chore(release): 2.202.0 #34763
#34256)
### Issue # (if applicable)
N/A
### Reason for this change
Missing property.
### Description of changes
Add kmsKey property to AppConfig Hosted Configuration
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
Add a unit test and an integ test.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…en not set (#34613)
### Issue #34612
Closes #34612
### Reason for this change
`USE_CDK_MANAGED_LAMBDA_LOGGROUP` makes CDK create a new log group. This is not backwards compatible with older CDK versions where the log group already exists.
### Description of changes
Change the default flag value to false
### Describe any new or updated permissions being added
None
### Description of how you validated changes
Ran integ tests
### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
None
### Reason for this change
Synthetics now supports node-playwright 2.0 runtime
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_nodejs_playwright.html
### Description of changes
- Add node-playwright 2.0 runtime
### Describe any new or updated permissions being added
None
### Description of how you validated changes
update both unit and integ test
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…perty (#34539)
### Issue # (if applicable)
Closes #32318
### Reason for this change
[outputConfigCommand](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks.Cluster.html#outputconfigcommand) is true by default.
https://github.com/aws/aws-cdk/blob/7538a8431290fe76d9ad6bbf80977eb2cb17e007/packages/aws-cdk-lib/aws-eks/lib/cluster.ts#L506-L513
But if `mastersRole` is not specified, command will not be output because the output command will not be useful as it won't have the necessary role.
https://github.com/aws/aws-cdk/blob/7538a8431290fe76d9ad6bbf80977eb2cb17e007/packages/aws-cdk-lib/aws-eks/lib/cluster.ts#L1845
### Description of changes
- Add `mastersRole` requirement to `outputConfigCommand` property.
  The requirement for `mastersRole` is already documented.
  https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks-readme.html#masters-role
  > If you do not specify it, you won't have access to the cluster from outside of the CDK application.
- Add warning if `outputConfigCommand` is `true` and `mastersRole` is not specified
### Describe any new or updated permissions being added
None
### Description of how you validated changes
Pass unit test
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…G guide (#34622)
### Issue # (if applicable)
#34612
Closes #<issue number here>.
### Reason for this change
Adding details on Feature flag fields in contributing guide.
### Description of changes
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
N/A
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change
New MariaDB versions are available.
Note: Link to the release note will be available later.
### Description of changes
```console
$ aws --region us-east-1 rds describe-db-engine-versions --engine mariadb --query 'DBEngineVersions[].EngineVersion'
[
"10.5.20",
"10.5.21",
"10.5.22",
"10.5.23",
"10.5.24",
"10.5.25",
"10.5.26",
"10.5.27",
"10.5.28",
"10.5.29",
"10.6.13",
"10.6.14",
"10.6.15",
"10.6.16",
"10.6.17",
"10.6.18",
"10.6.19",
"10.6.20",
"10.6.21",
"10.6.22",
"10.11.4",
"10.11.5",
"10.11.6",
"10.11.7",
"10.11.8",
"10.11.9",
"10.11.10",
"10.11.11",
"10.11.13",
"11.4.3",
"11.4.4",
"11.4.5",
"11.4.7"
]
```
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
Added versions to unit test.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
#34626)
### Issue # (if applicable)
Closes #34624.
### Reason for this change
Correcting the description of the `userData` property in the EC2 launch template construct properties.
### Description of changes
Updated the documentation to match the corresponding [Cloudformation documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-userdata) for `userData`. While the Cloudformation doc also specifies providing a base64-encoded value, this is [performed by the CDK code](https://github.com/aws/aws-cdk/blob/aa97e61140a4aac8531ac71521bde8bcdcbad573/packages/aws-cdk-lib/aws-ec2/lib/launch-template.ts#L690). The `userData` input structure is enforced by the `UserData` type, so no specific formatting instructions are necessary.
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
Executed the build and integ tests.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
None
### Reason for this change
AWS EBS now supports specifying [volume initialization rate](https://docs.aws.amazon.com/ebs/latest/userguide/initalize-volume.html#volume-initialization-rate) but AWS CDK cannot configure this parameter.
### Description of changes
- Add `volumeInitializationRate` to `VolumeProps`
### Describe any new or updated permissions being added
none
### Description of how you validated changes
Add both unit and integ tests.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
### Issue
Closes #32569
### Description of changes
Throw typed errors everywhere. This introduced a new error type `ExecutionError` that is meant for failures from external scripts or code.
### Describe any new or updated permissions being added
n/a
### Description of how you validated changes
Existing tests. Exemptions granted as this is a refactor of existing code.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…#31586)
### Issue # (if applicable)
Closes #26982
### Reason for this change
The ContextProvider mechanism and various "lookup" functions of a number of constructs support caching resolved values in the cdk.context.json. The context keys are constructed from the parameters of the lookup, which for lookup functions means whenever a resource with the same parameters is resolved, it is resolved as the same value across the entire app. However when a value may change over time, the user may wish to use the latest value when creating a new reference to the construct, effectively tying the cached context value to the scope - this patch enables this.
