Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(release): 2.139.0 #29953

Merged
merged 29 commits into from
Apr 24, 2024
Merged

chore(release): 2.139.0 #29953

merged 29 commits into from
Apr 24, 2024

Conversation

aws-cdk-automation
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation commented Apr 24, 2024

See CHANGELOG

msambol and others added 28 commits April 18, 2024 18:29
…29734)

Closes #29728. 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ref:
https://aws.amazon.com/jp/blogs/aws/anthropics-claude-3-haiku-model-is-now-available-in-amazon-bedrock/

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue #29690

Closes #29690

### Reason for this change

Regarding the stack separation of RestApi and Resource, there is no documentation about the fact that Deployment is not automatically created. When I actually add resources to the code documented and try cdk deploy for the second time and beyond, a new deployment is not created, and the latest resources are not reflected.

### Description of changes

I added a note and related links to the documentation.

### Description of how you validated changes

Nothing. It is just to change the description.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…cloudformation rollback (#29581)

### Issue # (if applicable)

Closes #27199

### Reason for this change

Based on the way the custom resource is implemented, it is likely that
unexpected behavior happens on Cloudformation rollback, i.e. the custom
resource will prematurely delete the objects.

Consider the following scenario:

```
UPDATE target resource (replacement, creates a new resource)
UPDATE custom resource (old -> new, objects in old bucket are deleted)
(...stuff happens...)
ERROR, triggers a rollback
UPDATE custom resource (new -> old)
DELETE target resource (deletes the new resource, remembers the existing one)
```

We will have deleted objects in the bucket that has been rolled back to
in this scenario, but the content is now gone.

### Description of changes

Instead of deleting it right during update, we send back
`PhysicalResourceId` in the event handler which if the id changes, it
will let CFN to empty and delete the bucket at the end of the
deployment.

### Description of how you validated changes

New & updated tests. Also manually tested with deploying a template 
```
const bucket = new s3.Bucket(this, 'Bucket', {
      removalPolicy: cdk.RemovalPolicy.DESTROY,
      bucketName: <a bucket name that's not used>,
      autoDeleteObjects: true,
    });

    // Intentionally failure since `mybucket-1` exists
    const bucket2 = new s3.Bucket(this, 'Bucket2', {
      removalPolicy: cdk.RemovalPolicy.DESTROY,
      bucketName: <a bucket name that's not used>,
    });

    bucket2.node.addDependency(bucket);
```

Once the deployment is successful, add some random content to the
bucket, then update the code so that the first bucket's bucketName is
updated to another valid name. Update the second bucket's bucketName to
be an existing bucket name, which will trigger a deployment failure
hence roll back.

After the change, the content will stay there if a deployment failure
happens. The content & bucket will be deleted if deployment is
successful.


### Checklist
- [x] My code adheres to the [CONTRIBUTING
GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and
[DESIGN
GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license*
### Reason for this change

[Aurora MySQL database engine updates 2024-03-26 (version 2.11.5, compatible with MySQL 5.7.12)](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraMySQLReleaseNotes/AuroraMySQL.Updates.2115.html)

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
#29877)

### Issue # (if applicable)

Closes #25736.

### Reason for this change

The bootstrap calls `deployStack` without specifying hotswap, and `deployStack` does not correctly default the hotswap mode to `FULL_DEPLOYMENT`.

### Description of changes

Make `deployStack` correctly default `hotswapMode` to `FULL_DEPLOYMENT`.

### Description of how you validated changes

Manual testing. Before this change:

```
 ✨ hotswap deployment skipped - no changes were detected (use --force to override)

 ✅  Environment aws://123456789012/us-east-1 bootstrapped (no changes).

```

After:

```
 ✅  Environment aws://123456789012/us-east-1 bootstrapped (no changes).
```

Unit tests not added because we don't have any unit tests for bootstrap and this is cosmetic.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… in CompleteHandler (#28706)

This PR fixes the case that `StateMachine` generated for `CompleteHandler` in `Provider` cannot set logging.

The default log group name of the state machine automatically created by the `Provider` with `isCompleteHandler` should start with `/aws/vendedlogs/states`. Otherwise, each time the state machine is created, the log resource policy size increases. 

https://docs.aws.amazon.com/step-functions/latest/dg/bp-cwl.html

Closes #27283
Fixes #28577 #28744

Related PR #27310(reverted by #28699), #28587

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ime (#29500)

### Issue # (if applicable)

Closes #29345.

### Reason for this change

The current L2 AppConfig constructs do not have any guardrails 
that prevent simultaneous Deployments to a single Environment. 
This is not allowed, and will result in Cfn deploy-time conflicts.

### Description of changes

This commit adds a pair of new public methods to IEnvironment that 
enable the addition of a new Deployment for a given IConfiguration.

It then updates the creation of new Deployments in ConfigurationBase 
to utilize these new methods instead of the current resource creation.

