[~] type AdvancedFieldSelector
│         └ properties
│           └ Field: (documentation changed)
├[~] service aws-cloudwatch
│ └ resources
│   └[~] resource AWS::CloudWatch::Alarm
│     └ types
│       └[~] type Dimension
│         └ - documentation: Dimension is an embedded property of the `AWS::CloudWatch::Alarm` type. Dimensions are name/value pairs that can be associated with a CloudWatch metric. You can specify a maximum of 10 dimensions for a given metric.
│           + documentation: Dimension is an embedded property of the `AWS::CloudWatch::Alarm` type. Dimensions are name/value pairs that can be associated with a CloudWatch metric. You can specify a maximum of 30 dimensions for a given metric.
├[~] service aws-codebuild
│ └ resources
│   └[~] resource AWS::CodeBuild::Project
│     └ types
│       └[~] type WebhookFilter
│         └ properties
│           └ Type: (documentation changed)
├[~] service aws-codestar
│ └ resources
│   └[~] resource AWS::CodeStar::GitHubRepository
│     └ attributes
│       └ Id: (documentation changed)
├[~] service aws-cognito
│ └ resources
│   └[~] resource AWS::Cognito::UserPoolDomain
│     └ attributes
│       └[-] Id: string
├[~] service aws-connect
│ └ resources
│   └[+] resource AWS::Connect::ContactFlowVersion
│     ├ name: ContactFlowVersion
│     │ cloudFormationType: AWS::Connect::ContactFlowVersion
│     │ documentation: Creates a version for the specified customer-managed flow within the specified instance.
│     ├ properties
│     │ ├ ContactFlowId: string (required, immutable)
│     │ └ Description: string (immutable)
│     └ attributes
│       ├ ContactFlowVersionARN: string
│       ├ Version: integer
│       └ FlowContentSha256: string
├[~] service aws-datasync
│ └ resources
│   └[~] resource AWS::DataSync::LocationSMB
│     ├ - documentation: The `AWS::DataSync::LocationSMB` resource specifies a Server Message Block (SMB) location.
│     │ + documentation: The `AWS::DataSync::LocationSMB` resource specifies a Server Message Block (SMB) location that AWS DataSync can use as a transfer source or destination.
│     ├ properties
│     │ ├ AgentArns: (documentation changed)
│     │ ├[+] AuthenticationType: string
│     │ ├[+] DnsIpAddresses: Array<string>
│     │ ├[+] KerberosKeytab: string
│     │ ├[+] KerberosKrb5Conf: string
│     │ ├[+] KerberosPrincipal: string
│     │ ├ Password: (documentation changed)
│     │ ├ Subdirectory: (documentation changed)
│     │ └ User: - string (required)
│     │   + string
│     │   (documentation changed)
│     └ attributes
│       └ LocationArn: (documentation changed)
├[~] service aws-deadline
│ └ resources
│   ├[~] resource AWS::Deadline::Farm
│   │ └ properties
│   │   └ Description: (documentation changed)
│   ├[~] resource AWS::Deadline::Fleet
│   │ └ properties
│   │   └ Description: (documentation changed)
│   ├[+] resource AWS::Deadline::Limit
│   │ ├ name: Limit
│   │ │ cloudFormationType: AWS::Deadline::Limit
│   │ │ documentation: Creates a limit that manages the distribution of shared resources, such as floating licenses. A limit can throttle work assignments, help manage workloads, and track current usage. Before you use a limit, you must associate the limit with one or more queues.
│   │ │ You must add the `amountRequirementName` to a step in a job template to declare the limit requirement.
│   │ ├ properties
│   │ │ ├ AmountRequirementName: string (required, immutable)
│   │ │ ├ Description: string (default="")
│   │ │ ├ DisplayName: string (required)
│   │ │ ├ FarmId: string (required, immutable)
│   │ │ └ MaxCount: integer (required)
│   │ └ attributes
│   │   ├ CurrentCount: integer
│   │   └ LimitId: string
│   ├[~] resource AWS::Deadline::Queue
│   │ └ properties
│   │   └ Description: (documentation changed)
│   └[+] resource AWS::Deadline::QueueLimitAssociation
│     ├ name: QueueLimitAssociation
│     │ cloudFormationType: AWS::Deadline::QueueLimitAssociation
│     │ documentation: Associates a limit with a particular queue. After the limit is associated, all workers for jobs that specify the limit associated with the queue are subject to the limit. You can't associate two limits with the same `amountRequirementName` to the same queue.
│     └ properties
│       ├ FarmId: string (required, immutable)
│       ├ LimitId: string (required, immutable)
│       └ QueueId: string (required, immutable)
├[~] service aws-directoryservice
│ └ resources
│   ├[~] resource AWS::DirectoryService::MicrosoftAD
│   │ └ attributes
│   │   ├ Alias: (documentation changed)
│   │   └ Id: (documentation changed)
│   └[~] resource AWS::DirectoryService::SimpleAD
│     └ attributes
│       ├ Alias: (documentation changed)
│       └ DirectoryId: (documentation changed)
├[~] service aws-dlm
│ └ resources
│   └[~] resource AWS::DLM::LifecyclePolicy
│     └ types
│       └[~] type EventSource
│         └ properties
│           └ Type: (documentation changed)
├[~] service aws-dms
│ └ resources
│   └[~] resource AWS::DMS::DataProvider
│     └ properties
│       └ Engine: (documentation changed)
├[~] service aws-dynamodb
│ └ resources
│   └[~] resource AWS::DynamoDB::GlobalTable
│     └ properties
│       └[-] PointInTimeRecoverySpecification: PointInTimeRecoverySpecification
├[~] service aws-ec2
│ └ resources
│   ├[~] resource AWS::EC2::EC2Fleet
│   │ └ types
│   │   └[~] type FleetLaunchTemplateOverridesRequest
│   │     └ properties
│   │       └ MaxPrice: (documentation changed)
│   ├[~] resource AWS::EC2::IPAM
│   │ ├ properties
│   │ │ └[+] DefaultResourceDiscoveryOrganizationalUnitExclusions: Array<IpamOrganizationalUnitExclusion>
│   │ └ types
│   │   └[+] type IpamOrganizationalUnitExclusion
│   │     ├ documentation: If your IPAM is integrated with AWS Organizations and you add an organizational unit (OU) exclusion, IPAM will not manage the IP addresses in accounts in that OU exclusion.
│   │     │ name: IpamOrganizationalUnitExclusion
│   │     └ properties
│   │       └ OrganizationsEntityPath: string (required)
│   ├[~] resource AWS::EC2::IPAMResourceDiscovery
│   │ ├ properties
│   │ │ └[+] OrganizationalUnitExclusions: Array<IpamResourceDiscoveryOrganizationalUnitExclusion>
│   │ └ types
│   │   └[+] type IpamResourceDiscoveryOrganizationalUnitExclusion
│   │     ├ documentation: If your IPAM is integrated with AWS Organizations and you add an organizational unit (OU) exclusion, IPAM will not manage the IP addresses in accounts in that OU exclusion.
│   │     │ name: IpamResourceDiscoveryOrganizationalUnitExclusion
│   │     └ properties
│   │       └ OrganizationsEntityPath: string (required)
│   ├[~] resource AWS::EC2::LaunchTemplate
│   │ └ types
│   │   ├[~] type CpuOptions
│   │   │ └ properties
│   │   │   └ AmdSevSnp: (documentation changed)
│   │   ├[~] type Ebs
│   │   │ └ properties
│   │   │   └ Iops: (documentation changed)
│   │   ├[~] type LaunchTemplateData
│   │   │ └ properties
│   │   │   ├ CpuOptions: (documentation changed)
│   │   │   ├ DisableApiStop: (documentation changed)
│   │   │   ├ EnclaveOptions: (documentation changed)
│   │   │   ├ MetadataOptions: (documentation changed)
│   │   │   └ UserData: (documentation changed)
│   │   ├[~] type MetadataOptions
│   │   │ └ properties
│   │   │   └ InstanceMetadataTags: (documentation changed)
│   │   ├[~] type NetworkInterface
│   │   │ └ properties
│   │   │   └ InterfaceType: (documentation changed)
│   │   └[~] type SpotOptions
│   │     └ properties
│   │       └ MaxPrice: (documentation changed)
│   ├[~] resource AWS::EC2::SecurityGroup
│   │ └ - documentation: Specifies a security group. To create a security group, use the [VpcId](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#cfn-ec2-securitygroup-vpcid) property to specify the VPC for which to create the security group.
│   │   If you do not specify an egress rule, we add egress rules that allow IPv4 and IPv6 traffic on all ports and protocols to any destination. We do not add these rules if you specify your own egress rules.
│   │   This type supports updates. For more information about updating stacks, see [AWS CloudFormation Stacks Updates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html) .
│   │   > To cross-reference two security groups in the ingress and egress rules of those security groups, use the [AWS::EC2::SecurityGroupEgress](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-egress.html) and [AWS::EC2::SecurityGroupIngress](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-ingress.html) resources to define your rules. Do not use the embedded ingress and egress rules in the `AWS::EC2::SecurityGroup` . Doing so creates a circular dependency, which AWS CloudFormation doesn't allow.
│   │   + documentation: Specifies a security group.
│   │   You must specify ingress rules to allow inbound traffic. By default, no inbound traffic is allowed.
│   │   If you do not specify an egress rule, we add egress rules that allow outbound IPv4 and IPv6 traffic on all ports and protocols to any destination. We do not add these rules if you specify your own egress rules.
│   │   This type supports updates. For more information about updating stacks, see [AWS CloudFormation Stacks Updates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html) .
│   │   > To cross-reference two security groups in the ingress and egress rules of those security groups, use the [AWS::EC2::SecurityGroupEgress](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-egress.html) and [AWS::EC2::SecurityGroupIngress](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-ingress.html) resources to define your rules. Do not use the embedded ingress and egress rules in the `AWS::EC2::SecurityGroup` . Doing so creates a circular dependency, which AWS CloudFormation doesn't allow.
│   ├[~] resource AWS::EC2::VerifiedAccessEndpoint
│   │ └ types
│   │   ├[~] type CidrOptions
│   │   │ ├ - documentation: The options for cidr type endpoint.
│   │   │ │ + documentation: Describes the CIDR options for a Verified Access endpoint.
│   │   │ └ properties
│   │   │   ├ Cidr: (documentation changed)
│   │   │   ├ PortRanges: (documentation changed)
│   │   │   └ Protocol: (documentation changed)
│   │   ├[~] type LoadBalancerOptions
│   │   │ └ properties
│   │   │   ├ PortRanges: (documentation changed)
│   │   │   └ SubnetIds: (documentation changed)
│   │   ├[~] type NetworkInterfaceOptions
│   │   │ └ properties
│   │   │   └ PortRanges: (documentation changed)
│   │   ├[~] type PortRange
│   │   │ ├ - documentation: Describes a range of ports.
│   │   │ │ + documentation: Describes the port range for a Verified Access endpoint.
│   │   │ └ properties
│   │   │   ├ FromPort: (documentation changed)
│   │   │   └ ToPort: (documentation changed)
│   │   └[~] type RdsOptions
│   │     ├ - documentation: The options for rds type endpoint.
│   │     │ + documentation: Describes the RDS options for a Verified Access endpoint.
│   │     └ properties
│   │       ├ Port: (documentation changed)
│   │       ├ Protocol: (documentation changed)
│   │       ├ RdsDbClusterArn: (documentation changed)
│   │       ├ RdsDbInstanceArn: (documentation changed)
│   │       ├ RdsDbProxyArn: (documentation changed)
│   │       └ SubnetIds: (documentation changed)
│   ├[~] resource AWS::EC2::VerifiedAccessInstance
│   │ └ attributes
│   │   └ CidrEndpointsCustomSubDomainNameServers: (documentation changed)
│   ├[~] resource AWS::EC2::VerifiedAccessTrustProvider
│   │ └ types
│   │   └[~] type NativeApplicationOidcOptions
│   │     └ properties
│   │       └ ClientSecret: (documentation changed)
│   ├[~] resource AWS::EC2::VPCCidrBlock
│   │ └ properties
│   │   └ Ipv6CidrBlockNetworkBorderGroup: (documentation changed)
│   ├[~] resource AWS::EC2::VPCEndpoint
│   │ └ properties
│   │   └ Tags: (documentation changed)
│   └[~] resource AWS::EC2::VPCEndpointService
│     └ properties
│       └ Tags: (documentation changed)
├[~] service aws-ecs
│ └ resources
│   ├[~] resource AWS::ECS::Cluster
│   │ └ types
│   │   └[~] type ManagedStorageConfiguration
│   │     └ properties
│   │       ├ FargateEphemeralStorageKmsKeyId: (documentation changed)
│   │       └ KmsKeyId: (documentation changed)
│   ├[~] resource AWS::ECS::Service
│   │ ├ properties
│   │ │ ├ AvailabilityZoneRebalancing: (documentation changed)
│   │ │ └ CapacityProviderStrategy: (documentation changed)
│   │ └ types
│   │   └[~] type ServiceManagedEBSVolumeConfiguration
│   │     └ properties
│   │       └[-] VolumeInitializationRate: integer
│   └[~] resource AWS::ECS::TaskDefinition
│     └ types
│       └[~] type HealthCheck
│         └ properties
│           ├ Interval: (documentation changed)
│           ├ Retries: (documentation changed)
│           ├ StartPeriod: (documentation changed)
│           └ Timeout: (documentation changed)
├[~] service aws-eks
│ └ resources
│   └[~] resource AWS::EKS::Nodegroup
│     └ types
│       └[~] type UpdateConfig
│         └ properties
│           └ UpdateStrategy: (documentation changed)
├[~] service aws-elasticloadbalancingv2
│ └ resources
│   └[~] resource AWS::ElasticLoadBalancingV2::Listener
│     └ types
│       └[~] type MutualAuthentication
│         ├ - documentation: Specifies the configuration information for mutual authentication.
│         │ + documentation: The mutual authentication configuration information.
│         └ properties
│           ├ AdvertiseTrustStoreCaNames: (documentation changed)
│           └ Mode: (documentation changed)
├[~] service aws-emr
│ └ resources
│   └[~] resource AWS::EMR::Studio
│     └ - tagInformation: undefined
│       + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
├[~] service aws-emrcontainers
│ └ resources
│   └[~] resource AWS::EMRContainers::VirtualCluster
│     └ properties
│       └[+] SecurityConfigurationId: string
├[~] service aws-fms
│ └ resources
│   └[~] resource AWS::FMS::Policy
│     ├ properties
│     │ └ SecurityServicePolicyData: (documentation changed)
│     └ types
│       └[~] type SecurityServicePolicyData
│         └ properties
│           └ Type: (documentation changed)
├[~] service aws-fsx
│ └ resources
│   └[~] resource AWS::FSx::FileSystem
│     └ types
│       └[~] type OpenZFSConfiguration
│         └ properties
│           ├ EndpointIpAddressRange: (documentation changed)
│           └ ThroughputCapacity: (documentation changed)
├[~] service aws-glue
│ └ resources
│   └[~] resource AWS::Glue::Crawler
│     └ types
│       ├[+] type HudiTarget
│       │ ├ documentation: Specifies an Apache Hudi data source.
│       │ │ name: HudiTarget
│       │ └ properties
│       │   ├ ConnectionName: string
│       │   ├ Paths: Array<string>
│       │   ├ Exclusions: Array<string>
│       │   └ MaximumTraversalDepth: integer
│       └[~] type Targets
│         └ properties
│           └[+] HudiTargets: Array<HudiTarget>
├[~] service aws-groundstation
│ └ resources
│   ├[~] resource AWS::GroundStation::DataflowEndpointGroup
│   │ └ properties
│   │   ├ ContactPostPassDurationSeconds: - integer
│   │   │ + integer (immutable)
│   │   ├ ContactPrePassDurationSeconds: - integer
│   │   │ + integer (immutable)
│   │   └ EndpointDetails: - Array<EndpointDetails> (required)
│   │     + Array<EndpointDetails> (required, immutable)
│   └[~] resource AWS::GroundStation::MissionProfile
│     └ types
│       └[~] type StreamsKmsKey
│         └ properties
│           └[+] KmsAliasName: string
├[~] service aws-iot
│ └ resources
│   └[~] resource AWS::IoT::Logging
│     └ - documentation: Configure logging.
│       + documentation: Configure logging.
│       > If you already set the log function of AWS IoT Core , you can't deploy the AWS Cloud Development Kit (AWS CDK) to change the logging settings. You can change the logging settings by either:
│       >
│       > - Importing a role into your AWS CloudFormation stack, such as with the [infrastructure as code generator (IaC generator)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/generate-IaC.html) .
│       > - [Deleting the existing role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html#roles-managingrole-deleting-console) .
├[~] service aws-ivs
│ └ resources
│   ├[~] resource AWS::IVS::Channel
│   │ ├ properties
│   │ │ ├[+] ContainerFormat: string (default="TS")
│   │ │ ├[+] MultitrackInputConfiguration: MultitrackInputConfiguration
│   │ │ └ Type: (documentation changed)
│   │ └ types
│   │   └[+] type MultitrackInputConfiguration
│   │     ├ documentation: A complex type that specifies multitrack input configuration.
│   │     │ name: MultitrackInputConfiguration
│   │     └ properties
│   │       ├ Enabled: boolean (default=false)
│   │       ├ MaximumResolution: string
│   │       └ Policy: string
│   ├[~] resource AWS::IVS::PlaybackKeyPair
│   │ └ properties
│   │   └ PublicKeyMaterial: (documentation changed)
│   └[~] resource AWS::IVS::PublicKey
│     └ properties
│       └ PublicKeyMaterial: (documentation changed)
├[~] service aws-medialive
│ └ resources
│   ├[~] resource AWS::MediaLive::Channel
│   │ ├ properties
│   │ │ ├[+] ChannelEngineVersion: ChannelEngineVersionRequest
│   │ │ └[+] DryRun: boolean
│   │ └ types
│   │   ├[+] type ChannelEngineVersionRequest
│   │   │ ├ name: ChannelEngineVersionRequest
│   │   │ └ properties
│   │   │   └ Version: string
│   │   ├[~] type CmafIngestGroupSettings
│   │   │ └ properties
│   │   │   ├[+] Id3Behavior: string
│   │   │   ├[+] Id3NameModifier: string
│   │   │   ├[+] KlvBehavior: string
│   │   │   ├[+] KlvNameModifier: string
│   │   │   ├[+] NielsenId3NameModifier: string
│   │   │   └[+] Scte35NameModifier: string
│   │   ├[~] type H265Settings
│   │   │ └ properties
│   │   │   └[+] Deblocking: string
│   │   └[~] type MediaPackageOutputDestinationSettings
│   │     └ properties
│   │       ├[+] ChannelGroup: string
│   │       └[+] ChannelName: string
│   └[~] resource AWS::MediaLive::InputSecurityGroup
│     └ properties
│       └ Tags: - json
│         + json (immutable)
├[~] service aws-opensearchserverless
│ └ resources
│   └[~] resource AWS::OpenSearchServerless::SecurityConfig
│     └ types
│       └[~] type SamlConfigOptions
│         └ properties
│           └[+] OpenSearchServerlessEntityId: string
├[~] service aws-rds
│ └ resources
│   ├[~] resource AWS::RDS::DBInstance
│   │ └ properties
│   │   └[+] ApplyImmediately: boolean
│   ├[~] resource AWS::RDS::DBParameterGroup
│   │ └ properties
│   │   └ Parameters: (documentation changed)
│   └[~] resource AWS::RDS::GlobalCluster
│     ├ properties
│     │ └[-] GlobalEndpoint: GlobalEndpoint
│     └ attributes
│       └[+] GlobalEndpoint: GlobalEndpoint
├[~] service aws-s3
│ └ resources
│   └[~] resource AWS::S3::Bucket
│     ├ properties
│     │ └[+] MetadataTableConfiguration: MetadataTableConfiguration
│     ├ 
attributes │ │ ├[+] MetadataTableConfiguration.S3TablesDestination.TableArn: string │ │ └[+] MetadataTableConfiguration.S3TablesDestination.TableNamespace: string │ └ types │ ├[+] type MetadataTableConfiguration │ │ ├ documentation: The metadata table configuration of an Amazon S3 general purpose bucket. For more information, see [Accelerating data discovery with S3 Metadata](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metadata-tables-overview.html) and [Setting up permissions for configuring metadata tables](https://docs.aws.amazon.com/AmazonS3/latest/userguide/metadata-tables-permissions.html) . │ │ │ name: MetadataTableConfiguration │ │ └ properties │ │ └ S3TablesDestination: S3TablesDestination (required) │ └[+] type S3TablesDestination │ ├ documentation: The destination information for the metadata table configuration. The destination table bucket must be in the same Region and AWS account as the general purpose bucket. The specified metadata table name must be unique within the `aws_s3_metadata` namespace in the destination table bucket. │ │ name: S3TablesDestination │ └ properties │ ├ TableBucketArn: string (required) │ ├ TableName: string (required) │ ├ TableNamespace: string │ └ TableArn: string ├[~] service aws-s3objectlambda │ └ resources │ └[~] resource AWS::S3ObjectLambda::AccessPoint │ └ types │ └[~] type TransformationConfiguration │ └ properties │ └ Actions: (documentation changed) ├[~] service aws-ssm │ └ resources │ ├[~] resource AWS::SSM::Association │ │ └ properties │ │ └ CalendarNames: (documentation changed) │ └[~] resource AWS::SSM::ResourceDataSync │ └ attributes │ └ SyncName: (documentation changed) ├[~] service aws-supportapp │ └ resources │ ├[~] resource AWS::SupportApp::AccountAlias │ │ └ - documentation: You can use the `AWS::SupportApp::AccountAlias` resource to specify your AWS account when you configure the AWS Support App in Slack. 
Your alias name appears on the AWS Support App page in the Support Center Console and in messages from the AWS Support App. You can use this alias to identify the account you've configured with the AWS Support App . │ │ For more information, see [AWS Support App in Slack](https://docs.aws.amazon.com/awssupport/latest/user/aws-support-app-for-slack.html) in the *AWS Support User Guide* . │ │ + documentation: You can use the `AWS::SupportApp::AccountAlias` resource to specify your AWS account when you configure the AWS Support App in Slack. Your alias name appears on the AWS Support App page in the Support Center Console and in messages from the App. You can use this alias to identify the account you've configured with the AWS Support App . │ │ For more information, see [AWS Support App in Slack](https://docs.aws.amazon.com/awssupport/latest/user/aws-support-app-for-slack.html) in the *User Guide* . │ ├[~] resource AWS::SupportApp::SlackChannelConfiguration │ │ ├ - documentation: You can use the `AWS::SupportApp::SlackChannelConfiguration` resource to specify your AWS account when you configure the AWS Support App . 
This resource includes the following information: │ │ │ - The Slack channel name and ID │ │ │ - The team ID in Slack │ │ │ - The Amazon Resource Name (ARN) of the AWS Identity and Access Management ( IAM ) role │ │ │ - Whether you want the AWS Support App to notify you when your support cases are created, updated, resolved, or reopened │ │ │ - The case severity that you want to get notified for │ │ │ For more information, see the following topics in the *AWS Support User Guide* : │ │ │ - [AWS Support App in Slack](https://docs.aws.amazon.com/awssupport/latest/user/aws-support-app-for-slack.html) │ │ │ - [Creating AWS Support App in Slack resources with AWS CloudFormation](https://docs.aws.amazon.com/awssupport/latest/user/creating-resources-with-cloudformation.html) │ │ │ + documentation: You can use the `AWS::SupportApp::SlackChannelConfiguration` resource to specify your AWS account when you configure the AWS Support App . This resource includes the following information: │ │ │ - The Slack channel name and ID │ │ │ - The team ID in Slack │ │ │ - The Amazon Resource Name (ARN) of the AWS Identity and Access Management ( IAM ) role │ │ │ - Whether you want the AWS Support App to notify you when your support cases are created, updated, resolved, or reopened │ │ │ - The case severity that you want to get notified for │ │ │ For more information, see the following topics in the *User Guide* : │ │ │ - [AWS Support App in Slack](https://docs.aws.amazon.com/awssupport/latest/user/aws-support-app-for-slack.html) │ │ │ - [Creating AWS Support App in Slack resources with AWS CloudFormation](https://docs.aws.amazon.com/awssupport/latest/user/creating-resources-with-cloudformation.html) │ │ └ properties │ │ └ ChannelRoleArn: (documentation changed) │ └[~] resource AWS::SupportApp::SlackWorkspaceConfiguration │ └ - documentation: You can use the `AWS::SupportApp::SlackWorkspaceConfiguration` resource to specify your Slack workspace configuration. 
This resource configures your AWS account so that you can use the specified Slack workspace in the AWS Support App . This resource includes the following information: │ - The team ID for the Slack workspace │ - The version ID of the resource to use with AWS CloudFormation │ For more information, see the following topics in the *AWS Support User Guide* : │ - [AWS Support App in Slack](https://docs.aws.amazon.com/awssupport/latest/user/aws-support-app-for-slack.html) │ - [Creating AWS Support App in Slack resources with AWS CloudFormation](https://docs.aws.amazon.com/awssupport/latest/user/creating-resources-with-cloudformation.html) │ + documentation: You can use the `AWS::SupportApp::SlackWorkspaceConfiguration` resource to specify your Slack workspace configuration. This resource configures your AWS account so that you can use the specified Slack workspace in the AWS Support App . This resource includes the following information: │ - The team ID for the Slack workspace │ - The version ID of the resource to use with AWS CloudFormation │ For more information, see the following topics in the *User Guide* : │ - [AWS Support App in Slack](https://docs.aws.amazon.com/awssupport/latest/user/aws-support-app-for-slack.html) │ - [Creating AWS Support App in Slack resources with AWS CloudFormation](https://docs.aws.amazon.com/awssupport/latest/user/creating-resources-with-cloudformation.html) ├[~] service aws-transfer │ └ resources │ ├[~] resource AWS::Transfer::Agreement │ │ └ properties │ │ ├[+] EnforceMessageSigning: string │ │ └[+] PreserveFilename: string │ ├[~] resource AWS::Transfer::Connector │ │ └ types │ │ └[~] type As2Config │ │ └ properties │ │ └[+] PreserveContentType: string │ ├[~] resource AWS::Transfer::User │ │ └ properties │ │ └ SshPublicKeys: (documentation changed) │ └[+] resource AWS::Transfer::WebApp │ ├ name: WebApp │ │ cloudFormationType: AWS::Transfer::WebApp │ │ documentation: Creates a web app based on specified parameters, and returns the ID for 
the new web app. │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ ├ properties │ │ ├ IdentityProviderDetails: IdentityProviderDetails (required) │ │ ├ AccessEndpoint: string │ │ ├ WebAppUnits: WebAppUnits │ │ ├ WebAppCustomization: WebAppCustomization │ │ └ Tags: Array<tag> │ ├ attributes │ │ ├ Arn: string │ │ ├ WebAppId: string │ │ └ IdentityProviderDetails.ApplicationArn: string │ └ types │ ├ type IdentityProviderDetails │ │ ├ documentation: A structure that describes the values to use for the IAM Identity Center settings when you create or update a web app. │ │ │ name: IdentityProviderDetails │ │ └ properties │ │ ├ ApplicationArn: string │ │ ├ InstanceArn: string (immutable) │ │ └ Role: string │ ├ type WebAppCustomization │ │ ├ documentation: A structure that contains the customization fields for the web app. You can provide a title, logo, and icon to customize the appearance of your web app. │ │ │ name: WebAppCustomization │ │ └ properties │ │ ├ Title: string │ │ ├ LogoFile: string │ │ └ FaviconFile: string │ └ type WebAppUnits │ ├ documentation: Contains an integer value that represents the value for number of concurrent connections or the user sessions on your web app. │ │ name: WebAppUnits │ └ properties │ └ Provisioned: integer (required) ├[~] service aws-wafv2 │ └ resources │ ├[~] resource AWS::WAFv2::LoggingConfiguration │ │ ├ - documentation: Defines an association between logging destinations and a web ACL resource, for logging from AWS WAF . As part of the association, you can specify parts of the standard logging fields to keep out of the logs and you can specify filters so that you log only a subset of the logging records. │ │ │ > You can define one logging destination per web ACL. │ │ │ You can access information about the traffic that AWS WAF inspects using the following steps: │ │ │ - Create your logging destination. 
You can use an Amazon CloudWatch Logs log group, an Amazon Simple Storage Service (Amazon S3) bucket, or an Amazon Kinesis Data Firehose. │ │ │ The name that you give the destination must start with `aws-waf-logs-` . Depending on the type of destination, you might need to configure additional settings or permissions. │ │ │ For configuration requirements and pricing information for each destination type, see [Logging web ACL traffic](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html) in the *AWS WAF Developer Guide* . │ │ │ - Associate your logging destination to your web ACL using a `PutLoggingConfiguration` request. │ │ │ When you successfully enable logging using a `PutLoggingConfiguration` request, AWS WAF creates an additional role or policy that is required to write logs to the logging destination. For an Amazon CloudWatch Logs log group, AWS WAF creates a resource policy on the log group. For an Amazon S3 bucket, AWS WAF creates a bucket policy. For an Amazon Kinesis Data Firehose, AWS WAF creates a service-linked role. │ │ │ For additional information about web ACL logging, see [Logging web ACL traffic information](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html) in the *AWS WAF Developer Guide* . │ │ │ + documentation: Defines an association between logging destinations and a web ACL resource, for logging from AWS WAF . As part of the association, you can specify parts of the standard logging fields to keep out of the logs and you can specify filters so that you log only a subset of the logging records. │ │ │ If you configure data protection for the web ACL, the protection applies to the data that AWS WAF sends to the logs. │ │ │ > You can define one logging destination per web ACL. │ │ │ You can access information about the traffic that AWS WAF inspects using the following steps: │ │ │ - Create your logging destination. 
You can use an Amazon CloudWatch Logs log group, an Amazon Simple Storage Service (Amazon S3) bucket, or an Amazon Kinesis Data Firehose. │ │ │ The name that you give the destination must start with `aws-waf-logs-` . Depending on the type of destination, you might need to configure additional settings or permissions. │ │ │ For configuration requirements and pricing information for each destination type, see [Logging web ACL traffic](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html) in the *AWS WAF Developer Guide* . │ │ │ - Associate your logging destination to your web ACL using a `PutLoggingConfiguration` request. │ │ │ When you successfully enable logging using a `PutLoggingConfiguration` request, AWS WAF creates an additional role or policy that is required to write logs to the logging destination. For an Amazon CloudWatch Logs log group, AWS WAF creates a resource policy on the log group. For an Amazon S3 bucket, AWS WAF creates a bucket policy. For an Amazon Kinesis Data Firehose, AWS WAF creates a service-linked role. │ │ │ For additional information about web ACL logging, see [Logging web ACL traffic information](https://docs.aws.amazon.com/waf/latest/developerguide/logging.html) in the *AWS WAF Developer Guide* . │ │ └ properties │ │ └ RedactedFields: (documentation changed) │ ├[~] resource AWS::WAFv2::RuleGroup │ │ └ types │ │ ├[~] type FieldToMatch │ │ │ └ - documentation: Specifies a web request component to be used in a rule match statement or in a logging configuration. │ │ │ - In a rule statement, this is the part of the web request that you want AWS WAF to inspect. Include the single `FieldToMatch` type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in `FieldToMatch` for each rule statement that requires it. To inspect more than one component of the web request, create a separate rule statement for each component. 
│ │ │ Example JSON for a `QueryString` field to match: │ │ │ `"FieldToMatch": { "QueryString": {} }` │ │ │ Example JSON for a `Method` field to match specification: │ │ │ `"FieldToMatch": { "Method": { "Name": "DELETE" } }` │ │ │ - In a logging configuration, this is used in the `RedactedFields` property to specify a field to redact from the logging records. For this use case, note the following: │ │ │ - Even though all `FieldToMatch` settings are available, the only valid settings for field redaction are `UriPath` , `QueryString` , `SingleHeader` , and `Method` . │ │ │ - In this documentation, the descriptions of the individual fields talk about specifying the web request component to inspect, but for field redaction, you are specifying the component type to redact from the logs. │ │ │ - If you have request sampling enabled, the redacted fields configuration for logging has no impact on sampling. The only way to exclude fields from request sampling is by disabling sampling in the web ACL visibility configuration. │ │ │ + documentation: Specifies a web request component to be used in a rule match statement or in a logging configuration. │ │ │ - In a rule statement, this is the part of the web request that you want AWS WAF to inspect. Include the single `FieldToMatch` type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in `FieldToMatch` for each rule statement that requires it. To inspect more than one component of the web request, create a separate rule statement for each component. │ │ │ Example JSON for a `QueryString` field to match: │ │ │ `"FieldToMatch": { "QueryString": {} }` │ │ │ Example JSON for a `Method` field to match specification: │ │ │ `"FieldToMatch": { "Method": { "Name": "DELETE" } }` │ │ │ - In a logging configuration, this is used in the `RedactedFields` property to specify a field to redact from the logging records. 
For this use case, note the following: │ │ │ - Even though all `FieldToMatch` settings are available, the only valid settings for field redaction are `UriPath` , `QueryString` , `SingleHeader` , and `Method` . │ │ │ - In this documentation, the descriptions of the individual fields talk about specifying the web request component to inspect, but for field redaction, you are specifying the component type to redact from the logs. │ │ │ - If you have request sampling enabled, the redacted fields configuration for logging has no impact on sampling. You can only exclude fields from request sampling by disabling sampling in the web ACL visibility configuration or by configuring data protection for the web ACL. │ │ └[~] type VisibilityConfig │ │ └ properties │ │ └ SampledRequestsEnabled: (documentation changed) │ └[~] resource AWS::WAFv2::WebACL │ └ types │ ├[~] type FieldToMatch │ │ └ - documentation: Specifies a web request component to be used in a rule match statement or in a logging configuration. │ │ - In a rule statement, this is the part of the web request that you want AWS WAF to inspect. Include the single `FieldToMatch` type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in `FieldToMatch` for each rule statement that requires it. To inspect more than one component of the web request, create a separate rule statement for each component. │ │ Example JSON for a `QueryString` field to match: │ │ `"FieldToMatch": { "QueryString": {} }` │ │ Example JSON for a `Method` field to match specification: │ │ `"FieldToMatch": { "Method": { "Name": "DELETE" } }` │ │ - In a logging configuration, this is used in the `RedactedFields` property to specify a field to redact from the logging records. 
For this use case, note the following: │ │ - Even though all `FieldToMatch` settings are available, the only valid settings for field redaction are `UriPath` , `QueryString` , `SingleHeader` , and `Method` . │ │ - In this documentation, the descriptions of the individual fields talk about specifying the web request component to inspect, but for field redaction, you are specifying the component type to redact from the logs. │ │ - If you have request sampling enabled, the redacted fields configuration for logging has no impact on sampling. The only way to exclude fields from request sampling is by disabling sampling in the web ACL visibility configuration. │ │ + documentation: Specifies a web request component to be used in a rule match statement or in a logging configuration. │ │ - In a rule statement, this is the part of the web request that you want AWS WAF to inspect. Include the single `FieldToMatch` type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in `FieldToMatch` for each rule statement that requires it. To inspect more than one component of the web request, create a separate rule statement for each component. │ │ Example JSON for a `QueryString` field to match: │ │ `"FieldToMatch": { "QueryString": {} }` │ │ Example JSON for a `Method` field to match specification: │ │ `"FieldToMatch": { "Method": { "Name": "DELETE" } }` │ │ - In a logging configuration, this is used in the `RedactedFields` property to specify a field to redact from the logging records. For this use case, note the following: │ │ - Even though all `FieldToMatch` settings are available, the only valid settings for field redaction are `UriPath` , `QueryString` , `SingleHeader` , and `Method` . │ │ - In this documentation, the descriptions of the individual fields talk about specifying the web request component to inspect, but for field redaction, you are specifying the component type to redact from the logs. 
│ │ - If you have request sampling enabled, the redacted fields configuration for logging has no impact on sampling. You can only exclude fields from request sampling by disabling sampling in the web ACL visibility configuration or by configuring data protection for the web ACL. │ └[~] type VisibilityConfig │ └ properties │ └ SampledRequestsEnabled: (documentation changed) └[~] service aws-wisdom └ resources ├[~] resource AWS::Wisdom::Assistant │ └ - tagInformation: undefined │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"} └[~] resource AWS::Wisdom::AssistantAssociation └ - tagInformation: undefined + tagInformation: {"tagPropertyName":"Tags","variant":"standard"} ```
### Reason for this change

Fix failed workflow `yarn upgrade`: https://github.com/aws/aws-cdk/actions/runs/13445238910/job/37568949091

Since the CLI has moved out, there is no `packages/aws-cdk` dir.
### Issue # (if applicable)

Closes #33034

### Reason for this change

This allows creating an S3 bucket origin OriginAccessControl for access of versioned objects via CloudFront.

### Description of changes

Added a new `AccessLevel.READ_VERSIONED`, to extend the list of the OAC access levels, which extends the S3 bucket policy to contain `s3:GetObjectVersion`. I followed the existing patterns for the different AccessLevels, to make the change as small as possible. This enables versioned S3 bucket origins to allow the CloudFront distribution to access object versions.

### Describe any new or updated permissions being added

n/a

### Description of how you validated changes

Added a new unit test and a new integration test

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

N/A

### Reason for this change

The enum-like parser was pulling in some classes that did not follow the pattern of enum-like classes. This alleviates that by looking, rather than for fields that are strictly not strings, for fields that strictly follow the pattern:

```ts
public static readonly NEW_EXPRESSION = new SomeClass(...);
public static readonly CALL_EXPRESSION = SomeClass.method(...);
public static readonly ACCESS_EXPRESSION = MyClass.ANOTHER_ENUM;
```

### Description of changes

Altered the parsing logic to be more specific, and reran the script to parse enum-likes.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

`yarn test`

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
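The `AccessLevel.READ_VERSIONED` commit in this release states only that the Origin Access Control (OAC) bucket policy gains `s3:GetObjectVersion`. The block below is an added example, not aws-cdk code and not from this PR: a small TypeScript model of the bucket-policy statement an OAC S3 origin needs, built from the chosen access levels, so the effect of the new level can be inspected and checked. Assumptions, none of which the PR states: the actions for the other levels (`READ` = `s3:GetObject`, `LIST` = `s3:ListBucket`, `WRITE` = `s3:PutObject`, `DELETE` = `s3:DeleteObject`), the `cloudfront.amazonaws.com` service principal pinned to one distribution through an `AWS:SourceArn` condition (the usual OAC policy shape), and the constructed ARNs. The `canServe` check encodes the S3 rule that a request naming a `versionId` needs `s3:GetObjectVersion`, which is why `READ` and `READ_VERSIONED` are combined rather than swapped.

```typescript
// Added example (not aws-cdk code): a model of the OAC bucket-policy statement
// that grows with the selected access levels. Level names mirror the members of
// aws-cdk-lib's cloudfront.AccessLevel; the action mapping below is an assumption
// except for READ_VERSIONED -> s3:GetObjectVersion, which the commit describes.
type AccessLevel = "READ" | "READ_VERSIONED" | "LIST" | "WRITE" | "DELETE";

const ACTION_FOR_LEVEL: Record<AccessLevel, string> = {
  READ: "s3:GetObject",
  READ_VERSIONED: "s3:GetObjectVersion", // what this release adds
  LIST: "s3:ListBucket",
  WRITE: "s3:PutObject",
  DELETE: "s3:DeleteObject",
};

interface PolicyStatement {
  Sid: string;
  Effect: "Allow";
  Principal: { Service: string };
  Action: string[];
  Resource: string[];
  Condition: { StringEquals: { "AWS:SourceArn": string } };
}

// Build the single statement an OAC origin needs. Every grant is scoped to one
// distribution via AWS:SourceArn, so the shared cloudfront.amazonaws.com
// principal cannot be used by someone else's distribution to read the bucket.
function oacBucketPolicyStatement(
  bucketArn: string,
  distributionArn: string,
  levels: AccessLevel[] = ["READ"],
): PolicyStatement {
  if (levels.length === 0) {
    throw new Error("at least one access level is required");
  }
  // One action per level, de-duplicated, in the order the caller listed them.
  const actions: string[] = [];
  for (const level of levels) {
    const action = ACTION_FOR_LEVEL[level];
    if (actions.indexOf(action) === -1) {
      actions.push(action);
    }
  }
  // Object-level actions apply to keys under the bucket; s3:ListBucket is a
  // bucket-level action, so the bucket ARN itself is added only for LIST.
  const resources = [bucketArn + "/*"];
  if (levels.indexOf("LIST") !== -1) {
    resources.push(bucketArn);
  }
  return {
    Sid: "AllowCloudFrontServicePrincipal",
    Effect: "Allow",
    Principal: { Service: "cloudfront.amazonaws.com" },
    Action: actions,
    Resource: resources,
    Condition: { StringEquals: { "AWS:SourceArn": distributionArn } },
  };
}

// Whether the statement lets CloudFront fetch an object. A request that names a
// versionId needs s3:GetObjectVersion; a plain request needs s3:GetObject. Neither
// action implies the other, so a versioned origin normally needs both levels.
function canServe(stmt: PolicyStatement, versionedRequest: boolean): boolean {
  const needed = versionedRequest ? "s3:GetObjectVersion" : "s3:GetObject";
  return stmt.Action.indexOf(needed) !== -1;
}

// Constructed sample ARNs (hypothetical account, bucket and distribution).
const BUCKET_ARN = "arn:aws:s3:::example-assets-bucket";
const DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE";

// Default behaviour (READ only) versus a versioned origin (READ + READ_VERSIONED).
const readOnly = oacBucketPolicyStatement(BUCKET_ARN, DIST_ARN);
const readVersioned = oacBucketPolicyStatement(BUCKET_ARN, DIST_ARN, ["READ", "READ_VERSIONED"]);

console.log(JSON.stringify({ Version: "2012-10-17", Statement: [readVersioned] }, null, 2));
```

In real CDK code the levels are passed where the `aws-cloudfront-origins` README already documents them for the existing members, `origins.S3BucketOrigin.withOriginAccessControl(bucket, { originAccessLevels: [cloudfront.AccessLevel.READ, cloudfront.AccessLevel.READ_VERSIONED] })`; the model above only makes the resulting policy visible so that a reviewer can confirm that `READ_VERSIONED` widens the grant by exactly one action and that the `AWS:SourceArn` pin is still present.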
Exemption request: The PR Linter failed due to too many lines of code removed. This is expected as the result of CLI removal from this repository. CDK Analytics Metadata Updater failed due to a recent change #33525. We will work on the fix after the release and will not block this release PR due to this issue as there's a recent PR to update the enums config already.
See CHANGELOG