The primary use case is looking up an AMI parameter for a "stateful" EC2 instance. Currently if you specify cachedInContext, any future images created would use the same cached AMI, and updating the value would require updating all usages of the image across the entire app.
### Description of changes
Adds an `additionalCacheKey` parameter/property to multiple areas of the CDK where lookups can be cached
### Description of how you validated changes
Unit + integration tests
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change
Fix small typo found when reading the docs :p
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…#34596)
Reopen #33883
The cyclic dependency issue #34592 should be resolved before merging this PR again.
### Issue # (if applicable)
Related to #33757.
### Reason for this change
`FlowLogDestination.toKinesisDataFirehoseDestination()` includes the former service name Kinesis and receives the string ARN.
Also, cross-account log delivery needs an IAM role.
https://docs.aws.amazon.com/vpc/latest/userguide/firehose-cross-account-delivery.html
### Description of changes
- Added `FlowLogDestination.toFirehose()` with an optional IAM role.
- Deprecate `toKinesisDataFirehoseDestination()`

Note: CDK cannot create the IAM role for cross-account delivery because the VPC ARN is needed but FlowLog construct doesn't know it.
### Describe any new or updated permissions being added
N/A - Users must specify IAM roles for cross account delivery.
### Description of how you validated changes
Unit tests and integ test.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change
When doing a fresh clone of the repo we get:
```
Encountered 5 files that should have been pointers, but weren't:
packages/@aws-cdk-testing/framework-integ/test/aws-appconfig/test/integ.configuration.js.snapshot/asset.8a84a8f465fbe0c48af2c256847ec9abfe095d23781b749728b998315f3ad732.zip
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-addon.js.snapshot/asset.12157b27d30ab71eb24ae65825f672ba5cc2c09dbb1703cd7adfcff3aeaca136.zip
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-addon.js.snapshot/asset.6094cb0ff874f89ab5ab24fb6b9417df0fdeb6966645f90c88ec1d7e28130112.zip
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-addon.js.snapshot/asset.93d96d34e0d3cd20eb082652b91012b131bdc34fcf2bc16eb4170e04772fddb1.zip
packages/@aws-cdk-testing/framework-integ/test/aws-synthetics/test/integ.canary.js.snapshot/asset.b1b777dcb79a2fa2790059927207d10bf5f4747d6dd1516e2780726d9d6fa820.zip
```
This can be verified with: `git lfs fsck` which gives the same problematic 5 files.
### Description of changes
Ran `git lfs migrate import --no-rewrite <path to the 5 files>`.
### Description of how you validated changes
Ran `git lfs fsck`, no more errors.
### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
)
### Issue # (if applicable)
Closes #33584.
### Reason for this change
AWS CodePipeline introduces a new action to deploy to Amazon Elastic Compute Cloud (EC2).
https://aws.amazon.com/about-aws/whats-new/2025/02/aws-codepipeline-native-ec2-deployment-support/
### Description of changes
Added the `Ec2DeployAction` action class and corresponding helpers.
- `Ec2InstanceType` - specify instance type: EC2 or SSM_MANAGED_NODE
- `Ec2DeploySpecification` - choose deploy specification: inline or DeploySpec (not yet included)
- `Ec2MaxInstances` - specify maxBatch and maxError configuration
#### Usage
```ts
new cpactions.Ec2DeployAction({
  actionName: 'EC2',
  input: buildOutput,
  // specify instance type
  instanceType: cpactions.Ec2InstanceType.EC2, // REQUIRED
  // specify tag key and value, not ec2.IInstance
  instanceTagKey: 'Target', // REQUIRED
  instanceTagValue: 'DeployTarget',
  // deploy specifications
  deploySpecifications: cpactions.Ec2DeploySpecifications.inline({
    targetDirectory: '/home/ec2-user/deploy', // REQUIRED
    preScript: 'hooks/pre-script',
    postScript: 'hooks/post-script', // REQUIRED
  }),
  // the action will detach and attach instances from/to target groups
  targetGroups: [myTargetGroup],
  // the number or percentage of instances that can deploy in parallel
  maxBatch: cpactions.Ec2MaxInstances.target(2),
  maxError: cpactions.Ec2MaxInstances.percent(50),
});
```
### Describe any new or updated permissions being added
`Ec2DeployAction` adds permissions based on CodePipeline documentation:
https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-EC2Deploy.html#action-reference-EC2Deploy-permissions-action
For details of actions, resource, and condition keys, see the Service Authorization Reference: [EC2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html), [ELBv2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselasticloadbalancingv2.html), [SSM](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html)
### Description of how you validated changes
Unit tests and an integ test. The integ test also asserts pipeline execution.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable): Bedrock L2 Construct
Closes #<issue number here>
[ Issue - 686](aws/aws-cdk-rfcs#686)
### Reason for this change
- New Feature, Adding bedrock L2 construct. [RFC 888](aws/aws-cdk-rfcs#688)
### Description of changes
Bedrock L2 Construct with following features
1. Agent core functionality (agent.ts)
2. Agent aliases (agent-alias.ts)
3. Action groups (action-group.ts)
4. Agent collaboration (agent-collaborator.ts)
5. Memory configuration (memory.ts)
6. Custom orchestration (orchestration.ts)
7. Prompt overrides (prompt-override.ts)
8. API schemas and executors (api-schema.ts, api-executor.ts)

Integration Tests (integ.agent.ts):
Tests the creation of a basic Bedrock Agent with default values
Verifies the agent creation with foundationModel, instruction, and forceDelete settings
Unit Tests for agent.test.ts, agent-collaborator.test.ts, api-executor.test.ts, memory.test.ts, prompt-override.test.ts
### Describe any new or updated permissions being added
IAM roles for Agent, Knowledgebase, guardrails, inference profiles, prompts.