These new methods interact with an internal queue. 
This queue creates a chain of Cfn dependencies between Deployments 
in order to enforce that only a single Deployment can be in progress 
for the Environment at any given time.

### Description of how you validated changes

Added new unit and integ test coverage.  
Deployed the new integ test without these changes and confirmed that Cfn failed at deployment time. 

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…for ALB (#29907)

### Issue # (if applicable)

Closes #29866

### Reason for this change

`crossZoneEnabled` is not well handled when it's `false` with ALB.  Because:

1. When the L2 prop is set `false`, it will not pass down to the L1 and won't throw any error as ALB does not support being disabled. It just silently ignore it.
2. When the prop is `false` for NLB, the L1 attribute will be `undefined`, which is having the same result but it should be explicitly set as `false` in L1.


This PR covers the following cases:

1. When `crossZoneEnabled` is `true`, `load_balancing.cross_zone.enabled` should be `true`.
2. When `crossZoneEnabled` is `false`, `load_balancing.cross_zone.enabled` should be `false`, rather than `undefined`.
3. When `crossZoneEnabled` is `false` with ALB, cdk throws an error because ALB does not support disabling it per [doc](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-loadbalancer-loadbalancerattribute.html) description.
4. NLB supports either `true` or `false`.
5. This prop can be `undefined` for ALB or NLB.
6. Improve the doc string for the `crossZoneEnabled` prop.

### Description of changes



### Description of how you validated changes



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
One of our tests can remove customPermissionsBoundary creates a policy using createPolicy. Change to IAM policies/roles use eventual consistency. So, while the changes will show up right away if we were to call an API to describe that policy/role, the updates may not have actually propagated to all regions yet. This is likely the cause of the intermittent test failures for this test.

This change adds the eventually block and uses it to retry initial creation of this stack in the case that the policy changes have not made it to the relevant region just yet.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #29811, continuation of @msambol 's #29823

### Reason for this change

Reduce overly broad permissions allocated to SES for the S3 receipt rule action

### Description of changes

* Restrain by both rule set and rule name, as recommended in the [docs](https://docs.aws.amazon.com/ses/latest/dg/receiving-email-permissions.html#receiving-email-permissions-s3)
	* Accomplished by generating the permission lazily, when the rule is rendering the actions for CloudFormation  

### Description of how you validated changes

Updated the unit and integration tests. The integration now uses a free test WorkMail domain. It's a bit of manual setup upfront, but doesn't require the contributor to use one of their own domains

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

As #22910 and #25278 were closed for staleness. I am opening a new PR to fix #22442.

To avoid breaking change, this PR introduces a new feature flag for the bug fix.

Closes #22442

### The Code for verification

```ts
import {
  App, Stack,
  aws_eks as eks,
  aws_ec2 as ec2,
  CfnOutput, cx_api,
} from 'aws-cdk-lib';

const app = new App();
const env = { region: process.env.CDK_DEFAULT_REGION, account: process.env.CDK_DEFAULT_ACCOUNT };
const stack = new Stack(app, 'my-test-stack2', { env });

stack.node.setContext(cx_api.EKS_NODEGROUP_NAME, true);

const vpc = ec2.Vpc.fromLookup(stack, 'Vpc', { isDefault: true });

const cluster = new eks.Cluster(stack, 'Cluster', {
  vpc,
  version: eks.KubernetesVersion.V1_29,
  defaultCapacity: 0,
});

const ng1 = new eks.Nodegroup(stack, 'ng-1', {
  cluster,
});

const ng2 = cluster.addNodegroupCapacity('ng-2', {
  nodegroupName: 'custom-name',
});

new CfnOutput(stack, 'ng1-name', { value: ng1.nodegroupName });
new CfnOutput(stack, 'ng2-name', { value: ng2.nodegroupName });
```

The output is like

```
Outputs:
my-test-stack2.ng1name = ng19F1EA947-sSziNMzPVkik
my-test-stack2.ng2name = custom-name
```

Console:

<img width="315" alt="image" src="https://github.com/aws/aws-cdk/assets/278432/019255bd-7d05-43ad-8624-baf5b6eea725">



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Because we already had a library under this namespace, our automation didn't do all the setup steps when the schema was updated. This adds the bedrock L1s.


### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[~] service aws-appintegrations
│ └ resources
│    └[~] resource AWS::AppIntegrations::Application
│      ├ properties
│      │  └[+] Permissions: Array<string>
│      └ types
│         └[~] type ExternalUrlConfig
│           └ properties
│              └ ApprovedOrigins: - Array<string> (required)
│                                 + Array<string>
├[~] service aws-autoscaling
│ └ resources
│    ├[~] resource AWS::AutoScaling::AutoScalingGroup
│    │ ├ properties
│    │ │  ├ Cooldown: (documentation changed)
│    │ │  ├ DesiredCapacityType: (documentation changed)
│    │ │  ├ HealthCheckType: (documentation changed)
│    │ │  ├ MaxInstanceLifetime: (documentation changed)
│    │ │  ├ NewInstancesProtectedFromScaleIn: (documentation changed)
│    │ │  └ TerminationPolicies: (documentation changed)
│    │ └ types
│    │    ├[~] type LaunchTemplateOverrides
│    │    │ └ properties
│    │    │    └ InstanceType: (documentation changed)
│    │    ├[~] type LifecycleHookSpecification
│    │    │ └ properties
│    │    │    └ RoleARN: (documentation changed)
│    │    └[~] type MetricsCollection
│    │      └ properties
│    │         └ Metrics: (documentation changed)
│    ├[~] resource AWS::AutoScaling::LaunchConfiguration
│    │ ├ properties
│    │ │  ├ AssociatePublicIpAddress: (documentation changed)
│    │ │  ├ EbsOptimized: (documentation changed)
│    │ │  ├ ImageId: (documentation changed)
│    │ │  ├ InstanceMonitoring: (documentation changed)
│    │ │  ├ KeyName: (documentation changed)
│    │ │  ├ MetadataOptions: (documentation changed)
│    │ │  └ PlacementTenancy: (documentation changed)
│    │ └ types
│    │    └[~] type BlockDevice
│    │      └ properties
│    │         ├ Encrypted: (documentation changed)
│    │         └ VolumeType: (documentation changed)
│    ├[~] resource AWS::AutoScaling::LifecycleHook
│    │ └ properties
│    │    └ RoleARN: (documentation changed)
│    └[~] resource AWS::AutoScaling::ScalingPolicy
│      ├ properties
│      │  └ Cooldown: (documentation changed)
│      └ types
│         └[~] type PredictiveScalingConfiguration
│           └ properties
│              └ MaxCapacityBreachBehavior: (documentation changed)
├[~] service aws-backup
│ └ resources
│    ├[~] resource AWS::Backup::BackupPlan
│    │ ├ properties
│    │ │  └ BackupPlanTags: (documentation changed)
│    │ └ types
│    │    ├[~] type BackupRuleResourceType
│    │    │ └ properties
│    │    │    └ RecoveryPointTags: (documentation changed)
│    │    └[~] type LifecycleResourceType
│    │      └ properties
│    │         └ OptInToArchiveForSupportedResources: (documentation changed)
│    ├[~] resource AWS::Backup::BackupSelection
│    │ └ types
│    │    └[~] type ConditionParameter
│    │      └  - documentation: Includes information about tags you define to assign tagged resources to a backup plan.
│    │         + documentation: Includes information about tags you define to assign tagged resources to a backup plan.
│    │         Include the prefix `aws:ResourceTag` in your tags. For example, `"aws:ResourceTag/TagKey1": "Value1"` .
│    ├[~] resource AWS::Backup::BackupVault
│    │ └ properties
│    │    └ BackupVaultTags: (documentation changed)
│    ├[~] resource AWS::Backup::Framework
│    │ ├ properties
│    │ │  └ FrameworkTags: (documentation changed)
│    │ └ types
│    │    ├[~] type ControlInputParameter
│    │    │ └  - documentation: A list of parameters for a control. A control can have zero, one, or more than one parameter. An example of a control with two parameters is: "backup plan frequency is at least `daily` and the retention period is at least `1 year` ". The first parameter is `daily` . The second parameter is `1 year` .
│    │    │    + documentation: The parameters for a control. A control can have zero, one, or more than one parameter. An example of a control with two parameters is: "backup plan frequency is at least `daily` and the retention period is at least `1 year` ". The first parameter is `daily` . The second parameter is `1 year` .
│    │    └[~] type FrameworkControl
│    │      └ properties
│    │         └ ControlInputParameters: (documentation changed)
│    ├[~] resource AWS::Backup::ReportPlan
│    │ ├ properties
│    │ │  └ ReportPlanTags: (documentation changed)
│    │ └ types
│    │    └[~] type ReportDeliveryChannel
│    │      └ properties
│    │         └ Formats: (documentation changed)
│    ├[~] resource AWS::Backup::RestoreTestingPlan
│    │ └  - documentation: This is the first of two steps to create a restore testing plan; once this request is successful, finish the procedure with request CreateRestoreTestingSelection.
│    │    You must include the parameter RestoreTestingPlan. You may optionally include CreatorRequestId and Tags.
│    │    + documentation: Creates a restore testing plan.
│    │    The first of two steps to create a restore testing plan. After this request is successful, finish the procedure using CreateRestoreTestingSelection.
│    └[~] resource AWS::Backup::RestoreTestingSelection
│      ├ properties
│      │  └ RestoreTestingSelectionName: (documentation changed)
│      └ types
│         └[~] type ProtectedResourceConditions
│           └  - documentation: A list of conditions that you define for resources in your restore testing plan using tags.
│              For example, `"StringEquals": { "Key": "aws:ResourceTag/CreatedByCryo", "Value": "true" },` . Condition operators are case sensitive.
│              + documentation: The conditions that you define for resources in your restore testing plan using tags.
│              For example, `"StringEquals": { "Key": "aws:ResourceTag/CreatedByCryo", "Value": "true" },` . Condition operators are case sensitive.
├[~] service aws-batch
│ └ resources
│    └[~] resource AWS::Batch::JobDefinition
│      └ types
│         └[~] type ImagePullSecret
│           ├  - documentation: undefined
│           │  + documentation: References a Kubernetes secret resource. This name of the secret must start and end with an alphanumeric character, is required to be lowercase, can include periods (.) and hyphens (-), and can't contain more than 253 characters.
│           └ properties
│              └ Name: (documentation changed)
├[~] service aws-bedrock
│ └ resources
│    ├[~] resource AWS::Bedrock::Agent
│    │ ├ properties
│    │ │  ├ AgentResourceRoleArn: (documentation changed)
│    │ │  └ CustomerEncryptionKeyArn: (documentation changed)
│    │ ├ attributes
│    │ │  └ AgentArn: (documentation changed)
│    │ └ types
│    │    ├[~] type ActionGroupExecutor
│    │    │ └ properties
│    │    │    └ Lambda: (documentation changed)
│    │    └[~] type AgentActionGroup
│    │      └ properties
│    │         └ ActionGroupExecutor: (documentation changed)
