chore(release): 2.116.0 #28456
Merged
chore(release): 2.116.0 #28456
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The init-go canary was broken because the test replaced the aws-cdk go module with a locally build version. However in canaries we want to use the publish versioned instead. This change simply makes the replacement conditional. Manually tested in CodeBuild. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
If using CodePipeline EcsDeployAction without using the CODE_DEPLOY deployment controller, future deployments of an ECS service will revert the task definition to the task definition deployed by CloudFormation, even though the latest active revision created by the deploy action is the one that is intended to be used. This provides a way to specify the specific revision of a task definition that should be used, including the special value `latest` which uses the latest ACTIVE revision. Closes #26983. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR supports Aurora MySQL 3.05.1. https://docs.aws.amazon.com/AmazonRDS/latest/AuroraMySQLReleaseNotes/AuroraMySQL.Updates.3051.html ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ndlers (#28373) Add dependency from from **@aws-cdk/custom-resource-handlers** to **@aws-cdk/aws-amplify-alpha** as part of effort to standardize custom resource creation and bundling of source code. Verified addition with `yarn install` and `yarn test`. Closes #28289. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Allows to set hourly rotation up to 4 hours on secrets as per [official docs](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_managed.html). Closes #28261. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Adds support for Map's [`ItemProcessor`](https://docs.aws.amazon.com/step-functions/latest/dg/use-dist-map-orchestrate-large-scale-parallel-workloads.html#distitemprocessor) required field and deprecates [`Iterator`](https://docs.aws.amazon.com/step-functions/latest/dg/concepts-asl-use-map-state-inline.html#iterator). Closes #27878. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
When multiple bucket notifications are created it creates a race condition where only the last one processed gets applied. All bucket notifications created in a stack are given the same `stackId` prefix. This prefix is then used to filter out the notification created by the custom resource. If there are other notifications created in the same stack, but not by this custom resource, they get filtered out. This PR fixes that by filtering the notifications by the specific notification id. This ensures that only the notifications created by the individual custom resource are filter out and the rest (included those created by other custom resources) are marked external. Note - I had to refactor some of the function code to make it fit the inline size limit. This should probably be rewritten in typescript... ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The following PR adds validation for the case when `allowAllOutbound` and `securityGroups` are specified at the same time in `FunctionOptions`. #26528 (#27157) According to related issues and discussions, this PR causes existing Lambda deployments to fail. However, since this change has already been merged and I think it is the correct change, I did not fix the validation process but added documentation to clarify the behavior. Relates to #28170, #27669 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR adds support for configuring flexible time windows. ## Description Currently, users cannot configure the `flexibleTimeWindow` feature in the Scheduler construct. This feature enhances flexibility and reliability, allowing tasks to be invoked within a defined time window. https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-schedule-flexible-time-windows.html CloudFormation allows users to take advantage of this feature as follows. With this template, it will invokes the target within 10 minutes after the scheduled time. ```yaml Resources: Schedule: Type: AWS::Scheduler::Schedule Properties: FlexibleTimeWindow: Mode: "FLEXIBLE" # or "OFF" MaximumWindowInMinutes: 10 # between 1 and 1440 Name: "sample-schedule" ScheduleExpression: "cron(0 9 * * ? *)" State: "ENABLED" Target: Arn: hoge RoleArn: hoge ``` ## Changes ### add Enum indicating flexible time window mode Currently there are only two modes, FLEXIBLE and OFF, so there is no problem using boolean instead of enum. But I think it's better to use Enum to prepare for future expansion. https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-scheduler-schedule-flexibletimewindow.html ### add property to `ScheduleProps` interface `flexibleTimeWindowMode` property defaults to `OFF` to avoid a breaking change. ```ts interface ScheduleProps { // .... /** * Determines whether the schedule is invoked within a flexible time window. * * @see https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-schedule-flexible-time-windows.html * * @default - FlexibleTimeWindowMode.OFF */ readonly flexibleTimeWindowMode?: FlexibleTimeWindowMode; /** * The maximum time window during which the schedule can be invoked. * * @default - Required if flexibleTimeWindowMode is FLEXIBLE. */ readonly maximumWindowInMinutes?: Duration; } ``` ### set the added property to `CfnSchedule` construct Basically, just set the values as documented, but with the following validations. - If `flexibleTimeWindowMode` is `FLEXIBLE` - `maximumWindowInMinutes` must be specified - `maximumWindowInMinutes` must be set from 1 to 1440 minutes https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-scheduler-schedule-flexibletimewindow.html In addition, I added some unit tests and integ-tests. ### others - fixed typo in README - `customizeable` => `customizable` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Add IPv6 support for VPC to the roadmap. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR introduces an internal handler framework used to code generate constructs that extend a lambda `Function`, lambda `SingletonFunction`, or core `CustomResourceProvider` construct and prohibit the user from directly configuring the `handler`, `runtime`, `code`, and `codeDirectory` properties. In doing this, we are able to establish best practices, runtime enforcement, and consistency across all handlers we build and vend within the aws-cdk. As expected, no integ tests were changed as a result of this PR. To verify that the code generated custom resource providers are working correctly I force ran three integ tests all targeted at an individual custom resource provider: 1. integ.global.ts to test replica provider and the code generated construct extending `Function` 2. integ.bucket-auto-delete-objects.ts to test auto delete objects provider and the code generated construct extending `CustomResourceProvider` 3. integ.aws-api.ts to test aws api provider and the code generated construct `SingletonFunction` All of these integ tests passed successfully. Closes #27303 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…for role (#28403) This test case is flagged up by automated security tooling. There is no actual risk since this is a test stack that is only short-lived and the permissions for the role only allow consuming messages from a queue that doesn't hold any data. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3 to 4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/download-artifact/releases">actions/download-artifact's releases</a>.</em></p> <blockquote> <h2>v4.0.0</h2> <h2>What's Changed</h2> <p>The release of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements.</p> <p>For more information, see the <a href="https://github.com/actions/toolkit/tree/main/packages/artifact"><code>@actions/artifact</code></a> documentation.