See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.127.0/CHANGELOG.md)

…itution (#29029)

### Issue # (if applicable)

Closes #28450 

### Reason for this change

Currently, the filename is automatically generated based on its fingerprint. There's no way to override the resulting filename.

### Description of changes

Added an optional `destinationKey` parameter. If this is provided, the construct would use the `destinationKey` when uploading the resulting processed file to S3. If the `destinationKey` is not provided, the current approach would be the default.

### Description of how you validated changes

Added a unit test to confirm that the correct filename is being used.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

#27891)

While working on [#27803](#27803), I noticed the integration tests for `aws-stepfunctions-tasks/ecs` were not fully working (they deployed but the state machines did not run successfully). This PR addresses two issues:

1. Missing permissions for `ecs:RunTask` on the task definition version.
<img width="1587" alt="sfn-role" src="https://github.com/aws/aws-cdk/assets/3310356/13a0d402-8cbb-4852-9708-290f3a3b6711">

2. The sample container was from a Lambda image. This resulted in the following error: `entrypoint requires the handler name to be the first argument`. I changed the image to `docker/library/python:3.12`.

These changes result in the successful execution of all four state machines in `aws-stepfunctions-tasks/ecs`.


----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change


Updated according to [this document](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html#runtime-support-policy).

### Description of changes



### Description of how you validated changes



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…oups (#26957)

The alarms on a CodeDeploy group are configurable to be enabled or disabled through the SDK or UI. Bringing in that functionality to the CDK to have parity. The parameter name mirrors the "Ignore alarm configuration" checkbox in the alarm configuration section of the UI.

Motivation: Developers are able to disable _rollback_ on alarm, but this leaves deployments in a stopped state should any alarms be active. Including this configuration will align with the expectation that alarms will not block a deployment in lower environments via a flag rather than logic to include/exclude alarms on the deployment group based on environment. I'm sure there are other use cases for disabling the alarm configuration on a deployment group.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue

Closes #29083

### Reason for this change

When granting send email access to a lambda the grant needs to be constructed manually, including constructing the ARN for the identity. e.g.

```
  Grant.addToPrincipal({
    grantee,
    actions: ["ses:SendEmail"],
    resourceArns: [
      this.stack.formatArn({
        service: 'ses',
        resource: 'identity',
        resourceName: 'test@example.com',
      }),
    ],
    scope: this
  })
```

This is dissimilar to other constructs, which generally expose a grant method and one or more convenience methods for particularly relevant groups of actions.

### Description of changes

Added `grant` and `grantSendEmail` to `IEmailIdentity`, and added a common abstract class, `BaseEmailIdentity` with the relevant grant code. This is to avoid code duplication between the full `EmailIdentity` and the `Import` class.

### Description of how you validated changes

Tests added for grants on both new and imported email identities, and a test to validate the `grantSendEmail` method.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

closes #28975.

### Reason for this change

add support for table widget https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/add_remove_table_dashboard.html

### Description of changes

add a new `TableWidget` and its supporting property classes/interfaces

### Description of how you validated changes

added both unit/integ tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change


This PR adds a new alpha module to for EvenBridge pipes targets.

This is the base setup for future work and additional targets.

### Description of changes



The initial target is the SQS target.


### Description of how you validated changes


- [x] Unittests
- [x]  Integration test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…d triggers (#28538)

This PR supports pipeline type v2 with pipeline-level variables and triggers.

When referring to a variable in pipeline actions, it must be specified according to the format `#{variables.variableName}`. In order to avoid the need to specify directly in this form, a new class `Variable` with a `reference()` method was created.

```ts
const myVariable = new codepipeline.Variable({
  variableName: 'bucket-var',
  description: 'description',
  defaultValue: 'sample',
});

const pipeline = new codepipeline.Pipeline(stack, 'Pipeline', {
  artifactBucket: sourceBucket,
  pipelineType: codepipeline.PipelineType.V2,
  variables: [myVariable],
  stages: [
    {
      stageName: 'Source',
      actions: [sourceAction],
    },
    {
      stageName: 'Deploy',
      actions: [
        new S3DeployAction({
          actionName: 'DeployAction',
          extract: false,
          // objectKey: '#{variables.bucket-var}.txt',
          objectKey: `${myVariable.reference()}.txt`,
          input: sourceOutput,
          bucket: deployBucket,
        }),
      ],
    },
  ],
});
```

- user guide
  - https://docs.aws.amazon.com/codepipeline/latest/userguide/pipeline-types-planning.html
  - https://docs.aws.amazon.com/codepipeline/latest/userguide/reference-variables.html#reference-variables-workflow
  - https://docs.aws.amazon.com/codepipeline/latest/userguide/tutorials-github-tags.html
- CloudFormation
  - https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-codepipeline-pipeline.html
  - https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-variabledeclaration.html
  - https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-pipelinetriggerdeclaration.html

Closes #28476 #28694.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…et (#28927)

This PR adds SageMakerStartPipelineExecution Target for EventBridge Scheduler.

Closes #27457

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…le (#29063)

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

This PR adds a new alpha module to for EvenBridge pipes enrichments.

This is the base setup for future work and additional enrichments.

### Description of changes

The initial enrichment is the Lambda enrichment.

### Description of how you validated changes

- [x] Unittests
- [x] Integration test


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…cryption` and note that we intend to default to `S3_MANAGED` in the future (#28978)

### Issue # (if applicable)

Relates to #28815

### Reason for this change

The App Staging Synthesizer is great - I've moved to using it for most of my stacks. However, the current default uses a Customer-Managed KMS key, which costs $1/month.

The default synthesizer bucket uses SSE-S3 encryption by default. This is nice because users do not incur additional fees for a KMS key.

In my opinion, SSE-S3 is good enough for most people. If folks need additional security, they should opt-in to SSE-KMS, which they can do via the `stagingBucketEncryption` property @msambol introduced with #28903.

### Description of changes

With guidance from @kaizencc [below](#28978 (comment)), this PR makes `stagingBucketEncryption` a required property, with a user-facing note that we intend to default to `S3_MANAGED` as the module is stablized.

### Description of how you validated changes

Updated unit tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)


BREAKING CHANGE: `stagingBucketEncryption` property is now required. For existing apps, specify `BucketEncryption.KMS` to retain existing behavior. For new apps, choose the bucket encryption that makes most sense for your use case. `BucketEncryption.S3_MANAGED` is available and is intended to be the default when this module is stabilized.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Every time I perform a CDK deployment, the logicalId hash of the deployment resource changes and causes the deployment resource to be deleted and recreated. I'm assuming it is because the configuration `content` is part of the hash creation and I am creating the content using `lazy` and at the time of the hash creation it is still a token.

Looking at the [CloudFormation
docs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-appconfig-deployment.html) for the deployment resource, a change to _any_ property causes a replacement so I don't think we need to control the recreation logic ourselves, we should just let CloudFormation do the resource replacement for us.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Signed-off-by: Vinayak Kukreja <vinakuk@amazon.com>