│    ├[~] resource AWS::Bedrock::AgentAlias
│    │ └ attributes
│    │    └ AgentAliasArn: (documentation changed)
│    ├[~] resource AWS::Bedrock::DataSource
│    │ └ types
│    │    ├[~] type S3DataSourceConfiguration
│    │    │ └ properties
│    │    │    └ BucketArn: (documentation changed)
│    │    └[~] type ServerSideEncryptionConfiguration
│    │      └ properties
│    │         └ KmsKeyArn: (documentation changed)
│    └[~] resource AWS::Bedrock::KnowledgeBase
│      ├ properties
│      │  └ RoleArn: (documentation changed)
│      ├ attributes
│      │  └ KnowledgeBaseArn: (documentation changed)
│      └ types
│         └[~] type VectorKnowledgeBaseConfiguration
│           └ properties
│              └ EmbeddingModelArn: (documentation changed)
├[~] service aws-cloudwatch
│ └ resources
│    └[~] resource AWS::CloudWatch::AnomalyDetector
│      ├ properties
│      │  └[+] MetricCharacteristics: MetricCharacteristics (immutable)
│      └ types
│         └[+] type MetricCharacteristics
│           ├  documentation: This object includes parameters that you can use to provide information to CloudWatch to help it build more accurate anomaly detection models.
│           │  name: MetricCharacteristics
│           └ properties
│              └PeriodicSpikes: boolean
├[~] service aws-datazone
│ └ resources
│    └[~] resource AWS::DataZone::DataSource
│      └ types
│         └[~] type GlueRunConfigurationInput
│           └ properties
│              └[+] AutoImportDataQualityResult: boolean
├[~] service aws-dms
│ └ resources
│    └[~] resource AWS::DMS::Endpoint
│      └ types
│         └[~] type PostgreSqlSettings
│           └ properties
│              └ CaptureDdls: (documentation changed)
├[~] service aws-ec2
│ └ resources
│    ├[~] resource AWS::EC2::CustomerGateway
│    │ └ properties
│    │    ├ BgpAsn: - integer (required, default=65000, immutable)
│    │    │         + integer (default=65000, immutable)
│    │    └[+] BgpAsnExtended: number (immutable)
│    └[~] resource AWS::EC2::TransitGatewayRoute
│      └ properties
│         └ DestinationCidrBlock: - string (immutable)
│                                 + string (required, immutable)
├[~] service aws-ecr
│ └ resources
│    └[+] resource AWS::ECR::RepositoryCreationTemplate
│      ├  name: RepositoryCreationTemplate
│      │  cloudFormationType: AWS::ECR::RepositoryCreationTemplate
│      │  documentation: AWS::ECR::RepositoryCreationTemplate is used to create repository with configuration from a pre-defined template.
│      ├ properties
│      │  ├Prefix: string (required, immutable)
│      │  ├Description: string
│      │  ├ImageTagMutability: string
│      │  ├RepositoryPolicy: string
│      │  ├LifecyclePolicy: string
│      │  ├EncryptionConfiguration: EncryptionConfiguration
│      │  ├ResourceTags: Array<tag>
│      │  └AppliedFor: Array<string> (required)
│      ├ attributes
│      │  ├CreatedAt: string
│      │  └UpdatedAt: string
│      └ types
│         └type EncryptionConfiguration
│          ├  documentation: The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest.
│          │  By default, when no encryption configuration is set or the `AES256` encryption type is used, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts your data at rest using an AES-256 encryption algorithm. This does not require any action on your part.
│          │  For more control over the encryption of the contents of your repository, you can use server-side encryption with AWS Key Management Service key stored in AWS Key Management Service ( AWS KMS ) to encrypt your images. For more information, see [Amazon ECR encryption at rest](https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html) in the *Amazon Elastic Container Registry User Guide* .
│          │  name: EncryptionConfiguration
│          └ properties
│             ├EncryptionType: string (required)
│             └KmsKey: string
├[~] service aws-kms
│ └ resources
│    └[~] resource AWS::KMS::Key
│      └ properties
│         └[+] RotationPeriodInDays: integer (default=365)
├[~] service aws-lambda
│ └ resources
│    └[~] resource AWS::Lambda::Alias
│      └ attributes
│         └[+] AliasArn: string
├[~] service aws-oam
│ └ resources
│    └[~] resource AWS::Oam::Link
│      ├ properties
│      │  └[+] LinkConfiguration: LinkConfiguration
│      └ types
│         ├[+] type LinkConfiguration
│         │ ├  name: LinkConfiguration
│         │ └ properties
│         │    ├MetricConfiguration: LinkFilter
│         │    └LogGroupConfiguration: LinkFilter
│         └[+] type LinkFilter
│           ├  name: LinkFilter
│           └ properties
│              └Filter: string (required)
├[~] service aws-quicksight
│ └ resources
│    ├[~] resource AWS::QuickSight::Dashboard
│    │ └ attributes
│    │    └ Version: (documentation changed)
│    └[~] resource AWS::QuickSight::Template
│      └ attributes
│         └ Version: (documentation changed)
├[~] service aws-rds
│ └ resources
│    └[~] resource AWS::RDS::DBInstance
│      └ properties
│         ├ Engine: (documentation changed)
│         ├ KmsKeyId: (documentation changed)
│         └ StorageEncrypted: (documentation changed)
├[~] service aws-redshiftserverless
│ └ resources
│    └[~] resource AWS::RedshiftServerless::Namespace
│      ├ properties
│      │  └[+] SnapshotCopyConfigurations: Array<SnapshotCopyConfiguration>
│      └ types
│         └[+] type SnapshotCopyConfiguration
│           ├  name: SnapshotCopyConfiguration
│           └ properties
│              ├DestinationRegion: string (required)
│              ├DestinationKmsKeyId: string
│              └SnapshotRetentionPeriod: integer
├[~] service aws-securitylake
│ └ resources
│    ├[~] resource AWS::SecurityLake::AwsLogSource
│    │ ├  - documentation: Resource Type definition for AWS::SecurityLake::AwsLogSource
│    │ │  + documentation: Adds a natively supported AWS service as an AWS source. Enables source types for member accounts in required AWS Regions, based on the parameters you specify. You can choose any source type in any Region for either accounts that are part of a trusted organization or standalone accounts. Once you add an AWS service as a source, Security Lake starts collecting logs and events from it.
│    │ │  > If you want to create multiple sources using `AWS::SecurityLake::AwsLogSource` , you must use the `DependsOn` attribute to create the sources sequentially. With the `DependsOn` attribute you can specify that the creation of a specific `AWSLogSource` follows another. When you add a `DependsOn` attribute to a resource, that resource is created only after the creation of the resource specified in the `DependsOn` attribute. For an example, see [Add AWS log sources](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-resource-securitylake-awslogsource.html#aws-resource-securitylake-awslogsource--examples) .