</p> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/bflad"><code>@bflad</code></a> made their first contribution in <a href="https://github.com/actions/download-artifact/pull/194">actions/download-artifact#194</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/download-artifact/compare/v3...v4.0.0">https://github.com/actions/download-artifact/compare/v3...v4.0.0</a></p> <h2>v3.0.2</h2> <ul> <li>Bump <code>@actions/artifact</code> to v1.1.1 - <a href="https://github.com/actions/download-artifact/pull/195">actions/download-artifact#195</a></li> <li>Fixed a bug in Node16 where if an HTTP download finished too quickly (<1ms, e.g. when it's mocked) we attempt to delete a temp file that has not been created yet <a href="hhttps://github.com/actions/toolkit/pull/1278">actions/toolkit#1278</a></li> </ul> <h2>v3.0.1</h2> <ul> <li><a href="https://github.com/actions/download-artifact/pull/178">Bump <code>@actions/core</code> to 1.10.0</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/download-artifact/commit/7a1cd3216ca9260cd8022db641d960b1db4d1be4"><code>7a1cd32</code></a> Merge pull request <a href="https://github.com/actions/download-artifact/issues/246">#246</a> from actions/v4-beta</li> <li><a href="https://github.com/actions/download-artifact/commit/8f32874a49903ea488c5e7d476a9173e8706f409"><code>8f32874</code></a> licensed cache</li> <li><a href="https://github.com/actions/download-artifact/commit/b5ff8444b1c4fcec8131f3cb1ddade813ddfacb1"><code>b5ff844</code></a> Merge pull request <a href="https://github.com/actions/download-artifact/issues/245">#245</a> from actions/robherley/v4-documentation</li> <li><a href="https://github.com/actions/download-artifact/commit/f07a0f73f51b3f1d41667c782c821b9667da9d19"><code>f07a0f7</code></a> Update README.md</li> <li><a href="https://github.com/actions/download-artifact/commit/7226129829bb686fdff47bd63bbd0d1373993a84"><code>7226129</code></a> update test workflow to use different artifact names for matrix</li> <li><a href="https://github.com/actions/download-artifact/commit/ada9446619b84dd8a557aaaec3b79b58c4986cdf"><code>ada9446</code></a> update docs and bump <code>@actions/artifact</code></li> <li><a href="https://github.com/actions/download-artifact/commit/7eafc8b729ba790ce8f2cee54be8ad6257af4c7c"><code>7eafc8b</code></a> Merge pull request <a href="https://github.com/actions/download-artifact/issues/244">#244</a> from actions/robherley/bump-toolkit</li> <li><a href="https://github.com/actions/download-artifact/commit/3132d12662b5915f20cdbf449465896962101abf"><code>3132d12</code></a> consume latest toolkit</li> <li><a href="https://github.com/actions/download-artifact/commit/5be1d3867182a382bc59f2775e002595f487aa88"><code>5be1d38</code></a> Merge pull request <a href="https://github.com/actions/download-artifact/issues/243">#243</a> from actions/robherley/v4-beta-updates</li> <li><a href="https://github.com/actions/download-artifact/commit/465b526e63559575a64716cdbb755bc78dfb263b"><code>465b526</code></a> consume latest <code>@actions/toolkit</code></li> <li>Additional commits viewable in <a href="https://github.com/actions/download-artifact/compare/v3...v4">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's releases</a>.</em></p> <blockquote> <h2>v4.0.0</h2> <h2>What's Changed</h2> <p>The release of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements.</p> <p>For more information, see the <a href="https://github.com/actions/toolkit/tree/main/packages/artifact"><code>@actions/artifact</code></a> documentation.</p> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/vmjoseph"><code>@vmjoseph</code></a> made their first contribution in <a href="https://github.com/actions/upload-artifact/pull/464">actions/upload-artifact#464</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v3...v4.0.0">https://github.com/actions/upload-artifact/compare/v3...v4.0.0</a></p> <h2>v3.1.3</h2> <h2>What's Changed</h2> <ul> <li>chore(github): remove trailing whitespaces by <a href="https://github.com/ljmf00"><code>@ljmf00</code></a> in <a href="https://github.com/actions/upload-artifact/pull/313">actions/upload-artifact#313</a></li> <li>Bump <code>@actions/artifact</code> version to v1.1.2 by <a href="https://github.com/bethanyj28"><code>@bethanyj28</code></a> in <a href="https://github.com/actions/upload-artifact/pull/436">actions/upload-artifact#436</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v3...v3.1.3">https://github.com/actions/upload-artifact/compare/v3...v3.1.3</a></p> <h2>v3.1.2</h2> <ul> <li>Update all <code>@actions/*</code> NPM packages to their latest versions- <a href="https://github.com/actions/upload-artifact/issues/374">#374</a></li> <li>Update all dev dependencies to their most recent versions - <a href="https://github.com/actions/upload-artifact/issues/375">#375</a></li> </ul> <h2>v3.1.1</h2> <ul> <li>Update actions/core package to latest version to remove <code>set-output</code> deprecation warning <a href="https://github.com/actions/upload-artifact/issues/351">#351</a></li> </ul> <h2>v3.1.0</h2> <h2>What's Changed</h2> <ul> <li>Bump <code>@actions/artifact</code> to v1.1.0 (<a href="https://github.com/actions/upload-artifact/pull/327">actions/upload-artifact#327</a>) <ul> <li>Adds checksum headers on artifact upload (<a href="https://github.com/actions/toolkit/pull/1095">actions/toolkit#1095</a>) (<a href="https://github.com/actions/toolkit/pull/1063">actions/toolkit#1063</a>)</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/upload-artifact/commit/c7d193f32edcb7bfad88892161225aeda64e9392"><code>c7d193f</code></a> Merge pull request <a href="https://github.com/actions/upload-artifact/issues/466">#466</a> from actions/v4-beta</li> <li><a href="https://github.com/actions/upload-artifact/commit/13131bb095770b4070a7477c3cd2d96e1c16d9f4"><code>13131bb</code></a> licensed cache</li> <li><a href="https://github.com/actions/upload-artifact/commit/4a6c273b9834f66a1d05c170dc3f80f9cdb9def1"><code>4a6c273</code></a> Merge branch 'main' into v4-beta</li> <li><a href="https://github.com/actions/upload-artifact/commit/f391bb91a3d3118aeca171c365bb319ece276b37"><code>f391bb9</code></a> Merge pull request <a href="https://github.com/actions/upload-artifact/issues/465">#465</a> from actions/robherley/v4-documentation</li> <li><a href="https://github.com/actions/upload-artifact/commit/9653d03c4b74c32144e02dae644fea70e079d4b3"><code>9653d03</code></a> Apply suggestions from code review</li> <li><a href="https://github.com/actions/upload-artifact/commit/875b63076402f25ef9d52c294c86ba4f97810575"><code>875b630</code></a> add limitations section</li> <li><a href="https://github.com/actions/upload-artifact/commit/ecb21463e93740a6be75c3116242169bfdbcb15a"><code>ecb2146</code></a> add compression example</li> <li><a href="https://github.com/actions/upload-artifact/commit/5e7604f84a055838f64ed68bb9904751523081ae"><code>5e7604f</code></a> trim some repeated info</li> <li><a href="https://github.com/actions/upload-artifact/commit/d6437d07581fe318a364512e6cf6b1dca6b4f92c"><code>d6437d0</code></a> naming</li> <li><a href="https://github.com/actions/upload-artifact/commit/1b561557037b4957d7d184e9aac02bec86c771eb"><code>1b56155</code></a> s/v4-beta/v4/g</li> <li>Additional commits viewable in <a href="https://github.com/actions/upload-artifact/compare/v3...v4">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
Update AWS Service Spec packages to latest versions **@aws-cdk/aws-service-spec changes:** ``` ├[~] service aws-applicationautoscaling │ └ resources │ └[~] resource AWS::ApplicationAutoScaling::ScalingPolicy │ ├ attributes │ │ └ Arn: (documentation changed) │ └ types │ ├[~] type TargetTrackingMetric │ │ ├ - documentation: Represents a specific metric. │ │ │ + documentation: Represents a specific metric for a target tracking scaling policy for Application Auto Scaling. │ │ │ Metric is a property of the [AWS::ApplicationAutoScaling::ScalingPolicy TargetTrackingMetricStat](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-applicationautoscaling-scalingpolicy-targettrackingmetricstat.html) property type. │ │ └ properties │ │ ├ Dimensions: (documentation changed) │ │ └ Namespace: (documentation changed) │ ├[~] type TargetTrackingMetricDataQuery │ │ ├ - documentation: The metric data to return. Also defines whether this call is returning data for one metric only, or whether it is performing a math expression on the values of returned metric statistics to create a new time series. A time series is a series of data points, each of which is associated with a timestamp. │ │ │ + documentation: The metric data to return. Also defines whether this call is returning data for one metric only, or whether it is performing a math expression on the values of returned metric statistics to create a new time series. A time series is a series of data points, each of which is associated with a timestamp. │ │ │ You can call for a single metric or perform math expressions on multiple metrics. Any expressions used in a metric specification must eventually return a single time series. │ │ │ For more information and examples, see [Create a target tracking scaling policy for Application Auto Scaling using metric math](https://docs.aws.amazon.com/autoscaling/application/userguide/application-auto-scaling-target-tracking-metric-math.html) in the *Application Auto Scaling User Guide* . │ │ │ `TargetTrackingMetricDataQuery` is a property of the [AWS::ApplicationAutoScaling::ScalingPolicy CustomizedMetricSpecification](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-applicationautoscaling-scalingpolicy-customizedmetricspecification.html) property type. │ │ └ properties │ │ ├ Expression: (documentation