### Description of how you validated changes
Created CDK APP in the repo and deployed the stack.
TODO : Unit and Integration test
### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… practices (#34638)
### Issue # (if applicable)
Closes #34637.
### Reason for this change
See description of issue #34637.
### Description of changes
Do not directly pass the `events.OnEventOptions` object directly to the `RuleProps` but rather create an object mapping the needed properties.
### Describe any new or updated permissions being added
NA
### Description of how you validated changes
Build module and ran existing integ test. No need to add additional testing.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ntifier` (#33982)
### Issue # (if applicable)
Closes #33889
### Reason for this change
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_RestoreFromMultiAZDBClusterSnapshot.html
### Description of changes
- `DatabaseInstanceFromSnapshot` support `clusterSnapshotIdentifier`
- `clusterSnapshotIdentifier` and `snapshotIdentifier` are mutually exclusive, one must be specified
### Description of how you validated changes
Unit + Integ
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
Closes #30792
### Reason for this change
The feature enables support to create clusters without the default networking add-ons
### Description of changes
### Describe any new or updated permissions being added
Added the prop bootstrapSelfManagedAddons to the cluster and incremented the eks client version. Also validated that existing if bootstrapSelfManagedAddons is undefined to true or vice versa does not replace the cluster as the default is `true`.
### Description of how you validated changes
Validated the changes against an existing cluster and made sure it is not replaced unless the change is from true to false or vice versa.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…elector (#34625)
### Issue
Closes #34538.
### Reason for this change
In the current implementation `itemSelector` must be an object type `Mapping[str, Any]`, but Step Functions supports both object mappings and JSONata expressions as strings. See the [Amazon States Language](https://states-language.net/spec.html#map-state) specification:
> A JSONata Map State MAY have an "ItemSelector" field, whose value MUST be a JSON text, or a JSONata string that evaluates to a JSON text.
### Description of changes
This PR adds a new field `jsonataItemSelector` of type `string` to support this use case. This new field is mutually exclusive with `itemSelector` (and `parameters` as it is already mutually exclusive with `itemSelector` and deprecated). During synthesis, if `jsonataItemSelector` is used, then it will be used to render the `ItemSelector` in the cloudformation template.
I considered creating a class like the [ProvideItems](https://github.com/aws/aws-cdk/blob/ed08f3f0b8ecd79a2fa5e804acc73a9ff23eab80/packages/aws-cdk-lib/aws-stepfunctions/lib/states/map-base.ts#L60-L77) class, however this would have been a breaking change for existing users.
### Describe any new or updated permissions being added
None.
### Description of how you validated changes
Added unit tests and an integration test.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…33802)
### Issue # (if applicable)
Closes #33249
### Reason for this change
CloudFront doesn't support resource-level permission for some permission as per [Actions, resources, and condition keys for Amazon CloudFront](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudfront.html)
### Description of changes
Use wildcard(*) when grant some cloudfront permission
### Describe any new or updated permissions being added
Use wildcard(*) when grant some cloudfront permission
### Description of how you validated changes
Unit + Integ
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…34173)
### Issue # (if applicable)
Closes #32280.
Closes #32563.
### Reason for this change
Aurora Serverless v2 DB instances can specify the time period of inactivity before auto-pause.
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2-auto-pause.html
### Description of changes
Added the `serverlessV2AutoPauseDuration` prop for `DatabaseCluster`.
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
Added unit tests and an integ test.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
None
### Reason for this change
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_python_selenium.html
### Description of changes
- Add selenium 6.0 runtime
### Describe any new or updated permissions being added
None
### Description of how you validated changes
Unit + Integ
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
None
### Reason for this change
AWS CloudWatch synthetics supports [performing safe canary update](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/performing-safe-canary-upgrades.html#performing-safe-canary-upgrades-limitations).