│    │ └ properties
│    │    ├ Accounts: (documentation changed)
│    │    ├ DataLakeArn: (documentation changed)
│    │    ├ SourceName: (documentation changed)
│    │    └ SourceVersion: (documentation changed)
│    ├[~] resource AWS::SecurityLake::DataLake
│    │ ├  - documentation: Resource Type definition for AWS::SecurityLake::DataLake
│    │ │  + documentation: Initializes an Amazon Security Lake instance with the provided (or default) configuration. You can enable Security Lake in AWS Regions with customized settings before enabling log collection in Regions. To specify particular Regions, configure these Regions using the `configurations` parameter. If you have already enabled Security Lake in a Region when you call this command, the command will update the Region if you provide new configuration parameters. If you have not already enabled Security Lake in the Region when you call this API, it will set up the data lake in the Region with the specified configurations.
│    │ │  When you enable Security Lake , it starts ingesting security data after the `CreateAwsLogSource` call. This includes ingesting security data from sources, storing data, and making data accessible to subscribers. Security Lake also enables all the existing settings and resources that it stores or maintains for your AWS account in the current Region, including security log and event data. For more information, see the [Amazon Security Lake User Guide](https://docs.aws.amazon.com//security-lake/latest/userguide/what-is-security-lake.html) .
│    │ ├ properties
│    │ │  ├ EncryptionConfiguration: (documentation changed)
│    │ │  ├ LifecycleConfiguration: (documentation changed)
│    │ │  ├ MetaStoreManagerRoleArn: (documentation changed)
│    │ │  └ Tags: (documentation changed)
│    │ ├ attributes
│    │ │  ├ Arn: (documentation changed)
│    │ │  └ S3BucketArn: (documentation changed)
│    │ └ types
│    │    ├[~] type EncryptionConfiguration
│    │    │ ├  - documentation: Provides encryption details of Amazon Security Lake object.
│    │    │ │  + documentation: Provides encryption details of the Amazon Security Lake object. The AWS shared responsibility model applies to data protection in Amazon Security Lake . As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. For more details, see [Data protection](https://docs.aws.amazon.com//security-lake/latest/userguide/data-protection.html) in the Amazon Security Lake User Guide.
│    │    │ └ properties
│    │    │    └ KmsKeyId: (documentation changed)
│    │    ├[~] type Expiration
│    │    │ ├  - documentation: Provides data expiration details of Amazon Security Lake object.
│    │    │ │  + documentation: Provides data expiration details of the Amazon Security Lake object. You can specify your preferred Amazon S3 storage class and the time period for S3 objects to stay in that storage class before they expire. For more information about Amazon S3 Lifecycle configurations, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon Simple Storage Service User Guide* .
│    │    │ └ properties
│    │    │    └ Days: (documentation changed)
│    │    ├[~] type LifecycleConfiguration
│    │    │ ├  - documentation: Provides lifecycle details of Amazon Security Lake object.
│    │    │ │  + documentation: Provides lifecycle details of Amazon Security Lake object. To manage your data so that it is stored cost effectively, you can configure retention settings for the data. You can specify your preferred Amazon S3 storage class and the time period for Amazon S3 objects to stay in that storage class before they transition to a different storage class or expire. For more information about Amazon S3 Lifecycle configurations, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon Simple Storage Service User Guide* .
│    │    │ │  In Security Lake , you specify retention settings at the Region level. For example, you might choose to transition all S3 objects in a specific AWS Region to the `S3 Standard-IA` storage class 30 days after they're written to the data lake. The default Amazon S3 storage class is S3 Standard.
│    │    │ │  > Security Lake doesn't support Amazon S3 Object Lock. When the data lake buckets are created, S3 Object Lock is disabled by default. Enabling S3 Object Lock with default retention mode interrupts the delivery of normalized log data to the data lake.
│    │    │ └ properties
│    │    │    ├ Expiration: (documentation changed)
│    │    │    └ Transitions: (documentation changed)
│    │    ├[~] type ReplicationConfiguration
│    │    │ ├  - documentation: Provides replication details of Amazon Security Lake object.
│    │    │ │  + documentation: Provides replication configuration details for objects stored in the Amazon Security Lake data lake.
│    │    │ └ properties
│    │    │    ├ Regions: (documentation changed)
│    │    │    └ RoleArn: (documentation changed)
│    │    └[~] type Transitions
│    │      ├  - documentation: undefined
│    │      │  + documentation: Provides transition lifecycle details of the Amazon Security Lake object. For more information about Amazon S3 Lifecycle configurations, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon Simple Storage Service User Guide* .
│    │      └ properties
│    │         ├ Days: (documentation changed)
│    │         └ StorageClass: (documentation changed)
│    └[~] resource AWS::SecurityLake::Subscriber
│      ├  - documentation: Resource Type definition for AWS::SecurityLake::Subscriber
│      │  + documentation: Creates a subscriber for accounts that are already enabled in Amazon Security Lake. You can create a subscriber with access to data in the current AWS Region.
│      ├ properties
│      │  ├ AccessTypes: (documentation changed)
│      │  ├ DataLakeArn: (documentation changed)
│      │  ├ Sources: (documentation changed)
│      │  ├ SubscriberDescription: (documentation changed)
│      │  └ SubscriberName: (documentation changed)
│      ├ attributes
│      │  ├ ResourceShareArn: (documentation changed)
│      │  ├ ResourceShareName: (documentation changed)
│      │  ├ S3BucketArn: (documentation changed)
│      │  ├ SubscriberArn: (documentation changed)
│      │  └ SubscriberRoleArn: (documentation changed)
│      └ types
│         ├[~] type AwsLogSource
│         │ ├  - documentation: Amazon Security Lake supports log and event collection for natively supported AWS services.
│         │ │  + documentation: Adds a natively supported AWS service as an Amazon Security Lake source. Enables source types for member accounts in required AWS Regions, based on the parameters you specify. You can choose any source type in any Region for either accounts that are part of a trusted organization or standalone accounts. Once you add an AWS service as a source, Security Lake starts collecting logs and events from it.