changed) │ │ ├ Id: (documentation changed) │ │ ├ MetricStat: (documentation changed) │ │ └ ReturnData: (documentation changed) │ ├[~] type TargetTrackingMetricDimension │ │ └ - documentation: Describes the dimension of a metric. │ │ + documentation: `TargetTrackingMetricDimension` specifies a name/value pair that is part of the identity of a CloudWatch metric for the `Dimensions` property of the [AWS::ApplicationAutoScaling::ScalingPolicy TargetTrackingMetric](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-applicationautoscaling-scalingpolicy-targettrackingmetric.html) property type. Duplicate dimensions are not allowed. │ └[~] type TargetTrackingMetricStat │ ├ - documentation: This structure defines the CloudWatch metric to return, along with the statistic, period, and unit. │ │ + documentation: This structure defines the CloudWatch metric to return, along with the statistic, period, and unit. │ │ `TargetTrackingMetricStat` is a property of the [AWS::ApplicationAutoScaling::ScalingPolicy TargetTrackingMetricDataQuery](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-applicationautoscaling-scalingpolicy-targettrackingmetricdataquery.html) property type. │ │ For more information about the CloudWatch terminology below, see [Amazon CloudWatch concepts](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html) in the *Amazon CloudWatch User Guide* . │ └ properties │ ├ Metric: (documentation changed) │ ├ Stat: (documentation changed) │ └ Unit: (documentation changed) ├[~] service aws-appsync │ └ resources │ ├[~] resource AWS::AppSync::DataSource │ │ └ attributes │ │ └ Id: (documentation changed) │ ├[~] resource AWS::AppSync::GraphQLApi │ │ └ attributes │ │ ├[+] GraphQLEndpointArn: string │ │ └ Id: (documentation changed) │ └[~] resource AWS::AppSync::GraphQLSchema │ └ attributes │ └ Id: (documentation changed) ├[+] service aws-b2bi │ ├ capitalized: B2BI │ │ cloudFormationNamespace: AWS::B2BI │ │ name: aws-b2bi │ │ shortName: b2bi │ └ resources │ ├resource AWS::B2BI::Capability │ │├ name: Capability │ ││ cloudFormationType: AWS::B2BI::Capability │ ││ documentation: Definition of AWS::B2BI::Capability Resource Type │ ││ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │├ properties │ ││ ├Configuration: CapabilityConfiguration (required) │ ││ ├InstructionsDocuments: Array<S3Location> │ ││ ├Name: string (required) │ ││ ├Tags: Array<tag> │ ││ └Type: string (required, immutable) │ │├ attributes │ ││ ├CapabilityArn: string │ ││ ├CapabilityId: string │ ││ ├CreatedAt: string │ ││ └ModifiedAt: string │ │└ types │ │ ├type CapabilityConfiguration │ │ │├ name: CapabilityConfiguration │ │ │└ properties │ │ │ └Edi: EdiConfiguration (required) │ │ ├type EdiConfiguration │ │ │├ name: EdiConfiguration │ │ │└ properties │ │ │ ├Type: EdiType (required) │ │ │ ├InputLocation: S3Location (required) │ │ │ ├OutputLocation: S3Location (required) │ │ │ └TransformerId: string (required) │ │ ├type EdiType │ │ │├ name: EdiType │ │ │└ properties │ │ │ └X12Details: X12Details (required) │ │ ├type X12Details │ │ │├ name: X12Details │ │ │└ properties │ │ │ ├TransactionSet: string │ │ │ └Version: string │ │ └type S3Location │ │ ├ name: S3Location │ │ └ properties │ │ ├BucketName: string │ │ └Key: string │ ├resource AWS::B2BI::Partnership │ │├ name: Partnership │ ││ cloudFormationType: AWS::B2BI::Partnership │ ││ documentation: Definition of AWS::B2BI::Partnership Resource Type │ ││ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │├ properties │ ││ ├Capabilities: Array<string> │ ││ ├Email: string (required, immutable) │ ││ ├Name: string (required) │ ││ ├Phone: string (immutable) │ ││ ├ProfileId: string (required, immutable) │ ││ └Tags: Array<tag> │ │└ attributes │ │ ├CreatedAt: string │ │ ├ModifiedAt: string │ │ ├PartnershipArn: string │ │ ├PartnershipId: string │ │ └TradingPartnerId: string │ ├resource AWS::B2BI::Profile │ │├ name: Profile │ ││ cloudFormationType: AWS::B2BI::Profile │ ││ documentation: Definition of AWS::B2BI::Profile Resource Type │ ││ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │├ properties │ ││ ├BusinessName: string (required) │ ││ ├Email: string │ ││ ├Logging: string (required, immutable) │ ││ ├Name: string (required) │ ││ ├Phone: string (required) │ ││ └Tags: Array<tag> │ │└ attributes │ │ ├CreatedAt: string │ │ ├LogGroupName: string │ │ ├ModifiedAt: string │ │ ├ProfileArn: string │ │ └ProfileId: string │ └resource AWS::B2BI::Transformer │ ├ name: Transformer │ │ cloudFormationType: AWS::B2BI::Transformer │ │ documentation: Definition of AWS::B2BI::Transformer Resource Type │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ ├ properties │ │ ├EdiType: EdiType (required) │ │ ├FileFormat: string (required) │ │ ├MappingTemplate: string (required) │ │ ├ModifiedAt: string │ │ ├Name: string (required) │ │ ├SampleDocument: string │ │ ├Status: string (required) │ │ └Tags: Array<tag> │ ├ attributes │ │ ├CreatedAt: string │ │ ├TransformerArn: string │ │ └TransformerId: string │ └ types │ ├type EdiType │ │├ name: EdiType │ │└ properties │ │ └X12Details: X12Details (required) │ └type X12Details │ ├ name: X12Details │ └ properties │ ├TransactionSet: string │ └Version: string ├[~] service aws-cloud9 │ └ resources │ └[~] resource AWS::Cloud9::EnvironmentEC2 │ └ properties │ └ ImageId: - string (immutable) │ + string (required, immutable) ├[~] service aws-cloudfront │ └ resources │ └[+] resource AWS::CloudFront::KeyValueStore │ ├ name: KeyValueStore │ │ cloudFormationType: AWS::CloudFront::KeyValueStore │ │ documentation: The Key Value Store. Use this to separate data from function code, allowing you to update data without having to publish a new version of a function. The Key Value Store holds keys and their corresponding values. │ ├ properties │ │ ├Name: string (required, immutable) │ │ ├Comment: string │ │ └ImportSource: ImportSource │ ├ attributes │ │ ├Arn: string │ │ ├Id: string │ │ └Status: string │ └ types │ └type ImportSource │ ├ documentation: The import source for the Key Value Store. │ │ name: ImportSource │ └ properties │ ├SourceType: string (required) │ └SourceArn: string (required) ├[~] service aws-cloudtrail │ └ resources │ ├[~] resource AWS::CloudTrail::EventDataStore │ │ ├ properties │ │ │ ├ FederationEnabled: (documentation changed) │ │ │ └ FederationRoleArn: (documentation changed) │ │ └ types │ │ └[~] type AdvancedFieldSelector │ │ └ properties │ │ └ Field: (documentation changed) │ └[~] resource AWS::CloudTrail::Trail │ └ types │ ├[~] type AdvancedFieldSelector │ │ └ properties │ │ └ Field: (documentation changed) │ └[~] type DataResource │ └ properties │ └ Type: (documentation changed) ├[~] service aws-cloudwatch │ └ resources │ └[~] resource AWS::CloudWatch::MetricStream │ └ properties │ ├ OutputFormat: (documentation changed) │ └ StatisticsConfigurations: (documentation changed) ├[~] service aws-codedeploy │ └ resources │ ├[~] resource AWS::CodeDeploy::DeploymentConfig │ │ ├ properties │ │ │ └ ZonalConfig: (documentation changed) │ │ └ types │ │ ├[~] type MinimumHealthyHostsPerZone │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: Information about the minimum number of healthy instances per Availability Zone. │ │ │ └ properties │ │ │ ├ Type: (documentation changed) │ │ │ └ Value: (documentation changed) │ │ └[~] type ZonalConfig │ │ ├ - documentation: undefined │ │ │ + documentation: Configure the `ZonalConfig` object if you want AWS CodeDeploy to deploy your application to one [Availability Zone](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones) at a time, within an AWS Region. By deploying to one Availability Zone at a time, you can expose your deployment to a progressively larger audience as confidence in the deployment's performance and viability grows. If you don't configure the `ZonalConfig` object, CodeDeploy deploys your application to a random selection of hosts across a Region. │ │ │ For more information about the zonal configuration feature, see [zonal configuration](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-configurations-create.html#zonal-config) in the *CodeDeploy User Guide* . │ │ └ properties │ │ ├ FirstZoneMonitorDurationInSeconds: (documentation changed) │ │ ├ MinimumHealthyHostsPerZone: (documentation changed) │ │ └ MonitorDurationInSeconds: (documentation changed) │ └[~] resource AWS::CodeDeploy::DeploymentGroup │ └ properties │ └[+] TerminationHookEnabled: boolean ├[~] service aws-codepipeline │ └ resources │ └[~] resource AWS::CodePipeline::Pipeline │ ├ properties │ │ ├[+] PipelineType: string │ │ ├[+] Triggers: Array<PipelineTriggerDeclaration> │ │ └[+] Variables: Array<VariableDeclaration> │ └ types │ ├[+] type GitConfiguration │ │ ├ documentation: A type of trigger configuration for Git-based source actions. │ │ │ > You can specify the Git configuration trigger type for all third-party Git-based source actions that are supported by the `CodeStarSourceConnection` action type. │ │ │ name: GitConfiguration │ │ └ properties │ │ ├Push: Array<GitPushFilter> │ │ └SourceActionName: string (required) │ ├[+] type GitPushFilter │ │ ├ documentation: The event criteria that specify when a specified repository event will start the pipeline for the specified trigger configuration, such as the lists of Git tags to include and exclude. │ │ │ name: GitPushFilter │ │ └ properties │ │ └Tags: GitTagFilterCriteria │ ├[+] type GitTagFilterCriteria │ │ ├ documentation: The Git tags specified as filter criteria for whether a Git tag repository event will start the pipeline. │ │ │ name: GitTagFilterCriteria │ │ └ properties │ │ ├Includes: Array<string> │ │ └Excludes: Array<string> │ ├[+] type PipelineTriggerDeclaration │ │ ├ documentation: Represents information about the specified trigger configuration, such as the filter criteria and the source stage for the action that contains the trigger. │ │ │ > This is only supported for the `CodeStarSourceConnection` action type. > When a trigger configuration is specified, default change detection for repository and branch commits is disabled. │ │ │ name: PipelineTriggerDeclaration │ │ └ properties │ │ ├GitConfiguration: GitConfiguration │ │ └ProviderType: string (required) │ └[+] type VariableDeclaration │ ├ documentation: A variable declared at the pipeline level. │ │ name: VariableDeclaration │ └ properties │ ├DefaultValue: string │ ├Description: string │ └Name: string (required) ├[~] service aws-cognito │ └ resources │ ├[~] resource AWS::Cognito::UserPool │ │ └ attributes │ │ └ UserPoolId: (documentation changed) │ ├[~] resource AWS::Cognito::UserPoolClient │ │ └ properties │ │ └ AllowedOAuthFlows: (documentation changed) │ ├[~] resource AWS::Cognito::UserPoolGroup │ │ └ - documentation: Specifies a new group in the identified user pool. │ │ Calling this action requires developer credentials. │ │ > If you don't specify a value for a parameter, Amazon Cognito sets it to a default value. │ │ + documentation: A user pool group that you can add a user to. │ └[~] resource AWS::Cognito::UserPoolUser │ └ properties │ └ UserAttributes: (documentation changed) ├[~] service aws-config │ └ resources │ └[~] resource AWS::Config::ConfigurationRecorder │ ├ properties │ │ └[+] RecordingMode: RecordingMode │ └ types │ ├[+] type RecordingMode │ │ ├ documentation: Specifies the default recording frequency that AWS Config uses to record configuration changes. AWS Config supports *Continuous recording* and *Daily recording* . │ │ │ - Continuous recording allows you to record configuration changes continuously whenever a change occurs. │ │ │ - Daily recording allows you to receive a configuration item (CI) representing the most recent state of your resources over the last 24-hour period, only if it’s different from the previous CI recorded. │ │ │ > AWS Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous. │ │ │ You can also override the recording frequency for specific resource types. │ │ │ name: RecordingMode │ │ └ properties │ │ ├RecordingModeOverrides: Array<RecordingModeOverride> │ │ └RecordingFrequency: string (required) │ └[+] type RecordingModeOverride │ ├ documentation: An object for you to specify your overrides for the recording mode. │ │ name: RecordingModeOverride │ └ properties │ ├ResourceTypes: Array<string> (required) │ ├RecordingFrequency: string (required) │ └Description: string ├[~] service aws-connect │ └ resources │ ├[~] resource AWS::Connect::Instance │ │ └ properties │ │ └ Tags: (documentation changed) │ ├[~] resource AWS::Connect::InstanceStorageConfig │ │ └ types │ │ └[~] type KinesisVideoStreamConfig │ │ └ properties │ │ └ EncryptionConfig: - EncryptionConfig │ │ + EncryptionConfig (required) │ └[~] resource AWS::Connect::Rule │ └ types │ ├[~] type Actions │ │ └ properties │ │ ├[+] CreateCaseActions: Array<CreateCaseAction> │ │ ├[+] EndAssociatedTaskActions: Array<json> │ │ └[+] UpdateCaseActions: Array<UpdateCaseAction> │ ├[+] type CreateCaseAction │ │ ├ documentation: The definition for create case action. │ │ │ name: CreateCaseAction │ │ └ properties │ │ ├Fields: Array<Field> (required) │ │ └TemplateId: string (required) │ ├[+] type Field │ │ ├ documentation: The field of the case. │ │ │ name: Field │ │ └ properties │ │ ├Id: string (required) │ │ └Value: FieldValue (required) │ ├[+] type FieldValue │ │ ├ documentation: The value of the field. │ │ │ name: FieldValue │ │ └ properties │ │ ├StringValue: string │ │ ├BooleanValue: boolean │ │ ├DoubleValue: number │ │ └EmptyValue: json │ └[+] type UpdateCaseAction │ ├ documentation: The definition for update case action. │ │ name: UpdateCaseAction │ └ properties │ └Fields: Array<Field> (required) ├[~] service aws-controltower │ └ resources │ └[~] resource AWS::ControlTower::LandingZone │ └ properties │ └ Manifest: (documentation changed) ├[~] service aws-datasync │ └ resources │ └[~] resource AWS::DataSync::Task │ └ types │ └[~] type Options │ └ properties │ └ OverwriteMode: (documentation changed) ├[~] service aws-dms │ └ resources │ ├[~] resource AWS::DMS::DataProvider │ │ ├ - documentation: Resource schema for AWS::DMS::DataProvider │ │ │ + documentation: Provides information that defines a data provider. │ │ ├ properties │ │ │ ├ DataProviderIdentifier: (documentation changed) │ │ │ ├ DataProviderName: (documentation changed) │ │ │ ├ Description: (documentation changed) │ │ │ ├ Engine: (documentation changed) │ │ │ └ Settings: (documentation changed) │ │ ├ attributes │ │ │ ├ DataProviderArn: (documentation changed) │ │ │ └ DataProviderCreationTime: (documentation changed) │ │ └ types │ │ └[~] type PostgreSqlSettings │ │ ├ - documentation: undefined │ │ │ + documentation: Provides information that defines a PostgreSQL endpoint. │ │ └ properties │ │ ├ DatabaseName: (documentation changed) │ │ ├ Port: (documentation changed) │ │ └ ServerName: (documentation changed) │ ├[~] resource AWS::DMS::Endpoint │ │ └ types │ │ └[~] type IbmDb2Settings │ │ └ properties │ │ ├[+] KeepCsvFiles: boolean │ │ ├[+] LoadTimeout: integer │ │ ├[+] MaxFileSize: integer │ │ └[+] WriteBufferSize: integer │ ├[~] resource AWS::DMS::InstanceProfile │ │ ├ - documentation: Resource schema for AWS::DMS::InstanceProfile. │ │ │ + documentation: Provides information that defines an instance profile. │ │ ├ properties │ │ │ ├ AvailabilityZone: (documentation changed) │ │ │ ├ Description: (documentation changed) │ │ │ ├ InstanceProfileIdentifier: (documentation changed) │ │ │ ├ InstanceProfileName: (documentation changed) │ │ │ ├ KmsKeyArn: (documentation changed) │ │ │ ├ NetworkType: (documentation changed) │ │ │ ├ PubliclyAccessible: (documentation changed) │ │ │ ├ SubnetGroupIdentifier: (documentation changed) │ │ │ └ VpcSecurityGroups: (documentation changed) │ │ └ attributes │ │ ├ InstanceProfileArn: (documentation changed) │ │ └ InstanceProfileCreationTime: (documentation changed) │ └[~] resource AWS::DMS::MigrationProject │ ├ - documentation: Resource schema for AWS::DMS::MigrationProject │ │ + documentation: Provides information that defines a migration project. │ ├ properties │ │ ├ Description: (documentation changed) │ │ ├ InstanceProfileArn: (documentation changed) │ │ ├ InstanceProfileIdentifier: (documentation changed) │ │ ├ InstanceProfileName: (documentation changed) │ │ ├ MigrationProjectIdentifier: (documentation changed) │ │ ├ MigrationProjectName: (documentation changed) │ │ ├ SchemaConversionApplicationAttributes: (documentation changed) │ │ ├ SourceDataProviderDescriptors: (documentation changed) │ │ ├ TargetDataProviderDescriptors: (documentation changed) │ │ └ TransformationRules: (documentation changed) │ ├ attributes │ │ └ MigrationProjectArn: (documentation changed) │ └ types │ └[~] type DataProviderDescriptor │ ├ - documentation: It is an object that describes Source and Target DataProviders and credentials for connecting to databases that are used in MigrationProject │ │ + documentation: Information about a data provider. │ └ properties │ ├ DataProviderArn: (documentation changed) │ ├ DataProviderName: (documentation changed) │ ├ SecretsManagerAccessRoleArn: (documentation changed) │ └ SecretsManagerSecretId: (documentation changed) ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::EC2Fleet │ │ └ types │ │ └[~] type TargetCapacitySpecificationRequest │ │ └ properties │ │ ├ DefaultTargetCapacityType: (documentation changed) │ │ ├ TargetCapacityUnitType: (documentation changed) │ │ └ TotalTargetCapacity: (documentation changed) │ ├[~] resource AWS::EC2::Instance │ │ ├ properties │ │ │ ├ SsmAssociations: (documentation changed) │ │ │ └ UserData: (documentation changed) │ │ ├ attributes │ │ │ └[+] InstanceId: string │ │ └ types │ │ └[~] type NetworkInterface │ │ └ properties │ │ └ AssociatePublicIpAddress: (documentation changed) │ ├[~] resource AWS::EC2::LaunchTemplate │ │ └ types │ │ ├[~] type MetadataOptions │ │ │ └ properties │ │ │ └ HttpTokens: (documentation changed) │ │ └[~] type NetworkInterface │ │ └ properties │ │ └ AssociatePublicIpAddress: (documentation changed) │ ├[~] resource AWS::EC2::Route │ │ └ properties │ │ └[+] CoreNetworkArn: string │ ├[~] resource AWS::EC2::SecurityGroupEgress │ │ └ attributes │ │ └ Id: (documentation changed) │ ├[+] resource AWS::EC2::SnapshotBlockPublicAccess │ │ ├ name: SnapshotBlockPublicAccess │ │ │ cloudFormationType: AWS::EC2::SnapshotBlockPublicAccess │ │ │ documentation: Specifies the state of the *block public access for snapshots* setting for the Region. For more information, see [Block public access for snapshots](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-public-access-snapshots.html) . │ │ ├ properties │ │ │ └State: string (required) │ │ └ attributes │ │ └AccountId: string │ ├[~] resource AWS::EC2::SpotFleet │ │ └ types │ │ ├[~] type InstanceNetworkInterfaceSpecification │ │ │ └ properties │ │ │ └ AssociatePublicIpAddress: (documentation changed) │ │ └[~] type SpotFleetRequestConfigData │ │ └ properties │ │ └ TargetCapacityUnitType: (documentation changed) │ └[~] resource AWS::EC2::Subnet │ └ properties │ └ MapPublicIpOnLaunch: (documentation changed) ├[~] service aws-elasticache │ └ resources │ └[~] resource AWS::ElastiCache::ServerlessCache │ ├ properties │ │ ├[+] Endpoint: Endpoint │ │ └[+] ReaderEndpoint: Endpoint │ └ attributes │ ├[-] Endpoint: Endpoint │ ├[+] Endpoint.Address: string │ ├[+] Endpoint.Port: integer │ ├[-] ReaderEndpoint: Endpoint │ ├[+] ReaderEndpoint.Address: string │ └[+] ReaderEndpoint.Port: integer ├[~] service aws-emr │ └ resources │ ├[~] resource AWS::EMR::Cluster │ │ ├ properties │ │ │ ├[+] EbsRootVolumeIops: integer (immutable) │ │ │ ├[+] EbsRootVolumeThroughput: integer (immutable) │ │ │ └[+] PlacementGroupConfigs: Array<PlacementGroupConfig> (immutable) │ │ └ types │ │ └[+] type PlacementGroupConfig │ │ ├ name: PlacementGroupConfig │ │ └ properties │ │ ├InstanceRole: string (required) │ │ └PlacementStrategy: string │ └[~] resource AWS::EMR::Studio │ └ properties │ ├ EncryptionKeyArn: (documentation changed) │ ├ IdcInstanceArn: (documentation changed) │ ├ IdcUserAssignment: (documentation changed) │ └ TrustedIdentityPropagationEnabled: (documentation changed) ├[~] service aws-eventschemas │ └ resources │ ├[~] resource AWS::EventSchemas::Registry │ │ └ attributes │ │ └[-] Id: string │ └[~] resource AWS::EventSchemas::Schema │ └ attributes │ ├[-] Id: string │ ├[+] LastModified: string │ └[+] VersionCreatedDate: string ├[~] service aws-fis │ └ resources │ ├[~] resource AWS::FIS::ExperimentTemplate │ │ ├ - documentation: Describes an experiment template. │ │ │ + documentation: Specifies an experiment template. │ │ │ An experiment template includes the following components: │ │ │ - *Targets* : A target can be a specific resource in your AWS environment, or one or more resources that match criteria that you specify, for example, resources that have specific tags. │ │ │ - *Actions* : The actions to carry out on the target. You can specify multiple actions, the duration of each action, and when to start each action during an experiment. │ │ │ - *Stop conditions* : If a stop condition is triggered while an experiment is running, the experiment is automatically stopped. You can define a stop condition as a CloudWatch alarm. │ │ │ For more information, see [Experiment templates](https://docs.aws.amazon.com/fis/latest/userguide/experiment-templates.html) in the *AWS Fault Injection Service User Guide* . │ │ └ types │ │ ├[~] type ExperimentTemplateAction │ │ │ └ - documentation: Describes an action for an experiment template. │ │ │ + documentation: Specifies an action for an experiment template. │ │ │ For more information, see [Actions](https://docs.aws.amazon.com/fis/latest/userguide/actions.html) in the *AWS Fault Injection Service User Guide* . │ │ ├[~] type ExperimentTemplateLogConfiguration │ │ │ ├ - documentation: Describes the configuration for experiment logging. │ │ │ │ + documentation: Specifies the configuration for experiment logging. │ │ │ │ For more information, see [Experiment logging](https://docs.aws.amazon.com/fis/latest/userguide/monitoring-logging.html) in the *AWS Fault Injection Service User Guide* . │ │ │ └ properties │ │ │ ├ CloudWatchLogsConfiguration: (documentation changed) │ │ │ └ S3Configuration: (documentation changed) │ │ ├[~] type ExperimentTemplateStopCondition │ │ │ └ - documentation: Describes a stop condition for an experiment template. │ │ │ + documentation: Specifies a stop condition for an experiment template. │ │ │ For more information, see [Stop conditions](https://docs.aws.amazon.com/fis/latest/userguide/stop-conditions.html) in the *AWS Fault Injection Service User Guide* . │ │ ├[~] type ExperimentTemplateTarget │ │ │ ├ - documentation: Describes a target for an experiment template. │ │ │ │ + documentation: Specifies a target for an experiment. You must specify at least one Amazon Resource Name (ARN) or at least one resource tag. You cannot specify both ARNs and tags. │ │ │ │ For more information, see [Targets](https://docs.aws.amazon.com/fis/latest/userguide/targets.html) in the *AWS Fault Injection Service User Guide* . │ │ │ └ properties │ │ │ └ Parameters: (documentation changed) │ │ └[~] type ExperimentTemplateTargetFilter │ │ └ - documentation: Describes a filter used for the target resources in an experiment template. │ │ + documentation: Specifies a filter used for the target resource input in an experiment template. │ │ For more information, see [Resource filters](https://docs.aws.amazon.com/fis/latest/userguide/targets.html#target-filters) in the *AWS Fault Injection Service User Guide* . │ └[~] resource AWS::FIS::TargetAccountConfiguration │ └ - documentation: Creates a target account configuration for the experiment template. A target account configuration is required when `accountTargeting` of `experimentOptions` is set to `multi-account` . For more information, see [experiment options](https://docs.aws.amazon.com/fis/latest/userguide/experiment-options.html) in the *AWS Fault Injection Simulator User Guide* . │ + documentation: Creates a target account configuration for the experiment template. A target account configuration is required when `accountTargeting` of `experimentOptions` is set to `multi-account` . For more information, see [experiment options](https://docs.aws.amazon.com/fis/latest/userguide/experiment-options.html) in the *AWS Fault Injection Service User Guide* . ├[~] service aws-gamelift │ └ resources │ └[~] resource AWS::GameLift::Fleet │ └ properties │ └[+] ApplyCapacity: string (immutable) ├[~] service aws-identitystore │ └ resources │ └[~] resource AWS::IdentityStore::GroupMembership │ └ properties │ ├ GroupId: - string (required) │ │ + string (required, immutable) │ └ MemberId: - MemberId (required) │ + MemberId (required, immutable) ├[~] service aws-imagebuilder │ └ resources │ ├[~] resource AWS::ImageBuilder::Component │ │ └ properties │ │ └ ChangeDescription: (documentation changed) │ ├[~] resource AWS::ImageBuilder::ImagePipeline │ │ ├ properties │ │ │ ├[+] ExecutionRole: string │ │ │ └[+] Workflows: Array<WorkflowConfiguration> │ │ └ types │ │ ├[~] type Schedule │ │ │ └ - documentation: A schedule configures how often and when a pipeline will automatically create a new image. │ │ │ + documentation: A schedule configures when and how often a pipeline will automatically create a new image. │ │ ├[+] type WorkflowConfiguration │ │ │ ├ documentation: The workflow configuration of the image │ │ │ │ name: WorkflowConfiguration │ │ │ └ properties │ │ │ ├WorkflowArn: string │ │ │ ├Parameters: Array<WorkflowParameter> │ │ │ ├ParallelGroup: string │ │ │ └OnFailure: string │ │ └[+] type WorkflowParameter │ │ ├ documentation: A parameter associated with the workflow │ │ │ name: WorkflowParameter │ │ └ properties │ │ ├Name: string │ │ └Value: Array<string> │ ├[~] resource AWS::ImageBuilder::LifecyclePolicy │ │ └ properties │ │ └ ExecutionRole: (documentation changed) │ └[+] resource AWS::ImageBuilder::Workflow │ ├ name: Workflow │ │ cloudFormationType: AWS::ImageBuilder::Workflow │ │ documentation: Resource schema for AWS::ImageBuilder::Workflow │ ├ properties │ │ ├Name: string (required, immutable) │ │ ├Version: string (required, immutable) │ │ ├Description: string (immutable) │ │ ├ChangeDescription: string (immutable) │ │ ├Type: string (required, immutable) │ │ ├Data: string (immutable) │ │ ├Uri: string (immutable) │ │ ├KmsKeyId: string (immutable) │ │ └Tags: Map<string, string> (immutable) │ └ attributes │ └Arn: string ├[~] service aws-internetmonitor │ └ resources │ └[~] resource AWS::InternetMonitor::Monitor │ └ types │ ├[~] type InternetMeasurementsLogDelivery │ │ └ properties │ │ └ S3Config: (documentation changed) │ └[~] type S3Config │ ├ - documentation: The configuration for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` or `DISABLED` , depending on whether you choose to deliver internet measurements to S3 logs. │ │ + documentation: The configuration for publishing Amazon CloudWatch Internet Monitor internet measurements to Amazon S3. The configuration includes the bucket name and (optionally) bucket prefix for the S3 bucket to store the measurements, and the delivery status. The delivery status is `ENABLED` if you choose to deliver internet measurements to S3 logs, and `DISABLED` otherwise. │ │ The measurements are also published to Amazon CloudWatch Logs. │ └ properties │ ├ BucketName: (documentation changed) │ ├ BucketPrefix: (documentation changed) │ └ LogDeliveryStatus: (documentation changed) ├[~] service aws-iot │ └ resources │ ├[~] resource AWS::IoT::SoftwarePackage │ │ └ properties │ │ ├ Description: (documentation changed) │ │ ├ PackageName: (documentation changed) │ │ └ Tags: (documentation changed) │ └[~] resource AWS::IoT::SoftwarePackageVersion │ └ properties │ ├ Attributes: (documentation changed) │ ├ Description: (documentation changed) │ ├ PackageName: (documentation changed) │ ├ Tags: (documentation changed) │ └ VersionName: (documentation changed) ├[~] service aws-iottwinmaker │ └ resources │ ├[~] resource AWS::IoTTwinMaker::ComponentType │ │ ├ properties │ │ │ └ CompositeComponentTypes: (documentation changed) │ │ └ types │ │ ├[~] type CompositeComponentType │ │ │ ├ - documentation: An object that sets information about a composite component type. │ │ │ │ + documentation: Specifies the ID of the composite component type. │ │ │ └ properties │ │ │ └ ComponentTypeId: (documentation changed) │ │ └[~] type PropertyDefinition │ │ └ properties │ │ └ IsExternalId: (documentation changed) │ └[~] resource AWS::IoTTwinMaker::Entity │ ├ properties │ │ ├ CompositeComponents: (documentation changed) │ │ └ WorkspaceId: (documentation changed) │ └ types │ └[~] type CompositeComponent │ ├ - documentation: undefined │ │ + documentation: Information about a composite component. │ └ properties │ ├ ComponentPath: (documentation changed) │ ├ ComponentTypeId: (documentation changed) │ ├ Description: (documentation changed) │ ├ Properties: (documentation changed) │ ├ PropertyGroups: (documentation changed) │ └ Status: (documentation changed) ├[~] service aws-lambda │ └ resources │ └[~] resource AWS::Lambda::EventInvokeConfig │ └ attributes │ └[-] Id: string ├[~] service aws-logs │ └ resources │ ├[~] resource AWS::Logs::DeliveryDestination │ │ └ - documentation: This structure contains information about one *delivery destination* in your account. A delivery destination is an AWS resource that represents an AWS service that logs can be sent to. CloudWatch Logs, Amazon S3, are supported as Kinesis Data Firehose delivery destinations. │ │ To configure logs delivery between a supported AWS service and a destination, you must do the following: │ │ - Create a delivery source, which is a logical object that represents the resource that is actually sending the logs. For more information, see [PutDeliverySource](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html) . │ │ - Create a *delivery destination* , which is a logical object that represents the actual delivery destination. │ │ - If you are delivering logs cross-account, you must use [PutDeliveryDestinationPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestinationolicy.html) in the destination account to assign an IAM policy to the destination. This policy allows delivery to that destination. │ │ - Create a *delivery* by pairing exactly one delivery source and one delivery destination. For more information, see [CreateDelivery](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateDelivery.html) . │ │ You can configure a single delivery source to send logs to multiple destinations by creating multiple deliveries. You can also create multiple deliveries to configure multiple delivery sources to send logs to the same delivery destination. │ │ + documentation: This structure contains information about one *delivery destination* in your account. A delivery destination is an AWS resource that represents an AWS service that logs can be sent to. CloudWatch Logs, Amazon S3, are supported as Kinesis Data Firehose delivery destinations. │ │ To configure logs delivery between a supported AWS service and a destination, you must do the following: │ │ - Create a delivery source, which is a logical object that represents the resource that is actually sending the logs. For more information, see [PutDeliverySource](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html) . │ │ - Create a *delivery destination* , which is a logical object that represents the actual delivery destination. │ │ - If you are delivering logs cross-account, you must use [PutDeliveryDestinationPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestinationPolicy.html) in the destination account to assign an IAM policy to the destination. This policy allows delivery to that destination. │ │ - Create a *delivery* by pairing exactly one delivery source and one delivery destination. For more information, see [CreateDelivery](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateDelivery.html) . │ │ You can configure a single delivery source to send logs to multiple destinations by creating multiple deliveries. You can also create multiple deliveries to configure multiple delivery sources to send logs to the same delivery destination. │ └[~] resource AWS::Logs::DeliverySource │ ├ - documentation: This structure contains information about one *delivery source* in your account. A delivery source is an AWS resource that sends logs to an AWS destination. The destination can be CloudWatch Logs, Amazon S3, or Kinesis Data Firehose. │ │ Only some AWS services support being configured as a delivery source. These services are listed as *Supported [V2 Permissions]* in the table at [Enabling logging from AWS services.](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html) │ │ To configure logs delivery between a supported AWS service and a destination, you must do the following: │ │ - Create a delivery source, which is a logical object that represents the resource that is actually sending the logs. For more information, see [PutDeliverySource](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html) . │ │ - Create a *delivery destination* , which is a logical object that represents the actual delivery destination. For more information, see [PutDeliveryDestination](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestination.html) . │ │ - If you are delivering logs cross-account, you must use [PutDeliveryDestinationPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestinationolicy.html) in the destination account to assign an IAM policy to the destination. This policy allows delivery to that destination. │ │ - Create a *delivery* by pairing exactly one delivery source and one delivery destination. For more information, see [CreateDelivery](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateDelivery.html) . │ │ You can configure a single delivery source to send logs to multiple destinations by creating multiple deliveries. You can also create multiple deliveries to configure multiple delivery sources to send logs to the same delivery destination. │ │ + documentation: This structure contains information about one *delivery source* in your account. A delivery source is an AWS resource that sends logs to an AWS destination. The destination can be CloudWatch Logs, Amazon S3, or Kinesis Data Firehose. │ │ Only some AWS services support being configured as a delivery source. These services are listed as *Supported [V2 Permissions]* in the table at [Enabling logging from AWS services.](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html) │ │ To configure logs delivery between a supported AWS service and a destination, you must do the following: │ │ - Create a delivery source, which is a logical object that represents the resource that is actually sending the logs. For more information, see [PutDeliverySource](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html) . │ │ - Create a *delivery destination* , which is a logical object that represents the actual delivery destination. For more information, see [PutDeliveryDestination](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestination.html) . │ │ - If you are delivering logs cross-account, you must use [PutDeliveryDestinationPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestinationPolicy.html) in the destination account to assign an IAM policy to the destination. This policy allows delivery to that destination. │ │ - Create a *delivery* by pairing exactly one delivery source and one delivery destination. For more information, see [CreateDelivery](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateDelivery.html) . │ │ You can configure a single delivery source to send logs to multiple destinations by creating multiple deliveries. You can also create multiple deliveries to configure multiple delivery sources to send logs to the same delivery destination. │ └ properties │ └ ResourceArn: (documentation changed) ├[~] service aws-opensearchservice │ └ resources │ └[~] resource AWS::OpenSearchService::Domain │ └ properties │ └ IPAddressType: (documentation changed) ├[~] service aws-organizations │ └ resources │ └[~] resource AWS::Organizations::Policy │ └ properties │ └ Content: (documentation changed) ├[~] service aws-osis │ └ resources │ └[~] resource AWS::OSIS::Pipeline │ ├ properties │ │ ├ BufferOptions: (documentation changed) │ │ └ EncryptionAtRestOptions: (documentation changed) │ └ types │ ├[~] type BufferOptions │ │ └ - documentation: Key-value pairs to configure buffering. │ │ + documentation: Options that specify the configuration of a persistent buffer. To configure how OpenSearch Ingestion encrypts this data, set the EncryptionAtRestOptions. │ └[~] type EncryptionAtRestOptions │ ├ - documentation: Key-value pairs to configure encryption at rest. │ │ + documentation: Options to control how OpenSearch encrypts all data-at-rest. │ └ properties │ └ KmsKeyArn: (documentation changed) ├[~] service aws-route53resolver │ └ resources │ └[~] resource AWS::Route53Resolver::ResolverConfig ├[~] service aws-s3 │ └ resources │ └[~] resource AWS::S3::Bucket │ └ types │ ├[~] type FilterRule │ │ └ - documentation: Specifies the Amazon S3 object key name to filter on and whether to filter on the suffix or prefix of the key name. │ │ + documentation: Specifies the Amazon S3 object key name to filter on. An object key name is the name assigned to an object in your Amazon S3 bucket. You can also specify whether to filter on the suffix or prefix of the object key name. A prefix is a specific string of characters at the beginning of an object key name, which you can use to organize objects. For example, you can start the key names of related objects with a prefix, such as `2023-` or `engineering/` . Then, you can use `FilterRule` to find objects in a bucket with key names that have the same prefix. A suffix is similar to a prefix, but it is at the end of the object key name instead of at the beginning. │ └[~] type ReplicationConfiguration │ └ - documentation: A container for replication rules. You can add up to 1,000 rules. The maximum size of a replication configuration is 2 MB. │ + documentation: A container for replication rules. You can add up to 1,000 rules. The maximum size of a replication configuration is 2 MB. The latest version of the replication configuration XML is V2. For more information about XML V2 replication configurations, see [Replication configuration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-add-config.html) in the *Amazon S3 User Guide* . ├[~] service aws-s3outposts │ └ resources │ ├[~] resource AWS::S3Outposts::Bucket │ │ └ properties │ │ └ OutpostId: (documentation changed) │ └[~] resource AWS::S3Outposts::Endpoint │ └ properties │ └ OutpostId: (documentation changed) ├[~] service aws-sagemaker │ └ resources │ ├[~] resource AWS::SageMaker::Domain │ │ ├ attributes │ │ │ └[+] SingleSignOnApplicationArn: string │ │ └ types │ │ └[~] type CodeEditorAppSettings │ │ └ properties │ │ └[-] CustomImages: Array<CustomImage> │ ├[~] resource AWS::SageMaker::FeatureGroup │ │ └ types │ │ └[~] type OnlineStoreConfig │ │ └ properties │ │ └ StorageType: (documentation changed) │ └[~] resource AWS::SageMaker::UserProfile │ └ types │ └[~] type CodeEditorAppSettings │ └ properties │ └[-] CustomImages: Array<CustomImage> ├[~] service aws-securityhub │ └ resources │ └[~] resource AWS::SecurityHub::Hub │ ├ properties │ │ └ Tags: - json │ │ + Map<string, string> ⇐ json │ └ attributes │ ├[+] ARN: string │ └[+] SubscribedAt: string ├[~] service aws-servicecatalogappregistry │ └ resources │ └[~] resource AWS::ServiceCatalogAppRegistry::Application │ └ attributes │ ├[+] ApplicationName: string │ ├[+] ApplicationTagKey: string │ └[+] ApplicationTagValue: string ├[~] service aws-sns │ └ resources │ ├[~] resource AWS::SNS::Subscription │ │ └ properties │ │ └[+] ReplayPolicy: json │ └[~] resource AWS::SNS::Topic │ ├ properties │ │ └ DeliveryStatusLogging: (documentation changed) │ └ types │ └[~] type LoggingConfig │ ├ - documentation: undefined │ │ + documentation: The `LoggingConfig` property type specifies the `Delivery` status logging configuration for an [`AWS::SNS::Topic`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-topic.html) . │ └ properties │ ├ FailureFeedbackRoleArn: (documentation changed) │ ├ Protocol: (documentation changed) │ ├ SuccessFeedbackRoleArn: (documentation changed) │ └ SuccessFeedbackSampleRate: (documentation changed) ├[~] service aws-ssm │ └ resources │ └[~] resource AWS::SSM::Parameter │ └ properties │ └ Type: (documentation changed) └[~] service aws-transfer └ resources ├[~] resource AWS::Transfer::Server │ ├ properties │ │ └ S3StorageOptions: (documentation changed) │ └ types │ ├[~] type EndpointDetails │ │ └ properties │ │ └ AddressAllocationIds: (documentation changed) │ └[~] type S3StorageOptions │ ├ - documentation: undefined │ │ + documentation: The Amazon S3 storage options that are configured for your server. │ └ properties │ └ DirectoryListingOptimization: (documentation changed) └[~] resource AWS::Transfer::User └ types └[~] type HomeDirectoryMapEntry └ properties └ Type: (documentation changed) ```
…authorizers (#28411) I was using CDK and found just a few small typos, so I submitted this PR... One is a method name, but it should not be a breaking change since it is a private scope. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…to aws-autoscaling (#28396) Closes #28395 Adds the On-Demand `lowest-price` allocation strategy enum for aws-autoscaling. https://docs.aws.amazon.com/autoscaling/ec2/userguide/allocation-strategies.html#on-demand-allocation-strategy ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ect]` (#28414) **CDK Version**: 2.115.0 (build 58027ee) **Os**: macOS 14.2 (BuildVersion: 23C64) I have observed the following warning showing up in my console today when running `cdk`: > [Warning at /CdkStack/AuthorizerFunction] [object Object] I was able to track down where this message was generated and apply a patch to see the error in a more descriptive format. For the records the error in my case was: > addPermission() has no effect on a Lambda Function with region=${Token[TOKEN.23]}, account=${Token[TOKEN.24]}, in a Stack with region=${Token[AWS.Region.12]}, account=${Token[AWS.AccountId.8]}. Suppress this warning if this is is intentional, or pass sameEnvironment=true to fromFunctionAttributes() if you would like to add the permissions. [ack: UnclearLambdaEnvironment] The fix proposed here makes sure that if I am not sure this is the best way to fix this issue. The signature of the `addMessage` seems to expect a `string` for the `message` value, so maybe the error needs to be corrected downstream where the `addMessage` call is made (which judging from the stack trace seems to come from `aws-cdk-lib/aws-lambda/lib/function-base.js`). Thoughts? ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ls (#27787) Because `AnyPrincipal` extends `ArnPrincipal` it gets caught up in the checks for parsing the ARN from the principal to get the account. This check should be skipped when the ARN is set to `"*"` because that can't be parsed. Closes #27783. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Fix typo in method name (`convertArnPrincpalToAccountId` -> `convertArnPrincipalToAccountId`) and another `princpal` typo. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
As part of the pipenv release 2022.8.13 the deprecated way of generating requirements ("pipenv install -r" or "pipenv lock -r") has been removed in favor of the "pipenv requirements" command.
See #28015 for the motivation behind this change.
* [Reference to pipenv CHANGELOG](https://github.com/pypa/pipenv/blob/main/CHANGELOG.md#2022813-2022-08-13)
* [Refernce to relevant pipenv pull request](pypa/pipenv#5200)
Closes #28015 .
