chore(release): 2.119.0 #28670
Merged
chore(release): 2.119.0 #28670
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
) This change fixes a bad behavior of the asset bundling if we use the SINGLE_FILE asset type with the OUTPUT hash type. Because only the created file is moved and the temporary bundle dir is left over, subsequent bundling runs fail and create empty asset files. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… template changes (#28336) Adds a new flag to diff, `--change-set`, that creates a new changeset and uses it to determine resource replacement. This new flag is on by default. When the flag is set, the following happens: * Resource metadata changes are obscured * Resource changes that do not appear in the changeset are obscured from the diff When the flag is unset, yaml Fn::GetAtt short-form uses are considered equivalent to their long-form counterpart. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[+] service amzn-sdc │ ├ capitalized: SDC │ │ cloudFormationNamespace: AMZN::SDC │ │ name: amzn-sdc │ │ shortName: sdc │ └ resources │ └resource AMZN::SDC::Deployment │ ├ name: Deployment │ │ cloudFormationType: AMZN::SDC::Deployment │ │ documentation: Resource Type definition for AMZN::SDC::Deployment │ ├ properties │ │ ├ConfigName: string (required) │ │ ├S3Bucket: string (required) │ │ ├TargetRegionOverride: string │ │ ├S3Key: string (required, immutable) │ │ ├Stage: string (required) │ │ ├PipelineId: string │ │ └Dimension: string (required) │ └ attributes │ └Id: string ├[~] service aws-appsync │ └ resources │ └[~] resource AWS::AppSync::GraphQLApi │ └ properties │ ├ IntrospectionConfig: (documentation changed) │ ├ QueryDepthLimit: (documentation changed) │ └ ResolverCountLimit: (documentation changed) ├[~] service aws-cloud9 │ └ resources │ └[~] resource AWS::Cloud9::EnvironmentEC2 │ └ properties │ └ ImageId: (documentation changed) ├[~] service aws-cloudfront │ └ resources │ └[~] resource AWS::CloudFront::Function │ └ types │ ├[~] type FunctionConfig │ │ └ properties │ │ └[+] KeyValueStoreAssociations: Array<KeyValueStoreAssociation> │ └[+] type KeyValueStoreAssociation │ ├ documentation: The Key Value Store association. │ │ name: KeyValueStoreAssociation │ └ properties │ └KeyValueStoreARN: string (required) ├[~] service aws-cloudtrail │ └ resources │ ├[~] resource AWS::CloudTrail::EventDataStore │ │ └ types │ │ └[~] type AdvancedFieldSelector │ │ └ properties │ │ └ Field: (documentation changed) │ └[~] resource AWS::CloudTrail::Trail │ └ types │ └[~] type AdvancedFieldSelector │ └ properties │ └ Field: (documentation changed) ├[~] service aws-codecommit │ └ resources │ └[~] resource AWS::CodeCommit::Repository │ └ properties │ └ KmsKeyId: (documentation changed) ├[+] service aws-codetest │ ├ capitalized: CodeTest │ │ cloudFormationNamespace: AWS::CodeTest │ │ name: aws-codetest │ │ shortName: codetest │ └ resources │ ├resource AWS::CodeTest::PersistentConfiguration │ │├ name: PersistentConfiguration │ ││ cloudFormationType: AWS::CodeTest::PersistentConfiguration │ ││ documentation: Resource Type definition for AWS::CodeTest::PersistentConfiguration │ │├ properties │ ││ ├Version: string │ ││ ├VpcConfig: VpcConfig │ ││ ├Name: string (immutable) │ ││ └ResultsRoleArn: string (required) │ │├ attributes │ ││ └Id: string │ │└ types │ │ └type VpcConfig │ │ ├ name: VpcConfig │ │ └ properties │ │ ├SecurityGroupIds: Array<string> │ │ └Subnets: Array<string> │ └resource AWS::CodeTest::Series │ ├ name: Series │ │ cloudFormationType: AWS::CodeTest::Series │ │ documentation: Resource Type definition for AWS::CodeTest::Series │ ├ properties │ │ ├PersistentConfigurationId: string (required, immutable) │ │ ├RunDefinition: json (required) │ │ ├State: string (required) │ │ └Name: string (immutable) │ └ attributes │ └Id: string ├[~] service aws-cognito │ └ resources │ └[~] resource AWS::Cognito::UserPool │ └ types │ ├[~] type LambdaConfig │ │ └ properties │ │ └[+] PreTokenGenerationConfig: PreTokenGenerationConfig │ └[+] type PreTokenGenerationConfig │ ├ name: PreTokenGenerationConfig │ └ properties │ ├LambdaVersion: string │ └LambdaArn: string ├[~] service aws-connect │ └ resources │ ├[~] resource AWS::Connect::Instance │ │ └ properties │ │ └ Tags: (documentation changed) │ ├[~] resource AWS::Connect::PhoneNumber │ │ └ properties │ │ ├ CountryCode: - string (required, immutable) │ │ │ + string (immutable) │ │ ├[+] SourcePhoneNumberArn: string (immutable) │ │ └ Type: - string (required, immutable) │ │ + string (immutable) │ ├[+] resource AWS::Connect::PredefinedAttribute │ │ ├ name: PredefinedAttribute │ │ │ cloudFormationType: AWS::Connect::PredefinedAttribute │ │ │ documentation: Textual or numeric value that describes an attribute. │ │ ├ properties │ │ │ ├InstanceArn: string (required, immutable) │ │ │ ├Name: string (required, immutable) │ │ │ └Values: Values (required) │ │ └ types │ │ └type Values │ │ ├ documentation: The values of a predefined attribute. │ │ │ name: Values │ │ └ properties │ │ └StringList: Array<string> │ ├[~] resource AWS::Connect::User │ │ ├ properties │ │ │ └[+] UserProficiencies: Array<UserProficiency> │ │ └ types │ │ └[+] type UserProficiency │ │ ├ documentation: > A predefined attribute must be created before using `UserProficiencies` in the Cloudformation *User* template. For more information, see [Predefined attributes](https://docs.aws.amazon.com/connect/latest/adminguide/predefined-attributes.html) . │ │ │ Proficiency of a user. │ │ │ name: UserProficiency │ │ └ properties │ │ ├AttributeName: string (required) │ │ ├AttributeValue: string (required) │ │ └Level: number (required) │ └[~] resource AWS::Connect::UserHierarchyGroup │ └ properties │ └ Tags: (documentation changed) ├[~] service aws-docdb │ └ resources │ └[+] resource AWS::DocDB::EventSubscription │ ├ name: EventSubscription │ │ cloudFormationType: AWS::DocDB::EventSubscription │ │ documentation: Creates an Amazon DocumentDB event notification subscription. This action requires a topic Amazon Resource Name (ARN) created by using the Amazon DocumentDB console, the Amazon SNS console, or the Amazon SNS API. To obtain an ARN with Amazon SNS, you must create a topic in Amazon SNS and subscribe to the topic. The ARN is displayed in the Amazon SNS console. │ │ You can specify the type of source ( `SourceType` ) that you want to be notified of. You can also provide a list of Amazon DocumentDB sources ( `SourceIds` ) that trigger the events, and you can provide a list of event categories ( `EventCategories` ) for events that you want to be notified of. For example, you can specify `SourceType = db-instance` , `SourceIds = mydbinstance1, mydbinstance2` and `EventCategories = Availability, Backup` . │ │ If you specify both the `SourceType` and `SourceIds` (such as `SourceType = db-instance` and `SourceIdentifier = myDBInstance1` ), you are notified of all the `db-instance` events for the specified source. If you specify a `SourceType` but do not specify a `SourceIdentifier` , you receive notice of the events for that source type for all your Amazon DocumentDB sources. If you do not specify either the `SourceType` or the `SourceIdentifier` , you are notified of events generated from all Amazon DocumentDB sources belonging to your customer account. │ ├ properties │ │ ├SourceType: string │ │ ├Enabled: boolean │ │ ├EventCategories: Array<string> │ │ ├SubscriptionName: string (immutable) │ │ ├SnsTopicArn: string (required, immutable) │ │ └SourceIds: Array<string> │ └ attributes │ └Id: string ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::LaunchTemplate │ │ └ types │ │ └[~] type MaintenanceOptions │ │ └ properties │ │ └[+] RebootMigration: string │ ├[~] resource AWS::EC2::NetworkInterface │ │ ├ properties │ │ │ └[+] EnablePrimaryIpv6: boolean │ │ └ attributes │ │ └[+] PrimaryIpv6Address: string │ ├[~] resource AWS::EC2::Subnet │ │ └ properties │ │ ├[+] Ipv4IpamPoolId: string (immutable) │ │ ├[+] Ipv4NetmaskLength: integer (immutable) │ │ ├[+] Ipv6IpamPoolId: string (immutable) │ │ └[+] Ipv6NetmaskLength: integer (immutable) │ └[~] resource AWS::EC2::SubnetCidrBlock │ └ properties │ ├ Ipv6CidrBlock: - string (required, immutable) │ │ + string (immutable) │ ├[+] Ipv6IpamPoolId: string (immutable) │ └[+] Ipv6NetmaskLength: integer (immutable) ├[~] service aws-emrserverless │ └ resources │ └[~] resource AWS::EMRServerless::Application │ └ types │ ├[~] type CloudWatchLoggingConfiguration │ │ ├ - documentation: undefined │ │ │ + documentation: The Amazon CloudWatch configuration for monitoring logs. You can configure your jobs to send log information to CloudWatch . │ │ └ properties │ │ ├ Enabled: (documentation changed) │ │ ├ EncryptionKeyArn: (documentation changed) │ │ ├ LogGroupName: (documentation changed) │ │ └ LogStreamNamePrefix: (documentation changed) │ └[~] type MonitoringConfiguration │ └ properties │ └ CloudWatchLoggingConfiguration: (documentation changed) ├[~] service aws-events │ └ resources │ ├[~] resource AWS::Events::EventBus │ │ └ - documentation: Creates a new event bus within your account. This can be a custom event bus which you can use to receive events from your custom applications and services, or it can be a partner event bus which can be matched to a partner event source. │ │ + documentation: Specifies an event bus within your account. This can be a custom event bus which you can use to receive events from your custom applications and services, or it can be a partner event bus which can be matched to a partner event source. │ │ > As an aid to help you jumpstart developing CloudFormation templates, the EventBridge console enables you to create templates from the existing event buses in your account. For more information, see [Generating CloudFormation