This feature cannot be configured from AWS CDK L2 construct.
### Description of changes
- Add `dryRunAndUpdate` prop to `canaryProps`
- Add runtime validation
  - syn-nodejs-puppeteer-10.0+
  - syn-nodejs-playwright-2.0+
  - syn-python-selenium-5.1+
### Describe any new or updated permissions being added
None
### Description of how you validated changes
Add both unit and integ tests.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… dimension map (#34648)
### Issue # (if applicable)
Closes #34643
### Reason for this change
When the metric filter is created, you can specify the dimension map for the metric. When you extract the metric out of the metric filter, the extracted metric will not include the dimension map, and you will be forced to manually add it to the metric.
### Description of changes
This PR preserves the dimension map used when creating the metric filter and then applies it back when extracting the metric using the `MetricFilter.metric()` API.
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
Added new unit and integration test that verify the extracted metric still includes the original dimension map used when creating the metric filter.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…rsions 11.22-rds.20250508 and 12.22-rds.20250508 (#34598)
### Issue # (if applicable)
None
### Reason for this change
- https://aws.amazon.com/about-aws/whats-new/2025/05/amazon-rds-mariadb-community-mariadb-minor-versions/
- https://aws.amazon.com/about-aws/whats-new/2025/06/amazon-rds-postgresql-extended-support-versions-r2-11-22-rds-20250508-12-22-rds-20250508/
### Description of changes
RDS mariadb add versions 10.5.29 and 10.6.22
### Description of how you validated changes
```console
$ aws rds describe-db-engine-versions --engine mariadb --output table --query 'DBEngineVersions[*].{Engine:Engine,EngineVersion:EngineVersion}'
------------------------------
|  DescribeDBEngineVersions  |
+----------+-----------------+
|  Engine  |  EngineVersion  |
+----------+-----------------+
|  mariadb |  10.5.20        |
|  mariadb |  10.5.21        |
|  mariadb |  10.5.22        |
|  mariadb |  10.5.23        |
|  mariadb |  10.5.24        |
|  mariadb |  10.5.25        |
|  mariadb |  10.5.26        |
|  mariadb |  10.5.27        |
|  mariadb |  10.5.28        |
|  mariadb |  10.5.29        |
|  mariadb |  10.6.13        |
|  mariadb |  10.6.14        |
|  mariadb |  10.6.15        |
|  mariadb |  10.6.16        |
|  mariadb |  10.6.17        |
|  mariadb |  10.6.18        |
|  mariadb |  10.6.19        |
|  mariadb |  10.6.20        |
|  mariadb |  10.6.21        |
|  mariadb |  10.6.22        |
$ aws rds describe-db-engine-versions --engine postgres --output table --query 'DBEngineVersions[*].{Engine:Engine,EngineVersion:EngineVersion}'
------------------------------------
|     DescribeDBEngineVersions     |
+-----------+----------------------+
|  Engine   |  EngineVersion       |
+-----------+----------------------+
|  postgres |  11.22               |
|  postgres |  11.22-rds.20240418  |
|  postgres |  11.22-rds.20240509  |
|  postgres |  11.22-rds.20240808  |
|  postgres |  11.22-rds.20241121  |
|  postgres |  11.22-rds.20250220  |
|  postgres |  11.22-rds.20250508  |
|  postgres |  12.20               |
|  postgres |  12.22               |
|  postgres |  12.22-rds.20250220  |
|  postgres |  12.22-rds.20250508  |
|  postgres |  13.15               |
```
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
Related to #15301.
### Reason for this change
Users wanted a more detailed guide on how to update the `encodedKey`.
### Description of changes
Add an example to show how to update the key, replaced `logical id` by `id` for more clarity.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
None
### Reason for this change
Add some interface vpc endpoints missing in cdk.
### Description of changes
Added below services.
- shield
- shield-fips
- sqs-fips
- sts-fips
### Description of how you validated changes
Executed CLI below
`$ aws ec2 describe-vpc-endpoint-services --filters Name=service-type,Values=Interface Name=owner,Values=amazon --region us-east-1 --query ServiceNames`
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…g grant methods for the `Bucket` resource (#34733)
### Issue # (if applicable)
Closes #34545.
### Reason for this change
Current behavior in some `grant` methods for the `Bucket` resource might cause confusion and be seen as a bug.
### Description of changes
Added more details on the policy specifics, explaining why the current behavior is like that, and added additional resources if the implementer needs to restrict even more their permissions.
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
N/A. Just documentation being updated.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR updates the CDK enum mapping file.
### Reason for this change
A new Github action to check for LFS files was added and users without LFS cannot have their PR pass this test if they updated an integ test.
### Description of changes
Add instructions on how to check if git lfs is installed, how to install it and fix the problematic files.
