chore(release): 2.212.0 #35278

aws-cdk-automation · 2025-08-20T08:24:46Z

…pt-oss-20b (#35163) Add new model. * [Anthropic’s Claude Opus 4.1 now in Amazon Bedrock](https://aws.amazon.com/about-aws/whats-new/2025/08/anthropic-claude-opus-4-1-amazon-bedrock/) * [OpenAI open weight models now available on AWS](https://aws.amazon.com/blogs/aws/openai-open-weight-models-now-available-on-aws/) ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --------- Co-authored-by: Jorge Diaz <[email protected]>

…5217) ### Issue # (if applicable) Closes #<issue number here>. ### Reason for this change Mergify needs a designated bot account to automatically execute merge operations for PRs that meet the merge queue conditions. Without this configuration, automatic merging may not function properly. ### Description of changes Configure AWS CDK Automation as the merge bot account to allow Mergify to automatically execute merge operations for PRs that meet the queue conditions. Added `merge_bot_account: AWS CDK Automation` to the `.mergify.yml` configuration file. This designates the AWS CDK Automation account as the bot responsible for executing automatic merges when PRs meet the defined queue conditions. ### Describe any new or updated permissions being added NA ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* Co-authored-by: Jorge Diaz <[email protected]>

…pr build (#35216) ### Reason for this change GitHub Actions workflows with `on: pull_request` triggers do not execute when pull requests are created programmatically via API calls using personal access tokens. Release process creates PRs using the GitHub API, causing CI workflows to be skipped and preventing proper validation of release changes. ### Checklist - [X ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Reason for this change  Mergify seems to be updated with latest branch protection rules, so they can be enabled back to unblock mergify ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4 to 5. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/download-artifact/releases">actions/download-artifact's releases</a>.</em></p> <blockquote> <h2>v5.0.0</h2> <h2>What's Changed</h2> <ul> <li>Update README.md by <a href="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/nebuk89"><code>@nebuk89</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/407">actions/download-artifact#407</a></li> <li>BREAKING fix: inconsistent path behavior for single artifact downloads by ID by <a href="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/GrantBirki"><code>@GrantBirki</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/416">actions/download-artifact#416</a></li> </ul> <h2>v5.0.0</h2> <h3>🚨 Breaking Change</h3> <p>This release fixes an inconsistency in path behavior for single artifact downloads by ID. <strong>If you're downloading single artifacts by ID, the output path may change.</strong></p> <h4>What Changed</h4> <p>Previously, <strong>single artifact downloads</strong> behaved differently depending on how you specified the artifact:</p> <ul> <li><strong>By name</strong>: <code>name: my-artifact</code> → extracted to <code>path/</code> (direct)</li> <li><strong>By ID</strong>: <code>artifact-ids: 12345</code> → extracted to <code>path/my-artifact/</code> (nested)</li> </ul> <p>Now both methods are consistent:</p> <ul> <li><strong>By name</strong>: <code>name: my-artifact</code> → extracted to <code>path/</code> (unchanged)</li> <li><strong>By ID</strong>: <code>artifact-ids: 12345</code> → extracted to <code>path/</code> (fixed - now direct)</li> </ul> <h4>Migration Guide</h4> <h5>✅ No Action Needed If:</h5> <ul> <li>You download artifacts by <strong>name</strong></li> <li>You download <strong>multiple</strong> artifacts by ID</li> <li>You already use <code>merge-multiple: true</code> as a workaround</li> </ul> <h5>⚠️ Action Required If:</h5> <p>You download <strong>single artifacts by ID</strong> and your workflows expect the nested directory structure.</p> <p><strong>Before v5 (nested structure):</strong></p> <pre lang="yaml"><code>- uses: actions/download-artifact@v4 with: artifact-ids: 12345 path: dist # Files were in: dist/my-artifact/ </code></pre> <blockquote> <p>Where <code>my-artifact</code> is the name of the artifact you previously uploaded</p> </blockquote> <p><strong>To maintain old behavior (if needed):</strong></p> <pre lang="yaml"><code></tr></table> </code></pre> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/download-artifact/commit/634f93cb2916e3fdff6788551b99b062d0335ce0"><code>634f93c</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/416">#416</a> from actions/single-artifact-id-download-path</li> <li><a href="https://github.com/actions/download-artifact/commit/b19ff4302770b82aa4694b63703b547756dacce6"><code>b19ff43</code></a> refactor: resolve download path correctly in artifact download tests (mainly ...</li> <li><a href="https://github.com/actions/download-artifact/commit/e262cbee4ab8c473c61c59a81ad8e9dc760e90db"><code>e262cbe</code></a> bundle dist</li> <li><a href="https://github.com/actions/download-artifact/commit/bff23f9308ceb2f06d673043ea6311519be6a87b"><code>bff23f9</code></a> update docs</li> <li><a href="https://github.com/actions/download-artifact/commit/fff8c148a8fdd56aa81fcb019f0b5f6c65700c4d"><code>fff8c14</code></a> fix download path logic when downloading a single artifact by id</li> <li><a href="https://github.com/actions/download-artifact/commit/448e3f862ab3ef47aa50ff917776823c9946035b"><code>448e3f8</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/407">#407</a> from actions/nebuk89-patch-1</li> <li><a href="https://github.com/actions/download-artifact/commit/47225c44b359a5155efdbbbc352041b3e249fb1b"><code>47225c4</code></a> Update README.md</li> <li>See full diff in <a href="https://github.com/actions/download-artifact/compare/v4...v5">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/download-artifact&package-manager=github_actions&previous-version=4&new-version=5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>