templates from an EventBridge event bus](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-generate-event-bus-template.html) in the *Amazon EventBridge User Guide* . │ └[~] resource AWS::Events::Rule │ ├ - documentation: Creates or updates the specified rule. Rules are enabled by default, or based on value of the state. You can disable a rule using [DisableRule](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html) . │ │ A single rule watches for events from a single event bus. Events generated by AWS services go to your account's default event bus. Events generated by SaaS partner services or applications go to the matching partner event bus. If you have custom applications or services, you can specify whether their events go to your default event bus or a custom event bus that you have created. For more information, see [CreateEventBus](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_CreateEventBus.html) . │ │ If you are updating an existing rule, the rule is replaced with what you specify in this `PutRule` command. If you omit arguments in `PutRule` , the old values for those arguments are not kept. Instead, they are replaced with null values. │ │ When you create or update a rule, incoming events might not immediately start matching to new or updated rules. Allow a short period of time for changes to take effect. │ │ A rule must contain at least an EventPattern or ScheduleExpression. Rules with EventPatterns are triggered when a matching event is observed. Rules with ScheduleExpressions self-trigger based on the given schedule. A rule can have both an EventPattern and a ScheduleExpression, in which case the rule triggers on matching events as well as on a schedule. │ │ Most services in AWS treat : or / as the same character in Amazon Resource Names (ARNs). However, EventBridge uses an exact match in event patterns and rules. Be sure to use the correct ARN characters when creating event patterns so that they match the ARN syntax in the event you want to match. │ │ In EventBridge, it is possible to create rules that lead to infinite loops, where a rule is fired repeatedly. For example, a rule might detect that ACLs have changed on an S3 bucket, and trigger software to change them to the desired state. If the rule is not written carefully, the subsequent change to the ACLs fires the rule again, creating an infinite loop. │ │ To prevent this, write the rules so that the triggered actions do not re-fire the same rule. For example, your rule could fire only if ACLs are found to be in a bad state, instead of after any change. │ │ An infinite loop can quickly cause higher than expected charges. We recommend that you use budgeting, which alerts you when charges exceed your specified limit. For more information, see [Managing Your Costs with Budgets](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/budgets-managing-costs.html) . │ │ + documentation: Creates or updates the specified rule. Rules are enabled by default, or based on value of the state. You can disable a rule using [DisableRule](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html) . │ │ A single rule watches for events from a single event bus. Events generated by AWS services go to your account's default event bus. Events generated by SaaS partner services or applications go to the matching partner event bus. If you have custom applications or services, you can specify whether their events go to your default event bus or a custom event bus that you have created. For more information, see [CreateEventBus](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_CreateEventBus.html) . │ │ If you are updating an existing rule, the rule is replaced with what you specify in this `PutRule` command. If you omit arguments in `PutRule` , the old values for those arguments are not kept. Instead, they are replaced with null values. │ │ When you create or update a rule, incoming events might not immediately start matching to new or updated rules. Allow a short period of time for changes to take effect. │ │ A rule must contain at least an EventPattern or ScheduleExpression. Rules with EventPatterns are triggered when a matching event is observed. Rules with ScheduleExpressions self-trigger based on the given schedule. A rule can have both an EventPattern and a ScheduleExpression, in which case the rule triggers on matching events as well as on a schedule. │ │ Most services in AWS treat : or / as the same character in Amazon Resource Names (ARNs). However, EventBridge uses an exact match in event patterns and rules. Be sure to use the correct ARN characters when creating event patterns so that they match the ARN syntax in the event you want to match. │ │ In EventBridge, it is possible to create rules that lead to infinite loops, where a rule is fired repeatedly. For example, a rule might detect that ACLs have changed