### Description of how you validated changes
Helped a contributor make the test pass on his PR.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
**L1 CloudFormation resource definition changes:**
```
├[~] service aws-athena
│ └ resources
│ └[~] resource AWS::Athena::WorkGroup
│ └ types
│ ├[~] type ManagedQueryResultsConfiguration
│ │ ├ - documentation: The configuration for the managed query results and encryption option. ResultConfiguration and ManagedQueryResultsConfiguration cannot be set at the same time
│ │ │ + documentation: The configuration for storing results in Athena owned storage, which includes whether this feature is enabled; whether encryption configuration, if any, is used for encrypting query results.
│ │ └ properties
│ │ ├ Enabled: (documentation changed)
│ │ └ EncryptionConfiguration: (documentation changed)
│ └[~] type WorkGroupConfiguration
│ └ properties
│ └ ManagedQueryResultsConfiguration: (documentation changed)
├[~] service aws-customerprofiles
│ └ resources
│ ├[~] resource AWS::CustomerProfiles::CalculatedAttributeDefinition
│ │ ├ properties
│ │ │ └ UseHistoricalData: (documentation changed)
│ │ └ attributes
│ │ └ Status: (documentation changed)
│ └[~] resource AWS::CustomerProfiles::ObjectType
│ ├ properties
│ │ └ MaxProfileObjectCount: (documentation changed)
│ └ attributes
│ └ MaxAvailableProfileObjectCount: (documentation changed)
├[~] service aws-ec2
│ └ resources
│ ├[~] resource AWS::EC2::EgressOnlyInternetGateway
│ │ ├ - tagInformation: undefined
│ │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ └ properties
│ │ └[+] Tags: Array<tag>
│ └[~] resource AWS::EC2::Subnet
│ ├ attributes
│ │ └[+] BlockPublicAccessStates: BlockPublicAccessStates
│ └ types
│ └[+] type BlockPublicAccessStates
│ ├ name: BlockPublicAccessStates
│ └ properties
│ └ InternetGatewayBlockMode: string
├[~] service aws-efs
│ └ resources
│ └[~] resource AWS::EFS::MountTarget
│ └ properties
│ ├ IpAddressType: (documentation changed)
│ └ Ipv6Address: (documentation changed)
├[~] service aws-eks
│ └ resources
│ ├[~] resource AWS::EKS::Addon
│ │ ├ properties
│ │ │ └ PodIdentityAssociations: (documentation changed)
│ │ └ types
│ │ └[~] type PodIdentityAssociation
│ │ └ properties
│ │ └ RoleArn: (documentation changed)
│ ├[~] resource AWS::EKS::Cluster
│ │ ├ properties
│ │ │ └ BootstrapSelfManagedAddons: (documentation changed)
│ │ └ types
│ │ ├[~] type RemoteNetworkConfig
│ │ │ └ properties
│ │ │ ├ RemoteNodeNetworks: (documentation changed)
│ │ │ └ RemotePodNetworks: (documentation changed)
│ │ ├[~] type RemoteNodeNetwork
│ │ │ ├ - documentation: A network CIDR that can contain hybrid nodes.
│ │ │ │ These CIDR blocks define the expected IP address range of the hybrid nodes that join the cluster. These blocks are typically determined by your network administrator.
│ │ │ │ Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, `10.2.0.0/16` ).
│ │ │ │ It must satisfy the following requirements:
│ │ │ │ - Each block must be within an `IPv4` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported.
│ │ │ │ - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
│ │ │ │ - Each block must have a route to the VPC that uses the VPC CIDR blocks, not public IPs or Elastic IPs. There are many options including AWS Transit Gateway , AWS Site-to-Site VPN , or AWS Direct Connect .
│ │ │ │ - Each host must allow outbound connection to the EKS cluster control plane on TCP ports `443` and `10250` .
│ │ │ │ - Each host must allow inbound connection from the EKS cluster control plane on TCP port 10250 for logs, exec and port-forward operations.
│ │ │ │ - Each host must allow TCP and UDP network connectivity to and from other hosts that are running `CoreDNS` on UDP port `53` for service and pod DNS names.
│ │ │ │ + documentation: A network CIDR that can contain hybrid nodes.
│ │ │ │ These CIDR blocks define the expected IP address range of the hybrid nodes that join the cluster. These blocks are typically determined by your network administrator.
│ │ │ │ Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, `10.2.0.0/16` ).
│ │ │ │ It must satisfy the following requirements:
│ │ │ │ - Each block must be within an `IPv4` RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported.
│ │ │ │ - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
│ │ │ │ - Each block must have a route to the VPC that uses the VPC CIDR blocks, not public IPs or Elastic IPs. There are many options including AWS Transit Gateway , AWS Site-to-Site VPN , or AWS Direct Connect .
│ │ │ │ - Each host must allow outbound connection to the EKS cluster control plane on TCP ports `443` and `10250` .