…ater in the npm_and_yarn group across 1 directory (#35209) Bumps the npm_and_yarn group with 1 update in the /tools/@aws-cdk/enum-updater directory: [tmp](https://github.com/raszi/node-tmp). Updates `tmp` from 0.2.4 to 0.2.5 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/raszi/node-tmp/commit/3d2fe387f3f91b13830b9182faa02c3231ea8258"><code>3d2fe38</code></a> Bump up the version</li> <li><a href="https://github.com/raszi/node-tmp/commit/e16282879e5d0554fe824e1ab3df724847e91183"><code>e162828</code></a> Merge pull request <a href="https://redirect.github.com/raszi/node-tmp/issues/309">#309</a> from fflorent/fix-tmp-dir-with-dir</li> <li><a href="https://github.com/raszi/node-tmp/commit/b847d2f1a42b625c26149f4a2029ed00a1edf90b"><code>b847d2f</code></a> Fix use of tmp.dir() with <code>dir</code> option</li> <li>See full diff in <a href="https://github.com/raszi/node-tmp/compare/v0.2.4...v0.2.5">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=tmp&package-manager=npm_and_yarn&previous-version=0.2.4&new-version=0.2.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts). </details>

…ry versions (#35215) This change goes together with aws/aws-cdk-cli#782, to undo some decisions made in https://github.com/aws/aws-cdk/pull/35108/files and aws/aws-cdk-cli#742. We used to store `unconfiguredBehavesLike` values for both `v1` and `v2` (and `v3`, `v4`, etc) into the feature flag report, but we only needed to store the value for the *current* library version. We are now defining the "v2" field to hold the current version information, and are updating the feature flag generation code to not emit `v1` data, and stay correct if we ever start releasing `v3`. This is labeled as a `chore` and not a `fix` because it doesn't really fix user-visible behavior. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This PR updates the CDK enum mapping file.

### Issue # (if applicable) ### Reason for this change Test coverage of `json-path.ts` is not enough ### Description of changes ### Describe any new or updated permissions being added - Add unit tests for class and function in `json-path.ts` - Add typescript types ### Description of how you validated changes Pass unit tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.211.0/CHANGELOG.md)

) The feature flag report generated by the core library includes flags that: - Are not configurable for CDKv2 anymore - Whose default value is the same as the recommended value (i.e., they don't need to be configured at all). At the same time, the `recommended-feature-flags.json` file does NOT contain those flags, because they aren't necessary. This means that a newly `cdk init`ed application reports that 18 flags are unconfigured by the user, producing unnecessary warnings. We will address this in 2 parts. - Don't emit flags that don't apply in v2 in the library. - Don't warn about flags where the recommended value is the same as the default value in the CLI. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…35169) ### Issue #35145 Closes #35145. ### Reason for this change The recent fix to Source.jsonData did not work for list tokens such as SSM string list parameters. There was a mistake with the fix that assumed `stack.toJsonString` handled those, when in fact the tokens were serialized by `JSON.stringify`, breaking the token itself. `Token.isUnresolved` does not check all object properties for tokens, so it considered the object resolved and passed it to the regular JSON serializer. ### Description of changes I've rewritten the JSON and YAML serializer such that it will use `stack.toJsonString` whenever it encounteres tokens in any of the object's children. One exception this is if the key in an object is a token, the token is assumed to be a string (because it has to in JSON) and is passed directly. ### Describe any new or updated permissions being added N/A. ### Description of how you validated changes - Unit and Integration tests added. - Via manual inspection of stack in AWS Console, I checked that the JSON result was valid. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ofile (#35033) ### Issue # (if applicable) Closes #35030. ### Reason for this change The `signingProfileName` property set in the AWS CDK's Signer module L2 construct is not being properly propagated to the generated L1 CloudFormation template. This causes AWS Signer profiles to be created without the specified name, which leads to unexpected behavior and difficulty in managing resources. ### Description of changes - Modified the `SigningProfile` class constructor to pass `this.physicalName` to the L1 `CfnSigningProfile` resource's `profileName` property - Updated unit tests to explicitly verify that the `ProfileName` property is correctly included in the CloudFormation template when `signingProfileName` is provided, and absent when not provided These changes ensure that when a user specifies a `signingProfileName`, it will be included in the generated CloudFormation template as the `ProfileName` property. The fix maintains backward compatibility and doesn't introduce any breaking changes to the API. ### Describe any new or updated permissions being added No new or updated IAM permissions are needed for this change. ### Description of how you validated changes - Updated existing unit tests to verify the fix - Verified that the existing integration test for SigningProfile with a name works correctly - Manually tested with a simple test application that uses SigningProfile with signingProfileName ### Why we need a FF to avoid BC If we had specified a `signingProfileName` in their SigningProfile construct, the CloudFormation template will now include this name as the ProfileName property. Previously, this name was ignored in the CloudFormation template, causing CloudFormation to auto-generate a name for the signing profile. Upon deployment with the updated CDK version, CloudFormation will detect this as a change and will: Create a new signing profile with the specified name. Delete the old signing profile that had an auto-generated name This replacement of the signing profile can break existing references to the profile and disrupt workflows that depend on the existing profile hence this PR introduced a FF to avoid this. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) n/a ### Reason for this change The core docs currently shown in [the API Reference](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib-readme.html) (as of before this PR is merged), is the one at [packages/aws-cdk-lib/README.md](https://github.com/aws/aws-cdk/blob/aaaa9cc330ea1e2854e764e164fe432aeb8606ca/packages/aws-cdk-lib/README.md) and not [packages/aws-cdk-lib/core/README.md](https://github.com/aws/aws-cdk/blob/aaaa9cc330ea1e2854e764e164fe432aeb8606ca/packages/aws-cdk-lib/core/README.md). Both have a lot of duplication, but there is content that has been added to the core README that is missing from the main doc. [A long time ago](#14280) we enforced both files to have the have the same content, but this got lost in the [big repo remodel of 2023](#24376). ### Description of changes I'm removing the core README.md in favor of the top-level one. All missing content has been backported and some additional fixes where made. ### Describe any new or updated permissions being added n/a ### Description of how you validated changes I checked and none of the places we publish to uses the current core README.md. This is because the contents get dropped as part of the jsii compilation and doesn't end up in the jsii assembly. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Reason for this change Priority field is not set from the item (issue or PR) labels. ### Description of changes Sets the priority field for project items. ### Describe any new or updated permissions being added N/A ### Description of how you validated changes Unit tests and manual testing. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