on an S3 bucket, and trigger software to change them to the desired state. If the rule is not written carefully, the subsequent change to the ACLs fires the rule again, creating an infinite loop. │ │ To prevent this, write the rules so that the triggered actions do not re-fire the same rule. For example, your rule could fire only if ACLs are found to be in a bad state, instead of after any change. │ │ An infinite loop can quickly cause higher than expected charges. We recommend that you use budgeting, which alerts you when charges exceed your specified limit. For more information, see [Managing Your Costs with Budgets](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/budgets-managing-costs.html) . │ │ > As an aid to help you jumpstart developing CloudFormation templates, the EventBridge console enables you to create templates from the existing rules in your account. For more information, see [Generating CloudFormation templates from an EventBridge rule](https://docs.aws.amazon.com/eventbridge/latest/userguide/rule-generate-template.html) in the *Amazon EventBridge User Guide* . │ └ types │ ├[+] type AppSyncParameters │ │ ├ name: AppSyncParameters │ │ └ properties │ │ └GraphQLOperation: string (required) │ └[~] type Target │ └ properties │ └[+] AppSyncParameters: AppSyncParameters ├[~] service aws-fis │ └ resources │ └[~] resource AWS::FIS::ExperimentTemplate │ ├ - documentation: Specifies an experiment template. │ │ An experiment template includes the following components: │ │ - *Targets* : A target can be a specific resource in your AWS environment, or one or more resources that match criteria that you specify, for example, resources that have specific tags. │ │ - *Actions* : The actions to carry out on the target. You can specify multiple actions, the duration of each action, and when to start each action during an experiment. │ │ - *Stop conditions* : If a stop condition is triggered while an experiment is running, the experiment is automatically stopped. You can define a stop condition as a CloudWatch alarm. │ │ For more information, see [Experiment templates](https://docs.aws.amazon.com/fis/latest/userguide/experiment-templates.html) in the *AWS Fault Injection Service User Guide* . │ │ + documentation: Describes an experiment template. │ └ types │ ├[~] type ExperimentTemplateAction │ │ └ - documentation: Specifies an action for an experiment template. │ │ For more information, see [Actions](https://docs.aws.amazon.com/fis/latest/userguide/actions.html) in the *AWS Fault Injection Service User Guide* . │ │ + documentation: Describes an action for an experiment template. │ ├[~] type ExperimentTemplateLogConfiguration │ │ ├ - documentation: Specifies the configuration for experiment logging. │ │ │ For more information, see [Experiment logging](https://docs.aws.amazon.com/fis/latest/userguide/monitoring-logging.html) in the *AWS Fault Injection Service User Guide* . │ │ │ + documentation: Describes the configuration for experiment logging. │ │ └ properties │ │ ├ CloudWatchLogsConfiguration: (documentation changed) │ │ └ S3Configuration: (documentation changed) │ ├[~] type ExperimentTemplateStopCondition │ │ └ - documentation: Specifies a stop condition for an experiment template. │ │ For more information, see [Stop conditions](https://docs.aws.amazon.com/fis/latest/userguide/stop-conditions.html) in the *AWS Fault Injection Service User Guide* . │ │ + documentation: Describes a stop condition for an experiment template. │ ├[~] type ExperimentTemplateTarget │ │ ├ - documentation: Specifies a target for an experiment. You must specify at least one Amazon Resource Name (ARN) or at least one resource tag. You cannot specify both ARNs and tags. │ │ │ For more information, see [Targets](https://docs.aws.amazon.com/fis/latest/userguide/targets.html) in the *AWS Fault Injection Service User Guide* . │ │ │ + documentation: Describes a target for an experiment template. │ │ └ properties │ │ └ Parameters: (documentation changed) │ └[~] type ExperimentTemplateTargetFilter │ └ - documentation: Specifies a filter used for the target resource input in an experiment template. │ For more information, see [Resource filters](https://docs.aws.amazon.com/fis/latest/userguide/targets.html#target-filters) in the *AWS Fault Injection Service User Guide* . │ + documentation: Describes a filter used for the target resources in an experiment template. ├[~] service aws-globalaccelerator │ └ resources │ └[~] resource AWS::GlobalAccelerator::EndpointGroup │ └ types │ └[~] type EndpointConfiguration │ └ properties │ └[+] AttachmentArn: string ├[~] service aws-glue │ └ resources │ └[+] resource AWS::Glue::CustomEntityType │ ├ name: CustomEntityType │ │ cloudFormationType: AWS::Glue::CustomEntityType │ │ documentation: Creates a custom pattern that is used to detect sensitive data across the columns and rows of