chore(release): 2.139.0 #29953

Merged
merged 29 commits into from
Apr 24, 2024
Commits on Apr 18, 2024

  1. feat(ecs): support adding docker labels after container construction (#29734)
    
    Closes #29728. 
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    msambol authored Apr 18, 2024
    8e215b3
  2. chore(bedrock): claude3-haiku model (#29587)

    Ref:
    https://aws.amazon.com/jp/blogs/aws/anthropics-claude-3-haiku-model-is-now-available-in-amazon-bedrock/
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    watany-dev authored Apr 18, 2024
    ffe46b5
  3. docs(apigateway): add warning about split stack technique (#29691)

    ### Issue #29690
    
    Closes #29690
    
    ### Reason for this change
    
    Regarding the stack separation of RestApi and Resource, there is no documentation about the fact that Deployment is not automatically created. When I actually add resources to the code documented and try cdk deploy for the second time and beyond, a new deployment is not created, and the latest resources are not reflected.
    
    ### Description of changes
    
    I added a note and related links to the documentation.
    
    ### Description of how you validated changes
    
    Nothing. It is just to change the description.
    
    ### Checklist
    - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    engineer-taro authored Apr 18, 2024
    91246ac
  4. 713377d

Commits on Apr 19, 2024

  1. fix(custom-resource-handler): auto-delete-[objects|images] breaks on cloudformation rollback (#29581)
    
    ### Issue # (if applicable)
    
    Closes #27199
    
    ### Reason for this change
    
    Based on the way the custom resource is implemented, it is likely that
    unexpected behavior happens on Cloudformation rollback, i.e. the custom
    resource will prematurely delete the objects.
    
    Consider the following scenario:
    
    ```
    UPDATE target resource (replacement, creates a new resource)
    UPDATE custom resource (old -> new, objects in old bucket are deleted)
    (...stuff happens...)
    ERROR, triggers a rollback
    UPDATE custom resource (new -> old)
    DELETE target resource (deletes the new resource, remembers the existing one)
    ```
    
    We will have deleted objects in the bucket that has been rolled back to
    in this scenario, but the content is now gone.
    
    ### Description of changes
    
    Instead of deleting it right during update, we send back
    `PhysicalResourceId` in the event handler; if the id changes, it
    will let CFN empty and delete the bucket at the end of the
    deployment.
    
    ### Description of how you validated changes
    
    New & updated tests. Also manually tested with deploying a template 
    ```ts
    import * as cdk from 'aws-cdk-lib';
    import * as s3 from 'aws-cdk-lib/aws-s3';

    // Inside a cdk.Stack constructor (`this` is the stack).
    const bucket = new s3.Bucket(this, 'Bucket', {
      removalPolicy: cdk.RemovalPolicy.DESTROY,
      bucketName: "<a bucket name that's not used>",
      autoDeleteObjects: true,
    });

    // Intentional failure since `mybucket-1` exists
    const bucket2 = new s3.Bucket(this, 'Bucket2', {
      removalPolicy: cdk.RemovalPolicy.DESTROY,
      bucketName: "<a bucket name that's not used>",
    });

    bucket2.node.addDependency(bucket);
    ```
    
    Once the deployment is successful, add some random content to the
    bucket, then update the code so that the first bucket's bucketName is
    updated to another valid name. Update the second bucket's bucketName to
    be an existing bucket name, which will trigger a deployment failure
    hence roll back.
    
    After the change, the content will stay there if a deployment failure
    happens. The content & bucket will be deleted if deployment is
    successful.
    
    
    ### Checklist
    - [x] My code adheres to the [CONTRIBUTING
    GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and
    [DESIGN
    GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made
    under the terms of the Apache-2.0 license*
    GavinZZ authored Apr 19, 2024
    69ea52f
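
The rollback scenario from the commit above, as an added example that is not code from the pull request: a toy in-memory model of how CloudFormation treats a custom resource whose `PhysicalResourceId` changes. The bucket names, object names, `eagerHandler`, `deferredHandler` and `simulateReplacement` are all assumptions made for the illustration.

```typescript
// Added illustration, not aws-cdk code. Buckets are modelled as name -> object keys.
type Buckets = Map<string, string[]>;

interface CustomResourceEvent {
  requestType: 'Create' | 'Update' | 'Delete';
  bucket: string;      // bucket name in the current resource properties
  oldBucket?: string;  // bucket name in the previous properties (Update only)
  physicalId: string;  // PhysicalResourceId CloudFormation currently holds
}

// A handler returns the PhysicalResourceId it reports back to CloudFormation.
type Handler = (event: CustomResourceEvent, buckets: Buckets) => string;

const OLD = 'old-bucket'; // hypothetical names
const NEW = 'new-bucket';

function emptyBucket(buckets: Buckets, name: string): void {
  if (buckets.has(name)) buckets.set(name, []);
}

// Problem behaviour: empty the previous bucket as soon as the name changes.
const eagerHandler: Handler = (event, buckets) => {
  if (event.requestType === 'Update' && event.oldBucket && event.oldBucket !== event.bucket) {
    emptyBucket(buckets, event.oldBucket);
  }
  if (event.requestType === 'Delete') emptyBucket(buckets, event.bucket);
  return 'fixed-id'; // id never changes, so CloudFormation never sends a cleanup Delete
};

// Fixed behaviour: only report a new physical id on Update; empty on Delete.
const deferredHandler: Handler = (event, buckets) => {
  if (event.requestType === 'Delete') {
    emptyBucket(buckets, event.physicalId);
    return event.physicalId;
  }
  return event.bucket; // a changed id makes CloudFormation delete the other one later
};

function simulateReplacement(handler: Handler, deploymentFails: boolean): Buckets {
  // Constructed sample state: one bucket holding two objects.
  const buckets: Buckets = new Map<string, string[]>([[OLD, ['a.txt', 'b.txt']]]);
  const id0 = handler({ requestType: 'Create', bucket: OLD, physicalId: '' }, buckets);

  // UPDATE target resource (replacement), then UPDATE custom resource (old -> new).
  buckets.set(NEW, []);
  const id1 = handler(
    { requestType: 'Update', bucket: NEW, oldBucket: OLD, physicalId: id0 }, buckets);

  if (deploymentFails) {
    // Rollback: UPDATE custom resource (new -> old), then remove what the
    // failed update created (the new physical id and the new bucket).
    handler({ requestType: 'Update', bucket: OLD, oldBucket: NEW, physicalId: id1 }, buckets);
    if (id1 !== id0) handler({ requestType: 'Delete', bucket: NEW, physicalId: id1 }, buckets);
    buckets.delete(NEW);
  } else {
    // Success: the cleanup phase deletes the replaced physical resources.
    if (id1 !== id0) handler({ requestType: 'Delete', bucket: OLD, physicalId: id0 }, buckets);
    // A bucket can only be deleted once it is empty.
    if ((buckets.get(OLD) || []).length === 0) buckets.delete(OLD);
  }
  return buckets;
}
```

With `eagerHandler` a failed deployment leaves `old-bucket` in place but empty; with `deferredHandler` the objects survive a rollback and are removed only when the deployment succeeds.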
  2. chore(rds): add new AuroraMysql version (#29888)

    ### Reason for this change
    
    [Aurora MySQL database engine updates 2024-03-26 (version 2.11.5, compatible with MySQL 5.7.12)](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraMySQLReleaseNotes/AuroraMySQL.Updates.2115.html)
    
    ### Checklist
    - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    Jared0430 authored Apr 19, 2024
    301451d
  3. c60eb75
  4. cc4c96c
  5. fix(CLI): bootstrap shows no hotswap changes when there are no changes (#29877)
    
    ### Issue # (if applicable)
    
    Closes #25736.
    
    ### Reason for this change
    
    The bootstrap calls `deployStack` without specifying hotswap, and `deployStack` does not correctly default the hotswap mode to `FULL_DEPLOYMENT`.
    
    ### Description of changes
    
    Make `deployStack` correctly default `hotswapMode` to `FULL_DEPLOYMENT`.
    
    ### Description of how you validated changes
    
    Manual testing. Before this change:
    
    ```
     ✨ hotswap deployment skipped - no changes were detected (use --force to override)
    
     ✅  Environment aws://123456789012/us-east-1 bootstrapped (no changes).
    
    ```
    
    After:
    
    ```
     ✅  Environment aws://123456789012/us-east-1 bootstrapped (no changes).
    ```
    
    Unit tests not added because we don't have any unit tests for bootstrap and this is cosmetic.
    
    ### Checklist
    - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    comcalvi authored Apr 19, 2024
    2126ee5
  6. fix(custom-resources): cannot set logging for state machine generated in CompleteHandler (#28706)
    
    This PR fixes the case that `StateMachine` generated for `CompleteHandler` in `Provider` cannot set logging.
    
    The default log group name of the state machine automatically created by the `Provider` with `isCompleteHandler` should start with `/aws/vendedlogs/states`. Otherwise, each time the state machine is created, the log resource policy size increases. 
    
    https://docs.aws.amazon.com/step-functions/latest/dg/bp-cwl.html
    
    Closes #27283
    Fixes #28577 #28744
    
    Related PR #27310(reverted by #28699), #28587
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    go-to-k authored Apr 19, 2024
    99041b2
  7. feat(appconfig): constrain environments to a single deployment at a time (#29500)
    
    ### Issue # (if applicable)
    
    Closes #29345.
    
    ### Reason for this change
    
    The current L2 AppConfig constructs do not have any guardrails 
    that prevent simultaneous Deployments to a single Environment. 
    This is not allowed, and will result in Cfn deploy-time conflicts.
    
    ### Description of changes
    
    This commit adds a pair of new public methods to IEnvironment that 
    enable the addition of a new Deployment for a given IConfiguration.
    
    It then updates the creation of new Deployments in ConfigurationBase 
    to utilize these new methods instead of the current resource creation.
    
    These new methods interact with an internal queue. 
    This queue creates a chain of Cfn dependencies between Deployments 
    in order to enforce that only a single Deployment can be in progress 
    for the Environment at any given time.
    
    ### Description of how you validated changes
    
    Added new unit and integ test coverage.  
    Deployed the new integ test without these changes and confirmed that Cfn failed at deployment time. 
    
    ### Checklist
    - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    M-Hawkins authored Apr 19, 2024
    3dd834d
  8. fix(elasticloadbalancingv2): crossZoneEnabled does not support false for ALB (#29907)
    
    ### Issue # (if applicable)
    
    Closes #29866
    
    ### Reason for this change
    
    `crossZoneEnabled` is not well handled when it's `false` with ALB.  Because:
    
    1. When the L2 prop is set to `false`, it will not pass down to the L1 and won't throw any error as ALB does not support being disabled. It just silently ignores it.
    2. When the prop is `false` for NLB, the L1 attribute will be `undefined`, which has the same result, but it should be explicitly set as `false` in L1.
    
    
    This PR covers the following cases:
    
    1. When `crossZoneEnabled` is `true`, `load_balancing.cross_zone.enabled` should be `true`.
    2. When `crossZoneEnabled` is `false`, `load_balancing.cross_zone.enabled` should be `false`, rather than `undefined`.
    3. When `crossZoneEnabled` is `false` with ALB, cdk throws an error because ALB does not support disabling it per [doc](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-loadbalancer-loadbalancerattribute.html) description.
    4. NLB supports either `true` or `false`.
    5. This prop can be `undefined` for ALB or NLB.
    6. Improve the doc string for the `crossZoneEnabled` prop.
    
    ### Description of changes
    
    
    
    ### Description of how you validated changes
    
    
    
    ### Checklist
    - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    pahud authored Apr 19, 2024
    f6c902e
  9. chore(cli-testing): add a retry for test (#29908)

    One of our tests, `can remove customPermissionsBoundary`, creates a policy using `createPolicy`. Changes to IAM policies/roles use eventual consistency. So, while the changes will show up right away if we were to call an API to describe that policy/role, the updates may not have actually propagated to all regions yet. This is likely the cause of the intermittent test failures for this test.
    
    This change adds the eventually block and uses it to retry initial creation of this stack in the case that the policy changes have not made it to the relevant region just yet.
    
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    aws-cdk-automation authored Apr 19, 2024
    9eb21bd
  10. fix(ses-actions): permissions too wide for S3 action (#29833)

    ### Issue # (if applicable)
    
    Closes #29811, continuation of @msambol 's #29823
    
    ### Reason for this change
    
    Reduce overly broad permissions allocated to SES for the S3 receipt rule action
    
    ### Description of changes
    
    * Restrain by both rule set and rule name, as recommended in the [docs](https://docs.aws.amazon.com/ses/latest/dg/receiving-email-permissions.html#receiving-email-permissions-s3)
    	* Accomplished by generating the permission lazily, when the rule is rendering the actions for CloudFormation  
    
    ### Description of how you validated changes
    
    Updated the unit and integration tests. The integration now uses a free test WorkMail domain. It's a bit of manual setup upfront, but doesn't require the contributor to use one of their own domains
    
    ### Checklist
    - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    nmussy authored Apr 19, 2024
    2da544f
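
A check for the scoping described in the commit above, as an added example that is not code from the pull request: it audits a bucket-policy statement granting SES write access and reports when the grant is not tied to one rule set and one rule. The condition keys `aws:SourceAccount` and `aws:SourceArn` follow the AWS documentation linked in the commit; the function names, account id, bucket and rule names are constructed for the illustration.

```typescript
// Added illustration, not aws-cdk code.
interface PolicyStatement {
  Effect: string;
  Principal?: { Service?: string };
  Action: string | string[];
  Resource: string | string[];
  Condition?: { [operator: string]: { [key: string]: string } };
}

// arn:<partition>:ses:<region>:<account>:receipt-rule-set/<set>:receipt-rule/<rule>
// with no wildcard characters in the rule set or rule name.
const RULE_ARN =
  /^arn:aws[a-z-]*:ses:[a-z0-9-]+:(\d{12}):receipt-rule-set\/[^:*?\/\s]+:receipt-rule\/[^:*?\/\s]+$/;

// Condition keys are case-insensitive, so compare them lower-cased.
function findCondition(
  stmt: PolicyStatement,
  key: string,
): { operator: string; value: string } | undefined {
  const condition = stmt.Condition || {};
  for (const operator of Object.keys(condition)) {
    for (const k of Object.keys(condition[operator])) {
      if (k.toLowerCase() === key) return { operator, value: condition[operator][k] };
    }
  }
  return undefined;
}

function auditSesS3Statement(stmt: PolicyStatement): string[] {
  const findings: string[] = [];
  const isSesAllow =
    stmt.Effect === 'Allow' && !!stmt.Principal && stmt.Principal.Service === 'ses.amazonaws.com';
  if (!isSesAllow) return findings; // not an SES grant, nothing to audit

  const account = findCondition(stmt, 'aws:sourceaccount');
  const arn = findCondition(stmt, 'aws:sourcearn');
  if (!account) findings.push('missing aws:SourceAccount condition');
  if (!arn) {
    findings.push('missing aws:SourceArn condition');
    return findings;
  }
  if (arn.operator !== 'StringEquals') {
    findings.push(`aws:SourceArn uses ${arn.operator}, expected StringEquals`);
  }
  const match = RULE_ARN.exec(arn.value);
  if (!match) {
    findings.push('aws:SourceArn does not name one rule set and one rule');
  } else if (account && match[1] !== account.value) {
    findings.push('aws:SourceArn account differs from aws:SourceAccount');
  }
  return findings;
}

// Constructed sample statements.
const base = {
  Effect: 'Allow',
  Principal: { Service: 'ses.amazonaws.com' },
  Action: 's3:PutObject',
  Resource: 'arn:aws:s3:::example-mail-bucket/*',
};

// Any SES receipt rule in any account may write.
const unconditioned: PolicyStatement = { ...base };

// Limited to the account, but any rule set and rule may write.
const wildcardRuleSet: PolicyStatement = {
  ...base,
  Condition: {
    StringEquals: { 'aws:SourceAccount': '111122223333' },
    StringLike: { 'aws:SourceArn': 'arn:aws:ses:us-east-1:111122223333:receipt-rule-set/*' },
  },
};

// Restricted by both rule set and rule name.
const scoped: PolicyStatement = {
  ...base,
  Condition: {
    StringEquals: {
      'AWS:SourceAccount': '111122223333',
      'AWS:SourceArn':
        'arn:aws:ses:us-east-1:111122223333:receipt-rule-set/inbound-mail:receipt-rule/store-to-s3',
    },
  },
};
```

Running `auditSesS3Statement` over the statements of a synthesized template's bucket policy flags any SES grant that is wider than a single receipt rule.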
  11. fix(eks): incorrect nodegroupName(under feature flag) (#29794)

    ### Issue # (if applicable)
    
    As #22910 and #25278 were closed for staleness, I am opening a new PR to fix #22442.
    
    To avoid breaking change, this PR introduces a new feature flag for the bug fix.
    
    Closes #22442
    
    ### The Code for verification
    
    ```ts
    import {
      App, Stack,
      aws_eks as eks,
      aws_ec2 as ec2,
      CfnOutput, cx_api,
    } from 'aws-cdk-lib';
    
    const app = new App();
    const env = { region: process.env.CDK_DEFAULT_REGION, account: process.env.CDK_DEFAULT_ACCOUNT };
    const stack = new Stack(app, 'my-test-stack2', { env });
    
    stack.node.setContext(cx_api.EKS_NODEGROUP_NAME, true);
    
    const vpc = ec2.Vpc.fromLookup(stack, 'Vpc', { isDefault: true });
    
    const cluster = new eks.Cluster(stack, 'Cluster', {
      vpc,
      version: eks.KubernetesVersion.V1_29,
      defaultCapacity: 0,
    });
    
    const ng1 = new eks.Nodegroup(stack, 'ng-1', {
      cluster,
    });
    
    const ng2 = cluster.addNodegroupCapacity('ng-2', {
      nodegroupName: 'custom-name',
    });
    
    new CfnOutput(stack, 'ng1-name', { value: ng1.nodegroupName });
    new CfnOutput(stack, 'ng2-name', { value: ng2.nodegroupName });
    ```
    
    The output is like
    
    ```
    Outputs:
    my-test-stack2.ng1name = ng19F1EA947-sSziNMzPVkik
    my-test-stack2.ng2name = custom-name
    ```
    
    Console:
    
    <img width="315" alt="image" src="https://github.com/aws/aws-cdk/assets/278432/019255bd-7d05-43ad-8624-baf5b6eea725">
    
    
    
    ### Checklist
    - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    pahud authored Apr 19, 2024
    8bb8c55

Commits on Apr 20, 2024

  1. chore: add l1s into bedrock library (#29911)

    Because we already had a library under this namespace, our automation didn't do all the setup steps when the schema was updated. This adds the bedrock L1s.
    
    
    ### Checklist
    - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    TheRealAmazonKendra authored Apr 20, 2024
    1d16304

Commits on Apr 22, 2024

  1. feat: update L1 CloudFormation resource definitions (#29924)

    Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
    
    **L1 CloudFormation resource definition changes:**
    ```
    ├[~] service aws-appintegrations
    │ └ resources
    │    └[~] resource AWS::AppIntegrations::Application
    │      ├ properties
    │      │  └[+] Permissions: Array<string>
    │      └ types
    │         └[~] type ExternalUrlConfig
    │           └ properties
    │              └ ApprovedOrigins: - Array<string> (required)
    │                                 + Array<string>
    ├[~] service aws-autoscaling
    │ └ resources
    │    ├[~] resource AWS::AutoScaling::AutoScalingGroup
    │    │ ├ properties
    │    │ │  ├ Cooldown: (documentation changed)
    │    │ │  ├ DesiredCapacityType: (documentation changed)
    │    │ │  ├ HealthCheckType: (documentation changed)
    │    │ │  ├ MaxInstanceLifetime: (documentation changed)
    │    │ │  ├ NewInstancesProtectedFromScaleIn: (documentation changed)
    │    │ │  └ TerminationPolicies: (documentation changed)
    │    │ └ types
    │    │    ├[~] type LaunchTemplateOverrides
    │    │    │ └ properties
    │    │    │    └ InstanceType: (documentation changed)
    │    │    ├[~] type LifecycleHookSpecification
    │    │    │ └ properties
    │    │    │    └ RoleARN: (documentation changed)
    │    │    └[~] type MetricsCollection
    │    │      └ properties
    │    │         └ Metrics: (documentation changed)
    │    ├[~] resource AWS::AutoScaling::LaunchConfiguration
    │    │ ├ properties
    │    │ │  ├ AssociatePublicIpAddress: (documentation changed)
    │    │ │  ├ EbsOptimized: (documentation changed)
    │    │ │  ├ ImageId: (documentation changed)
    │    │ │  ├ InstanceMonitoring: (documentation changed)
    │    │ │  ├ KeyName: (documentation changed)
    │    │ │  ├ MetadataOptions: (documentation changed)
    │    │ │  └ PlacementTenancy: (documentation changed)
    │    │ └ types
    │    │    └[~] type BlockDevice
    │    │      └ properties
    │    │         ├ Encrypted: (documentation changed)
    │    │         └ VolumeType: (documentation changed)
    │    ├[~] resource AWS::AutoScaling::LifecycleHook
    │    │ └ properties
    │    │    └ RoleARN: (documentation changed)
    │    └[~] resource AWS::AutoScaling::ScalingPolicy
    │      ├ properties
    │      │  └ Cooldown: (documentation changed)
    │      └ types
    │         └[~] type PredictiveScalingConfiguration
    │           └ properties
    │              └ MaxCapacityBreachBehavior: (documentation changed)
    ├[~] service aws-backup
    │ └ resources
    │    ├[~] resource AWS::Backup::BackupPlan
    │    │ ├ properties
    │    │ │  └ BackupPlanTags: (documentation changed)
    │    │ └ types
    │    │    ├[~] type BackupRuleResourceType
    │    │    │ └ properties
    │    │    │    └ RecoveryPointTags: (documentation changed)
    │    │    └[~] type LifecycleResourceType
    │    │      └ properties
    │    │         └ OptInToArchiveForSupportedResources: (documentation changed)
    │    ├[~] resource AWS::Backup::BackupSelection
    │    │ └ types
    │    │    └[~] type ConditionParameter
    │    │      └  - documentation: Includes information about tags you define to assign tagged resources to a backup plan.
    │    │         + documentation: Includes information about tags you define to assign tagged resources to a backup plan.
    │    │         Include the prefix `aws:ResourceTag` in your tags. For example, `"aws:ResourceTag/TagKey1": "Value1"` .
    │    ├[~] resource AWS::Backup::BackupVault
    │    │ └ properties
    │    │    └ BackupVaultTags: (documentation changed)
    │    ├[~] resource AWS::Backup::Framework
    │    │ ├ properties
    │    │ │  └ FrameworkTags: (documentation changed)
    │    │ └ types
    │    │    ├[~] type ControlInputParameter
    │    │    │ └  - documentation: A list of parameters for a control. A control can have zero, one, or more than one parameter. An example of a control with two parameters is: "backup plan frequency is at least `daily` and the retention period is at least `1 year` ". The first parameter is `daily` . The second parameter is `1 year` .
    │    │    │    + documentation: The parameters for a control. A control can have zero, one, or more than one parameter. An example of a control with two parameters is: "backup plan frequency is at least `daily` and the retention period is at least `1 year` ". The first parameter is `daily` . The second parameter is `1 year` .
    │    │    └[~] type FrameworkControl
    │    │      └ properties
    │    │         └ ControlInputParameters: (documentation changed)
    │    ├[~] resource AWS::Backup::ReportPlan
    │    │ ├ properties
    │    │ │  └ ReportPlanTags: (documentation changed)
    │    │ └ types
    │    │    └[~] type ReportDeliveryChannel
    │    │      └ properties
    │    │         └ Formats: (documentation changed)
    │    ├[~] resource AWS::Backup::RestoreTestingPlan
    │    │ └  - documentation: This is the first of two steps to create a restore testing plan; once this request is successful, finish the procedure with request CreateRestoreTestingSelection.
    │    │    You must include the parameter RestoreTestingPlan. You may optionally include CreatorRequestId and Tags.
    │    │    + documentation: Creates a restore testing plan.
    │    │    The first of two steps to create a restore testing plan. After this request is successful, finish the procedure using CreateRestoreTestingSelection.
    │    └[~] resource AWS::Backup::RestoreTestingSelection
    │      ├ properties
    │      │  └ RestoreTestingSelectionName: (documentation changed)
    │      └ types
    │         └[~] type ProtectedResourceConditions
    │           └  - documentation: A list of conditions that you define for resources in your restore testing plan using tags.
    │              For example, `"StringEquals": { "Key": "aws:ResourceTag/CreatedByCryo", "Value": "true" },` . Condition operators are case sensitive.
    │              + documentation: The conditions that you define for resources in your restore testing plan using tags.
    │              For example, `"StringEquals": { "Key": "aws:ResourceTag/CreatedByCryo", "Value": "true" },` . Condition operators are case sensitive.
    ├[~] service aws-batch
    │ └ resources
    │    └[~] resource AWS::Batch::JobDefinition
    │      └ types
    │         └[~] type ImagePullSecret
    │           ├  - documentation: undefined
    │           │  + documentation: References a Kubernetes secret resource. This name of the secret must start and end with an alphanumeric character, is required to be lowercase, can include periods (.) and hyphens (-), and can't contain more than 253 characters.
    │           └ properties
    │              └ Name: (documentation changed)
    ├[~] service aws-bedrock
    │ └ resources
    │    ├[~] resource AWS::Bedrock::Agent
    │    │ ├ properties
    │    │ │  ├ AgentResourceRoleArn: (documentation changed)
    │    │ │  └ CustomerEncryptionKeyArn: (documentation changed)
    │    │ ├ attributes
    │    │ │  └ AgentArn: (documentation changed)
    │    │ └ types
    │    │    ├[~] type ActionGroupExecutor
    │    │    │ └ properties
    │    │    │    └ Lambda: (documentation changed)
    │    │    └[~] type AgentActionGroup
    │    │      └ properties
    │    │         └ ActionGroupExecutor: (documentation changed)
    │    ├[~] resource AWS::Bedrock::AgentAlias
    │    │ └ attributes
    │    │    └ AgentAliasArn: (documentation changed)
    │    ├[~] resource AWS::Bedrock::DataSource
    │    │ └ types
    │    │    ├[~] type S3DataSourceConfiguration
    │    │    │ └ properties
    │    │    │    └ BucketArn: (documentation changed)
    │    │    └[~] type ServerSideEncryptionConfiguration
    │    │      └ properties
    │    │         └ KmsKeyArn: (documentation changed)
    │    └[~] resource AWS::Bedrock::KnowledgeBase
    │      ├ properties
    │      │  └ RoleArn: (documentation changed)
    │      ├ attributes
    │      │  └ KnowledgeBaseArn: (documentation changed)
    │      └ types
    │         └[~] type VectorKnowledgeBaseConfiguration
    │           └ properties
    │              └ EmbeddingModelArn: (documentation changed)
    ├[~] service aws-cloudwatch
    │ └ resources
    │    └[~] resource AWS::CloudWatch::AnomalyDetector
    │      ├ properties
    │      │  └[+] MetricCharacteristics: MetricCharacteristics (immutable)
    │      └ types
    │         └[+] type MetricCharacteristics
    │           ├  documentation: This object includes parameters that you can use to provide information to CloudWatch to help it build more accurate anomaly detection models.
    │           │  name: MetricCharacteristics
    │           └ properties
    │              └PeriodicSpikes: boolean
    ├[~] service aws-datazone
    │ └ resources
    │    └[~] resource AWS::DataZone::DataSource
    │      └ types
    │         └[~] type GlueRunConfigurationInput
    │           └ properties
    │              └[+] AutoImportDataQualityResult: boolean
    ├[~] service aws-dms
    │ └ resources
    │    └[~] resource AWS::DMS::Endpoint
    │      └ types
    │         └[~] type PostgreSqlSettings
    │           └ properties
    │              └ CaptureDdls: (documentation changed)
    ├[~] service aws-ec2
    │ └ resources
    │    ├[~] resource AWS::EC2::CustomerGateway
    │    │ └ properties
    │    │    ├ BgpAsn: - integer (required, default=65000, immutable)
    │    │    │         + integer (default=65000, immutable)
    │    │    └[+] BgpAsnExtended: number (immutable)
    │    └[~] resource AWS::EC2::TransitGatewayRoute
    │      └ properties
    │         └ DestinationCidrBlock: - string (immutable)
    │                                 + string (required, immutable)
    ├[~] service aws-ecr
    │ └ resources
    │    └[+] resource AWS::ECR::RepositoryCreationTemplate
    │      ├  name: RepositoryCreationTemplate
    │      │  cloudFormationType: AWS::ECR::RepositoryCreationTemplate
    │      │  documentation: AWS::ECR::RepositoryCreationTemplate is used to create repository with configuration from a pre-defined template.
    │      ├ properties
    │      │  ├Prefix: string (required, immutable)
    │      │  ├Description: string
    │      │  ├ImageTagMutability: string
    │      │  ├RepositoryPolicy: string
    │      │  ├LifecyclePolicy: string
    │      │  ├EncryptionConfiguration: EncryptionConfiguration
    │      │  ├ResourceTags: Array<tag>
    │      │  └AppliedFor: Array<string> (required)
    │      ├ attributes
    │      │  ├CreatedAt: string
    │      │  └UpdatedAt: string
    │      └ types
    │         └type EncryptionConfiguration
    │          ├  documentation: The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest.
    │          │  By default, when no encryption configuration is set or the `AES256` encryption type is used, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts your data at rest using an AES-256 encryption algorithm. This does not require any action on your part.
    │          │  For more control over the encryption of the contents of your repository, you can use server-side encryption with AWS Key Management Service key stored in AWS Key Management Service ( AWS KMS ) to encrypt your images. For more information, see [Amazon ECR encryption at rest](https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html) in the *Amazon Elastic Container Registry User Guide* .
    │          │  name: EncryptionConfiguration
    │          └ properties
    │             ├EncryptionType: string (required)
    │             └KmsKey: string
    ├[~] service aws-kms
    │ └ resources
    │    └[~] resource AWS::KMS::Key
    │      └ properties
    │         └[+] RotationPeriodInDays: integer (default=365)
    ├[~] service aws-lambda
    │ └ resources
    │    └[~] resource AWS::Lambda::Alias
    │      └ attributes
    │         └[+] AliasArn: string
    ├[~] service aws-oam
    │ └ resources
    │    └[~] resource AWS::Oam::Link
    │      ├ properties
    │      │  └[+] LinkConfiguration: LinkConfiguration
    │      └ types
    │         ├[+] type LinkConfiguration
    │         │ ├  name: LinkConfiguration
    │         │ └ properties
    │         │    ├MetricConfiguration: LinkFilter
    │         │    └LogGroupConfiguration: LinkFilter
    │         └[+] type LinkFilter
    │           ├  name: LinkFilter
    │           └ properties
    │              └Filter: string (required)
    ├[~] service aws-quicksight
    │ └ resources
    │    ├[~] resource AWS::QuickSight::Dashboard
    │    │ └ attributes
    │    │    └ Version: (documentation changed)
    │    └[~] resource AWS::QuickSight::Template
    │      └ attributes
    │         └ Version: (documentation changed)
    ├[~] service aws-rds
    │ └ resources
    │    └[~] resource AWS::RDS::DBInstance
    │      └ properties
    │         ├ Engine: (documentation changed)
    │         ├ KmsKeyId: (documentation changed)
    │         └ StorageEncrypted: (documentation changed)
    ├[~] service aws-redshiftserverless
    │ └ resources
    │    └[~] resource AWS::RedshiftServerless::Namespace
    │      ├ properties
    │      │  └[+] SnapshotCopyConfigurations: Array<SnapshotCopyConfiguration>
    │      └ types
    │         └[+] type SnapshotCopyConfiguration
    │           ├  name: SnapshotCopyConfiguration
    │           └ properties
    │              ├DestinationRegion: string (required)
    │              ├DestinationKmsKeyId: string
    │              └SnapshotRetentionPeriod: integer
    ├[~] service aws-securitylake
    │ └ resources
    │    ├[~] resource AWS::SecurityLake::AwsLogSource
    │    │ ├  - documentation: Resource Type definition for AWS::SecurityLake::AwsLogSource
    │    │ │  + documentation: Adds a natively supported AWS service as an AWS source. Enables source types for member accounts in required AWS Regions, based on the parameters you specify. You can choose any source type in any Region for either accounts that are part of a trusted organization or standalone accounts. Once you add an AWS service as a source, Security Lake starts collecting logs and events from it.
    │    │ │  > If you want to create multiple sources using `AWS::SecurityLake::AwsLogSource` , you must use the `DependsOn` attribute to create the sources sequentially. With the `DependsOn` attribute you can specify that the creation of a specific `AWSLogSource` follows another. When you add a `DependsOn` attribute to a resource, that resource is created only after the creation of the resource specified in the `DependsOn` attribute. For an example, see [Add AWS log sources](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/aws-resource-securitylake-awslogsource.html#aws-resource-securitylake-awslogsource--examples) .
    │    │ └ properties
    │    │    ├ Accounts: (documentation changed)
    │    │    ├ DataLakeArn: (documentation changed)
    │    │    ├ SourceName: (documentation changed)
    │    │    └ SourceVersion: (documentation changed)
    │    ├[~] resource AWS::SecurityLake::DataLake
    │    │ ├  - documentation: Resource Type definition for AWS::SecurityLake::DataLake
    │    │ │  + documentation: Initializes an Amazon Security Lake instance with the provided (or default) configuration. You can enable Security Lake in AWS Regions with customized settings before enabling log collection in Regions. To specify particular Regions, configure these Regions using the `configurations` parameter. If you have already enabled Security Lake in a Region when you call this command, the command will update the Region if you provide new configuration parameters. If you have not already enabled Security Lake in the Region when you call this API, it will set up the data lake in the Region with the specified configurations.
    │    │ │  When you enable Security Lake , it starts ingesting security data after the `CreateAwsLogSource` call. This includes ingesting security data from sources, storing data, and making data accessible to subscribers. Security Lake also enables all the existing settings and resources that it stores or maintains for your AWS account in the current Region, including security log and event data. For more information, see the [Amazon Security Lake User Guide](https://docs.aws.amazon.com//security-lake/latest/userguide/what-is-security-lake.html) .
    │    │ ├ properties
    │    │ │  ├ EncryptionConfiguration: (documentation changed)
    │    │ │  ├ LifecycleConfiguration: (documentation changed)
    │    │ │  ├ MetaStoreManagerRoleArn: (documentation changed)
    │    │ │  └ Tags: (documentation changed)
    │    │ ├ attributes
    │    │ │  ├ Arn: (documentation changed)
    │    │ │  └ S3BucketArn: (documentation changed)
    │    │ └ types
    │    │    ├[~] type EncryptionConfiguration
    │    │    │ ├  - documentation: Provides encryption details of Amazon Security Lake object.
    │    │    │ │  + documentation: Provides encryption details of the Amazon Security Lake object. The AWS shared responsibility model applies to data protection in Amazon Security Lake . As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. For more details, see [Data protection](https://docs.aws.amazon.com//security-lake/latest/userguide/data-protection.html) in the Amazon Security Lake User Guide.
    │    │    │ └ properties
    │    │    │    └ KmsKeyId: (documentation changed)
    │    │    ├[~] type Expiration
    │    │    │ ├  - documentation: Provides data expiration details of Amazon Security Lake object.
    │    │    │ │  + documentation: Provides data expiration details of the Amazon Security Lake object. You can specify your preferred Amazon S3 storage class and the time period for S3 objects to stay in that storage class before they expire. For more information about Amazon S3 Lifecycle configurations, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon Simple Storage Service User Guide* .
    │    │    │ └ properties
    │    │    │    └ Days: (documentation changed)
    │    │    ├[~] type LifecycleConfiguration
    │    │    │ ├  - documentation: Provides lifecycle details of Amazon Security Lake object.
    │    │    │ │  + documentation: Provides lifecycle details of Amazon Security Lake object. To manage your data so that it is stored cost effectively, you can configure retention settings for the data. You can specify your preferred Amazon S3 storage class and the time period for Amazon S3 objects to stay in that storage class before they transition to a different storage class or expire. For more information about Amazon S3 Lifecycle configurations, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon Simple Storage Service User Guide* .
    │    │    │ │  In Security Lake , you specify retention settings at the Region level. For example, you might choose to transition all S3 objects in a specific AWS Region to the `S3 Standard-IA` storage class 30 days after they're written to the data lake. The default Amazon S3 storage class is S3 Standard.
    │    │    │ │  > Security Lake doesn't support Amazon S3 Object Lock. When the data lake buckets are created, S3 Object Lock is disabled by default. Enabling S3 Object Lock with default retention mode interrupts the delivery of normalized log data to the data lake.
    │    │    │ └ properties
    │    │    │    ├ Expiration: (documentation changed)
    │    │    │    └ Transitions: (documentation changed)
    │    │    ├[~] type ReplicationConfiguration
    │    │    │ ├  - documentation: Provides replication details of Amazon Security Lake object.
    │    │    │ │  + documentation: Provides replication configuration details for objects stored in the Amazon Security Lake data lake.
    │    │    │ └ properties
    │    │    │    ├ Regions: (documentation changed)
    │    │    │    └ RoleArn: (documentation changed)
    │    │    └[~] type Transitions
    │    │      ├  - documentation: undefined
    │    │      │  + documentation: Provides transition lifecycle details of the Amazon Security Lake object. For more information about Amazon S3 Lifecycle configurations, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon Simple Storage Service User Guide* .
    │    │      └ properties
    │    │         ├ Days: (documentation changed)
    │    │         └ StorageClass: (documentation changed)
    │    └[~] resource AWS::SecurityLake::Subscriber
    │      ├  - documentation: Resource Type definition for AWS::SecurityLake::Subscriber
    │      │  + documentation: Creates a subscriber for accounts that are already enabled in Amazon Security Lake. You can create a subscriber with access to data in the current AWS Region.
    │      ├ properties
    │      │  ├ AccessTypes: (documentation changed)
    │      │  ├ DataLakeArn: (documentation changed)
    │      │  ├ Sources: (documentation changed)
    │      │  ├ SubscriberDescription: (documentation changed)
    │      │  └ SubscriberName: (documentation changed)
    │      ├ attributes
    │      │  ├ ResourceShareArn: (documentation changed)
    │      │  ├ ResourceShareName: (documentation changed)
    │      │  ├ S3BucketArn: (documentation changed)
    │      │  ├ SubscriberArn: (documentation changed)
    │      │  └ SubscriberRoleArn: (documentation changed)
    │      └ types
    │         ├[~] type AwsLogSource
    │         │ ├  - documentation: Amazon Security Lake supports log and event collection for natively supported AWS services.
    │         │ │  + documentation: Adds a natively supported AWS service as an Amazon Security Lake source. Enables source types for member accounts in required AWS Regions, based on the parameters you specify. You can choose any source type in any Region for either accounts that are part of a trusted organization or standalone accounts. Once you add an AWS service as a source, Security Lake starts collecting logs and events from it.
    │         │ └ properties
    │         │    ├ SourceName: (documentation changed)
    │         │    └ SourceVersion: (documentation changed)
    │         ├[~] type CustomLogSource
    │         │ ├  - documentation: undefined
    │         │ │  + documentation: Third-party custom log source that meets the requirements to be added to Amazon Security Lake . For more details, see [Custom log source](https://docs.aws.amazon.com//security-lake/latest/userguide/custom-sources.html#iam-roles-custom-sources) in the *Amazon Security Lake User Guide* .
    │         │ └ properties
    │         │    ├ SourceName: (documentation changed)
    │         │    └ SourceVersion: (documentation changed)
    │         ├[~] type Source
    │         │ ├  - documentation: undefined
    │         │ │  + documentation: Sources are logs and events generated from a single system that match a specific event class in the Open Cybersecurity Schema Framework (OCSF) schema. Amazon Security Lake can collect logs and events from a variety of sources, including natively supported AWS services and third-party custom sources.
    │         │ └ properties
    │         │    ├ AwsLogSource: (documentation changed)
    │         │    └ CustomLogSource: (documentation changed)
    │         └[~] type SubscriberIdentity
    │           ├  - documentation: The AWS identity used to access your data.
    │           │  + documentation: Specify the AWS account ID and external ID that the subscriber will use to access source data.
    │           └ properties
    │              ├ ExternalId: (documentation changed)
    │              └ Principal: (documentation changed)
    ├[~] service aws-ssm
    │ └ resources
    │    └[~] resource AWS::SSM::Document
    │      └ properties
    │         └ Name: (documentation changed)
    ├[~] service aws-timestream
    │ └ resources
    │    └[+] resource AWS::Timestream::InfluxDBInstance
    │      ├  name: InfluxDBInstance
    │      │  cloudFormationType: AWS::Timestream::InfluxDBInstance
    │      │  documentation: A DB instance is an isolated database environment running in the cloud. It is the basic building block of Amazon Timestream for InfluxDB. A DB instance can contain multiple user-created databases (or organizations and buckets for the case of InfluxDb 2.x databases), and can be accessed using the same client tools and applications you might use to access a standalone self-managed InfluxDB instance.
    │      │  tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
    │      ├ properties
    │      │  ├Username: string (immutable)
    │      │  ├Password: string (immutable)
    │      │  ├Organization: string (immutable)
    │      │  ├Bucket: string (immutable)
    │      │  ├DbInstanceType: string (immutable)
    │      │  ├VpcSubnetIds: Array<string> (immutable)
    │      │  ├VpcSecurityGroupIds: Array<string> (immutable)
    │      │  ├PubliclyAccessible: boolean (default=false, immutable)
    │      │  ├DbStorageType: string (immutable)
    │      │  ├AllocatedStorage: integer (immutable)
    │      │  ├DbParameterGroupIdentifier: string
    │      │  ├LogDeliveryConfiguration: LogDeliveryConfiguration
    │      │  ├Name: string (immutable)
    │      │  ├DeploymentType: string (immutable)
    │      │  └Tags: Array<tag>
    │      ├ attributes
    │      │  ├Status: string
    │      │  ├Arn: string
    │      │  ├Id: string
    │      │  ├AvailabilityZone: string
    │      │  ├Endpoint: string
    │      │  ├SecondaryAvailabilityZone: string
    │      │  └InfluxAuthParametersSecretArn: string
    │      └ types
    │         ├type LogDeliveryConfiguration
    │         │├  documentation: Configuration for sending InfluxDB engine logs to a specified S3 bucket.
    │         ││  name: LogDeliveryConfiguration
    │         │└ properties
    │         │   └S3Configuration: S3Configuration (required)
    │         └type S3Configuration
    │          ├  documentation: Configuration for S3 bucket log delivery.
    │          │  name: S3Configuration
    │          └ properties
    │             ├BucketName: string (required)
    │             └Enabled: boolean (required)
    ├[~] service aws-transfer
    │ └ resources
    │    ├[~] resource AWS::Transfer::Certificate
    │    │ └ properties
    │    │    └ Usage: (documentation changed)
    │    └[~] resource AWS::Transfer::Server
    │      └ properties
    │         └ Domain: (documentation changed)
    └[~] service aws-wisdom
      └ resources
         └[~] resource AWS::Wisdom::KnowledgeBase
           └ types
              └[~] type AppIntegrationsConfiguration
                └ properties
                   └ ObjectFields: (documentation changed)
    ```
    aws-cdk-automation authored Apr 22, 2024
    27b7a45
  2. feat(ecs): support pidMode for FargateTaskDefinition (#29670)

    ### Issue # (if applicable)
    
    Closes #29619.
    
    ### Reason for this change
    
    Support [`pidMode`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html#cfn-ecs-taskdefinition-pidmode) for `FargateTaskDefinition`.
    
    ### Description of changes
    
    Added support for the `pidMode` property along with the necessary validation, documentation, and test coverage.
    
    ### Description of how you validated changes
    
    - [x] Unit tests
    - [x] Integration tests
    
    ### Checklist
    - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    lpizzinidev authored Apr 22, 2024
    ed75b16
  3. chore(bedrock): support claude3-opus and base models for provisioned throughput (#29905)
    
    ### Issue # (if applicable)
    
    N/A
    
    ### Reason for this change
    
    [Anthropic's Claude 3 Opus model is now available](https://aws.amazon.com/jp/blogs/aws/anthropics-claude-3-opus-model-on-amazon-bedrock/), and new model IDs are published in [the guide](https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html).
    
    ### Description of changes
    
    I added model IDs for Claude 3 Opus for on-demand throughput and Claude 3 Sonnet/Haiku for provisioned throughput.
    
    ### Checklist
    - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    ymhiroki authored Apr 22, 2024
    31492c6

Commits on Apr 23, 2024

  1. chore: add assertions to integ tests using AwsCustomResource (#29929)

    Closes #29937 
    
    ### Reason for this change
    
    Adding assertions for `AwsCustomResource` will improve our test coverage.
    
    ### Description of changes
    
    Added assertions for `AwsCustomResource` to integ tests that were impacted by this [PR](#29868).
    
    ### Description of how you validated changes
    
    Assertions were validated by running the integ tests and verifying that they succeeded.
    
    ### Checklist
    - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    colifran authored Apr 23, 2024
    1bdd3fa
  2. chore(eks): update ALB controller versions (#29470)

    ### Issue # (if applicable)
    
    None as far as I could tell
    
    ### Reason for this change
    
    Update the CDK listed ALB controller versions to match the current availability
    
    ### Description of changes
    
    * Added missing controller versions
    * Updated the Helm version of existing controller versions
    
    ### Description of how you validated changes
    
    I listed the list of available versions by using the `ecr:ListImages` command on the `amazon/aws-load-balancer-controller` repository. I'm also filtering out tags that do not match a `v1.2.3` pattern, e.g. `v2.0.0-rc5`, `v2.0.0-test-linux_amd64`
    
    For the Helm chart version, I **initially** manually went through the blame history of https://github.com/aws/eks-charts/blob/master/stable/aws-load-balancer-controller/Chart.yaml. @guessi then recommended I use the [Helm CLI](https://helm.sh/) to obtain the corresponding versions, which worked a ton better and was easily integrated to my tool:
    
    ```sh
    helm repo add eks https://aws.github.io/eks-charts
    helm repo update
    helm search repo aws-load-balancer-controller --versions --output json
    ```
    
    ### Checklist
    - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    nmussy authored Apr 23, 2024
    f00f918

Commits on Apr 24, 2024

  1. fix(events-targets): ApiGateway events target should accept IRestApi (#29397)
    
    ### Issue
    
    Closes [#16423](#16423).
    
    ### Reason for this change
    
    The CDK construct to set an APIGateway as the target for an EventBridge rule only accepted RestApi. It should instead accept the interface IRestApi.
    
    ### Description of changes
    
    This change was attempted once earlier, but [the PR](#16542) was closed.
    
    Changed the `ApiGateway` target's constructor's first argument from `api.RestApi` to `api.IRestApi`.
    
    To fix compatibility failures caused by the previous `restApi` being a public member of the class, I've followed the approach suggested [here](#16542 (comment)). Some other alternatives are suggested [here](#16542 (comment)).
    
    ### Description of how you validated changes
    
    Added a unit test that creates a dummy `SpecRestApi`. Also added an integ test that creates a `SpecRestApi` from a dummy OpenAPI spec and creates a rule on the default event bus with the APIGateway as target. Nothing is executed in the integ test. The assertion only checks if the target is created using the `ListTargetsByRule` API.
    
    ### Checklist
    - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    n-k1 authored Apr 24, 2024
    8e1fefd
  2. revert: "chore(eks): update ALB controller versions" (#29941)

    Reverts #29470
    
    Reverting due to potential unwanted updating of resources with helm chart version changes.
    paulhcsun authored Apr 24, 2024
    209ffd9
  3. fix(s3-notifications): cdk destroy deletes external/existing s3 notification events (#29939)
    
    ### Issue # (if applicable)
    
    Closes #29004
    
    ### Reason for this change
    
    `cdk destroy` removes all event notifications configured on an existing S3 bucket instead of only CDK managed event notifications. This occurs whenever a stack that creates an event notification for an existing bucket is deleted or rolled back.
    
    ### Description of changes
    
    Add a `Delete` statement which will only remove the ones created from within the stack
    
    ### Description of how you validated changes
    
    Manually tested this.
    
    ### Checklist
    - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    GavinZZ authored Apr 24, 2024
    7360a88
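
The scoped delete described in the s3-notifications commit above, as an added example that is not the CDK's own handler code: it computes the notification configuration to write back on stack deletion so that only stack-declared entries disappear, and audits for lost external ones. It assumes entries are matched by their `Id` field; the function names, ARNs and sample configuration are constructed for illustration.

```python
import copy

# The three list-valued sections of an S3 bucket notification configuration.
CONFIG_LISTS = (
    "TopicConfigurations",
    "QueueConfigurations",
    "LambdaFunctionConfigurations",
)


def managed_ids(stack_config):
    """Ids of the notifications this stack declared (assumed unique per bucket)."""
    ids = set()
    for key in CONFIG_LISTS:
        for entry in stack_config.get(key, []):
            if not entry.get("Id"):
                # Without an Id the entry cannot be told apart from external ones.
                raise ValueError(f"stack-managed entry in {key} has no Id")
            ids.add(entry["Id"])
    return ids


def config_after_delete(current, stack_config):
    """Configuration to write back on stack deletion: external entries only."""
    owned = managed_ids(stack_config)
    result = {}
    for key in CONFIG_LISTS:
        kept = [copy.deepcopy(e) for e in current.get(key, [])
                if e.get("Id") not in owned]
        if kept:
            result[key] = kept
    # EventBridge delivery is one bucket-wide switch with no Id; this example
    # keeps it unless the stack was the one that declared it (an assumption).
    if ("EventBridgeConfiguration" in current
            and "EventBridgeConfiguration" not in stack_config):
        result["EventBridgeConfiguration"] = {}
    return result


def lost_external_ids(before, after, stack_config):
    """Audit check: external notification Ids present before and gone after."""
    owned = managed_ids(stack_config)

    def ids(cfg):
        return {e["Id"] for k in CONFIG_LISTS for e in cfg.get(k, []) if "Id" in e}

    return sorted((ids(before) - owned) - ids(after))


# Constructed sample: a bucket that already carried an externally managed
# notification before the stack added its own Lambda notification.
CURRENT = {
    "QueueConfigurations": [
        {"Id": "external-audit-queue",
         "QueueArn": "arn:aws:sqs:us-east-1:111122223333:audit-events",
         "Events": ["s3:ObjectRemoved:*"]},
    ],
    "LambdaFunctionConfigurations": [
        {"Id": "stack-thumbnailer",
         "LambdaFunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:thumb",
         "Events": ["s3:ObjectCreated:*"]},
    ],
    "EventBridgeConfiguration": {},
}
STACK = {"LambdaFunctionConfigurations": [CURRENT["LambdaFunctionConfigurations"][0]]}

if __name__ == "__main__":
    scoped = config_after_delete(CURRENT, STACK)
    print("scoped delete writes back:", scoped)
    print("lost by scoped delete:", lost_external_ids(CURRENT, scoped, STACK))
    # Writing an empty configuration is the behaviour the commit fixes.
    print("lost by empty write:", lost_external_ids(CURRENT, {}, STACK))
```

Because the bucket's notification configuration is replaced as a whole on each write, the audit function is also usable as a post-deployment check against a saved copy of the configuration.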
  4. fix(CLI): diff --template crashes (#29896)

    ### Issue # (if applicable)
    
    Closes #29890.
    
    ### Reason for this change
    
    `cdk diff` crashes with `--template`.
    
    ### Description of changes
    
    The addition of changeset logic had a leftover refactor that should not have been leftover (trying to pass a template directly instead of a stack artifact). Removes changeset creation code from fixed template mode, which should never create a changeset, and adds a unit test for fixed template diffs so we don't break this in the future.
    
    ### Description of how you validated changes
    
    unit tests + manual testing. CLI integ tests will be added in a follow-up PR. 
    
    ### Checklist
    - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    comcalvi authored Apr 24, 2024
    466f170
  5. feat(ses-actions): WorkMail rule action (#29854)

    ### Issue # (if applicable)
    
    None that I could find
    
    ### Reason for this change
    
    Adds missing `WorkMail` SES rule action
    
    ### Description of changes
    
    * Implement `WorkMail` action
    
    ### Description of how you validated changes
    
    Added unit test, integ test
    
    ### Checklist
    - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    nmussy authored Apr 24, 2024
    6fdc458
  6. feat(efs): replicating file systems (#29347)

    ### Issue # (if applicable)
    
    Closes #21455.
    
    ### Reason for this change
    
    EFS supports [replicating file systems](https://docs.aws.amazon.com/efs/latest/ug/efs-replication.html) but AWS CDK cannot configure it.
    
    ### Description of changes
    
    Add `replicationConfiguration` to `FileSystemProps`
    
    ```ts
    declare const vpc: ec2.Vpc;
    declare const kmsKey: kms.Key;
    
    // auto generate a replication destination file system
    new efs.FileSystem(this, 'ReplicationSourceFileSystem1', {
      vpc,
      replicationConfiguration: {
        kmsKey, // optional
        region: 'us-east-1', // optional
        availabilityZone: 'us-east-1a', // optional, Specifying the AZ means creating a One Zone file system as the replication destination
      }
    });
    
    // specify the replication destination file system
    const destinationFileSystem = new efs.FileSystem(this, 'DestinationFileSystem', {
      vpc,
      // set as the read-only file system for use as a replication destination
      replicationOverwriteProtection: efs.ReplicationOverwriteProtection.DISABLED,
    });
    
    new efs.FileSystem(this, 'ReplicationSourceFileSystem2', {
      vpc,
      replicationConfiguration: {
        destinationFileSystem,
        // cannot configure other properties when destinationFileSystem is specified
      }
    });
    ```
    
    ### Description of how you validated changes
    
    I have added both unit and integ tests.
    
    ### Checklist
    - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
    
    ----
    
    *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
    badmintoncryer authored Apr 24, 2024
    a15dc93
  7. chore(release): 2.139.0

    AWS CDK Team committed Apr 24, 2024
    6964b78
  8. Update CHANGELOG.v2.md

    moelasmar authored Apr 24, 2024
    9616fd2