## Description This PR fixes issue #33593 where the Lambda autoscaling example in the documentation has an incorrect import. ### Current Behavior The example imports `Schedule` from `aws-cdk-lib/aws-autoscaling` which generates a raw cron expression (`0 8 * * *`). ### Issue When using `aws-autoscaling.Schedule.cron()`, the generated CloudFormation template contains a raw cron expression (`Schedule: 0 8 * * *`) which is incompatible with the `AWS::ApplicationAutoScaling::ScalableTarget` resource. This resource requires the cron expression to be wrapped with `cron(...)` and also needs the AWS-specific format with `?` character. ### Fix The correct import should be from `aws-cdk-lib/aws-applicationautoscaling` which generates the proper format (`Schedule: cron(0 8 * * ? *)`) required by `AWS::ApplicationAutoScaling::ScalableTarget`. fixes #33593 ### Description of how you validated changes I created a test CDK app to replicate the issue by implementing two stacks: 1. A stack using the incorrect import (`aws-autoscaling`), which generated: Schedule: 0 8 * * * 2. A stack using the correct import (aws-applicationautoscaling ), which generated: Schedule: cron(0 8 * * ? *) This confirmed that the incorrect import produces an incompatible cron expression format that would fail during CloudFormation deployment. I also verified that the test file ( packages/aws-cdk-lib/aws-lambda/test/integ.autoscaling.lit.ts ) was already using the correct import, which further confirms this is the right approach. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… rebalancing default values (#35233) Reverts PR #35156 due to a related incorrect response returned by DescribeServices. ### Issue # (if applicable) Closes #<issue number here>. ### Reason for this change ### Description of changes ### Describe any new or updated permissions being added ### Description of how you validated changes ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.