│ │ │ │ - Each host must allow inbound connection from the EKS cluster control plane on TCP port 10250 for logs, exec and port-forward operations.
│ │ │ │ - Each host must allow TCP and UDP network connectivity to and from other hosts that are running `CoreDNS` on UDP port `53` for service and pod DNS names.
│ │ │ └ properties
│ │ │ └ Cidrs: (documentation changed)
│ │ └[~] type RemotePodNetwork
│ │ ├ - documentation: A network CIDR that can contain pods that run Kubernetes webhooks on hybrid nodes.
│ │ │ These CIDR blocks are determined by configuring your Container Network Interface (CNI) plugin. We recommend the Calico CNI or Cilium CNI. Note that the Amazon VPC CNI plugin for Kubernetes isn't available for on-premises and edge locations.
│ │ │ Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, `10.2.0.0/16` ).
│ │ │ It must satisfy the following requirements:
│ │ │ - Each block must be within an `IPv4` RFC-1918 network range. Minimum allowed size is /24, maximum allowed size is /8. Publicly-routable addresses aren't supported.
│ │ │ - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
│ │ │ + documentation: A network CIDR that can contain pods that run Kubernetes webhooks on hybrid nodes.
│ │ │ These CIDR blocks are determined by configuring your Container Network Interface (CNI) plugin. We recommend the Calico CNI or Cilium CNI. Note that the Amazon VPC CNI plugin for Kubernetes isn't available for on-premises and edge locations.
│ │ │ Enter one or more IPv4 CIDR blocks in decimal dotted-quad notation (for example, `10.2.0.0/16` ).
│ │ │ It must satisfy the following requirements:
│ │ │ - Each block must be within an `IPv4` RFC-1918 network range. Minimum allowed size is /32, maximum allowed size is /8. Publicly-routable addresses aren't supported.
│ │ │ - Each block cannot overlap with the range of the VPC CIDR blocks for your EKS resources, or the block of the Kubernetes service IP range.
│ │ └ properties
│ │ └ Cidrs: (documentation changed)
│ └[~] resource AWS::EKS::PodIdentityAssociation
│ ├ properties
│ │ ├ DisableSessionTags: (documentation changed)
│ │ ├ Namespace: (documentation changed)
│ │ ├ RoleArn: (documentation changed)
│ │ └ TargetRoleArn: (documentation changed)
│ └ attributes
│ └ ExternalId: (documentation changed)
├[~] service aws-lambda
│ └ resources
│ ├[~] resource AWS::Lambda::EventInvokeConfig
│ │ └ types
│ │ ├[~] type DestinationConfig
│ │ │ └ - documentation: A configuration object that specifies the destination of an event after Lambda processes it.
│ │ │ + documentation: A configuration object that specifies the destination of an event after Lambda processes it. For more information, see [Adding a destination](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async-retain-records.html#invocation-async-destinations) .
│ │ ├[~] type OnFailure
│ │ │ └ - documentation: A destination for events that failed processing. See [Capturing records of Lambda asynchronous invocations](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async-retain-records.html) for more information.
│ │ │ + documentation: A destination for events that failed processing. For more information, see [Adding a destination](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async-retain-records.html#invocation-async-destinations) .
│ │ └[~] type OnSuccess
│ │ └ - documentation: A destination for events that were processed successfully.
│ │ To retain records of successful [asynchronous invocations](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html#invocation-async-destinations) , you can configure an Amazon SNS topic, Amazon SQS queue, Lambda function, or Amazon EventBridge event bus as the destination.
│ │ + documentation: A destination for events that were processed successfully.
│ │ To retain records of successful [asynchronous invocations](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html#invocation-async-destinations) , you can configure an Amazon SNS topic, Amazon SQS queue, Lambda function, or Amazon EventBridge event bus as the destination.
│ │ > `OnSuccess` is not supported in `CreateEventSourceMapping` or `UpdateEventSourceMapping` requests.
│ └[~] resource AWS::Lambda::EventSourceMapping
│ └ types
│ ├[~] type DestinationConfig
│ │ └ - documentation: A configuration object that specifies the destination of an event after Lambda processes it.
│ │ + documentation: A configuration object that specifies the destination of an event after Lambda processes it. For more information, see [Adding a destination](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async-retain-records.html#invocation-async-destinations) .
│ └[~] type OnFailure
│ └ - documentation: A destination for events that failed processing. See [Capturing records of Lambda asynchronous invocations](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async-retain-records.html) for more information.
│ + documentation: A destination for events that failed processing. For more information, see [Adding a destination](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async-retain-records.html#invocation-async-destinations) .