your structured data. │ │ Each custom pattern you create specifies a regular expression and an optional list of context words. If no context words are passed only a regular expression is checked. │ │ tagInformation: {"tagPropertyName":"Tags","variant":"map"} │ ├ properties │ │ ├RegexString: string │ │ ├ContextWords: Array<string> │ │ ├Tags: json │ │ └Name: string │ └ attributes │ └Id: string ├[~] service aws-iot │ └ resources │ └[~] resource AWS::IoT::DomainConfiguration │ ├ properties │ │ └[+] ServerCertificateConfig: ServerCertificateConfig │ └ types │ └[+] type ServerCertificateConfig │ ├ name: ServerCertificateConfig │ └ properties │ └EnableOCSPCheck: boolean ├[~] service aws-iotsitewise │ └ resources │ └[~] resource AWS::IoTSiteWise::Gateway │ └ types │ ├[~] type GatewayPlatform │ │ └ properties │ │ └ GreengrassV2: (documentation changed) │ └[~] type GreengrassV2 │ └ - documentation: Contains details for a gateway that runs on AWS IoT Greengrass V2. To create a gateway that runs on AWS IoT Greengrass V2, you must deploy the IoT SiteWise Edge component to your gateway device. Your [Greengrass device role](https://docs.aws.amazon.com/greengrass/v2/developerguide/device-service-role.html) must use the `AWSIoTSiteWiseEdgeAccess` policy. For more information, see [Using AWS IoT SiteWise at the edge](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/sw-gateways.html) in the *AWS IoT SiteWise User Guide* . │ + documentation: Contains details for a gateway that runs on AWS IoT Greengrass V2 . To create a gateway that runs on AWS IoT Greengrass V2 , you must deploy the IoT SiteWise Edge component to your gateway device. Your [Greengrass device role](https://docs.aws.amazon.com/greengrass/v2/developerguide/device-service-role.html) must use the `AWSIoTSiteWiseEdgeAccess` policy. For more information, see [Using AWS IoT SiteWise at the edge](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/sw-gateways.html) in the *AWS IoT SiteWise User Guide* . ├[~] service aws-kendra │ └ resources │ └[~] resource AWS::Kendra::DataSource │ └ types │ └[~] type S3DataSourceConfiguration │ └ properties │ └ ExclusionPatterns: (documentation changed) ├[~] service aws-kinesisfirehose │ └ resources │ └[~] resource AWS::KinesisFirehose::DeliveryStream │ └ types │ ├[+] type SplunkBufferingHints │ │ ├ documentation: The buffering options. If no value is specified, the default values for Splunk are used. │ │ │ name: SplunkBufferingHints │ │ └ properties │ │ ├IntervalInSeconds: integer │ │ └SizeInMBs: integer │ └[~] type SplunkDestinationConfiguration │ └ properties │ └[+] BufferingHints: SplunkBufferingHints ├[~] service aws-location │ └ resources │ ├[+] resource AWS::Location::APIKey │ │ ├ name: APIKey │ │ │ cloudFormationType: AWS::Location::APIKey │ │ │ documentation: The API key resource in your AWS account, which lets you grant actions for Amazon Location resources to the API key bearer. │ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ ├ properties │ │ │ ├Description: string │ │ │ ├ExpireTime: string │ │ │ ├ForceUpdate: boolean │ │ │ ├KeyName: string (required, immutable) │ │ │ ├NoExpiry: boolean │ │ │ ├Restrictions: ApiKeyRestrictions (required) │ │ │ ├Tags: Array<tag> │ │ │ └ForceDelete: boolean │ │ ├ attributes │ │ │ ├CreateTime: string │ │ │ ├Arn: string │ │ │ ├KeyArn: string │ │ │ └UpdateTime: string │ │ └ types │ │ └type ApiKeyRestrictions │ │ ├ documentation: API Restrictions on the allowed actions, resources, and referers for an API key resource. │ │ │ name: ApiKeyRestrictions │ │ └ properties │ │ ├AllowActions: Array<string> (required) │ │ ├AllowResources: Array<string> (required) │ │ └AllowReferers: Array<string> │ ├[~] resource AWS::Location::GeofenceCollection │ │ ├ - tagInformation: undefined │ │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ └ properties │ │ └[+] Tags: Array<tag> │ ├[~] resource AWS::Location::Map │ │ ├ - tagInformation: undefined │ │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ ├ properties │ │ │ └[+] Tags: Array<tag> │ │ ├ attributes │ │ │ └ DataSource: (documentation changed) │ │ └ types │ │ └[~] type MapConfiguration │ │ └ properties │ │ └[+] PoliticalView: string │ ├[~] resource AWS::Location::PlaceIndex │ │ ├ - tagInformation: undefined │ │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ └ properties │ │ └[+] Tags: Array<tag> │ ├[~] resource AWS::Location::RouteCalculator │ │ ├ - tagInformation: undefined │ │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ └ properties │ │ └[+] Tags: Array<tag> │ └[~] resource AWS::Location::Tracker │ ├ - tagInformation: undefined │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ └ properties │ ├[+] EventBridgeEnabled: boolean │ ├[+] KmsKeyEnableGeospatialQueries: boolean │ └[+] Tags: Array<tag> ├[~] service aws-mediatailor │ └ resources │ └[~] resource AWS::MediaTailor::Channel │ ├ properties │ │ └[+] TimeShiftConfiguration: TimeShiftConfiguration │ └ types │ ├[~] type DashPlaylistSettings │ │ └ properties │ │ ├ ManifestWindowSeconds: - number (default=0) │ │ │ + number │ │ ├ MinBufferTimeSeconds: - number (default=0) │ │ │ + number │ │ ├ MinUpdatePeriodSeconds: - number (default=0) │ │ │ + number │ │ └ SuggestedPresentationDelaySeconds: - number (default=0) │ │ + number │ ├[~] type HlsPlaylistSettings │ │ └ properties │ │ └ ManifestWindowSeconds: - number (default=0) │ │ + number │ └[+] type TimeShiftConfiguration │ ├ documentation: The configuration for time-shifted viewing. │ │ name: TimeShiftConfiguration │ └ properties │ └MaxTimeDelaySeconds: number (required) ├[~] service aws-networkfirewall │ └ resources │ └[~] resource AWS::NetworkFirewall::FirewallPolicy │ └ types │ └[~] type FirewallPolicy │ └ properties │ └ TLSInspectionConfigurationArn: (documentation changed) ├[~] service aws-networkmanager │ └ resources │ └[~] resource AWS::NetworkManager::Device │ └ attributes │ └ CreatedAt: (documentation changed) ├[~] service aws-omics │ └ resources │ └[~] resource AWS::Omics::Workflow │ └ properties │ └ StorageCapacity: (documentation changed) ├[~] service aws-pinpoint │ └ resources │ └[~] resource AWS::Pinpoint::GCMChannel │ └ properties │ ├ DefaultAuthenticationMethod: (documentation changed) │ └ ServiceJson: (documentation changed) ├[~] service aws-pipes │ └ resources │ └[~] resource AWS::Pipes::Pipe │ ├ - documentation: Create a pipe. Amazon EventBridge Pipes connect event sources to targets and reduces the need for specialized knowledge and integration code. │ │ + documentation: Specifies a pipe. Amazon EventBridge Pipes connect event sources to targets and reduces the need for specialized knowledge and integration code. │ │ > As an aid to help you jumpstart developing CloudFormation templates, the EventBridge console enables you to create templates from the existing pipes in your account. For more information, see [Generate an CloudFormation template from EventBridge Pipes](https://docs.aws.amazon.com/eventbridge/latest/userguide/pipes-generate-template.html) in the *Amazon EventBridge User Guide* . │ └ types │ └[~] type PipeLogConfiguration │ └ properties │ └ IncludeExecutionData: (documentation changed) ├[~] service aws-rds │ └ resources │ └[~] resource AWS::RDS::DBInstance │ └ properties │ └ CACertificateIdentifier: (documentation changed) ├[~] service aws-redshift │ └ resources │ └[~] resource AWS::Redshift::Cluster │ ├ properties │ │ ├[+] ManageMasterPassword: boolean │ │ └[+] MasterPasswordSecretKmsKeyId: string │ └ attributes │ └[+] MasterPasswordSecretArn: string ├[~] service aws-s3 │ └ resources │ └[~] resource AWS::S3::Bucket │ └ types │ └[~] type OwnershipControlsRule │ └ properties │ └ ObjectOwnership: (documentation changed) ├[~] service aws-s3objectlambda │ └ resources │ └[~] resource AWS::S3ObjectLambda::AccessPoint │ └ types │ └[~] type TransformationConfiguration │ └ properties │ └ Actions: (documentation changed) ├[~] service aws-servicecatalogappregistry │ └ resources │ └[~] resource AWS::ServiceCatalogAppRegistry::Application │ └ attributes │ ├ ApplicationTagKey: (documentation changed) │ └ ApplicationTagValue: (documentation changed) └[~] service aws-ssm └ resources └[~] resource AWS::SSM::PatchBaseline ├ properties │ ├ ApprovedPatchesComplianceLevel: - string │ │ + string (default="UNSPECIFIED") │ ├ ApprovedPatchesEnableNonSecurity: - boolean │ │ + boolean (default=false) │ ├[+] DefaultBaseline: boolean (default=false) │ ├ OperatingSystem: - string (immutable) │ │ + string (default="WINDOWS", immutable) │ └ RejectedPatchesAction: - string │ + string (default="ALLOW_AS_DEPENDENCY") ├ attributes │ └ Id: (documentation changed) └ types ├[~] type PatchSource │ ├ - documentation: `PatchSource` is the property type for the `Sources` resource of the [AWS::SSM::PatchBaseline](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-patchbaseline.html) resource. │ │ The AWS CloudFormation `AWS::SSM::PatchSource` resource is used to provide information about the patches to use to update target instances, including target operating systems and source repository. Applies to Linux instances only. │ │ + documentation: `PatchSource` is the property type for the `Sources` resource of the [AWS::SSM::PatchBaseline](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-patchbaseline.html) resource. │ │ The AWS CloudFormation `AWS::SSM::PatchSource` resource is used to provide information about the patches to use to update target instances, including target operating systems and source repository. Applies to Linux managed nodes only. │ └ properties │ └ Products: (documentation changed) └[~] type Rule └ properties ├ ApproveUntilDate: - json ⇐ string │ + string └ EnableNonSecurity: - boolean + boolean (default=false) ```
This PR supports RDS for SQL Server 15.00.4345.5.v1.