…ses causes 500s (#34787) ### Issue # (if applicable) Closes #34777 ### Reason for this change The StepFunctions integration in API Gateway has an invalid VTL (Velocity Template Language) response template for 500 errors that generates malformed JSON, causing API Gateway to throw transformation errors instead of properly handling error responses. ### Description of changes - **Fixed invalid VTL template** in `stepfunctions.ts:217-219` - Changed from invalid string to proper JSON object structure - **Updated test expectations** in `stepfunctions.test.ts:561-563` and `stepfunctions-api.test.ts:285-291` - Tests now expect corrected JSON template - **Updated integration test snapshots** - CloudFormation templates now reflect corrected VTL structure **Technical Details:** - Changed 500 response template from `'"error": $input.path(\'$.error\')'` (invalid JSON string) - To `'{"error": "$input.path(\'$.error\')"}'` (valid JSON object) - Template now matches the established pattern used in the 400 response template - Ensures API Gateway can properly transform error responses without throwing 500 errors ### Describe any new or updated permissions being added N/A - No IAM permissions changes required. This is a template formatting fix. ### Description of how you validated changes - **Comprehensive unit testing**: All 19 StepFunctions-related tests passing (14 integration + 5 API tests) - **Module build verification**: Confirmed build completes successfully with no linting violations - **Integration testing**: Executed all 36 API Gateway integration tests with CloudFormation verification - **AWS deployment validation**: Real AWS deployment tests confirm templates work correctly - **Template validation**: Confirmed new template generates valid JSON structure matching 400 response pattern - **Regression testing**: 34/36 integration tests unchanged, confirming no impact to other functionality **Comprehensive Test Results:** ```bash # Unit Tests - All Passing ✓ StepFunctionsIntegration suite: 14/14 tests passing ✓ StepFunctionsAPI suite: 5/5 tests passing ✓ Build completes successfully with no linting violations # Integration Tests - Comprehensive Coverage ✓ Total integration tests run: 36 tests ✓ Unchanged tests: 34/36 (confirms no regressions) ✓ Changed tests: 2/36 (expected - VTL template fix) - integ.stepfunctions-api.js: CHANGED (snapshot updated) - integ.stepfunctions-startexecution-without-default-method-responses.js: CHANGED (snapshot updated) # AWS Deployment Validation ✓ integ.stepfunctions-api: 108.7s successful AWS deployment ✓ integ.stepfunctions-startexecution-without-default-method-responses: 112.0s successful AWS deployment ✓ CloudFormation templates generate valid JSON: {"error": "$input.path('$.error')"} ✓ Real AWS integration confirms fix resolves transformation errors ``` **CloudFormation Impact Verified:** - AWS::ApiGateway::Method IntegrationResponses now contain valid JSON templates - Before: `"application/json": "\"error\": $input.path('$.error')"` (invalid JSON string) - After: `"application/json": "{\n \"error\": \"$input.path('$.error')\"\n }"` (valid JSON object) - Integration test snapshots updated to reflect corrected templates **Regression Testing:** - 34 out of 36 integration tests remained unchanged, confirming no impact to other API Gateway functionality - Cross-module impact assessment: No regressions detected in related modules - Performance impact: No performance degradation - template change is purely structural ## ⚠️ Breaking Change Notice **API Gateway Deployment Replacement Required** This change modifies the integration response template format, which will cause API Gateway deployments to be replaced during stack updates. ### What's Changing - **Before**: `"application/json": "\"error\": $input.path('$.error')"` - **After**: `"application/json": "{\n \"error\": \"$input.path('$.error')\"\n }"` ### Impact - **Deployment**: API Gateway deployments will be replaced (not updated in-place) - **Downtime**: Minimal - replacement happens during CloudFormation update - **Response Format**: Error responses now return proper JSON objects instead of quoted strings ### Affected Resources - `AWS::ApiGateway::Deployment` resources in integration tests - `AWS::ApiGateway::Stage` resources (due to deployment reference changes) ### Migration Notes - No manual intervention required - Existing stacks will automatically replace deployments on next update - Error response format improves from `"error message"` to `{"error": "error message"}` ### Testing - [x] Integration tests pass with new response format - [x] Verified proper JSON structure in error responses - [x] Confirmed deployment replacement behavior in test environments ## Feature Flag Assessment: ❌ Not Required **Rationale**: - Bug fix for malformed JSON response format - Infrastructure-level change with minimal API impact - Improves response consistency and standards compliance - No new functionality being introduced **Risk Level**: Low - Response format improvement only ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) --- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Reduces number of rosetta errors ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…-apigatewayv2 (WebSocketApi) (#35060) ### Issue # (if applicable) Closes #28756. ### Reason for this change Couldn't create `UsagePlans` and `ApiKeys` for `WebSocketApi` (`apigatewayv2`) using L2 constructs, cause these 2 features were supported only by `RestApi` (`apigatewayv1`). ### Description of changes `HttpApi`(`apigatewayv2`) doesn't permit creating `UsagePlans` or `ApiKeys` in any way, so bringing these functionalities from `apigatewayv1` to `apigatewayv2` is possible only for `WebSocketApi`. - Added `UsagePlan` and `ApiKey` files in `aws-apigatewayv2/lib/websocket` folder - Implemented needed interfaces, classes and methods very similar to what was written for `RestApi` (`apigatewayv1`) - Included explicit dependency management between components for proper _CloudFormation_ deployment order - Added new _JSDoc_ in order to be able to build the project ### Describe any new or updated permissions being added N/A ### Description of how you validated changes - Tested manually by deploying a stack containing and linking the new features - Wrote unit and integration tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-apigateway │ └ resources │ └[~] resource AWS::ApiGateway::Deployment │ └ types │ └[~] type MethodSetting │ └ - documentation: The `MethodSetting` property type configures settings for all methods in a stage. │ The `MethodSettings` property of the [Amazon API Gateway Deployment StageDescription](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-deployment-stagedescription.html) property type contains a list of `MethodSetting` property types. │ + documentation: The `MethodSetting` property type configures settings for all methods in a stage. If you modify this property type, you must create a new deployment for your API. │ The `MethodSettings` property of the [Amazon API Gateway Deployment StageDescription](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-deployment-stagedescription.html) property type contains a list of `MethodSetting` property types. ├[~] service aws-appintegrations │ └ resources │ └[~] resource AWS::AppIntegrations::Application │ ├ properties │ │ ├[+] ApplicationConfig: ApplicationConfig │ │ ├[+] IframeConfig: IframeConfig │ │ ├[+] InitializationTimeout: integer │ │ └[+] IsService: boolean (default=false) │ └ types │ ├[+] type ApplicationConfig │ │ ├ name: ApplicationConfig │ │ └ properties │ │ └ ContactHandling: ContactHandling │ ├[+] type