│         │ └ properties
│         │    ├ SourceName: (documentation changed)
│         │    └ SourceVersion: (documentation changed)
│         ├[~] type CustomLogSource
│         │ ├  - documentation: undefined
│         │ │  + documentation: Third-party custom log source that meets the requirements to be added to Amazon Security Lake . For more details, see [Custom log source](https://docs.aws.amazon.com//security-lake/latest/userguide/custom-sources.html#iam-roles-custom-sources) in the *Amazon Security Lake User Guide* .
│         │ └ properties
│         │    ├ SourceName: (documentation changed)
│         │    └ SourceVersion: (documentation changed)
│         ├[~] type Source
│         │ ├  - documentation: undefined
│         │ │  + documentation: Sources are logs and events generated from a single system that match a specific event class in the Open Cybersecurity Schema Framework (OCSF) schema. Amazon Security Lake can collect logs and events from a variety of sources, including natively supported AWS services and third-party custom sources.
│         │ └ properties
│         │    ├ AwsLogSource: (documentation changed)
│         │    └ CustomLogSource: (documentation changed)
│         └[~] type SubscriberIdentity
│           ├  - documentation: The AWS identity used to access your data.
│           │  + documentation: Specify the AWS account ID and external ID that the subscriber will use to access source data.
│           └ properties
│              ├ ExternalId: (documentation changed)
│              └ Principal: (documentation changed)
├[~] service aws-ssm
│ └ resources
│    └[~] resource AWS::SSM::Document
│      └ properties
│         └ Name: (documentation changed)
├[~] service aws-timestream
│ └ resources
│    └[+] resource AWS::Timestream::InfluxDBInstance
│      ├  name: InfluxDBInstance
│      │  cloudFormationType: AWS::Timestream::InfluxDBInstance
│      │  documentation: A DB instance is an isolated database environment running in the cloud. It is the basic building block of Amazon Timestream for InfluxDB. A DB instance can contain multiple user-created databases (or organizations and buckets for the case of InfluxDb 2.x databases), and can be accessed using the same client tools and applications you might use to access a standalone self-managed InfluxDB instance.
│      │  tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│      ├ properties
│      │  ├Username: string (immutable)
│      │  ├Password: string (immutable)
│      │  ├Organization: string (immutable)
│      │  ├Bucket: string (immutable)
│      │  ├DbInstanceType: string (immutable)
│      │  ├VpcSubnetIds: Array<string> (immutable)
│      │  ├VpcSecurityGroupIds: Array<string> (immutable)
│      │  ├PubliclyAccessible: boolean (default=false, immutable)
│      │  ├DbStorageType: string (immutable)
│      │  ├AllocatedStorage: integer (immutable)
│      │  ├DbParameterGroupIdentifier: string
│      │  ├LogDeliveryConfiguration: LogDeliveryConfiguration
│      │  ├Name: string (immutable)
│      │  ├DeploymentType: string (immutable)
│      │  └Tags: Array<tag>
│      ├ attributes
│      │  ├Status: string
│      │  ├Arn: string
│      │  ├Id: string
│      │  ├AvailabilityZone: string
│      │  ├Endpoint: string
│      │  ├SecondaryAvailabilityZone: string
│      │  └InfluxAuthParametersSecretArn: string
│      └ types
│         ├type LogDeliveryConfiguration
│         │├  documentation: Configuration for sending InfluxDB engine logs to a specified S3 bucket.
│         ││  name: LogDeliveryConfiguration
│         │└ properties
│         │   └S3Configuration: S3Configuration (required)
│         └type S3Configuration
│          ├  documentation: Configuration for S3 bucket log delivery.
│          │  name: S3Configuration
│          └ properties
│             ├BucketName: string (required)
│             └Enabled: boolean (required)
├[~] service aws-transfer
│ └ resources
│    ├[~] resource AWS::Transfer::Certificate
│    │ └ properties
│    │    └ Usage: (documentation changed)
│    └[~] resource AWS::Transfer::Server
│      └ properties
│         └ Domain: (documentation changed)
└[~] service aws-wisdom
  └ resources
     └[~] resource AWS::Wisdom::KnowledgeBase
       └ types
          └[~] type AppIntegrationsConfiguration
            └ properties
               └ ObjectFields: (documentation changed)
```
### Issue # (if applicable)

Closes #29619.

### Reason for this change

Support [`pidMode`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html#cfn-ecs-taskdefinition-pidmode) for `FargateTaskDefinition`.

### Description of changes

Added support for the `pidMode` property along with the necessary validation, documentation, and test coverage.

### Description of how you validated changes

- [x] Unit tests
- [x] Integration tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…throughput (#29905)

### Issue # (if applicable)

N/A

### Reason for this change

[Anthropic's Claude 3 Opus mode is now available](https://aws.amazon.com/jp/blogs/aws/anthropics-claude-3-opus-model-on-amazon-bedrock/), and new model IDs are published in [the guide](https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html).

### Description of changes

I added model IDs for Claude 3 Opus for on-demand throughput and Claude 3 Sonnet/Haiku for provisioned throughput.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Closes #29937 

### Reason for this change

Adding assertions for `AwsCustomResource` will improve our test coverage.

### Description of changes

Added assertions for `AwsCustomResource` to integ tests that were impacted by this [PR](#29868).

### Description of how you validated changes

Assertions were validated by running the integ tests and verifying that it succeeded.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

None as far as I could tell

### Reason for this change

Update the CDK listed ALB controller versions to match the current availability

### Description of changes

* Added missing controller versions
* Updated the Helm version of existing controller versions

### Description of how you validated changes

I listed the list of available versions by using the `ecr:ListImages` command on the `amazon/aws-load-balancer-controller` repository. I'm also filtering out tags that do not match a `v1.2.3` pattern, e.g. `v2.0.0-rc5`, `v2.0.0-test-linux_amd64`

For the Helm chart version, I **initially** manually went through the blame history of https://github.com/aws/eks-charts/blob/master/stable/aws-load-balancer-controller/Chart.yaml. @guessi then recommended I use the [Helm CLI](https://helm.sh/) to obtain the corresponding versions, which worked a ton better and was easily integrated to my tool:

```sh
helm repo add eks https://aws.github.io/eks-charts
helm repo update
helm search repo aws-load-balancer-controller --versions --output json
```

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
#29397)

### Issue

Closes [#16423](#16423).

### Reason for this change

The CDK construct to set an APIGatway as the target for an EventBridge rule only accepted RestApi. It should instead accept the interface IRestApi.

### Description of changes

This change was attempted once earlier, but [the PR](#16542) was closed.

Changed the `ApiGateway` target's constructor's first argument from `api.RestApi` to `api.IRestApi`.

To fix compatibility failures caused by the previous `restApi` being a public member of the class, I've followed the approach suggested [here](#16542 (comment)). Some other alternatives are suggested [here](#16542 (comment)).

### Description of how you validated changes

Added a unit test that creates a dummy `SpecRestApi`. Also added an integ test that creates a `SpecRestApi` from a dummy OpenAPI spec and creates a rule on the default event bus with the APIGateway as target. Nothing is executed in the integ test. The assertion only checks if the target is created using the `ListTargetsByRule` API.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Reverts #29470

Reverting due to potential unwanted updating of resources with helm chart version changes.
…ication events (#29939)

### Issue # (if applicable)

Closes #29004

### Reason for this change

`cdk destroy` removes all event notifications configured on an existing S3 bucket instead of only CDK managed event notifications. This occurs whenever a stack that creates an event notification for an existing bucket is deleted or rolled back.

### Description of changes

Add a `Delete` statement which will only remove the ones created from within the stack

### Description of how you validated changes

Manually tested this.

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #29890.

### Reason for this change

`cdk diff` crashes with `--template`.

### Description of changes

The addition of changeset logic had a leftover refactor that should not have been leftover (trying to pass a template directly instead of a stack artifact). Removes changeset creation code from fixed template mode, which should never create a changeset, and adds a unit test for fixed template diffs so we don't break this in the future.

### Description of how you validated changes

unit tests + manual testing. CLI integ tests will be added in a follow-up PR. 

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

None that I could find

### Reason for this change

Adds missing `WorkMail` SES rule action

### Description of changes

* Implement `WorkMail` action

### Description of how you validated changes

Added unit test, integ test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #21455.

### Reason for this change

EFS supports [replicating file systems](https://docs.aws.amazon.com/efs/latest/ug/efs-replication.html) but AWS CDK cannot configure it.

### Description of changes

Add `replicationConfiguration` to `FileSystemProps`