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR resolves the missing `logs:PutRetentionPolicy` permission issue when using `FireLensLogDriver` with CloudWatch Logs. ### Description When using `FireLensLogDriver` to send logs to CloudWatch Logs, we can specify the retention period for newly created Log Groups by specifying `log_retention_days` in the `FireLensLogDriverProps.options`. https://docs.fluentbit.io/manual/pipeline/outputs/cloudwatch#configuration-parameters https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FireLensLogDriverProps.html#options If you have not added a FluentBit container, CDK will automatically add it to the task definition, and the IAM permissions required for this are added to the task role. https://github.com/aws/aws-cdk/blob/db22b85c9b2a853aa2f830c182a340f0bcf95d1a/packages/aws-cdk-lib/aws-ecs/lib/base/task-definition.ts#L816 https://github.com/aws/aws-cdk/blob/db22b85c9b2a853aa2f830c182a340f0bcf95d1a/packages/aws-cdk-lib/aws-ecs/lib/firelens-log-router.ts#L170 While `FireLensLogDriver` allows specifying `log_retention_days` for Log Groups, FluentBit cannot set the retention period due to the absence of the `logs:PutRetentionPolicy` policy. Consequently, it results in an `AccessDeniedException`. To address this, the PR adds the necessary `logs:PutRetentionPolicy` permission to the task role when `log_retention_days` is set in `FireLensLogDriverProps.options`, ensuring FluentBit has the required permissions to set the retention period for Log Groups. Relates to #28258 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Previously, the neuron plugin is already added in the addAutoScalingGroupCapacity() method, when the instanceType was some of the INFERENTIA types. Let's also add the plugin if at least one (some/any) of the instanceTypes in addNodegroupCapacity() is of the INFERENTIA types. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… construct (#28233) Added `emptyOnDelete` prop to the ecr `Repository` construct. `emptyOndelete` is supported by CloudFormation See here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html#cfn-ecr-repository-emptyondelete I've also deprecated the `autoDeleteImages` prop that deployed a custom resource. According to #24572 this was added before CloudFormation added the `EmptyOnDelete` property here aws-cloudformation/cloudformation-coverage-roadmap#515 Closes #28196 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
`albController` would fail the deployment if there's no defaultCapacity or nodegroup. This PR improves the doc about it. Documents issue from #22005 but further effort is needed to create a synth-time error. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Closes #27418 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Adds a public `addCatch` method to the stepfunctions `CustomState` state. Closes #25798. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…27340) Enable the creation of multiple event bus policies on a single event bus. Closes #24671. The result of the Policies created by the integration test is a resource policy on the event bus that looks like ```json { "Version": "2012-10-17", "Statement": [{ "Sid": "Statement2", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<account-id>:root" }, "Action": "events:PutRule", "Resource": "arn:aws:events:us-west-2:<account-id>:event-bus/StackBusAA0A1E4B" }, { "Sid": "Statement1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<account-id>:root" }, "Action": "events:PutEvents", "Resource": "arn:aws:events:us-west-2:<account-id>:event-bus/StackBusAA0A1E4B" }] } ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…rvice (#28220) Fixed a bug in queueProcessingFargateService where the taskDefinition provided as an argument was not being used, and a default taskDefinition was always being generated instead. Closes #27360 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The readme for apigatewayv2 is currently [removed](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigatewayv2-readme.html), and this PR gets it back. I got the original README.md from this commit (just before it got removed): https://github.com/aws/aws-cdk/blob/187f67b3430dca7ea96a94c66b18694bce213f03/packages/%40aws-cdk/aws-apigatewayv2-alpha/README.md I confirmed other two modules (integration and authorizers) have correct READMEs already. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Adding CDK GC to the roadmap. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Description The following issue describes a bug where the IAM Policy is not correctly set to the calling Lambda when using `invokeFunction` and `waitForAssertions`. Normally, when the `waitForAssertions` method is invoked, the necessary Policy is granted to the `waiterProvider` using the `adPolicyStatementFromSdkCall` method. https://github.com/aws/aws-cdk/blob/52a5579aa52c88bb289a7a9677c35385763c8fff/packages/%40aws-cdk/integ-tests-alpha/lib/assertions/sdk.ts#L136 In the case of a Lambda function call, the API name and the Action name of the Policy are different (invoke => invokeFunction), so the `addPolicyStatementFromSdkCall` method cannot grant the correct Policy. The `LambdaInvokeFunction` is doing the correct Policy assignment to deal with this in the constructor. https://github.com/aws/aws-cdk/blob/52a5579aa52c88bb289a7a9677c35385763c8fff/packages/%40aws-cdk/integ-tests-alpha/lib/assertions/sdk.ts#L247 However, this is not done for the `waiterProvider`, resulting in an access denied error. This PR has been modified so that the correct Policy is granted to `waiterProvider`. fixes #27865 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This adds support for creating `AWS::EC2::KeyPair` resources. These are added as a property to `Instance`, `LaunchTemplate`, and `NatInstance` and the older `keyName` prop is deprecated in favor of the new `keyPair: IKeyPair` property. A getter is added to retrieve the SSM parameter that hold the private key for non-imported keys and checks are added to make sure that ED25519 keys are not used with a Windows instance. Closes #5252. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Adding EKSv2 L2 construct to the roadmap. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR supports `tagPatternList` for the lifecycle policy. According to the doc, the lifecycle policy has following evaluation rules: > A lifecycle policy rule may specify either tagPatternList or tagPrefixList, but not both. > The tagPatternList or tagPrefixList parameters may only used if the tagStatus is tagged. > There is a maximum limit of four wildcards (\*) per string. For example, ["\*test\*1\*2\*3", "test\*1\*2\*3\*"] is valid but ["test\*1\*2\*3\*4\*5\*6"] is invalid. https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html#lp_tag_pattern_list ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The current wording made it hard for beginners to understand what the PRs actually do. This should improve discoverability of L1 changes. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* Co-authored-by: Sumu Pitchayan <35242245+sumupitchayan@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
… create correct iam policy (#28379) In the case for a hosted rotation with a master secret by `fromSecretNameV2()`, IAM policy for lambda is not correct. The secret by the method has a partial ARN, so a generated IAM policy should use an ARN with `'-??????'`, but it will not use the ARN. Closes #28308. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… in excessively long IAM policy names (#27548) When the importedRoleStackSafeDefaultPolicyName feature flag is enabled, the method to calculate the IAM Policy Name within `aws_iam.ImportedRole.addToPrincipalPolicy()` changes. Specifically, if the generated IAM Policy Name exceeds the maximum allowed length of 128 characters, it will be truncated using `Names.uniqueResourceName()`. Previously, the `Names.UniqueId()` method was used to generate the Policy Name. This method does not allow you to set a maximum length, so if the name exceeded the limit, it would be overwritten using `Names.uniqueResourceName()`—a function that allows for length specification. I considered replacing `Names.UniqueId()` entirely with `Names.uniqueResourceName()`. However, this is on hold due to concerns that existing Policy Names could be affected. If a complete replacement poses no issues, your guidance is appreciated, as I'm not fully versed in the logic behind these methods. Closes #27409 , #24441 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Recently Amazon SNS supports configuring delivery status logging with AWS CloudFormation. https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-sns-configuring-delivery-status-logging-aws-cloudformation/?nc1=h_ls This is also configurable via L1 CfnTopic construct. https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.CfnTopic.html This PR introduces the feature to add delivery status logging configuration via L2 Topic construct. Closes #21971 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…28165) (#28285) This PR fixes the bug where imported SQS queue cannot be used as Rule DeadLetterQueue, since fromQueueArn can resolve region and account from v2.109.0 Closes #28165 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR changes to add the `waiterProvider` property to an `IApiCall` for `awsApiCall` in integ-tests-alpha.
By default `awsApiCall` in integ tests, the AwsApiCall construct will automatically add the correct IAM policies to allow the Lambda function to make the API call. It does this based on the service and api that is provided. In the following example the service is SQS and the api is receiveMessage so it will create a policy with Action: 'sqs:ReceiveMessage'.
```ts
const integ = new IntegTest(app, 'Integ', {
testCases: [stack],
});
integ.assertions.awsApiCall('SQS', 'receiveMessage', {
QueueUrl: 'url',
});
```
There are some cases where the permissions do not exactly match the service/api call, for example the S3 listObjectsV2 api. In these cases it is possible to add the correct policy by accessing the `provider` object.
```ts
const apiCall = integ.assertions.awsApiCall('S3', 'listObjectsV2', {
Bucket: 'mybucket',
});
apiCall.provider.addToRolePolicy({
Effect: 'Allow',
Action: ['s3:GetObject', 's3:ListBucket'],
Resource: ['*'],
});
```
On the other hand, there is the case to use `waitForAssertions` when using `awsApiCall` in integ tests. This causes `apiCall` to have a `waiterProvider` property in addition to `provider`.
```ts
const apiCall = integ.assertions.awsApiCall('S3', 'listObjectsV2', {
Bucket: 'mybucket',
}).expect(ExpectedResult.objectLike({
KeyCount: 1,
})).waitForAssertions({
interval: cdk.Duration.seconds(30),
totalTimeout: cdk.Duration.minutes(10),
});
```
In the case, `waiterProvider` actually calls to the service/api, so it should have the proper policies.
However a type of a return value of `apiCall` is `IApiCall` interface so that the interface has a `provider` property, `waiterProvider` is not in `IApiCall` but in `AwsApiCall`.
Then it cannot take the policies without casting the following. (`apiCall instanceof AwsApiCall`)
```ts
if (apiCall instanceof AwsApiCall) {
apiCall.waiterProvider?.addToRolePolicy({
Effect: 'Allow',
Action: ['s3:GetObject', 's3:ListBucket'],
Resource: ['*'],
});
}
```
So I add `waiterProvider` to `IApiCall`, so that it can take the policies without casting:
```ts
// if (apiCall instanceof AwsApiCall) {
apiCall.waiterProvider?.addToRolePolicy({
Effect: 'Allow',
Action: ['s3:GetObject', 's3:ListBucket'],
Resource: ['*'],
});
//}
```
In my opinion, I see no negative impact from this.
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws-cdk-automation
added
auto-approve
pr/no-squash
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See CHANGELOG