ContactHandling │ │ ├ name: ContactHandling │ │ └ properties │ │ └ Scope: string (required) │ └[+] type IframeConfig │ ├ name: IframeConfig │ └ properties │ ├ Allow: Array<string> │ └ Sandbox: Array<string> ├[~] service aws-arcregionswitch │ └ resources │ └[~] resource AWS::ARCRegionSwitch::Plan │ ├ attributes │ │ └[+] Route53HealthChecks: Route53HealthChecks │ └ types │ └[+] type Route53HealthChecks │ ├ name: Route53HealthChecks │ └ properties │ ├ HealthCheckIds: Array<string> │ ├ RecordNames: Array<string> │ ├ Regions: Array<string> │ └ HostedZoneIds: Array<string> ├[~] service aws-batch │ └ resources │ └[~] resource AWS::Batch::JobDefinition │ └ types │ └[~] type RuntimePlatform │ └ properties │ ├ CpuArchitecture: (documentation changed) │ └ OperatingSystemFamily: (documentation changed) ├[~] service aws-billingconductor │ └ resources │ └[~] resource AWS::BillingConductor::CustomLineItem │ └ types │ └[~] type LineItemFilter │ ├ - documentation: A representation of the line item filter for your custom line item. You can use line item filters to include or exclude specific resource values from the billing group's total cost. For example, if you create a custom line item and you want to filter out a value, such as Savings Plan discounts, you can update `LineItemFilter` to exclude it. │ │ + documentation: A representation of the line item filter for your custom line item. You can use line item filters to include or exclude specific resource values from the billing group's total cost. For example, if you create a custom line item and you want to filter out a value, such as Savings Plans discounts, you can update `LineItemFilter` to exclude it. │ └ properties │ └ Values: (documentation changed) ├[~] service aws-cloudfront │ └ resources │ ├[~] resource AWS::CloudFront::Distribution │ │ └ types │ │ └[~] type CustomOriginConfig │ │ └ properties │ │ └[+] IpAddressType: string │ └[~] resource AWS::CloudFront::Function │ └ properties │ └ Name: - string (required) │ + string (required, immutable) ├[~] service aws-codebuild │ └ resources │ └[~] resource AWS::CodeBuild::Project │ └ types │ ├[~] type ProjectTriggers │ │ └ properties │ │ └[+] PullRequestBuildPolicy: PullRequestBuildPolicy │ └[+] type PullRequestBuildPolicy │ ├ name: PullRequestBuildPolicy │ └ properties │ ├ RequiresCommentApproval: string (required) │ └ ApproverRoles: Array<string> ├[~] service aws-codepipeline │ └ resources │ └[~] resource AWS::CodePipeline::Webhook │ ├ properties │ │ └ TargetPipelineVersion: - integer (required) │ │ + integer │ └ attributes │ └ Id: (documentation changed) ├[~] service aws-connect │ └ resources │ ├[~] resource AWS::Connect::PredefinedAttribute │ │ └ properties │ │ └ Values: - Values (required) │ │ + Values │ └[~] resource AWS::Connect::User │ └ types │ └[~] type UserPhoneConfig │ └ properties │ └[+] PersistentConnection: boolean ├[~] service aws-deadline │ └ resources │ └[~] resource AWS::Deadline::Fleet │ ├ attributes │ │ └[+] StatusMessage: string │ └ types │ ├[~] type ServiceManagedEc2FleetConfiguration │ │ └ properties │ │ └ VpcConfiguration: (documentation changed) │ └[~] type VpcConfiguration │ ├ - documentation: undefined │ │ + documentation: The configuration options for a service managed fleet's VPC. │ └ properties │ └ ResourceConfigurationArns: (documentation changed) ├[~] service aws-dynamodb │ └ resources │ ├[~] resource AWS::DynamoDB::GlobalTable │ │ └ types │ │ └[~] type ContributorInsightsSpecification │ │ └ properties │ │ └[+] Mode: string │ └[~] resource AWS::DynamoDB::Table │ └ types │ └[~] type ContributorInsightsSpecification │ └ properties │ └[+] Mode: string ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::EC2Fleet │ │ └ types │ │ └[~] type Placement │ │ └ properties │ │ └ AvailabilityZone: (documentation changed) │ ├[+] resource AWS::EC2::IpPoolRouteTableAssociation │ │ ├ name: IpPoolRouteTableAssociation │ │ │ cloudFormationType: AWS::EC2::IpPoolRouteTableAssociation │ │ │ documentation: Resource Type definition for AWS::EC2::IpPoolRouteTableAssociation │ │ ├ properties │ │ │ ├ PublicIpv4Pool: string (required, immutable) │ │ │ └ RouteTableId: string (required, immutable) │ │ └ attributes │ │ └ AssociationId: string │ ├[~] resource AWS::EC2::LaunchTemplate │ │ └ types │ │ ├[~] type ElasticGpuSpecification │ │ │ ├ - documentation: > Amazon Elastic Graphics reached end of life on January 8, 2024. │ │ │ │ Specifies a specification for an Elastic GPU for an Amazon EC2 launch template. │ │ │ │ `ElasticGpuSpecification` is a property of [AWS::EC2::LaunchTemplate LaunchTemplateData](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html) . │ │ │ │ + documentation: undefined │ │ │ └ properties │ │ │ └ Type: (documentation changed) │ │ ├[~] type LaunchTemplateData │ │ │ └ properties │ │ │ ├ ElasticGpuSpecifications: (documentation changed) │ │ │ └ ElasticInferenceAccelerators: (documentation changed) │ │ ├[~] type LaunchTemplateElasticInferenceAccelerator │ │ │ ├ - documentation: > Amazon Elastic Inference is no longer available. │ │ │ │ Specifies an elastic inference accelerator. │ │ │ │ `LaunchTemplateElasticInferenceAccelerator` is a property of [AWS::EC2::LaunchTemplate LaunchTemplateData](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html) . │ │ │ │ + documentation: undefined │ │ │ └ properties │ │ │ ├ Count: (documentation changed) │ │ │ └ Type: (documentation changed) │ │ ├[~] type NetworkInterface │ │ │ └ properties │ │ │ └ EnaQueueCount: (documentation changed) │ │ └[~] type Placement │ │ └ properties │ │ └ AvailabilityZone: (documentation changed) │ └[~] resource AWS::EC2::Volume │ └ properties │ └ AvailabilityZone: (documentation changed) ├[~] service aws-ecs │ └ resources │ └[~] resource AWS::ECS::CapacityProvider │ └ types │ └[~] type ManagedScaling │ └ properties │ └ MinimumScalingStepSize: (documentation changed) ├[~] service aws-eks │ └ resources │ └[~] resource AWS::EKS::Cluster │ └ properties │ └ DeletionProtection: (documentation changed) ├[~] service aws-elasticloadbalancingv2 │ └ resources │ └[~] resource AWS::ElasticLoadBalancingV2::LoadBalancer │ └ types │ └[~] type LoadBalancerAttribute │ └ properties │ └ Key: (documentation changed) ├[~] service aws-gameliftstreams │ └ resources │ ├[~] resource AWS::GameLiftStreams::Application │ │ └ types │ │ └[~] type RuntimeEnvironment │ │ └ - documentation: Configuration settings that identify the operating system for an application resource. This can also include a compatibility layer and other drivers. │ │ A runtime environment can be one of the following: │ │ - For Linux applications │ │ - Ubuntu 22.04 LTS ( `Type=UBUNTU, Version=22_04_LTS` ) │ │ - For Windows applications │ │ - Microsoft Windows Server 2022 Base ( `Type=WINDOWS, Version=2022` ) │ │ - Proton 8.0-5 ( `Type=PROTON, Version=20241007` ) │ │ - Proton 8.0-2c ( `Type=PROTON, Version=20230704` ) │ │ + documentation: Configuration settings that identify the operating system for an application resource. This can also include a compatibility layer and other drivers. │ │ A runtime environment can be one of the following: │ │ - For Linux applications │ │ - Ubuntu 22.04 LTS ( `Type=UBUNTU, Version=22_04_LTS` ) │ │ - For Windows applications │ │ - Microsoft Windows Server 2022 Base ( `Type=WINDOWS, Version=2022` ) │ │ - Proton 9.0-2 ( `Type=PROTON, Version=20250516` ) │ │ - Proton 8.0-5 ( `Type=PROTON, Version=20241007` ) │ │ - Proton 8.0-2c ( `Type=PROTON, Version=20230704` ) │ └[~] resource AWS::GameLiftStreams::StreamGroup │ ├ - documentation: The `AWS::GameLiftStreams::StreamGroup` resource defines a group of compute resources that will be running and streaming your game. When you create