```
aws rds describe-db-engine-versions \
--engine sqlserver-ee \
--query "DBEngineVersions[?EngineVersion=='15.00.4345.5.v1'].[DBEngineVersionDescription,EngineVersion,DBParameterGroupFamily,MajorEngineVersion,Status]"
[
[
"SQL Server 2019 15.00.4345.5.v1",
"15.00.4345.5.v1",
"sqlserver-ee-15.0",
"15.00",
"available"
]
]
```
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Adds support for the `Notation-OCI-SHA384-ECDSA` signing profile platform. Also, refactors the `Platform` class to an enum-like class to allow custom platforms (and prevent blocking users if added platforms are missing on the `enum` declaration). Closes #28580. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Closes #28446. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Unify the orphaned line back into to the blockquote  https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.pipelines-readme.html#cdk-pipelines ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The update on eslint is causing the following error: ``` @aws-cdk/spec2cdk: 165:3 error An array of Promises may be unintentional. Consider handling the promises' fulfillment or rejection with Promise.all or similar, or explicitly marking the expression as ignored with the `void` operator @typescript-eslint/no-floating-promises ``` This PR has been separated out from [28434](#28434) because there are other failures. I am splitting these out to make clear which code is fixing which issue. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Currently it is not possible to set Retry for the Task when using CustomState construct. There are two ways to add Retry: by adding the `addRetry` method or by rendering the `Retry` property of `stateJson`. The `addRetry` method was added in this PR because rendering the `Retry` property of `stateJson`, which was not rendered before, could result in an unexpected StateMachine for the user. Closes #28586 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Fixes by Specifying key pair reference in cfnInstance. This will change behavior if both `keyName` and `keyPair` is set on an existing resource, since we will use `keyPair.keyPairName` instead of `keyName` now. However, there is no correct use case for specifying both `keyPair` and `keyName`, and given `keyName` is deprecated, this PR is introducing the correct behavior. Closes #28478. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
> REPLACE THIS TEXT BLOCK > > Describe the reason for this change, what the solution is, and any > important design decisions you made. > > Remember to follow the [CONTRIBUTING GUIDE] and [DESIGN GUIDELINES] for any > code you submit. > > [CONTRIBUTING GUIDE]: https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md > [DESIGN GUIDELINES]: https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md Closes #<issue number here>. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…forward secrecy (#28583) This PR supports new TLS security policy 'Policy-Min-TLS-1-2-PFS-2023-10' for TLS 1.3 and perfect forward secrecy. The description from [CLI reference](https://docs.aws.amazon.com/cli/latest/reference/opensearch/update-domain-config.html): > Policy-Min-TLS-1-2-PFS-2023-10: TLS security policy that supports TLS version 1.2 to TLS version 1.3 with perfect forward secrecy cipher suites - Release notes - https://aws.amazon.com/jp/about-aws/whats-new/2024/01/amazon-opensearch-service-tls-1-3-perfect-forward-secrecy/ - CloudFormation - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-opensearchservice-domain-domainendpointoptions.html#cfn-opensearchservice-domain-domainendpointoptions-tlssecuritypolicy ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.3 to 1.15.4. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/follow-redirects/follow-redirects/commit/65858205e59f1e23c9bf173348a7a7cbb8ac47f5"><code>6585820</code></a> Release version 1.15.4 of the npm package.</li> <li><a href="https://github.com/follow-redirects/follow-redirects/commit/7a6567e16dfa9ad18a70bfe91784c28653fbf19d"><code>7a6567e</code></a> Disallow bracketed hostnames.</li> <li><a href="https://github.com/follow-redirects/follow-redirects/commit/05629af696588b90d64e738bc2e809a97a5f92fc"><code>05629af</code></a> Prefer native URL instead of deprecated url.parse.</li> <li><a href="https://github.com/follow-redirects/follow-redirects/commit/1cba8e85fa73f563a439fe460cf028688e4358df"><code>1cba8e8</code></a> Prefer native URL instead of legacy url.resolve.</li> <li><a href="https://github.com/follow-redirects/follow-redirects/commit/72bc2a4229bc18dc9fbd57c60579713e6264cb92"><code>72bc2a4</code></a> Simplify _processResponse error handling.</li> <li><a href="https://github.com/follow-redirects/follow-redirects/commit/3d42aecdca39b144a0a2f27ea134b4cf67dd796a"><code>3d42aec</code></a> Add bracket tests.</li> <li><a href="https://github.com/follow-redirects/follow-redirects/commit/bcbb096b32686ecad6cd34235358ed6f2217d4f0"><code>bcbb096</code></a> Do not directly set Error properties.</li> <li>See full diff in <a href="https://github.com/follow-redirects/follow-redirects/compare/v1.15.3...v1.15.4">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts). </details>
This was unintentionally commented out in a previous PR. Adding it back in. This also includes the changes that pkglint would have picked up, if not commented out. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…8615) This PR supports version 16 for RDS for SQL Server without a specific minor version. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Change the documentation as it showing wrong description. InterfaceVpcEndpoint class does have a open property that is default true which states traffic is automatically allowed from the VPC CIDR. Closes #28350. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…te` and `Certificate` (#28597) Add support for key algorithm when requesting a certificate `keyAlgorithm` support for `DnsValidatedCertificate` is not supported since the construct was _deprecated_. Added a warning if user tries to use `keyAlgorithm` for the construct instead. CloudFormation docs for [key algorithm](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html#cfn-certificatemanager-certificate-keyalgorithm). Closes #22887. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The upgrade workflow is still failing so I'm continuing to pull out smaller pieces. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