├[~] service aws-msk
│ └ resources
│ └[~] resource AWS::MSK::Cluster
│ └ types
│ └[~] type BrokerNodeGroupInfo
│ └ properties
│ └ InstanceType: (documentation changed)
├[~] service aws-mwaa
│ └ resources
│ └[~] resource AWS::MWAA::Environment
│ └ properties
│ └[+] WorkerReplacementStrategy: string
├[~] service aws-rds
│ └ resources
│ └[~] resource AWS::RDS::DBProxyTargetGroup
│ └ types
│ └[~] type ConnectionPoolConfigurationInfoFormat
│ └ properties
│ └ InitQuery: (documentation changed)
├[~] service aws-sagemaker
│ └ resources
│ └[~] resource AWS::SageMaker::Domain
│ └ types
│ ├[~] type DomainSettings
│ │ └ properties
│ │ └ UnifiedStudioSettings: (documentation changed)
│ └[~] type UnifiedStudioSettings
│ ├ - documentation: A collection of settings that apply to an Amazon SageMaker AI domain when you use it in Amazon SageMaker Unified Studio.
│ │ + documentation: The settings that apply to an Amazon SageMaker AI domain when you use it in Amazon SageMaker Unified Studio.
│ └ properties
│ └ StudioWebPortalAccess: (documentation changed)
└[~] service aws-wafv2
└ resources
├[~] resource AWS::WAFv2::RuleGroup
│ └ types
│ ├[+] type AsnMatchStatement
│ │ ├ name: AsnMatchStatement
│ │ └ properties
│ │ ├ AsnList: Array<integer>
│ │ └ ForwardedIPConfig: ForwardedIPConfiguration
│ ├[~] type RateBasedStatementCustomKey
│ │ └ properties
│ │ └[+] ASN: json
│ └[~] type Statement
│ └ properties
│ └[+] AsnMatchStatement: AsnMatchStatement
└[~] resource AWS::WAFv2::WebACL
├ properties
│ └ OnSourceDDoSProtectionConfig: - json
│ + OnSourceDDoSProtectionConfig ⇐ json
│ (documentation changed)
└ types
├[+] type AsnMatchStatement
│ ├ name: AsnMatchStatement
│ └ properties
│ ├ AsnList: Array<integer>
│ └ ForwardedIPConfig: ForwardedIPConfiguration
├[~] type AWSManagedRulesACFPRuleSet
│ └ - documentation: Details for your use of the account creation fraud prevention managed rule group, `AWSManagedRulesACFPRuleSet` . This configuration is used in `ManagedRuleGroupConfig` .
│ + documentation: Details for your use of the account creation fraud prevention managed rule group, `AWSManagedRulesACFPRuleSet` . This configuration is used in `ManagedRuleGroupConfig` .
│ For additional information about this and the other intelligent threat mitigation rule groups, see [Intelligent threat mitigation in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-protections) and [AWS Managed Rules rule groups list](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list) in the *AWS WAF Developer Guide* .
├[+] type AWSManagedRulesAntiDDoSRuleSet
│ ├ documentation: Configures how to use the AntiDDOS AWS managed rule group in the web ACL
│ │ name: AWSManagedRulesAntiDDoSRuleSet
│ └ properties
│ ├ ClientSideActionConfig: ClientSideActionConfig (required)
│ └ SensitivityToBlock: string
├[~] type AWSManagedRulesATPRuleSet
│ └ - documentation: Details for your use of the account takeover prevention managed rule group, `AWSManagedRulesATPRuleSet` . This configuration is used in `ManagedRuleGroupConfig` .
│ + documentation: Details for your use of the account takeover prevention managed rule group, `AWSManagedRulesATPRuleSet` . This configuration is used in `ManagedRuleGroupConfig` .
│ For additional information about this and the other intelligent threat mitigation rule groups, see [Intelligent threat mitigation in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-protections) and [AWS Managed Rules rule groups list](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list) in the *AWS WAF Developer Guide* .
├[~] type AWSManagedRulesBotControlRuleSet
│ └ - documentation: Details for your use of the Bot Control managed rule group, `AWSManagedRulesBotControlRuleSet` . This configuration is used in `ManagedRuleGroupConfig` .
│ + documentation: Details for your use of the Bot Control managed rule group, `AWSManagedRulesBotControlRuleSet` . This configuration is used in `ManagedRuleGroupConfig` .
│ For additional information about this and the other intelligent threat mitigation rule groups, see [Intelligent threat mitigation in AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-protections) and [AWS Managed Rules rule groups list](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list) in the *AWS WAF Developer Guide* .
├[+] type ClientSideAction
│ ├ documentation: Client side action config for AntiDDOS AMR.
│ │ name: ClientSideAction
│ └ properties
│ ├ UsageOfAction: string (required)
│ ├ Sensitivity: string
│ └ ExemptUriRegularExpressions: Array<Regex>
├[+] type ClientSideActionConfig
│ ├ documentation: Client side action config for AntiDDOS AMR.