a stream group, you specify the hardware configuration (CPU, GPU, RAM) that will run your game (known as the *stream class* ), the geographical locations where your game can run, and the number of streams that can run simultaneously in each location (known as *stream capacity* ). Stream groups manage how Amazon GameLift Streams allocates resources and handles concurrent streams, allowing you to effectively manage capacity and costs. │ │ There are two types of stream capacity: always-on and on-demand. │ │ - *Always-on* : The streaming capacity that is allocated and ready to handle stream requests without delay. You pay for this capacity whether it's in use or not. Best for quickest time from streaming request to streaming session. │ │ - *On-demand* : The streaming capacity that Amazon GameLift Streams can allocate in response to stream requests, and then de-allocate when the session has terminated. This offers a cost control measure at the expense of a greater startup time (typically under 5 minutes). │ │ > Application association is not currently supported in AWS CloudFormation . To link additional applications to a stream group, use the Amazon GameLift Streams console or the AWS CLI . │ │ + documentation: The `AWS::GameLiftStreams::StreamGroup` resource defines a group of compute resources that will be running and streaming your game. When you create a stream group, you specify the hardware configuration (CPU, GPU, RAM) that will run your game (known as the *stream class* ), the geographical locations where your game can run, and the number of streams that can run simultaneously in each location (known as *stream capacity* ). Stream groups manage how Amazon GameLift Streams allocates resources and handles concurrent streams, allowing you to effectively manage capacity and costs. │ │ There are two types of stream capacity: always-on and on-demand. │ │ - *Always-on* : The streaming capacity that is allocated and ready to handle stream requests without delay. You pay for this capacity whether it's in use or not. Best for quickest time from streaming request to streaming session. Default is 1 when creating a stream group or adding a location. │ │ - *On-demand* : The streaming capacity that Amazon GameLift Streams can allocate in response to stream requests, and then de-allocate when the session has terminated. This offers a cost control measure at the expense of a greater startup time (typically under 5 minutes). Default is 0 when creating a stream group or adding a location. │ │ > Application association is not currently supported in AWS CloudFormation . To link additional applications to a stream group, use the Amazon GameLift Streams console or the AWS CLI . │ └ types │ └[~] type LocationConfiguration │ └ properties │ ├ AlwaysOnCapacity: (documentation changed) │ └ OnDemandCapacity: (documentation changed) ├[~] service aws-glue │ └ resources │ └[~] resource AWS::Glue::Job │ └ properties │ └ WorkerType: (documentation changed) ├[~] service aws-guardduty │ └ resources │ ├[+] resource AWS::GuardDuty::ThreatEntitySet │ │ ├ name: ThreatEntitySet │ │ │ cloudFormationType: AWS::GuardDuty::ThreatEntitySet │ │ │ documentation: Resource Type definition for AWS::GuardDuty::ThreatEntitySet │ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ ├ properties │ │ │ ├ Format: string (required, immutable) │ │ │ ├ Activate: boolean │ │ │ ├ DetectorId: string (immutable) │ │ │ ├ Name: string │ │ │ ├ Location: string (required) │ │ │ ├ ExpectedBucketOwner: string │ │ │ └ Tags: Array<TagItem> │ │ ├ attributes │ │ │ ├ Id: string │ │ │ ├ Status: string │ │ │ ├ CreatedAt: string │ │ │ ├ UpdatedAt: string │ │ │ └ ErrorDetails: string │ │ └ types │ │ └ type TagItem │ │ ├ name: TagItem │ │ └ properties │ │ ├ Key: string (required) │ │ └ Value: string (required) │ └[+] resource AWS::GuardDuty::TrustedEntitySet │ ├ name: TrustedEntitySet │ │ cloudFormationType: AWS::GuardDuty::TrustedEntitySet │ │ documentation: Resource Type definition for AWS::GuardDuty::TrustedEntitySet │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ ├ properties │ │ ├ Format: string (required, immutable) │ │ ├ Activate: boolean │ │ ├ DetectorId: string (immutable) │ │ ├ Name: string │ │ ├ Location: string (required) │ │ ├ ExpectedBucketOwner: string │ │ └ Tags: Array<TagItem> │ ├ attributes │ │ ├ Id: string │ │ ├ Status: string │ │ ├ CreatedAt: string │ │ ├ UpdatedAt: string │ │ └ ErrorDetails: string │ └ types │ └ type TagItem │ ├ name: TagItem │ └ properties │ ├ Key: string (required) │ └ Value: string (required) ├[~] service aws-imagebuilder │ └ resources │ ├[~] resource AWS::ImageBuilder::Component │ │ └ properties │ │ └ KmsKeyId: (documentation changed) │ ├[~] resource AWS::ImageBuilder::ContainerRecipe │ │ ├ properties │ │ │ └ KmsKeyId: (documentation changed) │ │ └ types │ │ └[~] type EbsInstanceBlockDeviceSpecification │ │ └ properties │ │ └ KmsKeyId: (documentation changed) │ ├[~] resource AWS::ImageBuilder::DistributionConfiguration │ │ └ types │ │ └[~] type AmiDistributionConfiguration │ │ └ properties │ │ └ KmsKeyId: (documentation changed) │ ├[~] resource AWS::ImageBuilder::ImageRecipe │ │ └ types │ │ ├[~] type EbsInstanceBlockDeviceSpecification │ │ │ └ properties │ │ │ └ KmsKeyId: (documentation changed) │ │ └[~] type SystemsManagerAgent │ │ └ properties │ │ └ UninstallAfterBuild: (documentation changed) │ └[~] resource AWS::ImageBuilder::Workflow │ └ properties │ └ KmsKeyId: (documentation changed) ├[~] service aws-inspectorv2 │ └ resources │ ├[+] resource AWS::InspectorV2::CodeSecurityIntegration │ │ ├ name: CodeSecurityIntegration │ │ │ cloudFormationType: AWS::InspectorV2::CodeSecurityIntegration │ │ │ documentation: Inspector CodeSecurityIntegration resource schema │ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"map"} │ │ ├ properties │ │ │ ├ Name: string │ │ │ ├ Type: string │ │ │ ├ CreateIntegrationDetails: CreateDetails (immutable) │ │ │ ├ UpdateIntegrationDetails: UpdateDetails │ │ │ └ Tags: Map<string, string> (immutable) │ │ ├ attributes │ │ │ ├ Arn: string │ │ │ ├ Status: string │ │ │ ├ StatusReason: string │ │ │ ├ AuthorizationUrl: string │ │ │ ├ CreatedAt: string │ │ │ └ LastUpdatedAt: string │ │ └ types │ │ ├ type CreateDetails │ │ │ ├ name: CreateDetails │ │ │ └ properties │ │ │ └ gitlabSelfManaged: CreateGitLabSelfManagedIntegrationDetail (required) │ │ ├ type CreateGitLabSelfManagedIntegrationDetail │ │ │ ├ name: CreateGitLabSelfManagedIntegrationDetail │ │ │ └ properties │ │ │ ├ instanceUrl: string (required) │ │ │ └ accessToken: string (required) │ │ ├ type UpdateDetails │ │ │ ├ name: UpdateDetails │ │ │ └ properties │ │ │ ├ gitlabSelfManaged: UpdateGitLabSelfManagedIntegrationDetail │ │ │ └ github: UpdateGitHubIntegrationDetail │ │ ├ type UpdateGitHubIntegrationDetail │ │ │ ├ name: UpdateGitHubIntegrationDetail │ │ │ └ properties │ │ │ ├ code: string (required) │ │ │ └ installationId: string (required) │ │ └ type UpdateGitLabSelfManagedIntegrationDetail │ │ ├ name: UpdateGitLabSelfManagedIntegrationDetail │ │ └ properties │ │ └ authCode: string (required) │ └[+] resource AWS::InspectorV2::CodeSecurityScanConfiguration │ ├ name: CodeSecurityScanConfiguration │ │ cloudFormationType: AWS::InspectorV2::CodeSecurityScanConfiguration │ │ documentation: Inspector CodeSecurityScanConfiguration resource schema │ │ tagInformation: {"tagPropertyName":"Tags","variant":"map"} │ ├ properties │ │ ├ Name: string (immutable) │ │ ├ Level: string (immutable) │ │ ├ Configuration: CodeSecurityScanConfiguration │ │ ├ ScopeSettings: ScopeSettings (immutable) │ │ └ Tags: Map<string, string> (immutable) │ ├ attributes │ │ └ Arn: string │ └ types │ ├ type