https://aws.amazon.com/about-aws/whats-new/2024/01/aws-codebuild-x-large-linux-compute-type/ ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…n today (#28646) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
I'm new to development on this package—any feedback regarding testing is appreciated. Closes #28371. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
When reading through the CONTRIBUTING.md there was a few issues which confused me. These changes correct those so the next new contributor can read it more easily. Also, makes brand names consistent in the file and with the brands public name (E.g. "cloudformation" to "CloudFormation"). ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Reference [issue 28596](#28596) The motivation is to help CDK builders understand how to take advantage of IAM scope-down capabilities to ensure least-privilege cross-account role access related to cross account zone delegation. The Cross Account Zone Delegation guidance currently includes reference to creating a crossAccountRole, but provides no suggestion on how to safely scope down the role for least-privilege access. We can and should provide this guidance. E.g. ``` const crossAccountRole = new iam.Role(this, 'CrossAccountRole', { // The role name must be predictable roleName: 'MyDelegationRole', // The other account assumedBy: new iam.AccountPrincipal('12345678901'), }); ``` should be more like: ``` const crossAccountRole = new iam.Role(this, 'CrossAccountRole', { // The role name must be predictable roleName: 'MyDelegationRole', // The other account assumedBy: new iam.AccountPrincipal('12345678901'), // You can scope down this role policy to be least privileged. // If you want the other account to be able to manage specific records, // you can scope down by resource and/or normalized record names inlinePolicies: { "crossAccountPolicy": new iam.PolicyDocument({ statements: [ new iam.PolicyStatement({ sid: "ListHostedZonesByName", effect: iam.Effect.ALLOW, actions: ["route53:ListHostedZonesByName"], resources: ["*"] }), new iam.PolicyStatement({ sid: "GetHostedZoneAndChangeResourceRecordSet", effect: iam.Effect.ALLOW, actions: ["route53:GetHostedZone", "route53:ChangeResourceRecordSet"], // This example assumes the RecordSet subdomain.somexample.com // is contained in the HostedZone resources: ["arn:aws:route53:::hostedzone/HZID00000000000000000"], conditions: { "ForAllValues:StringLike": { "route53:ChangeResourceRecordSetsNormalizedRecordNames": [ "subdomain.someexample.com" ] } } }) }); ``` Closes #28596. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Add a GitHub action that will update the current repository from upstream on a daily basis. This makes it so that various forks of this repository automatically keep themselves up-to-date with the parent repo, and it will be that much easier to make PRs off of a recent, up-to-date clone, without having to do additional manual syncing. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This has been stabilized and replaced with aws-synthetics now. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
This PR modified to avoid creating unnecessary `ResourcePolicy` in CloudWatch Logs. ## issue summary The related issue reports an error when using the awslogs driver on ECS. This error is caused by the creation of a ResourcePolicy in CloudWatch Logs that reaches the maximum number of ResourcePolicies. https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/cloudwatch_limits_cwl.html ## Current behavior In some cases, this ResourcePolicy will be created and in other cases it will not be created. Currently, `Grant.addToPrincipalOrResource` is used to grant permissions to ExecutionRole and Log Group in the ECS taskDef. https://github.com/aws/aws-cdk/blob/607dccb0fd920d25f0fe2613b83c9830322c439e/packages/aws-cdk-lib/aws-ecs/lib/log-drivers/aws-log-driver.ts#L138 https://github.com/aws/aws-cdk/blob/607dccb0fd920d25f0fe2613b83c9830322c439e/packages/aws-cdk-lib/aws-logs/lib/log-group.ts#L194 https://github.com/aws/aws-cdk/blob/607dccb0fd920d25f0fe2613b83c9830322c439e/packages/aws-cdk-lib/aws-iam/lib/grant.ts#L122 `Grant.addToPrincipalOrResource` first grants permissions to the Grantee (ExecutionRole) and creates a resource base policy for cross account access in cases where certain conditions are not met. This condition is determined by the contents of the `principalAccount` of the ExecutionRole and the accountID in the `env.account` and whether or not these are Tokens, but in this scenario, cross account access is not necessary. https://github.com/aws/aws-cdk/blob/607dccb0fd920d25f0fe2613b83c9830322c439e/packages/aws-cdk-lib/aws-iam/lib/grant.ts#L141 Also, when the `LogGroup.grantWrite` call was added to `aws-log-driver.ts`, the ResourcePolicy for logs could not be created from CFn and only granted to the ExecutionRole. #1291  https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/ReleaseHistory.html Therefore, the resource base policy should not be necessary when using the awslogs driver. ## Major changes This PR changed to grant permissions only to ExecutionRole when using the awslogs driver. With this fix, ResourcePolicy will no longer be created when using the awslogs driver. I don't consider this a breaking change, as it changes the content of the generated template, but does not change the behavior of forwarding logs to CloudWatch Logs. However, if this is a breaking change, I think it is necessary to use the feature flag. fixes #22307, fixes #20313 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Add GavinZZ to mergify and github merit badger Closes #<issue number here>. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR implements support for the [v1.3 engine](https://docs.aws.amazon.com/neptune/latest/userguide/engine-releases-1.3.0.0.html). Closes #28648. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
I noticed this while reading the Design Guidelines and fixed it. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
feat(cloudwatch-action): support alarm lambda action Closes #28483 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws-cdk-automation
added
auto-approve
pr/no-squash
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
aws-cdk-automation
had a problem deploying
to
test-pipeline
GitHub Actions
Failure
MrArnoldPalmer
added
the
pr/do-not-merge
MrArnoldPalmer
removed
the
pr/do-not-merge
MrArnoldPalmer
had a problem deploying
to
test-pipeline
GitHub Actions
Failure
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See CHANGELOG