│ │ name: ClientSideActionConfig
│ └ properties
│ └ Challenge: ClientSideAction (required)
├[~] type ManagedRuleGroupConfig
│ └ properties
│ └[+] AWSManagedRulesAntiDDoSRuleSet: AWSManagedRulesAntiDDoSRuleSet
├[~] type ManagedRuleGroupStatement
│ └ properties
│ ├ ManagedRuleGroupConfigs: (documentation changed)
│ └ RuleActionOverrides: (documentation changed)
├[+] type OnSourceDDoSProtectionConfig
│ ├ documentation: Configures the options for on-source DDoS protection provided by supported resource type.
│ │ name: OnSourceDDoSProtectionConfig
│ └ properties
│ └ ALBLowReputationMode: string (required)
├[~] type RateBasedStatementCustomKey
│ └ properties
│ └[+] ASN: json
├[+] type Regex
│ ├ documentation: Regex
│ │ name: Regex
│ └ properties
│ └ RegexString: string
├[~] type RuleGroupReferenceStatement
│ └ properties
│ └ RuleActionOverrides: (documentation changed)
└[~] type Statement
└ properties
└[+] AsnMatchStatement: AsnMatchStatement
```
### Reason for this change
Corrects link to `integ-runner` after it has been moved to the `aws-cdk-cli` repo.
### Description of changes
Changed link.
### Describe any new or updated permissions being added
None.
### Description of how you validated changes
Link works.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
N/A
### Reason for this change
Amplify supports branch-level compute role setting. But the current L2 Construct doesn't support it.
### Description of changes
Add `computeRole` property for `Branch` construct.
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
Add a unit test and an integ test.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change
Lambda is introducing a new property in Event Sources named `SchemaRegistryConfig` in `SelfManagedKafkaEventSourceConfig` and `AmazonManagedKafkaEventSourceConfig` to set configuration settings for a schema registry that will be used to de-serialize the events read from these Kafka event sources. When specified, it allows de-serialization of events before they are passed to the target function and validation of their format. Users may use a Confluent registry, a self-managed registry or AWS Glue Registry. Note that the event source mapping must have `ProvisionedPollerConfig` set (be in provisioned mode) for this feature to be used.
This feature is currently supported for MSK and Self-managed Kafka event sources.
### Description of changes
This new property can be opted in by setting `SchemaRegistryConfig` in `SelfManagedKafkaEventSourceConfig` or `AmazonManagedKafkaEventSourceConfig`. An example is shown below:
```
myFunction.addEventSource(new ManagedKafkaEventSource({
  clusterArn,
  topic,
  startingPosition: lambda.StartingPosition.TRIM_HORIZON,
  provisionedPollerConfig: {
    minimumPollers: 1,
    maximumPollers: 3,
  },
  schemaRegistryConfig: {
    schemaRegistryUri: 'https://example.com',
    eventRecordFormat: lambda.EventRecordFormat.JSON,
    accessConfigs: [
      {
        type: lambda.SchemaRegistryAccessConfigType.BASIC_AUTH,
        uri: 'https://example.com',
      },
    ],
    schemaValidationConfigs: [{ attribute: lambda.SchemaValidationAttribute.KEY }],
  },
}));
```
### Describe any new or updated permissions being added
The following IAM permissions will be added to the target function execution role **only if the user passed a Glue registry**.
```
{
  Action: 'glue:GetRegistry',
  Effect: 'Allow',
  Resource: {
    'Fn::GetAtt': ['Registry', 'Arn'], // Glue registry ARN
  },
},
{
  Action: [
    'glue:GetSchemaVersion',
    'glue:GetSchema',
  ],
  Effect: 'Allow',
  Resource: [
    {
      'Fn::GetAtt': ['Registry', 'Arn'],
    },
    'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:schema/lambda-gp-test-glue-schema-registry/*',
  ],
},
```
### Description of how you validated changes
Unit tests for each case have been added in the PR. Note that MSK and SMK validations follow the same path, so for validations there are only unit tests for MSK cases, which should apply to both.
Integration tests for both the Glue and Confluent cases have been added for SMK. Since MSK requires a Kafka cluster in a VPC, we typically do not add integration tests for it.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ctures (#31771)
### Issue # (if applicable)
Closes #31758.
### Reason for this change
The current custom response headers implementation does not support Amplify apps with monorepo structures; this is due to a difference in the YAML formats for these apps: https://docs.aws.amazon.com/amplify/latest/userguide/custom-header-YAML-format.html
### Description of changes
An `appRoot` property has been added to `CustomResponseHeader`, which specifies the appRoot from the build spec to use for the output YAML.
### Description of how you validated changes
I added unit tests and tested the implementation using a sample deployment. I'm happy to add integration tests if required.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).
➡️ PR build request submitted to A maintainer must now check the pipeline and add the
Comments on closed issues and PRs are hard for our team to see.
See CHANGELOG