CodeSecurityScanConfiguration │ │ ├ name: CodeSecurityScanConfiguration │ │ └ properties │ │ ├ periodicScanConfiguration: PeriodicScanConfiguration │ │ ├ continuousIntegrationScanConfiguration: ContinuousIntegrationScanConfiguration │ │ └ ruleSetCategories: Array<string> (required) │ ├ type ContinuousIntegrationScanConfiguration │ │ ├ name: ContinuousIntegrationScanConfiguration │ │ └ properties │ │ └ supportedEvents: Array<string> (required) │ ├ type PeriodicScanConfiguration │ │ ├ name: PeriodicScanConfiguration │ │ └ properties │ │ ├ frequency: string │ │ └ frequencyExpression: string │ └ type ScopeSettings │ ├ name: ScopeSettings │ └ properties │ └ projectSelectionScope: string ├[~] service aws-ivs │ └ resources │ └[~] resource AWS::IVS::Stage │ └ types │ └[~] type ThumbnailConfiguration │ └ - documentation: A complex type that allows you to enable/disable the recording of thumbnails for individual participant recording and modify the interval at which thumbnails are generated for the live session. │ + documentation: An object representing a configuration of thumbnails for recorded video. ├[~] service aws-omics │ └ resources │ └[~] resource AWS::Omics::WorkflowVersion │ └ - documentation: Creates a new workflow version for the workflow that you specify with the `workflowId` parameter. │ When you create a new version of a workflow, you need to specify the configuration for the new version. It doesn't inherit any configuration values from the workflow. │ Provide a version name that is unique for this workflow. You cannot change the name after HealthOmics creates the version. │ > Don’t include any personally identifiable information (PII) in the version name. Version names appear in the workflow version ARN. │ For more information, see [Workflow versioning in AWS HealthOmics](https://docs.aws.amazon.com/omics/latest/dev/workflow-versions.html) in the *AWS HealthOmics User Guide* . │ + documentation: Creates a new workflow version for the workflow that you specify with the `workflowId` parameter. │ When you create a new version of a workflow, you need to specify the configuration for the new version. It doesn't inherit any configuration values from the workflow. │ Provide a version name that is unique for this workflow. You cannot change the name after HealthOmics creates the version. │ > Don't include any personally identifiable information (PII) in the version name. Version names appear in the workflow version ARN. │ For more information, see [Workflow versioning in AWS HealthOmics](https://docs.aws.amazon.com/omics/latest/dev/workflow-versions.html) in the *AWS HealthOmics User Guide* . ├[~] service aws-opensearchservice │ └ resources │ └[~] resource AWS::OpenSearchService::Domain │ └ types │ ├[~] type AdvancedSecurityOptionsInput │ │ └ properties │ │ └[+] IAMFederationOptions: IAMFederationOptions │ └[+] type IAMFederationOptions │ ├ name: IAMFederationOptions │ └ properties │ ├ Enabled: boolean │ ├ RolesKey: string │ └ SubjectKey: string ├[~] service aws-pcs │ └ resources │ ├[~] resource AWS::PCS::Cluster │ │ └ types │ │ ├[~] type Endpoint │ │ │ └ properties │ │ │ ├ Ipv6Address: (documentation changed) │ │ │ └ PrivateIpAddress: (documentation changed) │ │ └[~] type Networking │ │ ├ - documentation: TThe networking configuration for the cluster's control plane. │ │ │ + documentation: The networking configuration for the cluster's control plane. │ │ └ properties │ │ └ NetworkType: (documentation changed) │ └[~] resource AWS::PCS::Queue │ └ types │ └[~] type ErrorInfo │ └ properties │ └ Message: (documentation changed) ├[~] service aws-quicksight │ └ resources │ └[~] resource AWS::QuickSight::DataSet │ └ types │ ├[~] type CastColumnTypeOperation │ │ └ properties │ │ └ ColumnName: - string (required) │ │ + string │ ├[~] type FilterOperation │ │ └ properties │ │ └ ConditionExpression: - string (required) │ │ + string │ ├[~] type ProjectOperation │ │ └ properties │ │ └ ProjectedColumns: - Array<string> (required) │ │ + Array<string> │ ├[~] type RenameColumnOperation │ │ └ properties │ │ └ ColumnName: - string (required) │ │ + string │ ├[~] type RowLevelPermissionTagRule │ │ └ properties │ │ └ ColumnName: - string (required) │ │ + string │ └[~] type UniqueKey │ └ properties │ └ ColumnNames: - Array<string> (required) │ + Array<string> ├[~] service aws-rds │ └ resources │ ├[~] resource AWS::RDS::DBInstance │ │ └ properties │ │ └[-] StatusInfos: Array<DBInstanceStatusInfo> │ └[~] resource AWS::RDS::DBProxy │ └ properties │ └ DebugLogging: (documentation changed) ├[~] service aws-s3express │ └ resources │ └[~] resource AWS::S3Express::AccessPoint │ └ properties │ └ Tags: (documentation changed) ├[~] service aws-s3tables │ └ resources │ ├[~] resource AWS::S3Tables::TableBucketPolicy │ │ └ - documentation: Creates a new maintenance configuration or replaces an existing table bucket policy for a table bucket. For more information, see [Adding a table bucket policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-bucket-policy.html#table-bucket-policy-add) in the *Amazon Simple Storage Service User Guide* . │ │ - **Permissions** - You must have the `s3tables:PutTableBucketPolicy` permission to use this operation. │ │ + documentation: Creates a new table bucket policy or replaces an existing table bucket policy for a table bucket. For more information, see [Adding a table bucket policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-bucket-policy.html#table-bucket-policy-add) in the *Amazon Simple Storage Service User Guide* . │ │ - **Permissions** - You must have the `s3tables:PutTableBucketPolicy` permission to use this operation. │ └[~] resource AWS::S3Tables::TablePolicy │ └ - documentation: Creates a new maintenance configuration or replaces an existing table policy for a table. For more information, see [Adding a table policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-table-policy.html#table-policy-add) in the *Amazon Simple Storage Service User Guide* . │ - **Permissions** - You must have the `s3tables:PutTablePolicy` permission to use this operation. │ + documentation: Creates a new table policy or replaces an existing table policy for a table. For more information, see [Adding a table policy](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-table-policy.html#table-policy-add) in the *Amazon Simple Storage Service User Guide* . │ - **Permissions** - You must have the `s3tables:PutTablePolicy` permission to use this operation. ├[~] service aws-sagemaker │ └ resources │ ├[~] resource AWS::SageMaker::Cluster │ │ ├ properties │ │ │ └[+] NodeProvisioningMode: string │ │ └ types │ │ └[~] type ClusterInstanceGroup │ │ └ properties │ │ └[+] ImageId: string │ └[~] resource AWS::SageMaker::Domain │ └ types │ └[~] type UnifiedStudioSettings │ └ properties │ └[-] SingleSignOnApplicationArn: string ├[~] service aws-sqs │ └ resources │ └[~] resource AWS::SQS::Queue │ └ properties │ └ MaximumMessageSize: (documentation changed) └[~] service aws-synthetics └ resources └[~] resource AWS::Synthetics::Canary └ types ├[~] type Code │ └ properties │ └[+] Dependencies: Array<Dependency> └[+] type Dependency ├ name: Dependency └ properties ├ Type: string └ Reference: string (required) ``` CHANGES TO L1 RESOURCES: L1 resources are automatically generated from public CloudFormation Resource Schemas. They are build to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed: * **aws-rds**: AWS::RDS::DBInstance:`StatusInfos` property is removed. * **aws-sagemaker**: AWS::SageMaker::Domain: `SingleSignOnApplicationArn` property is removed. * **aws-cloudfront**: AWS::CloudFront::Function: `Name` property is now set as immutable.