```ts
declare const vpc: ec2.Vpc;
declare const kmsKey: kms.Key;

// auto generate a replication destination file system
new efs.FileSystem(this, 'ReplicationSourceFileSystem1', {
  vpc,
  replicationConfiguration: {
    kmsKey, // optional
    region: 'us-east-1', // optional
    availabilityZone: 'us-east-1a', // optional, Specifing the AZ means creating a One Zone file system as the replication destination
  }
});

// specify the replication destination file system
const destinationFileSystem = new efs.FileSystem(this, 'DestinationFileSystem', {
  vpc,
  // set as the read-only file system for use as a replication destination
  replicationOverwriteProtection: efs.ReplicationOverwriteProtection.DISABLED,
});

new efs.FileSystem(this, 'ReplicationSourceFileSystem2', {
  vpc,
  replicationConfiguration: {
    destinationFileSystem,
    // cannot configure other properties when destinationFileSystem is specified
  }
});
```

### Description of how you validated changes

I have added both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@aws-cdk-automation aws-cdk-automation added auto-approve pr/no-squash This PR should be merged instead of squash-merging it labels Apr 24, 2024
@github-actions github-actions bot added the p2 label Apr 24, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team April 24, 2024 19:30
@aws-cdk-automation
Copy link
Collaborator Author

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 9616fd2
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Copy link
Contributor

mergify bot commented Apr 24, 2024

Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Apr 24, 2024
@mergify mergify bot merged commit 2699ffd into v2-release Apr 24, 2024
11 of 12 checks passed
@mergify mergify bot deleted the bump/2.139.0 branch April 24, 2024 20:07
@aws-cdk-automation
Copy link
Collaborator Author

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
auto-approve p2 pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. pr/no-squash This PR should be merged instead of squash-merging it
Projects
None yet
Development

Successfully merging this pull request may close these issues.