chore(release): 2.159.0 #31486

Merged
merged 37 commits into from
Sep 18, 2024

Conversation


@aws-cdk-automation aws-cdk-automation commented Sep 18, 2024

See CHANGELOG

michelle-wangg and others added 30 commits September 11, 2024 15:08
### Issue # (if applicable)
N/A

### Reason for this change
New intern on the CDK Abstractions team, needs to be added to the list of team
members

### Description of changes
Add Michelle's GitHub username to list of core members.

### Description of how you validated changes
N/A

### Checklist
- [x] My code adheres to the [CONTRIBUTING
GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and
[DESIGN
GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license*

Co-authored-by: Michelle Wang <[email protected]>
…31267)

### Issue # (if applicable)

This PR ensures the eks fargateCluster's compatibility with `AuthenticationMode.API`.

Closes #30888

### Reason for this change

The FargateCluster assumes the authentication mode is always config map and creates the podExecutionRole mapping using `props.cluster.awsAuth.addRoleMapping()`. This won't work when authenticationMode is `API` because in this mode the config map is not supported and this statement would just fail.

We need to add a conditional check so that the addRoleMapping() statement runs only when the cluster supports the config map. At this moment, the following authenticationMode values support the config map:

1. `undefined`
2. `CONFIG_MAP`
3. `API_AND_CONFIG_MAP`

### Description of changes



### Description of how you validated changes

- [x] update the integ test 
- [x] manual deployments



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 6 to 7.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/peter-evans/create-pull-request/releases">peter-evans/create-pull-request's releases</a>.</em></p>
<blockquote>
<h2>Create Pull Request v7.0.0</h2>
<p>:sparkles: Now supports commit signing with bot-generated tokens! See &quot;What's new&quot; below. :writing_hand::robot:</p>
<h3>Behaviour changes</h3>
<ul>
<li>Action input <code>git-token</code> has been renamed <code>branch-token</code>, to be more clear about its purpose. The <code>branch-token</code> is the token that the action will use to create and update the branch.</li>
<li>The action now handles requests that have been rate-limited by GitHub. Requests hitting a primary rate limit will retry twice, for a total of three attempts. Requests hitting a secondary rate limit will not be retried.</li>
<li>The <code>pull-request-operation</code> output now returns <code>none</code> when no operation was executed.</li>
<li>Removed deprecated output environment variable <code>PULL_REQUEST_NUMBER</code>. Please use the <code>pull-request-number</code> action output instead.</li>
</ul>
<h3>What's new</h3>
<ul>
<li>The action can now sign commits as <code>github-actions[bot]</code> when using <code>GITHUB_TOKEN</code>, or your own bot when using <a href="https://github.com/peter-evans/create-pull-request/blob/HEAD/docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens">GitHub App tokens</a>. See <a href="https://github.com/peter-evans/create-pull-request/blob/HEAD/docs/concepts-guidelines.md#commit-signature-verification-for-bots">commit signing</a> for details.</li>
<li>Action input <code>draft</code> now accepts a new value <code>always-true</code>. This will set the pull request to draft status when the pull request is updated, as well as on creation.</li>
<li>A new action input <code>maintainer-can-modify</code> indicates whether <a href="https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork">maintainers can modify</a> the pull request. The default is <code>true</code>, which retains the existing behaviour of the action.</li>
<li>A new output <code>pull-request-commits-verified</code> returns <code>true</code> or <code>false</code>, indicating whether GitHub considers the signature of the branch's commits to be verified.</li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>build(deps-dev): bump <code>@​types/node</code> from 18.19.36 to 18.19.39 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3000">peter-evans/create-pull-request#3000</a></li>
<li>build(deps-dev): bump ts-jest from 29.1.5 to 29.2.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3008">peter-evans/create-pull-request#3008</a></li>
<li>build(deps-dev): bump prettier from 3.3.2 to 3.3.3 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3018">peter-evans/create-pull-request#3018</a></li>
<li>build(deps-dev): bump ts-jest from 29.2.0 to 29.2.2 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3019">peter-evans/create-pull-request#3019</a></li>
<li>build(deps-dev): bump eslint-plugin-prettier from 5.1.3 to 5.2.1 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3035">peter-evans/create-pull-request#3035</a></li>
<li>build(deps-dev): bump <code>@​types/node</code> from 18.19.39 to 18.19.41 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3037">peter-evans/create-pull-request#3037</a></li>
<li>build(deps): bump undici from 6.19.2 to 6.19.4 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3036">peter-evans/create-pull-request#3036</a></li>
<li>build(deps-dev): bump ts-jest from 29.2.2 to 29.2.3 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3038">peter-evans/create-pull-request#3038</a></li>
<li>build(deps-dev): bump <code>@​types/node</code> from 18.19.41 to 18.19.42 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3070">peter-evans/create-pull-request#3070</a></li>
<li>build(deps): bump undici from 6.19.4 to 6.19.5 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3086">peter-evans/create-pull-request#3086</a></li>
<li>build(deps-dev): bump <code>@​types/node</code> from 18.19.42 to 18.19.43 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3087">peter-evans/create-pull-request#3087</a></li>
<li>build(deps-dev): bump ts-jest from 29.2.3 to 29.2.4 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3088">peter-evans/create-pull-request#3088</a></li>
<li>build(deps): bump undici from 6.19.5 to 6.19.7 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3145">peter-evans/create-pull-request#3145</a></li>
<li>build(deps-dev): bump <code>@​types/node</code> from 18.19.43 to 18.19.44 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3144">peter-evans/create-pull-request#3144</a></li>
<li>Update distribution by <a href="https://github.com/actions-bot"><code>@​actions-bot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3154">peter-evans/create-pull-request#3154</a></li>
<li>build(deps): bump undici from 6.19.7 to 6.19.8 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3213">peter-evans/create-pull-request#3213</a></li>
<li>build(deps-dev): bump <code>@​types/node</code> from 18.19.44 to 18.19.45 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3214">peter-evans/create-pull-request#3214</a></li>
<li>Update distribution by <a href="https://github.com/actions-bot"><code>@​actions-bot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3221">peter-evans/create-pull-request#3221</a></li>
<li>build(deps-dev): bump eslint-import-resolver-typescript from 3.6.1 to 3.6.3 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3255">peter-evans/create-pull-request#3255</a></li>
<li>build(deps-dev): bump <code>@​types/node</code> from 18.19.45 to 18.19.46 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3254">peter-evans/create-pull-request#3254</a></li>
<li>build(deps-dev): bump ts-jest from 29.2.4 to 29.2.5 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3256">peter-evans/create-pull-request#3256</a></li>
<li>v7 - signed commits by <a href="https://github.com/peter-evans"><code>@​peter-evans</code></a> in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3057">peter-evans/create-pull-request#3057</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/rustycl0ck"><code>@​rustycl0ck</code></a> made their first contribution in <a href="https://redirect.github.com/peter-evans/create-pull-request/pull/3057">peter-evans/create-pull-request#3057</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/peter-evans/create-pull-request/compare/v6.1.0...v7.0.0">https://github.com/peter-evans/create-pull-request/compare/v6.1.0...v7.0.0</a></p>
<h2>Create Pull Request v6.1.0</h2>
<p>✨ Adds <code>pull-request-branch</code> as an action output.</p>
<h2>What's Changed</h2>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/peter-evans/create-pull-request/commit/8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20"><code>8867c4a</code></a> fix: handle ambiguous argument failure on diff stat (<a href="https://redirect.github.com/peter-evans/create-pull-request/issues/3312">#3312</a>)</li>
<li><a href="https://github.com/peter-evans/create-pull-request/commit/6073f5434ba635ff2f4390cddac0059ab04d9409"><code>6073f54</code></a> build(deps-dev): bump <code>@​typescript-eslint/eslint-plugin</code> (<a href="https://redirect.github.com/peter-evans/create-pull-request/issues/3291">#3291</a>)</li>
<li><a href="https://github.com/peter-evans/create-pull-request/commit/6d01b5601c7aca7ad0eb2f8532106269ac38b584"><code>6d01b56</code></a> build(deps-dev): bump eslint-plugin-import from 2.29.1 to 2.30.0 (<a href="https://redirect.github.com/peter-evans/create-pull-request/issues/3290">#3290</a>)</li>
<li><a href="https://github.com/peter-evans/create-pull-request/commit/25cf8451c34bbbcbb3ef973b252eb91ec1ad8be9"><code>25cf845</code></a> build(deps-dev): bump <code>@​typescript-eslint/parser</code> from 7.17.0 to 7.18.0 (<a href="https://redirect.github.com/peter-evans/create-pull-request/issues/3289">#3289</a>)</li>
<li><a href="https://github.com/peter-evans/create-pull-request/commit/d87b980a0ebf44e8ed8ef733b28171c81ca501af"><code>d87b980</code></a> build(deps-dev): bump <code>@​types/node</code> from 18.19.46 to 18.19.48 (<a href="https://redirect.github.com/peter-evans/create-pull-request/issues/3288">#3288</a>)</li>
<li><a href="https://github.com/peter-evans/create-pull-request/commit/119d131ea9fd0db1802246d0098211de13a26406"><code>119d131</code></a> build(deps): bump peter-evans/create-pull-request from 6 to 7 (<a href="https://redirect.github.com/peter-evans/create-pull-request/issues/3283">#3283</a>)</li>
<li><a href="https://github.com/peter-evans/create-pull-request/commit/73e6230af4af8faaeddac4d3f16e25f8a2bd8e4b"><code>73e6230</code></a> docs: update readme</li>
<li><a href="https://github.com/peter-evans/create-pull-request/commit/c0348e860fc89e6cc1f5b623f7b1140d6ee9a2d5"><code>c0348e8</code></a> ci: add v7 to workflow</li>
<li><a href="https://github.com/peter-evans/create-pull-request/commit/4320041ed380b20e97d388d56a7fb4f9b8c20e79"><code>4320041</code></a> feat: signed commits (v7) (<a href="https://redirect.github.com/peter-evans/create-pull-request/issues/3057">#3057</a>)</li>
<li><a href="https://github.com/peter-evans/create-pull-request/commit/0c2a66fe4af462aa0761939bd32efbdd46592737"><code>0c2a66f</code></a> build(deps-dev): bump ts-jest from 29.2.4 to 29.2.5 (<a href="https://redirect.github.com/peter-evans/create-pull-request/issues/3256">#3256</a>)</li>
<li>Additional commits viewable in <a href="https://github.com/peter-evans/create-pull-request/compare/v6...v7">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=peter-evans/create-pull-request&package-manager=github_actions&previous-version=6&new-version=7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>
### Issue # (if applicable)

Tracking #[30762](#30762).

### Reason for this change

Implementing the methods below for vpcV2.
`routeTable.addroute(destination, target)`: Adds a new route to the existing route table of the subnet.

`vpc.enableVpnGatewayV2()`: Adds a new function for the customer to add a VPNGateway to their VPC. In the options, the user can specify a list of subnets for VPNRoutePropagation. This is similar to the previous implementation; the only difference is that with the VPNGateway L2 it now creates VPNGatewayV2, which implements IRouteTarget and hence can be used as a destination to be set up in route tables.

`addInternetGateway`: adds an internetGW to the VPC.
**Default behaviour:** adds a default route with destination set to ‘0.0.0.0’ and ‘::0’ (in case of a subnet with ipv6). There is also a check in place to verify that SubnetType is set to public, as an IGW is meant to be added to public subnets.

`addNatGateway`: NatGateways are subnet specific and are usually associated with a PRIVATE_WITH_EGRESS or PUBLIC subnet. Also, one can’t attach an NGW (Public) to a subnet if the VPC doesn’t have an IGW attached to it. This is validated in the method implementation to prevent a runtime deployment error.

**No default behaviour** for the routes; it takes in the single subnet option and associates a NATGW with it.

`vpc.addEgressOnlyInternetGateway()`: Egress-only internet GWs are meant for outbound ipv6 traffic, which can be custom or all ipv6 (::/0).

**Default behaviour:** Associates an EIGW with the vpc and takes optional input for subnets to define a default route in the associated route table; if a destination is not provided, then it is defined as all outbound ipv6 in the subnet’s route table.

**Additional changes:**
-> Modify Readme
-> Separate ipam related Tests

### Use Case


Allows users to define gateways in their vpc with a simple method and an optional default route set up on the provided subnets.


Note: Breaking change, since previously VPNGateway was released under the route class; we’ve modified it to VPNGatewayV2.
`vpc.enableVpnGateway` is marked as deprecated in the vpcv2 base class.

### Description of how you validated changes

Added unit tests and integration tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change



The certificate `rds-ca-2019` expired in August, 2024.

> Amazon RDS Certificate Authority certificates rds-ca-2019 are set to expire in August, 2024.

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html

I also confirmed this in the CLI:

```
❯ aws rds describe-db-engine-versions --default-only --engine postgres
{
    "DBEngineVersions": [
        {
            ...
            ...
            "SupportedCACertificateIdentifiers": [
                "rds-ca-ecc384-g1",
                "rds-ca-rsa4096-g1",
                "rds-ca-rsa2048-g1"
            ],
        }
    ]
}
```

CFn deploy errors:

```
Resource handler returned message: "Certificate not found: rds-ca-2019 (Service: Rds, Status Code: 404, Request ID: ..."
```

### Description of changes



Deprecate the certificate.

### Description of how you validated changes



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…o highlight that it may cause deletion for existing replicas. (#31432)

### Description of changes

Add a warning message to the summary doc of the flag `waitForReplicationToFinish` to highlight that misusing this flag may cause deletion for existing replicas. This change is required to resolve some internal feedback, as some people may miss reading the detailed documentation of that flag, and so they may misuse it and then have some serious issues.

### Description of how you validated changes
See the image below for the updated doc:

<img width="728" alt="Screenshot 2024-09-12 at 3 42 22 PM" src="https://github.com/user-attachments/assets/bc264d5a-d926-47a3-a2a7-98010f7c2c8c">


### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…nt Target (#31435)

### Issue # (if applicable)

Closes #31428.

### Reason for this change
Kinesis Stream Event Target supports a Dead Letter Queue (DLQ),
but the current [KinesisStream](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events_targets.KinesisStream.html) class in `events-target` does not support it.


### Description of changes
Modified [KinesisStreamProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events_targets.KinesisStreamProps.html) to extend [TargetBaseProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events_targets.TargetBaseProps.html), enabling the configuration of DLQ and retry policy.

This change has also been applied to other resources in #13600.



### Description of how you validated changes
Add a unit test and an integ test.



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

None

### Reason for this change

There are some missing interface VPC endpoints.
- com.amazonaws.iam
- com.amazonaws.region.pca-connector-scep
- network-firewall
- network-firewall-fips
- launchwizard

### Description of changes

Added these interface vpc endpoints in `vpc-endpoint.ts`.

### Description of how you validated changes

I called AWS CLI to describe all endpoints information.

```sh
aws ec2 describe-vpc-endpoint-services --filters Name=service-type,Values=Interface Name=owner,Values=amazon --region us-east-1 --query ServiceNames
```

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #30256.

### Reason for this change
ALB has added support for a new dual-stack ALB without public IPv4.

https://aws.amazon.com/jp/about-aws/whats-new/2024/05/application-load-balancer-ipv6-internet-clients/


### Description of changes
Add `IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4`



### Description of how you validated changes
Add unit tests & integ tests



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…31142)

### Issue # (if applicable)

Closes #29926.

### Reason for this change
To support IdleTimeout for EmrCreateCluster.

Ref: https://docs.aws.amazon.com/emr/latest/APIReference/API_RunJobFlow.html#EMR-RunJobFlow-request-AutoTerminationPolicy



### Description of changes
Add `autoTerminationPolicyIdleTimeout` property to the `EmrCreateCluster` class.



### Description of how you validated changes
Add unit tests and integ tests.



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…Server (#31418)

This PR adds support for new engine versions for Aurora MySQL and RDS for SQL Server.

RDS for SQL Server: 15.00.4385.2.v1 and 16.00.4135.4.v1

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html

```
❯ aws rds describe-db-engine-versions --engine sqlserver-ee --query "DBEngineVersions[?EngineVersion=='15.00.4385.2.v1'||EngineVersion=='16.00.4135.4.v1'].[DBEngineVersionDescription,EngineVersion,DBParameterGroupFamily,MajorEngineVersion,Status]"
[
    [
        "SQL Server 2019 15.00.4385.2.v1",
        "15.00.4385.2.v1",
        "sqlserver-ee-15.0",
        "15.00",
        "available"
    ],
    [
        "SQL Server 2022 16.00.4135.4.v1",
        "16.00.4135.4.v1",
        "sqlserver-ee-16.0",
        "16.00",
        "available"
    ]
]
```

Aurora MySQL: 2.12.3

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraMySQLReleaseNotes/AuroraMySQL.Updates.20Updates.html

```
❯ aws rds describe-db-engine-versions --engine aurora-mysql --query "DBEngineVersions[?EngineVersion=='5.7.mysql_aurora.2.12.3'].[DBEngineVersionDescription,EngineVersion,DBParameterGroupFamily,MajorEngineVersion,Status]"
[
    [
        "Aurora MySQL 2.12.3 (compatible with MySQL 5.7.44)",
        "5.7.mysql_aurora.2.12.3",
        "aurora-mysql5.7",
        "5.7",
        "available"
    ]
]
```

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
cdk-assets is no longer being versioned in line with the cli or with aws-cdk-lib. Because every change must be backward compatible, we can just use `latest` for cdk-assets (note that we will soon be releasing a new major version of cdk-assets, but we are releasing that with the `v3-latest` tag at present). When we are ready to swap versions, we will begin labeling the v3 line as `latest` and make the v2 line `v2-latest`, as it will be in maintenance mode.

Note: the linter and potentially the build will fail for this initially because an integ test needs to be updated.

Closes #31253.


### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…th` (#31202)

### Issue # (if applicable)

Closes #31201.

### Reason for this change


If we set a string without a leading `/` for the path property, deployment will fail as shown below.

Given:

```ts
httpListener.addAction('RedirectAction', {
  conditions: [elbv2.ListenerCondition.pathPatterns(['/*'])],
  action: elbv2.ListenerAction.redirect({
    protocol: elbv2.ApplicationProtocol.HTTPS,
    path: 'example/path? ',
    permanent: true,
  }),
});
```

Result:

```sh
Failed resources:
MainStack-develop | 1:34:02 AM | CREATE_FAILED | AWS::ElasticLoadBalancingV2::ListenerRule | Alb/HttpListener/RedirectActionRule (AlbHttpListenerRedirectActionRule1D930694) Internal error reported from downstream service during operation 'The Path parameter must be a valid path, should start with a '/', and may contain up to one of each of these placeholders: '#{path}', '#{host}', '#{port}'. (Service: ElasticLoadBalancingV2, Status Code: 400, Request ID: fd4c7f01-9c97-44c1-a177-30ac04b2db26)'.
```

Related docs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-listenerrule-redirectconfig.html#cfn-elasticloadbalancingv2-listenerrule-redirectconfig-path

### Description of changes

Add validation for the `path` prop as shown below.

```ts
if (options.path && !options.path.startsWith('/')) {
  throw new Error('Redirect path must start with a \'/\'');
}
```

### Description of how you validated changes

Add unit test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
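An added stand-alone version of the `path` check (not the aws-cdk implementation), extended to the full rule quoted in the service error above: the value must start with `/` and may contain each of `#{path}`, `#{host}` and `#{port}` at most once. Unlike the one-line snippet, it also rejects an empty string, since the service rule requires the leading slash.

```typescript
// Added validator for the ELBv2 redirect `path`, modelled on the check in the commit
// message and the rule in the quoted service error. Not the aws-cdk code.

const REDIRECT_PLACEHOLDERS = ['#{path}', '#{host}', '#{port}'] as const;

// Counts non-overlapping occurrences of `needle` in `haystack`.
function countOccurrences(haystack: string, needle: string): number {
  let count = 0;
  let idx = haystack.indexOf(needle);
  while (idx !== -1) {
    count += 1;
    idx = haystack.indexOf(needle, idx + needle.length);
  }
  return count;
}

// Throws on an invalid path so the mistake surfaces at synth time instead of as a
// CREATE_FAILED from the service. An undefined path is allowed (the property is optional);
// an empty string is not, because the service requires the leading '/'.
function validateRedirectPath(path: string | undefined): string | undefined {
  if (path === undefined) return undefined;
  if (!path.startsWith('/')) {
    throw new Error('Redirect path must start with a \'/\'');
  }
  for (const placeholder of REDIRECT_PLACEHOLDERS) {
    if (countOccurrences(path, placeholder) > 1) {
      throw new Error(`Redirect path may contain '${placeholder}' at most once`);
    }
  }
  return path;
}

// Returns the validation error text, or undefined when the path is acceptable.
function redirectPathError(path: string | undefined): string | undefined {
  try {
    validateRedirectPath(path);
    return undefined;
  } catch (err) {
    return (err as Error).message;
  }
}
```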
### Issue # (if applicable)
N/A

### Reason for this change
Add missing property.

### Description of changes
Add the `insecureIngest` property.



### Description of how you validated changes
Add unit tests and integ test.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…arameter (#31415)

Updates StringParameter.valueFromLookup with an optional "defaultValue". When specified, this value will be used:
 - in place of the standard dummyValue
 - to signal that an Error should not be raised during synthesis if the parameter is not found in the account.

Tests are updated to prove that this works.

### Issue # (if applicable)

Resolves #7051 

There are some closed issues which also benefit from this change:
- #22064 
- #7259

### Reason for this change

We have a library which has a fixed set of SSM parameters on which it depends.  The values from those parameters are made available as attributes of a custom Stack.  We have many users in many different AWS accounts, and not all of the parameters are guaranteed to exist.  This is okay.  In general, teams would simply not use those values and be happy with that outcome.  Unfortunately, CDK crashes when you look up an SSM parameter that does not exist in the account.  This is unacceptable.

### Description of changes

To address the issue described above, I implemented an optional parameter on the `valueFromLookup` method: `defaultValue`.  The idea is that if this value is specified, and we fail to look up a parameter in the account, we will return this value and suppress the Error that is currently raised when a parameter is not found.

To implement that functionality, I added a field to the `GetContextValueOptions` interface which is used to flag that we're not going to raise the error.  Then, in `valueFromLookup`, I set that flag to `true` if the `dummyValue` is specified.  `valueFromLookup` then calls `ContextProvider.getValue` passing along those values.

`ContextProvider.getValue` is modified so that when it calls `stack.reportMissingContextKey` it passes a modified set of `props` which include the `defaultValue` and the `ignoreErrorOnMissingContext` flag.

These finally land in the `aws-cdk` context provider for `ssm-parameter`.  That code has been updated so that if the value is not found in SSM, and we're told to suppress the error, then we'll simply return the `defaultValue` that was passed in. 

### Description of how you validated changes


I added a unit tests which covers when the default value is set.  I also updated the original unit test as the `props` now contain some additional field.

I added an integration test which calls `valueFromLookup` with a `defaultValue` set and then confirms that no exception is raised and that `valueFromLookup` returned the `defaultValue`.

**NOTE**
I considered that the changes made _might_ need to be a part of the `cloud-assembly-schema` but chose to work around that for now.  I'm open to incorporating them there if that's a more correct path.

**NOTE 2**
I'm unsure about how to update API documentation for this change.  This does alter the public API for `valueFromLookup` and the function doesn't appear to have a proper `TSDoc` header on it.  Please let me know if there's a proper way for me to update the documentation.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ecureValue (#31409)

### Issue # (if applicable)

Closes #31378

### Reason for this change

1. `privateKey` was typed `string` which should be `SecureValue` just as [clientSecretValue](https://github.com/aws/aws-cdk/blob/1e203753519e10e19ef0db87e1382377b609bcaa/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/google.ts#L28) in Google IdP. This PR deprecates `privateKey` and adds `privateKeyValue` with correct type.
2. `apple.ts` was named by mistake and it won't be unit tested. This PR renames it to `apple.test.ts` so it would be covered. Figured out an existing test was failing, so I fixed that failing one as well.


### Description of changes

- Add `privateKeyValue` property of type SecretValue to UserPoolIdentityProviderAppleProps
- Deprecate the existing `privateKey` string property
- Implement logic to ensure exactly one of `privateKey` or `privateKeyValue` is provided
- Update UserPoolIdentityProviderApple to use the new `privateKeyValue` when available
- Rename apple.ts test file to apple.test.ts for consistency
- Add new test case to verify mutually exclusive properties

Users must now provide either `privateKey` or `privateKeyValue`,
but not both. This change enhances security by allowing the use of SecretValue
for the Apple IDP private key.


### Description of how you validated changes



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… encryptionKey (#31430)

### Reason for this change

The previous `encryption` and `encryptionKey` properties required error handling to enforce when an `encryptionKey` could be specified and when it was invalid (only valid when using `CUSTOMER_MANAGED_KEY`).

The properties should be combined to make this user experience more straightforward and only allow a KMS key to be passed in when using a customer-managed key. 

### Description of changes

BREAKING CHANGE: `encryptionKey` property is removed and `encryption` property type has changed from the `StreamEncryption` enum to the `StreamEncryption` class. 

To pass in a KMS key for the customer managed key case, use `StreamEncryption.customerManagedKey(key)`

#### Details
Replaced the `encryption` and `encryptionKey` properties with a single property `encryption` of type `StreamEncryption`, which is used by calling one of the 3 methods:
```ts
StreamEncryption.unencrypted()
StreamEncryption.awsOwnedKey()
StreamEncryption.customerManagedKey(key?: IKey)
```

This makes it so it's no longer possible to pass in a key when the encryption type is AWS owned or unencrypted. The `key` is an optional parameter in `StreamEncryption.customerManagedKey(key?: IKey)`, so following the previous behaviour, if a key is provided it will be used; otherwise a key will be created for the user.

### Description of how you validated changes

Generated templates do not change so behaviour remains the same. 

Updated integ/unit tests. 

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Add interface VPC endpoint for Resource Access Manager.

Ref:
* https://aws.amazon.com/about-aws/whats-new/2024/09/aws-resource-access-manager-privatelink/
* https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…r an HTTP API (#31373)

### Issue # (if applicable)

Closes #31104.

### Reason for this change

CloudFormation supports configuring `routeSelectionExpression`, but AWS CDK doesn't support this.

### Description of changes

Added `routeSelectionExpression` prop to `HttpApiProps`.

For HTTP API, `routeSelectionExpression` must be `${request.method} ${request.path}`. Therefore, I defined `routeSelectionExpression` as boolean and set it to `${request.method} ${request.path}`.

### Description of how you validated changes

Added unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #30148

### Reason for this change

Using L1 and L2 bucket policies together with `serverAccessLogsBucket` would cause the bucket policy to be overwritten instead of appended to.

### Description of changes

No behavioural change, only readme update to explain the issues and the workaround.

### Description of how you validated changes

No behavioural change.

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)


### Reason for this change

The regex for private ECR repos currently excludes some supported URLs in AWS regions. Updating the regex to be more inclusive of all AWS regions.

### Description of changes

Modified private ECR repo URL to be domain agnostic.

### Description of how you validated changes

All existing tests pass: 
- `npx cdk -a test/aws-eks/test/integ.eks-helm-asset.js deploy --all`
- `yarn test aws-eks`
- `yarn integ --directory test/aws-eks/test`

Manually updated lambda function highside to verify change works in isolated regions as well.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…rn (#31433)

### Issue # (if applicable)

Closes #29813

### Reason for this change

The current `lambda.Version.fromVersionArn` will incorrectly create the lambda function arn with the version qualifier. This is incorrect behaviour and causes CFN deployment failures.

### Description of changes

If the version arn is an unresolved token, use intrinsics to join the first 7 components. Otherwise, split the array and join the first 7 components directly.

### Description of how you validated changes

All new and existing tests should pass. New integration tests added with assertions.

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
closes #28249. 

The qualifier property can be set via the context key "@aws-cdk/core:bootstrapQualifier" and if omitted, the arbitrary default is `hnb659fds`. In the case of `cdk bootstrap`, there is an additional way to set the qualifier via the `--qualifier` CLI option. Specific to the `cdk bootstrap` logic, we currently only honor the command line argument, which is an error.

Ultimately, the following `cdk bootstrap` calls should be identical:

- `cdk bootstrap` with the following `cdk.json` file:

```json
{
  "@aws-cdk/core:bootstrapQualifier": "abcde",
}
```

- `cdk bootstrap --qualifier="abcde"`

I've made the decision that the `--qualifier` parameter takes precedence over the `cdk.json` context if they are both set.
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
### Issue # (if applicable)

Closes #27864

### Reason for this change

When using cdk watch mode, a synth failure causes the CDK CLI to no longer deploy changes. The CDK CLI must be restarted to resume watch mode. The cause of the issue is that CDK CLI never releases the outdir write lock if synthing fails, so subsequent attempts to exec the user's app cannot acquire the outdir writer lock.



### Description of changes

I added a try/catch that releases the outdir writer lock & rethrows the error when a synth fails.



### Description of how you validated changes

I added a unit test. I also ran the modified cdk cli on a project of my own and simulated the failure of a synth to see whether the issue was resolved, and it is.



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #.
Internal Tracking ticket P150271569

### Reason for this change

Expected endpoints for ECR in some isolated regions are as below:

```
gov.ic.hci.csp.us-isof-name.ecr.api
gov.ic.hci.csp.us-isof-name.ecr.dkr
uk.adc-e.cloud.eu-isoe-name.ecr.api
uk.adc-e.cloud.eu-isoe-name.ecr.dkr
```

### Description of changes

As discussed with the ECR Service team, endpoints for the service are being generated in reverse order of the domain suffix. Since some of the endpoints for other services are still using `com.amazonaws`, the fix was added only for the partitions and service (ECR) flagged.

Cannot do this for cn regions on the basis of suffix, as both regions have different services under exceptions.

### Description of how you validated changes

Added unit test for validation of endpoint, keeping the region names as `us-isoe-test-1` as the regions are in build stage and could be confidential.

No changes to integration test as the fix is for isolated regions.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
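An added example, not aws-cdk's own code, applying the reversed-domain-suffix rule from the commit message above to build ECR interface endpoint service names. The partition suffixes `csp.hci.ic.gov` and `cloud.adc-e.uk` are the un-reversed forms of the prefixes quoted in the message, the region names `us-isof-name` / `eu-isoe-name` are its placeholders, and the region-prefix-to-partition mapping is an assumption; it also shows that the same rule reproduces the historical `com.amazonaws` prefix for commercial regions, while `cn-` regions are deliberately rejected rather than guessed.

```typescript
// Added example (not aws-cdk code): VPC interface endpoint service names for
// ECR, derived by reversing the partition's DNS domain suffix as the commit
// message describes for the flagged isolated partitions.

// Partition -> domain suffix. The commercial value is the well-known
// amazonaws.com; the isolated values are the un-reversed forms of the
// prefixes quoted in the commit message (gov.ic.hci.csp, uk.adc-e.cloud).
const PARTITION_DOMAIN_SUFFIX = new Map<string, string>([
  ['aws', 'amazonaws.com'],
  ['aws-iso-f', 'csp.hci.ic.gov'],
  ['aws-iso-e', 'cloud.adc-e.uk'],
]);

// Only these partitions get the reversed-suffix rule; everything else keeps
// the historical `com.amazonaws` prefix, matching the scope of the fix.
const REVERSED_SUFFIX_PARTITIONS = new Set(['aws-iso-f', 'aws-iso-e']);

export type EcrEndpoint = 'api' | 'dkr';

// Assumed mapping from region-name prefix to partition. The isolated
// prefixes follow the placeholder region names in the commit message.
export function partitionForRegion(region: string): string {
  if (region.startsWith('us-isof-')) return 'aws-iso-f';
  if (region.startsWith('eu-isoe-')) return 'aws-iso-e';
  if (region.startsWith('cn-')) return 'aws-cn'; // no suffix entry: rejected below
  return 'aws';
}

// Reverse the DNS labels: "csp.hci.ic.gov" -> "gov.ic.hci.csp".
// Applied to "amazonaws.com" this yields "com.amazonaws", which is why the
// historical prefix coincides with the general rule for commercial regions.
export function reverseDomainLabels(suffix: string): string {
  return suffix.split('.').reverse().join('.');
}

// Build e.g. "gov.ic.hci.csp.us-isof-name.ecr.api". Throws for partitions
// the rule does not cover (the commit message excludes cn regions), so a
// caller never silently gets a service name that cannot resolve.
export function ecrEndpointServiceName(region: string, endpoint: EcrEndpoint): string {
  const partition = partitionForRegion(region);
  const suffix = PARTITION_DOMAIN_SUFFIX.get(partition);
  if (suffix === undefined) {
    throw new Error(`no domain-suffix rule for partition ${partition} (region ${region})`);
  }
  const prefix = REVERSED_SUFFIX_PARTITIONS.has(partition)
    ? reverseDomainLabels(suffix)
    : 'com.amazonaws';
  return `${prefix}.${region}.ecr.${endpoint}`;
}
```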
### Issue # (if applicable)

N/A

### Reason for this change

Add new team member `jiayiwang7`

### Description of changes

Add GitHub user `jiayiwang7` to mergify and merit badger.

### Description of how you validated changes

N/A

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

N/A

### Reason for this change
Amazon OpenSearch Service supports OpenSearch version 2.15.

Ref: https://aws.amazon.com/about-aws/whats-new/2024/09/amazon-opensearch-service-version-2-15/

```sh
% aws opensearch list-versions --region us-east-1

{
    "Versions": [
        "OpenSearch_2.15",
        "OpenSearch_2.13",
        "OpenSearch_2.11",
// omit
```


### Description of changes
Add ver 2.15 enum


### Description of how you validated changes
Add unit test and integ test



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
khushail and others added 7 commits September 17, 2024 15:56
### Issue #[31358](#31358)

Closes #31358 .

### Reason for this change

The existing [CDK Doc on BucketPolicy](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketPolicy.html) says `Prefer to use`, which is misleading as it does not clearly state the repercussions.

### Description of changes

I have added a sample of what would happen if this is used along with other Bucket properties.

### Description of how you validated changes

This is a minor documentation change

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…n function on the first page (#31406)

### Issue # (if applicable)

aws-amplify/amplify-category-api#2307

### Reason for this change



Hotswap for AppSync functions sometimes fails with `Deployment failed: MissingRequiredParameter: Missing required key 'functionId' in params`. This is because the SDK list function only retrieves the first page. In APIs where there are many functions it is possible for the hotswapped function to not be contained in the first page. This results in the previously mentioned error because the `functionId` is never retrieved.

### Description of changes



List all AppSync functions for a given API by iterating through the pages with the `nextToken`. The change was modeled after a similar request [here](https://github.com/aws/aws-cdk/blob/1e203753519e10e19ef0db87e1382377b609bcaa/packages/aws-cdk/lib/api/evaluate-cloudformation-template.ts#L23-L36).

### Description of how you validated changes



* Unit tests
* Integ tests
* Manual testing in app from aws-amplify/amplify-category-api#2307

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
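An added example, not aws-cdk's own code, that reproduces the failure mode described in the commit message above: an in-memory stand-in for the AppSync `ListFunctions` API serves results in pages, a first-page-only lookup misses a function on a later page, and the `nextToken` loop finds it. The type names, the page size of 25, the 60 constructed functions and the `maxPages` cap are assumptions for illustration.

```typescript
// Added example (not aws-cdk code). Mirrors the hotswap bug in the commit
// message: reading only the first ListFunctions page loses any AppSync
// function the API returns on a later page, so no functionId is found.

// Simplified stand-ins for the SDK's ListFunctions request/response shapes.
interface FunctionConfiguration {
  functionId: string;
  name: string;
}
interface ListFunctionsInput {
  apiId: string;
  nextToken?: string;
}
interface ListFunctionsOutput {
  functions?: FunctionConfiguration[];
  nextToken?: string;
}
// The real SDK call is asynchronous; this mock is synchronous so the
// example runs self-contained without a network or credentials.
interface AppSyncLike {
  listFunctions(input: ListFunctionsInput): ListFunctionsOutput;
}

// Constructed in-memory client: serves `pageSize` functions per call and
// encodes the next offset in the opaque nextToken, as the real API does.
export function makePagedClient(all: FunctionConfiguration[], pageSize: number): AppSyncLike {
  return {
    listFunctions({ nextToken }: ListFunctionsInput): ListFunctionsOutput {
      const start = nextToken === undefined ? 0 : Number.parseInt(nextToken, 10);
      const end = start + pageSize;
      return {
        functions: all.slice(start, end),
        nextToken: end < all.length ? String(end) : undefined,
      };
    },
  };
}

// Before the fix: only the first page is consulted, so a function further
// back resolves to undefined and the hotswap fails for lack of a functionId.
export function findFunctionIdFirstPageOnly(
  client: AppSyncLike, apiId: string, name: string,
): string | undefined {
  const { functions = [] } = client.listFunctions({ apiId });
  return functions.find((f) => f.name === name)?.functionId;
}

// After the fix: follow nextToken until the API stops returning one.
// maxPages is a defensive cap (an assumption, not in the commit) so an
// endpoint that keeps handing back tokens cannot make the caller loop forever.
export function listAllFunctions(
  client: AppSyncLike, apiId: string, maxPages = 1000,
): FunctionConfiguration[] {
  const result: FunctionConfiguration[] = [];
  let nextToken: string | undefined;
  let pages = 0;
  do {
    pages += 1;
    if (pages > maxPages) {
      throw new Error(`ListFunctions for ${apiId} exceeded ${maxPages} pages`);
    }
    const page = client.listFunctions({ apiId, nextToken });
    result.push(...(page.functions ?? []));
    nextToken = page.nextToken;
  } while (nextToken !== undefined);
  return result;
}

export function findFunctionIdAllPages(
  client: AppSyncLike, apiId: string, name: string,
): string | undefined {
  return listAllFunctions(client, apiId).find((f) => f.name === name)?.functionId;
}

// Constructed sample: 60 functions served 25 at a time, so `fn-42` sits on
// the second page and is invisible to the first-page-only lookup.
export const SAMPLE_FUNCTIONS: FunctionConfiguration[] = Array.from(
  { length: 60 },
  (_, i) => ({ functionId: `id-${i}`, name: `fn-${i}` }),
);
export const SAMPLE_CLIENT: AppSyncLike = makePagedClient(SAMPLE_FUNCTIONS, 25);
```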
### Issue # (if applicable)

Closes #NA.

### Reason for this change

Fixes the doc job build failure for Python docs, which fail in the main pipeline with the error

```
TypeError: Cannot create a consistent method resolution
order (MRO) for bases IConstruct, IResource, Protocol
```

The issue seems to have occurred due to the `IRoute` interface extending both `IConstruct` and `IResource`; we don't need that, as `IResource` already extends `IConstruct` and `IConstruct` extends `IDependable`.

### Description of changes

Renamed `IRoute` to `IRouteV2` (as in the previous release), since we already have an interface in the main lib with the name [`IRoute`](https://github.com/aws/aws-cdk/blob/33eea3f7f2e832d63dc2c1823c56f5e235c80076/packages/aws-cdk-lib/aws-apigatewayv2/lib/common/route.ts#L6) for apigateway.

### Description of how you validated changes

Deployed in test-pipeline for verification using

```sh
git fetch origin pull/31464/head
git push -f origin FETCH_HEAD:test-main-pipeline
```



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

N/A

### Reason for this change

Add new team member `1kaileychen`

### Description of changes

Add GitHub user 1kaileychen to mergify and merit badger.

### Description of how you validated changes

N/A

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[~] service aws-amplify
│ └ resources
│    └[~] resource AWS::Amplify::App
│      ├ properties
│      │  ├ CacheConfig: (documentation changed)
│      │  └ Platform: (documentation changed)
│      └ types
│         └[~] type CacheConfig
│           ├  - documentation: undefined
│           │  + documentation: Describes the cache configuration for an Amplify app.
│           │  For more information about how Amplify applies an optimal cache configuration for your app based on the type of content that is being served, see [Managing cache configuration](https://docs.aws.amazon.com/amplify/latest/userguide/managing-cache-configuration) in the *Amplify User guide* .
│           └ properties
│              └ Type: (documentation changed)
├[~] service aws-appconfig
│ └ resources
│    └[~] resource AWS::AppConfig::ConfigurationProfile
│      └ properties
│         └ LocationUri: (documentation changed)
├[~] service aws-applicationinsights
│ └ resources
│    └[~] resource AWS::ApplicationInsights::Application
│      ├ properties
│      │  └ ComponentMonitoringSettings: (documentation changed)
│      └ types
│         ├[~] type ComponentMonitoringSetting
│         │ └ properties
│         │    ├ ComponentARN: (documentation changed)
│         │    └ ComponentName: (documentation changed)
│         ├[~] type ConfigurationDetails
│         │ └ properties
│         │    ├[+] NetWeaverPrometheusExporter: NetWeaverPrometheusExporter
│         │    ├[+] Processes: Array<Process>
│         │    └[+] SQLServerPrometheusExporter: SQLServerPrometheusExporter
│         ├[+] type NetWeaverPrometheusExporter
│         │ ├  documentation: The NetWeaver Prometheus Exporter Settings.
│         │ │  name: NetWeaverPrometheusExporter
│         │ └ properties
│         │    ├SAPSID: string (required)
│         │    ├InstanceNumbers: Array<string> (required)
│         │    └PrometheusPort: string
│         ├[+] type Process
│         │ ├  documentation: A process to be monitored for the component.
│         │ │  name: Process
│         │ └ properties
│         │    ├ProcessName: string (required)
│         │    └AlarmMetrics: Array<AlarmMetric> (required)
│         ├[+] type SQLServerPrometheusExporter
│         │ ├  documentation: The SQL prometheus exporter settings.
│         │ │  name: SQLServerPrometheusExporter
│         │ └ properties
│         │    ├PrometheusPort: string (required)
│         │    └SQLSecretName: string (required)
│         └[~] type SubComponentConfigurationDetails
│           └ properties
│              └[+] Processes: Array<Process>
├[~] service aws-applicationsignals
│ └ resources
│    └[~] resource AWS::ApplicationSignals::ServiceLevelObjective
│      ├  - documentation: Creates or updates a service level objective (SLO), which can help you ensure that your critical business operations are meeting customer expectations. Use SLOs to set and track specific target levels for the reliability and availability of your applications and services. SLOs use service level indicators (SLIs) to calculate whether the application is performing at the level that you want.
│      │  Create an SLO to set a target for a service or operation’s availability or latency. CloudWatch measures this target frequently you can find whether it has been breached.
│      │  When you create an SLO, you set an *attainment goal* for it. An *attainment goal* is the ratio of good periods that meet the threshold requirements to the total periods within the interval. For example, an attainment goal of 99.9% means that within your interval, you are targeting 99.9% of the periods to be in healthy state.
│      │  After you have created an SLO, you can retrieve error budget reports for it. An *error budget* is the number of periods or amount of time that your service can accumulate during an interval before your overall SLO budget health is breached and the SLO is considered to be unmet. for example, an SLO with a threshold that 99.95% of requests must be completed under 2000ms every month translates to an error budget of 21.9 minutes of downtime per month.
│      │  When you call this operation, Application Signals creates the *AWSServiceRoleForCloudWatchApplicationSignals* service-linked role, if it doesn't already exist in your account. This service- linked role has the following permissions:
│      │  - `xray:GetServiceGraph`
│      │  - `logs:StartQuery`
│      │  - `logs:GetQueryResults`
│      │  - `cloudwatch:GetMetricData`
│      │  - `cloudwatch:ListMetrics`
│      │  - `tag:GetResources`
│      │  - `autoscaling:DescribeAutoScalingGroups`
│      │  You can easily set SLO targets for your applications that are discovered by Application Signals, using critical metrics such as latency and availability. You can also set SLOs against any CloudWatch metric or math expression that produces a time series.
│      │  For more information about SLOs, see [Service level objectives (SLOs)](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-ServiceLevelObjectives.html) .
│      │  + documentation: Creates or updates a service level objective (SLO), which can help you ensure that your critical business operations are meeting customer expectations. Use SLOs to set and track specific target levels for the reliability and availability of your applications and services. SLOs use service level indicators (SLIs) to calculate whether the application is performing at the level that you want.
│      │  Create an SLO to set a target for a service or operation’s availability or latency. CloudWatch measures this target frequently you can find whether it has been breached.
│      │  The target performance quality that is defined for an SLO is the *attainment goal* . An attainment goal is the percentage of time or requests that the SLI is expected to meet the threshold over each time interval. For example, an attainment goal of 99.9% means that within your interval, you are targeting 99.9% of the periods to be in healthy state.
│      │  When you create an SLO, you specify whether it is a *period-based SLO* or a *request-based SLO* . Each type of SLO has a different way of evaluating your application's performance against its attainment goal.
│      │  - A *period-based SLO* uses defined *periods* of time within a specified total time interval. For each period of time, Application Signals determines whether the application met its goal. The attainment rate is calculated as the `number of good periods/number of total periods` .
│      │  For example, for a period-based SLO, meeting an attainment goal of 99.9% means that within your interval, your application must meet its performance goal during at least 99.9% of the time periods.
│      │  - A *request-based SLO* doesn't use pre-defined periods of time. Instead, the SLO measures `number of good requests/number of total requests` during the interval. At any time, you can find the ratio of good requests to total requests for the interval up to the time stamp that you specify, and measure that ratio against the goal set in your SLO.
│      │  After you have created an SLO, you can retrieve error budget reports for it. An *error budget* is the amount of time or amount of requests that your application can be non-compliant with the SLO's goal, and still have your application meet the goal.
│      │  - For a period-based SLO, the error budget starts at a number defined by the highest number of periods that can fail to meet the threshold, while still meeting the overall goal. The *remaining error budget* decreases with every failed period that is recorded. The error budget within one interval can never increase.
│      │  For example, an SLO with a threshold that 99.95% of requests must be completed under 2000ms every month translates to an error budget of 21.9 minutes of downtime per month.
│      │  - For a request-based SLO, the remaining error budget is dynamic and can increase or decrease, depending on the ratio of good requests to total requests.
│      │  When you call this operation, Application Signals creates the *AWSServiceRoleForCloudWatchApplicationSignals* service-linked role, if it doesn't already exist in your account. This service- linked role has the following permissions:
│      │  - `xray:GetServiceGraph`
│      │  - `logs:StartQuery`
│      │  - `logs:GetQueryResults`
│      │  - `cloudwatch:GetMetricData`
│      │  - `cloudwatch:ListMetrics`
│      │  - `tag:GetResources`
│      │  - `autoscaling:DescribeAutoScalingGroups`
│      │  You can easily set SLO targets for your applications that are discovered by Application Signals, using critical metrics such as latency and availability. You can also set SLOs against any CloudWatch metric or math expression that produces a time series.
│      │  You cannot change from a period-based SLO to a request-based SLO, or change from a request-based SLO to a period-based SLO.
│      │  For more information about SLOs, see [Service level objectives (SLOs)](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-ServiceLevelObjectives.html) .
│      ├ properties
│      │  ├ RequestBasedSli: (documentation changed)
│      │  └ Sli: - Sli (required)
│      │         + Sli
│      │         (documentation changed)
│      └ types
│         ├[~] type Goal
│         │ └ properties
│         │    └ AttainmentGoal: (documentation changed)
│         ├[~] type MonitoredRequestCountMetric
│         │ └ properties
│         │    ├ BadCountMetric: (documentation changed)
│         │    └ GoodCountMetric: (documentation changed)
│         ├[~] type RequestBasedSli
│         │ └ properties
│         │    ├ MetricThreshold: (documentation changed)
│         │    └ RequestBasedSliMetric: (documentation changed)
│         └[~] type RequestBasedSliMetric
│           └ properties
│              ├ KeyAttributes: (documentation changed)
│              ├ MetricType: (documentation changed)
│              ├ MonitoredRequestCountMetric: (documentation changed)
│              └ TotalRequestCountMetric: (documentation changed)
├[~] service aws-athena
│ └ resources
│    └[~] resource AWS::Athena::WorkGroup
│      └ types
│         ├[~] type AclConfiguration
│         │ ├  - documentation: Indicates that an Amazon S3 canned ACL should be set to control ownership of stored query results. When Athena stores query results in Amazon S3, the canned ACL is set with the `x-amz-acl` request header. For more information about S3 Object Ownership, see [Object Ownership settings](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html#object-ownership-overview) in the *Amazon S3 User Guide* .
│         │ │  + documentation: Indicates that an Amazon S3 canned ACL should be set to control ownership of stored query results, including data files inserted by Athena as the result of statements like CTAS or INSERT INTO. When Athena stores query results in Amazon S3, the canned ACL is set with the `x-amz-acl` request header. For more information about S3 Object Ownership, see [Object Ownership settings](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html#object-ownership-overview) in the *Amazon S3 User Guide* .
│         │ └ properties
│         │    └ S3AclOption: (documentation changed)
│         ├[~] type ResultConfiguration
│         │ └ properties
│         │    ├ EncryptionConfiguration: (documentation changed)
│         │    └ OutputLocation: (documentation changed)
│         ├[~] type ResultConfigurationUpdates
│         │ └ properties
│         │    ├ RemoveEncryptionConfiguration: (documentation changed)
│         │    └ RemoveOutputLocation: (documentation changed)
│         └[~] type WorkGroupConfiguration
│           └ properties
│              ├ EnforceWorkGroupConfiguration: (documentation changed)
│              └ ResultConfiguration: (documentation changed)
├[~] service aws-auditmanager
│ └ resources
│    └[~] resource AWS::AuditManager::Assessment
│      └ types
│         ├[~] type AWSService
│         │ ├  - documentation: The `AWSService` property type specifies an  such as Amazon S3 , AWS CloudTrail , and so on.
│         │ │  + documentation: The `AWSService` property type specifies an AWS service such as Amazon S3 , AWS CloudTrail , and so on.
│         │ └ properties
│         │    └ ServiceName: (documentation changed)
│         └[~] type Scope
│           └ properties
│              └ AwsServices: (documentation changed)
├[~] service aws-bedrock
│ └ resources
│    ├[~] resource AWS::Bedrock::Agent
│    │ └ types
│    │    └[~] type PromptOverrideConfiguration
│    │      └ properties
│    │         └ OverrideLambda: (documentation changed)
│    ├[~] resource AWS::Bedrock::DataSource
│    │ └ types
│    │    ├[~] type BedrockFoundationModelConfiguration
│    │    │ ├  - documentation: Settings for a foundation model used to parse documents for a data source.
│    │    │ │  + documentation: Settings for a foundation model or [inference profile](https://docs.aws.amazon.com/bedrock/latest/userguide/cross-region-inference.html) used to parse documents for a data source.
│    │    │ └ properties
│    │    │    └ ModelArn: (documentation changed)
│    │    └[~] type ParsingConfiguration
│    │      └  - documentation: Settings for parsing document contents. By default, the service converts the contents of each document into text before splitting it into chunks. To improve processing of PDF files with tables and images, you can configure the data source to convert the pages of text into images and use a model to describe the contents of each page.
│    │         To use a model to parse PDF documents, set the parsing strategy to `BEDROCK_FOUNDATION_MODEL` and specify the model to use by ARN. You can also override the default parsing prompt with instructions for how to interpret images and tables in your documents. The following models are supported.
│    │         - Anthropic Claude 3 Sonnet - `anthropic.claude-3-sonnet-20240229-v1:0`
│    │         - Anthropic Claude 3 Haiku - `anthropic.claude-3-haiku-20240307-v1:0`
│    │         You can get the ARN of a model with the [ListFoundationModels](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_ListFoundationModels.html) action. Standard model usage charges apply for the foundation model parsing strategy.
│    │         + documentation: Settings for parsing document contents. By default, the service converts the contents of each document into text before splitting it into chunks. To improve processing of PDF files with tables and images, you can configure the data source to convert the pages of text into images and use a model to describe the contents of each page.
│    │         To use a model to parse PDF documents, set the parsing strategy to `BEDROCK_FOUNDATION_MODEL` and specify the model or [inference profile](https://docs.aws.amazon.com/bedrock/latest/userguide/cross-region-inference.html) to use by ARN. You can also override the default parsing prompt with instructions for how to interpret images and tables in your documents. The following models are supported.
│    │         - Anthropic Claude 3 Sonnet - `anthropic.claude-3-sonnet-20240229-v1:0`
│    │         - Anthropic Claude 3 Haiku - `anthropic.claude-3-haiku-20240307-v1:0`
│    │         You can get the ARN of a model with the [ListFoundationModels](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_ListFoundationModels.html) action. Standard model usage charges apply for the foundation model parsing strategy.
│    └[~] resource AWS::Bedrock::Guardrail
│      └  - documentation: Creates a guardrail to block topics and to implement safeguards for your generative AI applications.
│         You can configure the following policies in a guardrail to avoid undesirable and harmful content, filter out denied topics and words, and remove sensitive information for privacy protection.
│         - *Content filters* - Adjust filter strengths to block input prompts or model responses containing harmful content.
│         - *Denied topics* - Define a set of topics that are undesirable in the context of your application. These topics will be blocked if detected in user queries or model responses.
│         - *Word filters* - Configure filters to block undesirable words, phrases, and profanity. Such words can include offensive terms, competitor names etc.
│         - *Sensitive information filters* - Block or mask sensitive information such as personally identifiable information (PII) or custom regex in user inputs and model responses.
│         In addition to the above policies, you can also configure the messages to be returned to the user if a user input or model response is in violation of the policies defined in the guardrail.
│         For more information, see [Guardrails for Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html) in the *Amazon Bedrock User Guide* .
│         + documentation: Creates a guardrail to block topics and to implement safeguards for your generative AI applications.
│         You can configure the following policies in a guardrail to avoid undesirable and harmful content, filter out denied topics and words, and remove sensitive information for privacy protection.
│         - *Content filters* - Adjust filter strengths to block input prompts or model responses containing harmful content.
│         - *Denied topics* - Define a set of topics that are undesirable in the context of your application. These topics will be blocked if detected in user queries or model responses.
│         - *Word filters* - Configure filters to block undesirable words, phrases, and profanity. Such words can include offensive terms, competitor names etc.
│         - *Sensitive information filters* - Block or mask sensitive information such as personally identifiable information (PII) or custom regex in user inputs and model responses.
│         In addition to the above policies, you can also configure the messages to be returned to the user if a user input or model response is in violation of the policies defined in the guardrail.
│         For more information, see [Amazon Bedrock Guardrails](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html) in the *Amazon Bedrock User Guide* .
├[~] service aws-codebuild
│ └ resources
│    └[~] resource AWS::CodeBuild::Fleet
│      └ properties
│         ├ ComputeType: (documentation changed)
│         ├ EnvironmentType: (documentation changed)
│         ├ FleetVpcConfig: (documentation changed)
│         └ ImageId: (documentation changed)
├[~] service aws-codeconnections
│ └ resources
│    └[~] resource AWS::CodeConnections::Connection
│      └ attributes
│         └ ConnectionArn: (documentation changed)
├[~] service aws-cognito
│ └ resources
│    ├[~] resource AWS::Cognito::LogDeliveryConfiguration
│    │ ├  - documentation: The logging parameters of a user pool returned in response to `GetLogDeliveryConfiguration` .
│    │ │  + documentation: The logging parameters of a user pool, as returned in the response to a [GetLogDeliveryConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html) request.
│    │ └ types
│    │    ├[~] type CloudWatchLogsConfiguration
│    │    │ └  - documentation: Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with advanced security features.
│    │    │    + documentation: Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with advanced security features.
│    │    │    This data type is a request parameter of [SetLogDeliveryConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html) and a response parameter of [GetLogDeliveryConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html) .
│    │    └[~] type LogConfiguration
│    │      ├  - documentation: The logging parameters of a user pool.
│    │      │  + documentation: The configuration of user event logs to an external AWS service like Amazon Data Firehose, Amazon S3, or Amazon CloudWatch Logs.
│    │      │  This data type is a request parameter of [SetLogDeliveryConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html) and a response parameter of [GetLogDeliveryConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html) .
│    │      └ properties
│    │         └ CloudWatchLogsConfiguration: (documentation changed)
│    ├[~] resource AWS::Cognito::UserPool
│    │ ├ properties
│    │ │  ├ AdminCreateUserConfig: (documentation changed)
│    │ │  ├[+] EmailAuthenticationMessage: string
│    │ │  ├[+] EmailAuthenticationSubject: string
│    │ │  ├ LambdaConfig: (documentation changed)
│    │ │  ├ Policies: (documentation changed)
│    │ │  └ VerificationMessageTemplate: (documentation changed)
│    │ └ types
│    │    ├[~] type AdminCreateUserConfig
│    │    │ └ properties
│    │    │    ├ AllowAdminCreateUserOnly: (documentation changed)
│    │    │    └ UnusedAccountValidityDays: (documentation changed)
│    │    ├[~] type DeviceConfiguration
│    │    │ └  - documentation: The device-remembering configuration for a user pool. A [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) request returns a null value for this object when the user pool isn't configured to remember devices. When device remembering is active, you can remember a user's device with a [ConfirmDevice](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmDevice.html) API request. Additionally. when the property `DeviceOnlyRememberedOnUserPrompt` is `true` , you must follow `ConfirmDevice` with an [UpdateDeviceStatus](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateDeviceStatus.html) API request that sets the user's device to `remembered` or `not_remembered` .
│    │    │    To sign in with a remembered device, include `DEVICE_KEY` in the authentication parameters in your user's [InitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html) request. If your app doesn't include a `DEVICE_KEY` parameter, the [response](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html#API_InitiateAuth_ResponseSyntax) from Amazon Cognito includes newly-generated `DEVICE_KEY` and `DEVICE_GROUP_KEY` values under `NewDeviceMetadata` . Store these values to use in future device-authentication requests.
│    │    │    > When you provide a value for any property of `DeviceConfiguration` , you activate the device remembering for the user pool.
│    │    │    + documentation: The device-remembering configuration for a user pool. A [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) request returns a null value for this object when the user pool isn't configured to remember devices. When device remembering is active, you can remember a user's device with a [ConfirmDevice](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmDevice.html) API request. Additionally. when the property `DeviceOnlyRememberedOnUserPrompt` is `true` , you must follow `ConfirmDevice` with an [UpdateDeviceStatus](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateDeviceStatus.html) API request that sets the user's device to `remembered` or `not_remembered` .
│    │    │    To sign in with a remembered device, include `DEVICE_KEY` in the authentication parameters in your user's [InitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html) request. If your app doesn't include a `DEVICE_KEY` parameter, the [response](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html#API_InitiateAuth_ResponseSyntax) from Amazon Cognito includes newly-generated `DEVICE_KEY` and `DEVICE_GROUP_KEY` values under `NewDeviceMetadata` . Store these values to use in future device-authentication requests.
│    │    │    > When you provide a value for any property of `DeviceConfiguration` , you activate the device remembering for the user pool.
│    │    │    > 
│    │    │    > This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) .
│    │    ├[~] type InviteMessageTemplate
│    │    │ └  - documentation: The message template to be used for the welcome message to new users.
│    │    │    See also [Customizing User Invitation Messages](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization) .
│    │    │    + documentation: The template for the welcome message to new users.
│    │    │    See also [Customizing User Invitation Messages](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization) .
│    │    ├[~] type LambdaConfig
│    │    │ ├  - documentation: Specifies the configuration for AWS Lambda triggers.
│    │    │ │  + documentation: A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of user pool operations. Triggers can modify the outcome of the operations that invoked them.
│    │    │ │  This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) .
│    │    │ └ properties
│    │    │    ├ CreateAuthChallenge: (documentation changed)
│    │    │    ├ CustomMessage: (documentation changed)
│    │    │    ├ DefineAuthChallenge: (documentation changed)
│    │    │    ├ PostAuthentication: (documentation changed)
│    │    │    ├ PostConfirmation: (documentation changed)
│    │    │    ├ PreAuthentication: (documentation changed)
│    │    │    ├ PreSignUp: (documentation changed)
│    │    │    ├ PreTokenGeneration: (documentation changed)
│    │    │    ├ PreTokenGenerationConfig: (documentation changed)
│    │    │    ├ UserMigration: (documentation changed)
│    │    │    └ VerifyAuthChallengeResponse: (documentation changed)
│    │    ├[~] type NumberAttributeConstraints
│    │    │ └  - documentation: The minimum and maximum values of an attribute that is of the number data type.
│    │    │    + documentation: The minimum and maximum values of an attribute that is of the number type, for example `custom:age` .
│    │    │    This data type is part of [SchemaAttributeType](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SchemaAttributeType.html) . It defines the length constraints on number-type attributes that you configure in [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and displays the length constraints of all number-type attributes in the response to [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html)
│    │    ├[~] type PasswordPolicy
│    │    │ ├  - documentation: The password policy type.
│    │    │ │  + documentation: The password policy settings for a user pool, including complexity, history, and length requirements.
│    │    │ │  This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) .
│    │    │ └ properties
│    │    │    ├ RequireLowercase: (documentation changed)
│    │    │    ├ RequireNumbers: (documentation changed)
│    │    │    ├ RequireSymbols: (documentation changed)
│    │    │    └ RequireUppercase: (documentation changed)
│    │    ├[~] type Policies
│    │    │ ├  - documentation: The policy associated with a user pool.
│    │    │ │  + documentation: A list of user pool policies. Contains the policy that sets password-complexity requirements.
│    │    │ │  This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) .
│    │    │ └ properties
│    │    │    └ PasswordPolicy: (documentation changed)
│    │    ├[~] type PreTokenGenerationConfig
│    │    │ └  - documentation: The properties of a pre token generation Lambda trigger.
│    │    │    + documentation: The properties of a pre token generation Lambda trigger.
│    │    │    This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) .
│    │    ├[~] type SchemaAttribute
│    │    │ └  - documentation: A list of the user attributes and their properties in your user pool. The attribute schema contains standard attributes, custom attributes with a `custom:` prefix, and developer attributes with a `dev:` prefix. For more information, see [User pool attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html) .
│    │    │    Developer-only attributes are a legacy feature of user pools, are read-only to all app clients. You can create and update developer-only attributes only with IAM-authenticated API operations. Use app client read/write permissions instead.
│    │    │    + documentation: A list of the user attributes and their properties in your user pool. The attribute schema contains standard attributes, custom attributes with a `custom:` prefix, and developer attributes with a `dev:` prefix. For more information, see [User pool attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html) .
│    │    │    Developer-only `dev:` attributes are a legacy feature of user pools, and are read-only to all app clients. You can create and update developer-only attributes only with IAM-authenticated API operations. Use app client read/write permissions instead.
│    │    │    This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) .
│    │    ├[~] type StringAttributeConstraints
│    │    │ └ properties
│    │    │    └ MinLength: (documentation changed)
│    │    ├[~] type UsernameConfiguration
│    │    │ └ properties
│    │    │    └ CaseSensitive: (documentation changed)
│    │    ├[~] type UserPoolAddOns
│    │    │ └  - documentation: User pool add-ons. Contains settings for activation of advanced security features. To log user security information but take no action, set to `AUDIT` . To configure automatic security responses to risky traffic to your user pool, set to `ENFORCED` .
│    │    │    For more information, see [Adding advanced security to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) .
│    │    │    + documentation: User pool add-ons. Contains settings for activation of advanced security features. To log user security information but take no action, set to `AUDIT` . To configure automatic security responses to risky traffic to your user pool, set to `ENFORCED` .
│    │    │    For more information, see [Adding advanced security to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html) .
│    │    │    This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) .
│    │    └[~] type VerificationMessageTemplate
│    │      ├  - documentation: The template for verification messages.
│    │      │  + documentation: The template for the verification message that your user pool delivers to users who set an email address or phone number attribute.
│    │      │  This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) .
│    │      └ properties
│    │         └ DefaultEmailOption: (documentation changed)
│    ├[~] resource AWS::Cognito::UserPoolClient
│    │ ├ properties
│    │ │  └ ReadAttributes: (documentation changed)
│    │ └ types
│    │    ├[~] type AnalyticsConfiguration
│    │    │ ├  - documentation: The Amazon Pinpoint analytics configuration necessary to collect metrics for a user pool.
│    │    │ │  > In Regions where Amazon Pinpoint isn't available, user pools only support sending events to Amazon Pinpoint projects in us-east-1. In Regions where Amazon Pinpoint is available, user pools support sending events to Amazon Pinpoint projects within that same Region.
│    │    │ │  + documentation: The settings for Amazon Pinpoint analytics configuration. With an analytics configuration, your application can collect user-activity metrics for user notifications with a Amazon Pinpoint campaign.
│    │    │ │  Amazon Pinpoint isn't available in all AWS Regions. For a list of available Regions, see [Amazon Cognito and Amazon Pinpoint Region availability](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html#cognito-user-pools-find-region-mappings) .
│    │    │ │  This data type is a request parameter of [CreateUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html) and [UpdateUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html) , and a response parameter of [DescribeUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html) .
│    │    │ └ properties
│    │    │    ├ ApplicationId: (documentation changed)
│    │    │    ├ ExternalId: (documentation changed)
│    │    │    └ RoleArn: (documentation changed)
│    │    └[~] type TokenValidityUnits
│    │      └ properties
│    │         ├ AccessToken: (documentation changed)
│    │         ├ IdToken: (documentation changed)
│    │         └ RefreshToken: (documentation changed)
│    ├[~] resource AWS::Cognito::UserPoolDomain
│    │ └ types
│    │    └[~] type CustomDomainConfigType
│    │      └  - documentation: The configuration for a custom domain that hosts the sign-up and sign-in webpages for your application.
│    │         + documentation: The configuration for a hosted UI custom domain.
│    │         This data type is a request parameter of [CreateUserPoolDomain](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolDomain.html) and [UpdateUserPoolDomain](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolDomain.html) .
│    ├[~] resource AWS::Cognito::UserPoolResourceServer
│    │ └ types
│    │    └[~] type ResourceServerScopeType
│    │      ├  - documentation: A resource server scope.
│    │      │  + documentation: One custom scope associated with a user pool resource server. This data type is a member of `ResourceServerScopeType` . For more information, see [Scopes, M2M, and API authorization with resource servers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html) .
│    │      │  This data type is a request parameter of [CreateResourceServer](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateResourceServer.html) and a response parameter of [DescribeResourceServer](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeResourceServer.html) .
│    │      └ properties
│    │         ├ ScopeDescription: (documentation changed)
│    │         └ ScopeName: (documentation changed)
│    ├[~] resource AWS::Cognito::UserPoolRiskConfigurationAttachment
│    │ ├ properties
│    │ │  ├ AccountTakeoverRiskConfiguration: (documentation changed)
│    │ │  ├ CompromisedCredentialsRiskConfiguration: (documentation changed)
│    │ │  ├ RiskExceptionConfiguration: (documentation changed)
│    │ │  └ UserPoolId: (documentation changed)
│    │ └ types
│    │    ├[~] type AccountTakeoverActionsType
│    │    │ ├  - documentation: Account takeover actions type.
│    │    │ │  + documentation: A list of account-takeover actions for each level of risk that Amazon Cognito might assess with advanced security features.
│    │    │ │  This data type is a request parameter of [SetRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html) and a response parameter of [DescribeRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html) .
│    │    │ └ properties
│    │    │    ├ HighAction: (documentation changed)
│    │    │    ├ LowAction: (documentation changed)
│    │    │    └ MediumAction: (documentation changed)
│    │    ├[~] type AccountTakeoverActionType
│    │    │ ├  - documentation: Account takeover action type.
│    │    │ │  + documentation: The automated response to a risk level for adaptive authentication in full-function, or `ENFORCED` , mode. You can assign an action to each risk level that advanced security features evaluates.
│    │    │ │  This data type is a request parameter of [SetRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html) and a response parameter of [DescribeRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html) .
│    │    │ └ properties
│    │    │    ├ EventAction: (documentation changed)
│    │    │    └ Notify: (documentation changed)
│    │    ├[~] type AccountTakeoverRiskConfigurationType
│    │    │ ├  - documentation: Configuration for mitigation actions and notification for different levels of risk detected for a potential account takeover.
│    │    │ │  + documentation: The settings for automated responses and notification templates for adaptive authentication with advanced security features.
│    │    │ │  This data type is a request parameter of [SetRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html) and a response parameter of [DescribeRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html) .
│    │    │ └ properties
│    │    │    ├ Actions: (documentation changed)
│    │    │    └ NotifyConfiguration: (documentation changed)
│    │    ├[~] type CompromisedCredentialsActionsType
│    │    │ ├  - documentation: The compromised credentials actions type.
│    │    │ │  + documentation: Settings for user pool actions when Amazon Cognito detects compromised credentials with advanced security features in full-function `ENFORCED` mode.
│    │    │ │  This data type is a request parameter of [SetRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html) and a response parameter of [DescribeRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html) .
│    │    │ └ properties
│    │    │    └ EventAction: (documentation changed)
│    │    ├[~] type CompromisedCredentialsRiskConfigurationType
│    │    │ ├  - documentation: The compromised credentials risk configuration type.
│    │    │ │  + documentation: Settings for compromised-credentials actions and authentication-event sources with advanced security features in full-function `ENFORCED` mode.
│    │    │ │  This data type is a request parameter of [SetRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html) and a response parameter of [DescribeRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html) .
│    │    │ └ properties
│    │    │    ├ Actions: (documentation changed)
│    │    │    └ EventFilter: (documentation changed)
│    │    ├[~] type NotifyConfigurationType
│    │    │ ├  - documentation: The notify configuration type.
│    │    │ │  + documentation: The configuration for Amazon SES email messages that advanced security features sends to a user when your adaptive authentication automated response has a *Notify* action.
│    │    │ │  This data type is a request parameter of [SetRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html) and a response parameter of [DescribeRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html) .
│    │    │ └ properties
│    │    │    ├ BlockEmail: (documentation changed)
│    │    │    ├ From: (documentation changed)
│    │    │    ├ MfaEmail: (documentation changed)
│    │    │    ├ NoActionEmail: (documentation changed)
│    │    │    └ ReplyTo: (documentation changed)
│    │    ├[~] type NotifyEmailType
│    │    │ ├  - documentation: The notify email type.
│    │    │ │  + documentation: The template for email messages that advanced security features sends to a user when your threat protection automated response has a *Notify* action.
│    │    │ │  This data type is a request parameter of [SetRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html) and a response parameter of [DescribeRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html) .
│    │    │ └ properties
│    │    │    ├ HtmlBody: (documentation changed)
│    │    │    ├ Subject: (documentation changed)
│    │    │    └ TextBody: (documentation changed)
│    │    └[~] type RiskExceptionConfigurationType
│    │      ├  - documentation: The type of the configuration to override the risk decision.
│    │      │  + documentation: Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges.
│    │      │  This data type is a request parameter of [SetRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html) and a response parameter of [DescribeRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html) .
│    │      └ properties
│    │         ├ BlockedIPRangeList: (documentation changed)
│    │         └ SkippedIPRangeList: (documentation changed)
│    └[~] resource AWS::Cognito::UserPoolUser
│      └ types
│         └[~] type AttributeType
│           └  - documentation: Specifies whether the attribute is standard or custom.
│              + documentation: The name and value of a user attribute.
│              This data type is a request parameter of [AdminUpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html) and [UpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html) .
├[~] service aws-connect
│ └ resources
│    ├[+] resource AWS::Connect::AgentStatus
│    │ ├  name: AgentStatus
│    │ │  cloudFormationType: AWS::Connect::AgentStatus
│    │ │  documentation: Contains information about an agent status.
│    │ │  tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│    │ ├ properties
│    │ │  ├InstanceArn: string (required)
│    │ │  ├Description: string
│    │ │  ├Name: string (required)
│    │ │  ├DisplayOrder: integer
│    │ │  ├State: string (required)
│    │ │  ├Type: string
│    │ │  ├ResetOrderNumber: boolean
│    │ │  └Tags: Array<tag>
│    │ └ attributes
│    │    ├AgentStatusArn: string
│    │    ├LastModifiedRegion: string
│    │    └LastModifiedTime: number
│    └[+] resource AWS::Connect::UserHierarchyStructure
│      ├  name: UserHierarchyStructure
│      │  cloudFormationType: AWS::Connect::UserHierarchyStructure
│      │  documentation: Contains information about a hierarchy structure.
│      ├ properties
│      │  ├InstanceArn: string (required, immutable)
│      │  └UserHierarchyStructure: UserHierarchyStructure
│      ├ attributes
│      │  └UserHierarchyStructureArn: string
│      └ types
│         ├type UserHierarchyStructure
│         │├  documentation: Contains information about a hierarchy structure.
│         ││  name: UserHierarchyStructure
│         │└ properties
│         │   ├LevelOne: LevelOne
│         │   ├LevelTwo: LevelTwo
│         │   ├LevelThree: LevelThree
│         │   ├LevelFour: LevelFour
│         │   └LevelFive: LevelFive
│         ├type LevelOne
│         │├  documentation: Information about level one.
│         ││  name: LevelOne
│         │└ properties
│         │   ├HierarchyLevelArn: string
│         │   ├HierarchyLevelId: string
│         │   └Name: string (required)
│         ├type LevelTwo
│         │├  documentation: The update for level two.
│         ││  name: LevelTwo
│         │└ properties
│         │   ├HierarchyLevelArn: string
│         │   ├HierarchyLevelId: string
│         │   └Name: string (required)
│         ├type LevelThree
│         │├  documentation: The update for level three.
│         ││  name: LevelThree
│         │└ properties
│         │   ├HierarchyLevelArn: string
│         │   ├HierarchyLevelId: string
│         │   └Name: string (required)
│         ├type LevelFour
│         │├  documentation: The update for level four.
│         ││  name: LevelFour
│         │└ properties
│         │   ├HierarchyLevelArn: string
│         │   ├HierarchyLevelId: string
│         │   └Name: string (required)
│         └type LevelFive
│          ├  documentation: The update for level five.
│          │  name: LevelFive
│          └ properties
│             ├HierarchyLevelArn: string
│             ├HierarchyLevelId: string
│             └Name: string (required)
├[~] service aws-databrew
│ └ resources
│    ├[~] resource AWS::DataBrew::Recipe
│    │ └ types
│    │    └[~] type RecipeParameters
│    │      └ properties
│    │         └ Input: - json
│    │                  + Input ⇐ json
│    └[~] resource AWS::DataBrew::Ruleset
│      └ properties
│         └ Tags: - Array<tag>
│                 + Array<tag> (immutable)
├[~] service aws-datazone
│ └ resources
│    ├[~] resource AWS::DataZone::Environment
│    │ └ properties
│    │    ├[+] EnvironmentAccountIdentifier: string (immutable)
│    │    ├[+] EnvironmentAccountRegion: string (immutable)
│    │    ├ EnvironmentProfileIdentifier: - string (required, immutable)
│    │    │                               + string (immutable)
│    │    └[+] EnvironmentRoleArn: string
│    └[+] resource AWS::DataZone::EnvironmentActions
│      ├  name: EnvironmentActions
│      │  cloudFormationType: AWS::DataZone::EnvironmentActions
│      │  documentation: The details about the specified action configured for an environment. For example, the details of the specified console links for an analytics tool that is available in this environment.
│      ├ properties
│      │  ├Description: string
│      │  ├DomainIdentifier: string (immutable)
│      │  ├EnvironmentIdentifier: string (immutable)
│      │  ├Identifier: string
│      │  ├Name: string (required)
│      │  └Parameters: AwsConsoleLinkParameters
│      ├ attributes
│      │  ├DomainId: string
│      │  ├EnvironmentId: string
│      │  └Id: string
│      └ types
│         └type AwsConsoleLinkParameters
│          ├  documentation: The parameters of the console link specified as part of the environment action.
│          │  name: AwsConsoleLinkParameters
│          └ properties
│             └Uri: string
├[~] service aws-ec2
│ └ resources
│    ├[~] resource AWS::EC2::LaunchTemplate
│    │ ├ properties
│    │ │  └ TagSpecifications: (documentation changed)
│    │ └ types
│    │    ├[~] type LaunchTemplateData
│    │    │ └ properties
│    │    │    └ TagSpecifications: (documentation changed)
│    │    ├[~] type LaunchTemplateTagSpecification
│    │    │ └  - documentation: Specifies the tags to apply to the launch template during creation.
│    │    │    `LaunchTemplateTagSpecification` is a property of [AWS::EC2::LaunchTemplate](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html) .
│    │    │    + documentation: Specifies the tags to apply to the launch template during creation.
│    │    │    To specify the tags for the resources that are created during instance launch, use [AWS::EC2::LaunchTemplate TagSpecification](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-tagspecification.html) .
│    │    │    `LaunchTemplateTagSpecification` is a property of [AWS::EC2::LaunchTemplate](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html) .
│    │    └[~] type TagSpecification
│    │      └  - documentation: Specifies the tags to apply to a resource when the resource is created for the launch template.
│    │         `TagSpecification` is a property type of [`TagSpecifications`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-tagspecifications) . [`TagSpecifications`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-tagspecifications) is a property of [AWS::EC2::LaunchTemplate LaunchTemplateData](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html) .
│    │         + documentation: Specifies the tags to apply to resources that are created during instance launch.
│    │         `TagSpecification` is a property type of [`TagSpecifications`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-tagspecifications) . [`TagSpecifications`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-tagspecifications) is a property of [AWS::EC2::LaunchTemplate LaunchTemplateData](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html) .
│    ├[~] resource AWS::EC2::VPCEndpoint
│    │ └  - documentation: Specifies a VPC endpoint. A VPC endpoint provides a private connection between your VPC and an endpoint service. You can use an endpoint service provided by AWS , an AWS Marketplace Partner, or another AWS accounts in your organization. For more information, see the [AWS PrivateLink User Guide](https://docs.aws.amazon.com/vpc/latest/privatelink/) .
│    │    An endpoint of type `Interface` establishes connections between the subnets in your VPC and an  , your own service, or a service hosted by another AWS account . With an interface VPC endpoint, you specify the subnets in which to create the endpoint and the security groups to associate with the endpoint network interfaces.
│    │    An endpoint of type `gateway` serves as a target for a route in your route table for traffic destined for Amazon S3 or DynamoDB . You can specify an endpoint policy for the endpoint, which controls access to the service from your VPC. You can also specify the VPC route tables that use the endpoint. For more information about connectivity to Amazon S3 , see [Why can't I connect to an S3 bucket using a gateway VPC endpoint?](https://docs.aws.amazon.com/premiumsupport/knowledge-center/connect-s3-vpc-endpoint)
│    │    An endpoint of type `GatewayLoadBalancer` provides private connectivity between your VPC and virtual appliances from a service provider.
│    │    + documentation: Specifies a VPC endpoint. A VPC endpoint provides a private connection between your VPC and an endpoint service. You can use an endpoint service provided by AWS , an AWS Marketplace Partner, or another AWS accounts in your organization. For more information, see the [AWS PrivateLink User Guide](https://docs.aws.amazon.com/vpc/latest/privatelink/) .
│    │    An endpoint of type `Interface` establishes connections between the subnets in your VPC and an AWS service , your own service, or a service hosted by another AWS account . With an interface VPC endpoint, you specify the subnets in which to create the endpoint and the security groups to associate with the endpoint network interfaces.
│    │    An endpoint of type `gateway` serves as a target for a route in your route table for traffic destined for Amazon S3 or DynamoDB . You can specify an endpoint policy for the endpoint, which controls access to the service from your VPC. You can also specify the VPC route tables that use the endpoint. For more information about connectivity to Amazon S3 , see [Why can't I connect to an S3 bucket using a gateway VPC endpoint?](https://docs.aws.amazon.com/premiumsupport/knowledge-center/connect-s3-vpc-endpoint)
│    │    An endpoint of type `GatewayLoadBalancer` provides private connectivity between your VPC and virtual appliances from a service provider.
│    └[~] resource AWS::EC2::VPNConnection
│      └ properties
│         ├ LocalIpv4NetworkCidr: (documentation changed)
│         ├ LocalIpv6NetworkCidr: (documentation changed)
│         ├ OutsideIpAddressType: (documentation changed)
│         ├ RemoteIpv4NetworkCidr: (documentation changed)
│         ├ RemoteIpv6NetworkCidr: (documentation changed)
│         ├ TransportTransitGatewayAttachmentId: (documentation changed)
│         └ TunnelInsideIpVersion: (documentation changed)
├[~] service aws-ecr
│ └ resources
│    ├[~] resource AWS::ECR::Repository
│    │ └ types
│    │    └[~] type EncryptionConfiguration
│    │      └ properties
│    │         └ EncryptionType: (documentation changed)
│    └[~] resource AWS::ECR::RepositoryCreationTemplate
│      └ types
│         └[~] type EncryptionConfiguration
│           └ properties
│              └ EncryptionType: (documentation changed)
├[~] service aws-ecs
│ └ resources
│    └[~] resource AWS::ECS::TaskDefinition
│      └ types
│         ├[~] type ContainerDefinition
│         │ └ properties
│         │    ├ EntryPoint: (documentation changed)
│         │    ├ Hostname: (documentation changed)
│         │    ├ Name: (documentation changed)
│         │    ├ PseudoTerminal: (documentation changed)
│         │    ├ StopTimeout: (documentation changed)
│         │    ├ SystemControls: (documentation changed)
│         │    └ VolumesFrom: (documentation changed)
│         ├[~] type HealthCheck
│         │ └ properties
│         │    └ Command: (documentation changed)
│         ├[~] type LinuxParameters
│         │ └ properties
│         │    └ Devices: (documentation changed)
│         └[~] type SystemControl
│           └  - documentation: A list of namespaced kernel parameters to set in the container. This parameter maps to `Sysctls` in tthe docker container create command and the `--sysctl` option to docker run. For example, you can configure `net.ipv4.tcp_keepalive_time` setting to maintain longer lived connections.
│              We don't recommend that you specify network-related `systemControls` parameters for multiple containers in a single task that also uses either the `awsvpc` or `host` network mode. Doing this has the following disadvantages:
│              - For tasks that use the `awsvpc` network mode including Fargate, if you set `systemControls` for any container, it applies to all containers in the task. If you set different `systemControls` for multiple containers in a single task, the container that's started last determines which `systemControls` take effect.
│              - For tasks that use the `host` network mode, the network namespace `systemControls` aren't supported.
│              If you're setting an IPC resource namespace to use for the containers in the task, the following conditions apply to your system controls. For more information, see [IPC mode](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_definition_ipcmode) .
│              - For tasks that use the `host` IPC mode, IPC namespace `systemControls` aren't supported.
│              - For tasks that use the `task` IPC mode, IPC namespace `systemControls` values apply to all containers within a task.
│              > This parameter is not supported for Windows containers. > This parameter is only supported for tasks that are hosted on AWS Fargate if the tasks are using platform version `1.4.0` or later (Linux). This isn't supported for Windows containers on Fargate.
│              + documentation: A list of namespaced kernel parameters to set in the container. This parameter maps to `Sysctls` in the docker container create command and the `--sysctl` option to docker run. For example, you can configure `net.ipv4.tcp_keepalive_time` setting to maintain longer lived connections.
│              We don't recommend that you specify network-related `systemControls` parameters for multiple containers in a single task that also uses either the `awsvpc` or `host` network mode. Doing this has the following disadvantages:
│              - For tasks that use the `awsvpc` network mode including Fargate, if you set `systemControls` for any container, it applies to all containers in the task. If you set different `systemControls` for multiple containers in a single task, the container that's started last determines which `systemControls` take effect.
│              - For tasks that use the `host` network mode, the network namespace `systemControls` aren't supported.
│              If you're setting an IPC resource namespace to use for the containers in the task, the following conditions apply to your system controls. For more information, see [IPC mode](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_definition_ipcmode) .
│              - For tasks that use the `host` IPC mode, IPC namespace `systemControls` aren't supported.
│              - For tasks that use the `task` IPC mode, IPC namespace `systemControls` values apply to all containers within a task.
│              > This parameter is not supported for Windows containers. > This parameter is only supported for tasks that are hosted on AWS Fargate if the tasks are using platform version `1.4.0` or later (Linux). This isn't supported for Windows containers on Fargate.
├[~] service aws-elasticloadbalancingv2
│ └ resources
│    └[~] resource AWS::ElasticLoadBalancingV2::Listener
│      ├ properties
│      │  └[+] ListenerAttributes: Array<ListenerAttribute>
│      └ types
│         └[+] type ListenerAttribute
│           ├  documentation: Information about a listener attribute.
│           │  name: ListenerAttribute
│           └ properties
│              ├Value: string
│              └Key: string
├[~] service aws-emr
│ └ resources
│    ├[~] resource AWS::EMR::Cluster
│    │ └ types
│    │    └[~] type InstanceFleetProvisioningSpecifications
│    │      └ properties
│    │         ├ OnDemandSpecification: (documentation changed)
│    │         └ SpotSpecification: (documentation changed)
│    └[~] resource AWS::EMR::InstanceFleetConfig
│      └ types
│         └[~] type InstanceFleetProvisioningSpecifications
│           └ properties
│              ├ OnDemandSpecification: (documentation changed)
│              └ SpotSpecification: (documentation changed)
├[~] service aws-events
│ └ resources
│    └[~] resource AWS::Events::Connection
│      ├ properties
│      │  └ AuthParameters: - AuthParameters
│      │                    + AuthParameters (required)
│      └ types
│         └[~] type Parameter
│           └ properties
│              └ IsValueSecret: - boolean
│                               + boolean (default=true)
├[~] service aws-fms
│ └ resources
│    └[~] resource AWS::FMS::Policy
│      └ types
│         ├[+] type NetworkAclCommonPolicy
│         │ └  documentation: Defines a Firewall Manager network ACL policy. This is used in the `PolicyOption` of a `SecurityServicePolicyData` for a `Policy` , when the `SecurityServicePolicyData` type is set to `NETWORK_ACL_COMMON` .
│         │    For information about network ACLs, see [Control traffic to subnets using network ACLs](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html) in the *Amazon Virtual Private Cloud User Guide* .
│         │    name: NetworkAclCommonPolicy
│         └[~] type PolicyOption
│           └ properties
│              └[+] NetworkAclCommonPolicy: NetworkAclCommonPolicy
├[~] service aws-fsx
│ └ resources
│    └[~] resource AWS::FSx::DataRepositoryAssociation
│      └ properties
│         └ DataRepositoryPath: (documentation changed)
├[~] service aws-gamelift
│ └ resources
│    ├[~] resource AWS::GameLift::ContainerGroupDefinition
│    │ ├  - documentation: *This data type is currently not available. It is under improvement as we respond to customer feedback from the Containers public preview.*
│    │ │  The properties that describe a container group resource. Container group definition properties can't be updated. To change a property, create a new container group definition.
│    │ │  *Used with:* `CreateContainerGroupDefinition`
│    │ │  *Returned by:* `DescribeContainerGroupDefinition` , `ListContainerGroupDefinitions`
│    │ │  + documentation: *This data type is used with the Amazon GameLift containers feature, which is currently in public preview.*
│    │ │  The properties that describe a container group resource. Container group definition properties can't be updated. To change a property, create a new container group definition.
│    │ │  *Used with:* `CreateContainerGroupDefinition`
│    │ │  *Returned by:* `DescribeContainerGroupDefinition` , `ListContainerGroupDefinitions`
│    │ ├ properties
│    │ │  ├ TotalCpuLimit: (documentation changed)
│    │ │  └ TotalMemoryLimit: (documentation changed)
│    │ └ …
… log configured (under feature flag) (#31475)

### Issue # (if applicable)

Closes #31397

### Reason for this change

If a FargateService or EC2 Service has `enableExecuteCommand: true` and the ECS cluster it runs on has `executeCommandConfiguration.logging` set to anything but `ecs.ExecuteCommandLogging.NONE`, then the CDK automatically grants the underlying TaskDefinition overly broad CloudWatch Logs permissions regardless of need, even if the logging configuration has no CloudWatch Logs config set.

This is not the right behaviour, as these permissions are not needed.

### Description of changes

Add a feature flag; if the feature flag is on and a CloudWatch log is configured, reduce the permissions.

### Description of how you validated changes

New unit tests, integration tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@aws-cdk-automation aws-cdk-automation added auto-approve pr/no-squash This PR should be merged instead of squash-merging it labels Sep 18, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team September 18, 2024 20:50
@github-actions github-actions bot added the p2 label Sep 18, 2024
@aws-cdk-automation

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 7ecfae4
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository


mergify bot commented Sep 18, 2024

Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit d77a1b2 into v2-release Sep 18, 2024
27 of 29 checks passed
@mergify mergify bot deleted the bump/2.159.0 branch September 18, 2024 21:20

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 18, 2024