mergify · 2025-08-20T09:06:42Z

Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

github-actions · 2025-08-20T09:06:57Z

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

mazyu36 and others added 25 commits August 12, 2025 12:09

chore(enum-updater): update enum static mapping (#35187)

208e666

This PR updates the CDK enum mapping file.

Merge branch 'main' into merge-back/2.211.0

6885ab5

chore(merge-back): 2.211.0 (#35226)

f4ab336

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.211.0/CHANGELOG.md)

chore: npm-check-updates && yarn upgrade (#35206)

46021f5

Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.

chore: add a missing Rosetta dependency (#35269)

aa1f7df

Reduces number of rosetta errors ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

chore(release): 2.212.0

1ac6678

aws-cdk-automation requested a review from a team as a code owner August 20, 2025 08:24

aws-cdk-automation added auto-approve pr/no-squash This PR should be merged instead of squash-merging it labels Aug 20, 2025

aws-cdk-automation requested a review from a team August 20, 2025 08:24

github-actions bot added the p2 label Aug 20, 2025

github-actions bot approved these changes Aug 20, 2025

View reviewed changes

mergify bot added the contribution/core This is a PR that came from AWS. label Aug 20, 2025

aws-cdk-automation requested a deployment to test-pipeline August 20, 2025 08:25 — with GitHub Actions Waiting

mergify bot requested a deployment to test-pipeline August 20, 2025 08:26 Waiting

chore: update analytics metadata blueprints

4f0b0aa

Abogical added pr/do-not-merge This PR should not be merged at this time. and removed auto-approve labels Aug 20, 2025

Abogical requested a deployment to test-pipeline August 20, 2025 08:37 — with GitHub Actions Waiting

Update CHANGELOG.v2.md breaking change notice

29a3ec8

Abogical requested a deployment to test-pipeline August 20, 2025 08:38 — with GitHub Actions Waiting

Abogical added auto-approve and removed pr/do-not-merge This PR should not be merged at this time. labels Aug 20, 2025

Abogical requested a deployment to test-pipeline August 20, 2025 08:39 — with GitHub Actions Waiting

Abogical requested a deployment to test-pipeline August 20, 2025 08:40 — with GitHub Actions Waiting

mergify bot merged commit 7b92895 into v2-release Aug 20, 2025
24 of 27 checks passed

mergify bot deleted the bump/2.212.0 branch August 20, 2025 09:06

github-actions bot locked as resolved and limited conversation to collaborators Aug 20, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(release): 2.212.0 #35278

chore(release): 2.212.0 #35278

Uh oh!

aws-cdk-automation commented Aug 20, 2025 •

edited

Loading

Uh oh!

mergify bot commented Aug 20, 2025

Uh oh!

Uh oh!

github-actions bot commented Aug 20, 2025

Uh oh!

Uh oh!

chore(release): 2.212.0 #35278

chore(release): 2.212.0 #35278

Uh oh!

Conversation

aws-cdk-automation commented Aug 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

mergify bot commented Aug 20, 2025

Uh oh!

Uh oh!

github-actions bot commented Aug 20, 2025

Uh oh!

Uh oh!

aws-cdk-automation commented Aug 20, 2025 •

edited

Loading