chore(release): 2.163.0 #31838

Merged
merged 47 commits into from
Oct 21, 2024

@aws-cdk-automation aws-cdk-automation commented Oct 21, 2024

See CHANGELOG

mazyu36 and others added 30 commits October 10, 2024 19:04
…STOM (#30395)

### Issue # (if applicable)

N/A

### Reason for this change
`MARKETPLACE` and `CUSTOM` are not supported in the current L2 Construct. (`SFTP` is also missing, but it is not supported at the moment.)

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-glue-connection-connectioninput.html#cfn-glue-connection-connectioninput-connectiontype



### Description of changes
Add missing connection types.



### Description of how you validated changes
I determined that no testing was needed since this was only an addition of connection types.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

Closes #31717 

### Reason for this change

It should be in sync with the description as mentioned here: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_codebuild.LinuxArmBuildImage.html



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

Closes #30206.

### Reason for this change

AWS FSx for Lustre file systems support the HDD storage type, and the LustreFileSystem construct cannot configure it.

### Description of changes

- Add `storageType` for `fsx.FileSystemProps`
  - For future expansion, `storageType` is added not to `LustreFileSystemProps` but to `FileSystemProps` because HDD storage is also supported by Windows file systems.
- Update the validation of the props below to address the HDD storage type.
  - `LustreConfiguration.perUnitStorageThroughput`
  - `FileSystemProps.storageCapacityGiB`

### Description of how you validated changes

Added both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

I believe this is necessary as CDK requires git-lfs now.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

In #31597 we changed `cdk diff` to always use the file asset publishing role, instead of direct CLI credentials. This included a refactor that impacted `cdk import`, which was now not uploading the stack template at all anymore. The operation that is now broken only happens in a case with interactive input, which is why this wasn't caught by integ tests.

In this change, put the requisite asset-handling code around `makeBodyParameter` to make the asset uploading happen properly.

In future PRs:

- Add an integration test for `cdk import` which would have exposed the same error.
- Refactor the contract of `makeBodyParameter`, and perhaps more around asset uploading, to make the expectations and promises of that function more clear; right now it was not obvious what the function would and wouldn't do for you, which led to this error.

I did some refactorings in this PR already (renames, removing an unused argument). I saw an opportunity for more but didn't want to add risk and delay to this patch. Hence, forthcoming 😄 .

Closes #31716.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…31648)

### Issue # (if applicable)

N/A

### Reason for this change
Currently, the ACU limit is 128 on CDK, but it now supports up to 256.

Ref: [Amazon Aurora Serverless v2 now supports up to 256 ACUs](https://aws.amazon.com/about-aws/whats-new/2024/10/amazon-aurora-serverless-v2-256-acus/)



### Description of changes
Modify the ACU limit for serverless v2 from 128 to 256.



### Description of how you validated changes
Modify unit tests and add an integ test.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…30611)

### Issue # (if applicable)

Closes #8517 

### Reason for this change

NLB supports the TLS protocol in listeners and target groups.
This change provides feature parity in ECS patterns, allowing customers to enhance security with encrypted traffic between the NLB and services.

### Description of changes

- Add `listenerCertificate` to `NetworkLoadBalancedServiceBaseProps`, default value is `none`
- Change the default value of `listenerPort` and `taskImageOptions.containerPort` to 443, if `listenerCertificate` is provided.

### Description of how you validated changes

- Added both unit test and integration test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

Closes #29409.

### Reason for this change

- For `DistributedMap` state of StepFunctions, `IItemReader` currently only allows S3 bucket as input source to be declared statically in CDK.
- In other words, current CDK implementation only caters to static use-case where we know either `bucket` or `bucketName` (from which we can create `IBucket`) and pass it to `IItemReader`.
- Whereas via AWS management console, if we create `DistributedMap` manually, then we can also convey S3 source dynamically using State Input / JsonPath.
- In other words, for dynamic use-case, we will neither have `bucket` nor `bucketName` i.e. we only know state input variable which will convey `bucketName` e.g. `$.bucketName`.
- So, if we want to use `IItemReader` for dynamic use case also, then, to avoid making breaking change (e.g. changing type of `bucket` from `IBucket` to `string`), we will:
  - (1) need to make `bucket: IBucket` an optional prop in `ItemReaderProps` (refer [Making properties optional](https://github.com/aws/jsii/blob/main/packages/jsii-diff/BREAKING_CHANGES.md#making-properties-optional))
  - (2) and add another optional field `bucketNamePath: string` to convey state input variable name (e.g. $.bucketName)

### Description of changes

- Add `bucketNamePath` as optional prop in `ItemReaderProps`.
- Make `bucket` an optional prop instead of required prop in `ItemReaderProps`.
- Adapt implementing classes of `IItemReader` to handle `bucket` being optional (refer [Making properties optional](https://github.com/aws/jsii/blob/main/packages/jsii-diff/BREAKING_CHANGES.md#making-properties-optional)).
- Add `validateItemReader` in `IItemReader` which implementing classes will implement to handle mutual exclusivity of `bucket` and `bucketNamePath`.
- Modify `DistributedMap:validateState` to validate `IItemReader` if present.
- Modify README to explain and add examples relevant to changes.
- Add new unit-tests for `DistributedMap`.
- Add new integration tests to validate deployment and expected result.

### Description of how you validated changes

- Build changes: `cd ./packages/aws-cdk-lib/ && yarn build aws-stepfunctions && yarn watch`
- Add and run new unit-tests for `DistributedMap`: `yarn test aws-stepfunctions/test`
- Run `yarn rosetta:extract -d aws-stepfunctions -v` to confirm validity of README changes
- Add new integration test and run (with snapshot created):
  - Build once and watch: `npx lerna run build --scope=@aws-cdk-testing/framework-integ && yarn watch`
  - Test: `yarn build --directory test/aws-stepfunctions/test && yarn integ test/aws-stepfunctions/test/integ.item-reader-path-s3-object.js --update-on-failed`
  - Verified expected step function execution result during snapshot creation

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…to 3.0.0 (#31748)

Bumps [thollander/actions-comment-pull-request](https://github.com/thollander/actions-comment-pull-request) from 2.5.0 to 3.0.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/thollander/actions-comment-pull-request/releases">thollander/actions-comment-pull-request's releases</a>.</em></p>
<blockquote>
<h2>v3.0.0</h2>
<h2>What's Changed</h2>
<ul>
<li>chore(deps-dev): bump typescript from 5.2.2 to 5.3.3 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/thollander/actions-comment-pull-request/pull/326">thollander/actions-comment-pull-request#326</a></li>
<li>chore(deps-dev): bump prettier from 3.0.3 to 3.2.5 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/thollander/actions-comment-pull-request/pull/350">thollander/actions-comment-pull-request#350</a></li>
<li>chore(deps-dev): bump <code>@​tsconfig/node20</code> from 20.1.2 to 20.1.4 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/thollander/actions-comment-pull-request/pull/367">thollander/actions-comment-pull-request#367</a></li>
<li>chore(deps-dev): bump typescript from 5.3.3 to 5.6.3 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/thollander/actions-comment-pull-request/pull/390">thollander/actions-comment-pull-request#390</a></li>
<li>chore(deps-dev): bump <code>@​types/node</code> from 20.8.7 to 22.7.5 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/thollander/actions-comment-pull-request/pull/389">thollander/actions-comment-pull-request#389</a></li>
<li>feat: manage delete modes in a better way + consistent input naming by <a href="https://github.com/thollander"><code>@​thollander</code></a> in <a href="https://redirect.github.com/thollander/actions-comment-pull-request/pull/391">thollander/actions-comment-pull-request#391</a></li>
</ul>
<h2>Breaking changes</h2>
<h3>Parameters</h3>
<ul>
<li>From <code>filePath</code> to <code>file-path</code></li>
<li>From <code>GITHUB_TOKEN</code> to <code>github-token</code></li>
<li>From <code>pr_number</code> to <code>pr-number</code></li>
<li>From <code>comment_tag</code> to <code>comment-tag</code></li>
<li>From <code>create_if_not_exists</code> to <code>create-if-not-exists</code></li>
</ul>
<h3>Mode</h3>
<p><code>delete</code> now deletes a comment immediately. To delete the comment at the end of the job, use <code>delete-on-completion</code> mode.</p>
<p><strong>Full Changelog</strong>: <a href="https://github.com/thollander/actions-comment-pull-request/compare/v2...v3.0.0">https://github.com/thollander/actions-comment-pull-request/compare/v2...v3.0.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/thollander/actions-comment-pull-request/commit/e2c37e53a7d2227b61585343765f73a9ca57eda9"><code>e2c37e5</code></a> Merge pull request <a href="https://redirect.github.com/thollander/actions-comment-pull-request/issues/391">#391</a> from thollander/v3</li>
<li><a href="https://github.com/thollander/actions-comment-pull-request/commit/65f9e5c9a1f2cd378bd74b2e057c9736982a8e74"><code>65f9e5c</code></a> docs: add migration guide</li>
<li><a href="https://github.com/thollander/actions-comment-pull-request/commit/107ab45b779fd2e067ae8280372c847b18cd4b12"><code>107ab45</code></a> feat: manage delete modes in a better way</li>
<li><a href="https://github.com/thollander/actions-comment-pull-request/commit/ce644a4ba466eb7e94ddef442fbaf2ac1ae7af35"><code>ce644a4</code></a> chore(deps-dev): bump <code>@​types/node</code> from 20.8.7 to 22.7.5 (<a href="https://redirect.github.com/thollander/actions-comment-pull-request/issues/389">#389</a>)</li>
<li><a href="https://github.com/thollander/actions-comment-pull-request/commit/52f13cbcc809c634d886a0c6b129031dc7961f8e"><code>52f13cb</code></a> chore(deps-dev): bump typescript from 5.3.3 to 5.6.3 (<a href="https://redirect.github.com/thollander/actions-comment-pull-request/issues/390">#390</a>)</li>
<li><a href="https://github.com/thollander/actions-comment-pull-request/commit/77f7e428bd96191a58dcf8320c70ef69e1850658"><code>77f7e42</code></a> chore(deps-dev): bump <code>@​tsconfig/node20</code> from 20.1.2 to 20.1.4 (<a href="https://redirect.github.com/thollander/actions-comment-pull-request/issues/367">#367</a>)</li>
<li><a href="https://github.com/thollander/actions-comment-pull-request/commit/e5dae98d09bd6c013ca3f3eb1cf16d7f167922a9"><code>e5dae98</code></a> chore(deps-dev): bump prettier from 3.0.3 to 3.2.5 (<a href="https://redirect.github.com/thollander/actions-comment-pull-request/issues/350">#350</a>)</li>
<li><a href="https://github.com/thollander/actions-comment-pull-request/commit/bc14ce351a6a25022a490f2be0570c700083a7fe"><code>bc14ce3</code></a> chore(deps-dev): bump typescript from 5.2.2 to 5.3.3 (<a href="https://redirect.github.com/thollander/actions-comment-pull-request/issues/326">#326</a>)</li>
<li>See full diff in <a href="https://github.com/thollander/actions-comment-pull-request/compare/fabd468d3a1a0b97feee5f6b9e499eab0dd903f6...e2c37e53a7d2227b61585343765f73a9ca57eda9">compare view</a></li>
</ul>
</details>
<br />


Not sure how this is not causing a compilation error at CDK build time, but it's a red underline in my IDE and a compilation error in the new CLI repo.

Fixing it.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[~] service aws-b2bi
│ └ resources
│    ├[~] resource AWS::B2BI::Capability
│    │ └ types
│    │    └[~] type EdiConfiguration
│    │      └ properties
│    │         └ CapabilityDirection: (documentation changed)
│    ├[~] resource AWS::B2BI::Partnership
│    │ ├ properties
│    │ │  └ CapabilityOptions: (documentation changed)
│    │ └ types
│    │    ├[~] type CapabilityOptions
│    │    │ ├  - documentation: undefined
│    │    │ │  + documentation: Contains the details for an Outbound EDI capability.
│    │    │ └ properties
│    │    │    └ OutboundEdi: (documentation changed)
│    │    ├[~] type OutboundEdiOptions
│    │    │ ├  - documentation: undefined
│    │    │ │  + documentation: A container for outbound EDI options.
│    │    │ └ properties
│    │    │    └ X12: (documentation changed)
│    │    ├[~] type X12Envelope
│    │    │ ├  - documentation: undefined
│    │    │ │  + documentation: A wrapper structure for an X12 definition object.
│    │    │ │  the X12 envelope ensures the integrity of the data and the efficiency of the information exchange. The X12 message structure has hierarchical levels. From highest to the lowest, they are:
│    │    │ │  - Interchange Envelope
│    │    │ │  - Functional Group
│    │    │ │  - Transaction Set
│    │    │ └ properties
│    │    │    └ Common: (documentation changed)
│    │    └[~] type X12OutboundEdiHeaders
│    │      ├  - documentation: undefined
│    │      │  + documentation: A structure containing the details for an outbound EDI object.
│    │      └ properties
│    │         ├ Delimiters: (documentation changed)
│    │         ├ FunctionalGroupHeaders: (documentation changed)
│    │         ├ InterchangeControlHeaders: (documentation changed)
│    │         └ ValidateEdi: (documentation changed)
│    └[~] resource AWS::B2BI::Transformer
│      └ properties
│         ├ EdiType: (documentation changed)
│         ├ FileFormat: (documentation changed)
│         ├ InputConversion: (documentation changed)
│         ├ Mapping: (documentation changed)
│         ├ MappingTemplate: (documentation changed)
│         ├ OutputConversion: (documentation changed)
│         ├ SampleDocument: (documentation changed)
│         └ SampleDocuments: (documentation changed)
├[~] service aws-cloudformation
│ └ resources
│    ├[~] resource AWS::CloudFormation::ModuleVersion
│    │ └ attributes
│    │    └ Schema: (documentation changed)
│    ├[~] resource AWS::CloudFormation::Publisher
│    │ └ properties
│    │    └ ConnectionArn: (documentation changed)
│    └[~] resource AWS::CloudFormation::TypeActivation
│      └  - documentation: Activates a public third-party extension, making it available for use in stack templates. For more information, see [Using public extensions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry-public.html) in the *AWS CloudFormation User Guide* .
│         Once you have activated a public third-party extension in your account and Region, use [SetTypeConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_SetTypeConfiguration.html) to specify configuration properties for the extension. For more information, see [Configuring extensions at the account level](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry-private.html#registry-set-configuration) in the *AWS CloudFormation User Guide* .
│         + documentation: Activates a public third-party extension, making it available for use in stack templates. Once you have activated a public third-party extension in your account and Region, use [SetTypeConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_SetTypeConfiguration.html) to specify configuration properties for the extension. For more information, see [Using public extensions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry-public.html) in the *AWS CloudFormation User Guide* .
├[~] service aws-docdb
│ └ resources
│    ├[~] resource AWS::DocDB::DBCluster
│    │ └ properties
│    │    ├ CopyTagsToSnapshot: (documentation changed)
│    │    ├ EngineVersion: (documentation changed)
│    │    └ StorageEncrypted: (documentation changed)
│    └[~] resource AWS::DocDB::DBInstance
│      └ properties
│         └ CACertificateIdentifier: (documentation changed)
├[~] service aws-ecs
│ └ resources
│    └[~] resource AWS::ECS::TaskSet
│      ├ properties
│      │  └[+] CapacityProviderStrategy: Array<CapacityProviderStrategyItem> (immutable)
│      └ types
│         └[+] type CapacityProviderStrategyItem
│           ├  name: CapacityProviderStrategyItem
│           └ properties
│              ├CapacityProvider: string
│              ├Base: integer
│              └Weight: integer
├[~] service aws-elasticache
│ └ resources
│    ├[~] resource AWS::ElastiCache::CacheCluster
│    │ ├ properties
│    │ │  ├ AutoMinorVersionUpgrade: (documentation changed)
│    │ │  ├ CacheNodeType: (documentation changed)
│    │ │  ├ EngineVersion: (documentation changed)
│    │ │  ├ IpDiscovery: (documentation changed)
│    │ │  ├ NetworkType: (documentation changed)
│    │ │  ├ SnapshotArns: (documentation changed)
│    │ │  └ SnapshotName: (documentation changed)
│    │ └ attributes
│    │    ├ ConfigurationEndpoint.Address: (documentation changed)
│    │    ├ ConfigurationEndpoint.Port: (documentation changed)
│    │    ├ RedisEndpoint.Address: (documentation changed)
│    │    └ RedisEndpoint.Port: (documentation changed)
│    ├[~] resource AWS::ElastiCache::GlobalReplicationGroup
│    │ ├ properties
│    │ │  ├ AutomaticFailoverEnabled: (documentation changed)
│    │ │  └ EngineVersion: (documentation changed)
│    │ └ types
│    │    └[~] type ReshardingConfiguration
│    │      └ properties
│    │         └ NodeGroupId: (documentation changed)
│    ├[~] resource AWS::ElastiCache::ReplicationGroup
│    │ ├  - documentation: The `AWS::ElastiCache::ReplicationGroup` resource creates an Amazon ElastiCache (Redis OSS) replication group. A Redis OSS (cluster mode disabled) replication group is a collection of cache clusters, where one of the clusters is a primary read-write cluster and the others are read-only replicas.
│    │ │  A Redis OSS (cluster mode enabled) cluster is comprised of from 1 to 90 shards (API/CLI: node groups). Each shard has a primary node and up to 5 read-only replica nodes. The configuration can range from 90 shards and 0 replicas to 15 shards and 5 replicas, which is the maximum number or replicas allowed.
│    │ │  The node or shard limit can be increased to a maximum of 500 per cluster if the Redis OSS engine version is 5.0.6 or higher. For example, you can choose to configure a 500 node cluster that ranges between 83 shards (one primary and 5 replicas per shard) and 500 shards (single primary and no replicas). Make sure there are enough available IP addresses to accommodate the increase. Common pitfalls include the subnets in the subnet group have too small a CIDR range or the subnets are shared and heavily used by other clusters. For more information, see [Creating a Subnet Group](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/SubnetGroups.Creating.html) . For versions below 5.0.6, the limit is 250 per cluster.
│    │ │  To request a limit increase, see [Amazon Service Limits](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) and choose the limit type *Nodes per cluster per instance type* .
│    │ │  + documentation: The `AWS::ElastiCache::ReplicationGroup` resource creates an Amazon ElastiCache (Valkey or Redis OSS) replication group. A Valkey or Redis OSS (cluster mode disabled) replication group is a collection of cache clusters, where one of the clusters is a primary read-write cluster and the others are read-only replicas.
│    │ │  A Valkey or Redis OSS (cluster mode enabled) cluster is comprised of from 1 to 90 shards (API/CLI: node groups). Each shard has a primary node and up to 5 read-only replica nodes. The configuration can range from 90 shards and 0 replicas to 15 shards and 5 replicas, which is the maximum number or replicas allowed.
│    │ │  The node or shard limit can be increased to a maximum of 500 per cluster if the engine version is Valkey 7.2 or higher, or Redis OSS 5.0.6 or higher. For example, you can choose to configure a 500 node cluster that ranges between 83 shards (one primary and 5 replicas per shard) and 500 shards (single primary and no replicas). Make sure there are enough available IP addresses to accommodate the increase. Common pitfalls include the subnets in the subnet group have too small a CIDR range or the subnets are shared and heavily used by other clusters. For more information, see [Creating a Subnet Group](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/SubnetGroups.Creating.html) . For versions below 5.0.6, the limit is 250 per cluster.
│    │ │  To request a limit increase, see [Amazon Service Limits](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) and choose the limit type *Nodes per cluster per instance type* .
│    │ ├ properties
│    │ │  ├ AuthToken: (documentation changed)
│    │ │  ├ AutomaticFailoverEnabled: (documentation changed)
│    │ │  ├ AutoMinorVersionUpgrade: (documentation changed)
│    │ │  ├ CacheNodeType: (documentation changed)
│    │ │  ├ CacheParameterGroupName: (documentation changed)
│    │ │  ├ ClusterMode: (documentation changed)
│    │ │  ├ DataTieringEnabled: (documentation changed)
│    │ │  ├ EngineVersion: (documentation changed)
│    │ │  ├ IpDiscovery: (documentation changed)
│    │ │  ├ MultiAZEnabled: (documentation changed)
│    │ │  ├ NetworkType: (documentation changed)
│    │ │  ├ NodeGroupConfiguration: (documentation changed)
│    │ │  ├ NumNodeGroups: (documentation changed)
│    │ │  ├ SnapshotArns: (documentation changed)
│    │ │  ├ SnapshottingClusterId: (documentation changed)
│    │ │  └ TransitEncryptionMode: (documentation changed)
│    │ ├ attributes
│    │ │  └ ConfigurationEndPoint.Address: (documentation changed)
│    │ └ types
│    │    └[~] type NodeGroupConfiguration
│    │      ├  - documentation: `NodeGroupConfiguration` is a property of the `AWS::ElastiCache::ReplicationGroup` resource that configures an Amazon ElastiCache (ElastiCache) Redis OSS cluster node group.
│    │      │  + documentation: `NodeGroupConfiguration` is a property of the `AWS::ElastiCache::ReplicationGroup` resource that configures an Amazon ElastiCache (ElastiCache) Valkey or Redis OSS cluster node group.
│    │      └ properties
│    │         └ NodeGroupId: (documentation changed)
│    ├[~] resource AWS::ElastiCache::SecurityGroup
│    │ └  - documentation: The `AWS::ElastiCache::SecurityGroup` resource creates a cache security group. For more information about cache security groups, go to [CacheSecurityGroups](https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/VPCs.html) in the *Amazon ElastiCache User Guide* or go to [CreateCacheSecurityGroup](https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html) in the *Amazon ElastiCache API Reference Guide* .
│    │    For more information, see [CreateCacheSubnetGroup](https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSubnetGroup.html) .
│    │    + documentation: The `AWS::ElastiCache::SecurityGroup` resource creates a cache security group. For more information about cache security groups, go to [CacheSecurityGroups](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/VPCs.html) in the *Amazon ElastiCache User Guide* or go to [CreateCacheSecurityGroup](https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html) in the *Amazon ElastiCache API Reference Guide* .
│    │    For more information, see [CreateCacheSubnetGroup](https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSubnetGroup.html) .
│    ├[~] resource AWS::ElastiCache::ServerlessCache
│    │ └ properties
│    │    ├ DailySnapshotTime: (documentation changed)
│    │    ├ SnapshotRetentionLimit: (documentation changed)
│    │    └ UserGroupId: (documentation changed)
│    ├[~] resource AWS::ElastiCache::User
│    │ └  - documentation: For Redis OSS engine version 6.0 onwards: Creates a Redis OSS user. For more information, see [Using Role Based Access Control (RBAC)](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.RBAC.html) .
│    │    + documentation: For Valkey 7.2 and onwards, or Redis OSS engine version 6.0 and onwards: Creates user. For more information, see [Using Role Based Access Control (RBAC)](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/Clusters.RBAC.html) .
│    └[~] resource AWS::ElastiCache::UserGroup
│      ├  - documentation: For Redis OSS engine version 6.0 onwards: Creates a Redis user group. For more information, see [Using Role Based Access Control (RBAC)](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.RBAC.html)
│      │  + documentation: For Valkey 7.2 and onwards, or Redis OSS 6.0 and onwards: Creates a user group. For more information, see [Using Role Based Access Control (RBAC)](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/Clusters.RBAC.html)
│      └ properties
│         └ Engine: (documentation changed)
├[~] service aws-emr
│ └ resources
│    ├[~] resource AWS::EMR::Cluster
│    │ └ types
│    │    ├[~] type InstanceFleetConfig
│    │    │ └ properties
│    │    │    └ ResizeSpecifications: (documentation changed)
│    │    ├[~] type InstanceFleetResizingSpecifications
│    │    │ ├  - documentation: undefined
│    │    │ │  + documentation: The resize specification for On-Demand and Spot Instances in the fleet.
│    │    │ └ properties
│    │    │    ├ OnDemandResizeSpecification: (documentation changed)
│    │    │    └ SpotResizeSpecification: (documentation changed)
│    │    ├[~] type InstanceTypeConfig
│    │    │ └ properties
│    │    │    └ Priority: (documentation changed)
│    │    ├[~] type OnDemandCapacityReservationOptions
│    │    │ ├  - documentation: undefined
│    │    │ │  + documentation: Describes the strategy for using unused Capacity Reservations for fulfilling On-Demand capacity.
│    │    │ └ properties
│    │    │    ├ CapacityReservationPreference: (documentation changed)
│    │    │    ├ CapacityReservationResourceGroupArn: (documentation changed)
│    │    │    └ UsageStrategy: (documentation changed)
│    │    ├[~] type OnDemandProvisioningSpecification
│    │    │ └ properties
│    │    │    └ CapacityReservationOptions: (documentation changed)
│    │    ├[~] type OnDemandResizingSpecification
│    │    │ ├  - documentation: undefined
│    │    │ │  + documentation: The resize specification for On-Demand Instances in the instance fleet, which contains the resize timeout period.
│    │    │ └ properties
│    │    │    ├ AllocationStrategy: (documentation changed)
│    │    │    └ TimeoutDurationMinutes: (documentation changed)
│    │    └[~] type SpotResizingSpecification
│    │      ├  - documentation: undefined
│    │      │  + documentation: The resize specification for Spot Instances in the instance fleet, which contains the resize timeout period.
│    │      └ properties
│    │         ├ AllocationStrategy: (documentation changed)
│    │         └ TimeoutDurationMinutes: (documentation changed)
│    └[~] resource AWS::EMR::InstanceFleetConfig
│      ├ properties
│      │  └ ResizeSpecifications: (documentation changed)
│      └ types
│         ├[~] type InstanceFleetResizingSpecifications
│         │ ├  - documentation: undefined
│         │ │  + documentation: The resize specification for On-Demand and Spot Instances in the fleet.
│         │ └ properties
│         │    ├ OnDemandResizeSpecification: (documentation changed)
│         │    └ SpotResizeSpecification: (documentation changed)
│         ├[~] type InstanceTypeConfig
│         │ └ properties
│         │    └ Priority: (documentation changed)
│         ├[~] type OnDemandCapacityReservationOptions
│         │ ├  - documentation: undefined
│         │ │  + documentation: Describes the strategy for using unused Capacity Reservations for fulfilling On-Demand capacity.
│         │ └ properties
│         │    ├ CapacityReservationPreference: (documentation changed)
│         │    ├ CapacityReservationResourceGroupArn: (documentation changed)
│         │    └ UsageStrategy: (documentation changed)
│         ├[~] type OnDemandProvisioningSpecification
│         │ └ properties
│         │    └ CapacityReservationOptions: (documentation changed)
│         ├[~] type OnDemandResizingSpecification
│         │ ├  - documentation: undefined
│         │ │  + documentation: The resize specification for On-Demand Instances in the instance fleet, which contains the resize timeout period.
│         │ └ properties
│         │    ├ AllocationStrategy: (documentation changed)
│         │    └ TimeoutDurationMinutes: (documentation changed)
│         └[~] type SpotResizingSpecification
│           ├  - documentation: undefined
│           │  + documentation: The resize specification for Spot Instances in the instance fleet, which contains the resize timeout period.
│           └ properties
│              ├ AllocationStrategy: (documentation changed)
│              └ TimeoutDurationMinutes: (documentation changed)
├[~] service aws-glue
│ └ resources
│    ├[~] resource AWS::Glue::Job
│    │ └ attributes
│    │    └[-] Id: string
│    └[~] resource AWS::Glue::MLTransform
│      └ types
│         └[~] type TransformParameters
│           └ properties
│              └ TransformType: (documentation changed)
├[~] service aws-identitystore
│ └ resources
│    └[~] resource AWS::IdentityStore::Group
│      └ properties
│         └ DisplayName: (documentation changed)
├[~] service aws-iot
│ └ resources
│    └[~] resource AWS::IoT::DomainConfiguration
│      ├ properties
│      │  ├ ApplicationProtocol: (documentation changed)
│      │  ├ AuthenticationType: (documentation changed)
│      │  └ ClientCertificateConfig: (documentation changed)
│      └ types
│         └[~] type ClientCertificateConfig
│           ├  - documentation: undefined
│           │  + documentation: An object that specifies the client certificate configuration for a domain.
│           │  > This property isn't available in China.
│           └ properties
│              └ ClientCertificateCallbackArn: (documentation changed)
├[~] service aws-kinesis
│ └ resources
│    └[+] resource AWS::Kinesis::ResourcePolicy
│      ├  name: ResourcePolicy
│      │  cloudFormationType: AWS::Kinesis::ResourcePolicy
│      │  documentation: Resource Type definition for AWS::Kinesis::ResourcePolicy
│      │  scrutinizable: ResourcePolicyResource
│      └ properties
│         └ResourcePolicy: json (required)
├[~] service aws-memorydb
│ └ resources
│    └[~] resource AWS::MemoryDB::Cluster
│      └ properties
│         ├ DataTiering: (documentation changed)
│         └ EngineVersion: (documentation changed)
├[~] service aws-quicksight
│ └ resources
│    └[~] resource AWS::QuickSight::Folder
│      └ properties
│         ├ ParentFolderArn: (documentation changed)
│         └ Tags: (documentation changed)
├[~] service aws-route53resolver
│ └ resources
│    └[~] resource AWS::Route53Resolver::ResolverRule
│      └ types
│         └[~] type TargetAddress
│           └ properties
│              └ Protocol: (documentation changed)
├[~] service aws-s3
│ └ resources
│    └[~] resource AWS::S3::Bucket
│      └ types
│         └[~] type LifecycleConfiguration
│           └ properties
│              └ TransitionDefaultMinimumObjectSize: (documentation changed)
├[~] service aws-s3express
│ └ resources
│    └[~] resource AWS::S3Express::DirectoryBucket
│      └ types
│         ├[~] type BucketEncryption
│         │ └  - documentation: Specifies default encryption for a bucket using server-side encryption with Amazon S3 managed keys (SSE-S3) or AWS KMS keys (SSE-KMS).
│         │    + documentation: Specifies default encryption for a bucket using server-side encryption with Amazon S3 managed keys (SSE-S3) or AWS KMS keys (SSE-KMS). For information about default encryption for directory buckets, see [Setting and monitoring default encryption for directory buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-bucket-encryption.html) in the *Amazon S3 User Guide* .
│         ├[~] type ServerSideEncryptionByDefault
│         │ ├  - documentation: Specifies the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied.
│         │ │  + documentation: Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. For more information, see [PutBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html) in the *Amazon S3 API Reference* .
│         │ └ properties
│         │    └ SSEAlgorithm: (documentation changed)
│         └[~] type ServerSideEncryptionRule
│           └ properties
│              └ BucketKeyEnabled: (documentation changed)
└[~] service aws-wisdom
  └ resources
     └[~] resource AWS::Wisdom::KnowledgeBase
       └ types
          └[~] type AppIntegrationsConfiguration
            └ properties
               └ AppIntegrationArn: (documentation changed)
```
----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ableExecuteApiEndpoint to make it more clearer. (#31734)

### Issue # (if applicable)

Closes #31729.

### Reason for this change
The current documentation for `disableExecuteApiEndpoint` at [HttpApi](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigatewayv2.HttpApi.html#disableexecuteapiendpoint) is confusing. It states that:
```
Type: boolean (optional, default: false execute-api endpoint enabled.)

Specifies whether clients can invoke your API using the default endpoint.

By default, clients can invoke your API with the default https://{api_id}.execute-api.{region}.amazonaws.com endpoint. Enable this if you would like clients to use your custom domain name.
```

### Description of changes
Rephrased the documentation for `HttpApiProps.disableExecuteApiEndpoint` to make it clearer.

Refer to the documentation for `DisableExecuteApiEndpoint` at [AWS::ApiGatewayV2::Api](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-api.html#cfn-apigatewayv2-api-disableexecuteapiendpoint).

### Description of how you validated changes
N/A

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…r and EC2 IConnectable interface. (#31704)

### Issue # (if applicable)

Closes #31644.

### Reason for this change
A user reported that using `connections` with an NLB without a security group specified doesn't create a security group automatically. NLBs do not have security groups, and no automatic security group configuration is done.

### Description of changes
Add details about Network Load Balancer and EC2 `IConnectable` interface.

### Description of how you validated changes



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
#31385)

### Issue # (if applicable)

Closes #31375 .

### Reason for this change



Properties for Performance Insights at cluster level are supported in L1, but not in L2.

### Description of changes



Added the properties in props for Database Cluster.

### Description of how you validated changes



Both unit tests and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #31458.

### Reason for this change

According to the documentation [here](https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventfiltering.html#filtering-syntax), the FilterPattern should be [null]. However, the function FilterRule.null() currently returns an empty array [] instead. It results in an invalid filter pattern definition.

### Description of changes
Change the return value from `[]` to `[null]`

### Description of how you validated changes

Add an integration test to validate the new return value. Also with the old return value, the deployment will fail with error `Invalid request provided: Invalid filter pattern definition.` so it should break existing customers.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

**BREAKING CHANGE**: The function return value changes from `String[]` to `any` which could be a breaking change in some cases. However, the previous return value would fail the deployment hence it reduces the risk of breaking change.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…31416)

### Issue # (if applicable)

Closes #31348.

### Reason for this change
When creating a Bastion host, a customer is using the instance's userData to write approved public keys to `.ssh/authorized_keys`. However, changing the list of authorized keys does not trigger the instance to be replaced, so the modification has no effect.

### Description of changes
Exposed `userDataCausesReplacement` in `BastionHostLinuxProps`. The value is passed down to downstream `AWS::EC2::Instance` resource.

### Description of how you validated changes
Added unit and integration tests.

**NOTE:** Re-invoking `Template.fromStack(stack)` doesn't change the resource Id, so the unit test uses 2 stacks. Maybe invoking `Template.fromStack(stack)` caches the results and doesn't refresh them.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
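
What the Bastion host change above means in a synthesized template, as a check that compares two template versions (an added example, not code from the aws-cdk repository; the templates, logical IDs, key strings and function names are constructed). An `AWS::EC2::Instance` whose `UserData` changed while its logical ID stayed the same is updated in place, which is the case the commit message describes as having no effect on the authorized keys.

```typescript
// Constructed model of CloudFormation templates; only the fields the check needs.
interface CfnResource {
  Type: string;
  Properties?: Record<string, unknown>;
}
interface CfnTemplate {
  Resources: Record<string, CfnResource>;
}
type Status = 'unchanged' | 'updated-in-place' | 'replaced-or-removed';
interface Finding {
  logicalId: string;
  status: Status;
}

// Serialise with sorted keys so that key order never shows up as a difference.
function canonical(value: unknown): string {
  if (value === undefined) {
    return 'undefined';
  }
  if (Array.isArray(value)) {
    return '[' + value.map(canonical).join(',') + ']';
  }
  if (value !== null && typeof value === 'object') {
    const obj = value as Record<string, unknown>;
    return '{' + Object.keys(obj).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(obj[k]))
      .join(',') + '}';
  }
  return JSON.stringify(value);
}

function userDataOf(resource: CfnResource): string {
  return canonical(resource.Properties ? resource.Properties['UserData'] : undefined);
}

// Classify every EC2 instance of the old template against the new template.
function compareInstanceUserData(before: CfnTemplate, after: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(before.Resources).sort()) {
    const oldRes = before.Resources[logicalId];
    if (!oldRes || oldRes.Type !== 'AWS::EC2::Instance') {
      continue;
    }
    const newRes = after.Resources[logicalId];
    if (!newRes || newRes.Type !== 'AWS::EC2::Instance') {
      // Logical ID is gone: CloudFormation deletes this instance; a new
      // instance under another logical ID boots with the new user data.
      findings.push({ logicalId, status: 'replaced-or-removed' });
    } else if (userDataOf(oldRes) !== userDataOf(newRes)) {
      // Same logical ID, different user data: the instance is kept, so a
      // key removed from the script is still in authorized_keys on the host.
      findings.push({ logicalId, status: 'updated-in-place' });
    } else {
      findings.push({ logicalId, status: 'unchanged' });
    }
  }
  return findings;
}

// True when no instance would keep running with an outdated key list.
function keyChangeTakesEffect(before: CfnTemplate, after: CfnTemplate): boolean {
  return compareInstanceUserData(before, after)
    .every((f) => f.status !== 'updated-in-place');
}

// Constructed sample: a bastion whose user data appends approved public keys.
function bastionTemplate(logicalId: string, authorizedKeys: string[]): CfnTemplate {
  const lines = ['#!/bin/bash'].concat(
    authorizedKeys.map((k) => 'echo "' + k + '" >> /home/ec2-user/.ssh/authorized_keys'),
  );
  const resources: Record<string, CfnResource> = {};
  resources[logicalId] = {
    Type: 'AWS::EC2::Instance',
    Properties: { InstanceType: 't3.nano', UserData: { 'Fn::Base64': lines.join('\n') } },
  };
  return { Resources: resources };
}

// Constructed key material (placeholders, not real keys). Bob is revoked in V2.
const KEYS_V1 = ['ssh-ed25519 CONSTRUCTED-KEY-ALICE alice', 'ssh-ed25519 CONSTRUCTED-KEY-BOB bob'];
const KEYS_V2 = ['ssh-ed25519 CONSTRUCTED-KEY-ALICE alice'];

// Logical ID unchanged across versions: revocation does not reach the host.
const WITHOUT_REPLACEMENT = compareInstanceUserData(
  bastionTemplate('BastionHostSAMPLE0001', KEYS_V1),
  bastionTemplate('BastionHostSAMPLE0001', KEYS_V2),
);

// Logical ID differs per user data (the effect modelled here for
// userDataCausesReplacement): the old instance is replaced.
const WITH_REPLACEMENT = compareInstanceUserData(
  bastionTemplate('BastionHostSAMPLE0001aaaa', KEYS_V1),
  bastionTemplate('BastionHostSAMPLE0001bbbb', KEYS_V2),
);
```

Running the same comparison over the old and new output of a real synth in CI flags key-list changes that would otherwise stay unapplied.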
Add new engine version

Ref: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/MariaDB.Concepts.VersionMgmt.html#MariaDB.Concepts.VersionMgmt.Supported

```sh
% aws rds describe-db-engine-versions --engine mariadb --query "DBEngineVersions[?EngineVersion=='11.4.3'].[DBEngineVersionDescription,EngineVersion,DBParameterGroupFamily,MajorEngineVersion,Status]" --output json
[
    [
        "MariaDB 11.4.3",
        "11.4.3",
        "mariadb11.4",
        "11.4",
        "available"
    ]
]
```


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…to `queue_rules` (#31775)

We are using deprecated parameters that are about to be removed (October 21st, 2024).

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #29383 .

### Reason for this change
To support API destination enrichment for EventBridge pipes.


### Description of changes
Add `ApiDestinationEnrichment` class.


### Description of how you validated changes
Add unit tests and an integ test.



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Add CloudWatch Logs as a Pipe target.
### Issue # (if applicable)

None

### Reason for this change

CloudFormation has a `disableApiTermination` property for turning on Termination Protection on an EC2 Instance.
This property is not configurable from L2.

### Description of changes

Add `disableApiTermination` property to InstanceProps.

### Description of how you validated changes

I've added both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
#30560)

### Issue # (if applicable)

Closes #15671 .

### Reason for this change
To enable contributor insights for a specific global secondary index.

This feature is supported in [CFn](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-table-globalsecondaryindex.html#cfn-dynamodb-contributorinsightsspecification-enabled).



### Description of changes
Add `contributorInsightsEnabled` property to the `GlobalSecondaryIndexProps` in `Table`.

In [AWS::DynamoDB::GlobalTable GlobalSecondaryIndex](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-globaltable-globalsecondaryindex.html), `ContributorInsightsSpecification` does not exist.

So I didn't change `TableV2`.



### Description of how you validated changes
Add unit test and integ tests.



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
#31136)

### Issue # (if applicable)

Closes #31130

### Reason for this change

We cannot specify Lustre version for the file system.

### Description of changes

Add `fileSystemTypeVersion` prop to `LustreFileSystemProps`.

There are some restrictions about `fileSystemTypeVersion`. 

- 2.10 is supported by the Scratch and Persistent_1 Lustre deployment types.
- 2.12 is supported by all Lustre deployment types, except for PERSISTENT_2 with a metadata configuration mode.
- 2.15 is supported by all Lustre deployment types and is recommended for all new file systems.

https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-fsx-filesystem.html#cfn-fsx-filesystem-filesystemtypeversion

I've only added validation that V2.10 is supported by the Scratch and Persistent_1 deployment types, because `LustreFileSystemProps` does not have metadata configuration props.

```ts
  private validateFiileSystemTypeVersion(deploymentType: LustreDeploymentType, fileSystemTypeVersion?: FileSystemTypeVersion): void {
    if (fileSystemTypeVersion === undefined) {
      return;
    }

    if (fileSystemTypeVersion === FileSystemTypeVersion.V_2_10) {
      if (!deploymentType.startsWith('SCRATCH') && deploymentType !== LustreDeploymentType.PERSISTENT_1) {
        throw new Error('fileSystemTypeVersion V_2_10 is only supported for SCRATCH and PERSISTENT_1 deployment types');
      }
    }
  }
```

### Description of how you validated changes

Add both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…t multiple types of sources (#31723)

### Reason for this change

The previous API for `source` was designed under the assumption that a Source would either be a `Stream` or `Direct Put` if not. Since the alpha module was written, support on the service side for MSK as a Source has been added so we should update the `source` property to accept an `ISource` which can then be implemented by different types of Sources.

### Description of changes

Replaced the `sourceStream` property with `source`.

Changed the `source` property from `IStream` to `ISource`.

Added an `ISource` interface which is implemented by classes which represent the different Source types. Currently implemented by the `KinesisStreamSource` class. The `MSKSource` class can be added in a separate PR. 

Added a `SourceConfig` which contains the property configs for each respective source (as the fields within these property configs are different across each source). In `delivery-stream.ts` we call the `_bind` method which will populate and return the correct property config for the Source and that gets directly injected where the L1 `CFNDeliveryStream` is created. This pattern is also used for Destinations:

```ts
    const destinationConfig = props.destination.bind(this, {});
    const sourceConfig = props.source?._bind(this, this._role?.roleArn);

    const resource = new CfnDeliveryStream(this, 'Resource', {
      deliveryStreamEncryptionConfigurationInput: encryptionConfig,
      deliveryStreamName: props.deliveryStreamName,
      deliveryStreamType: props.source ? 'KinesisStreamAsSource' : 'DirectPut',
      ...sourceConfig,
      ...destinationConfig,
    });
```

### Description of how you validated changes

No behavioural changes. The updated integ tests and unit tests still pass existing tests.

Exempting integ tests because we don't want the generated CFN to change.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

---

BREAKING CHANGE: Replaced the `sourceStream` property with `source`. Changed the `source` property type from `IStream` to `ISource`. Instead of passing in the source Stream directly, it will be passed in by calling the appropriate class like so: `source: new source.KinesisStreamSource(sourceStream)`.
go-to-k and others added 14 commits October 17, 2024 22:12
…y was not found (#31676)

### Issue # (if applicable)

Closes #31574.

### Reason for this change



The `fromLookup` method causes an error if the target key was not found. However, it would also be good not to cause an error in that case.

### Description of changes



Added `returnDummyKeyOnMissing` in `KeyLookupOptions`. If the property is set to true, the context method will not cause an error and will return a dummy key if the key was not found.

Originally, I thought to make the method return undefined in that case, but the return type of the method is `IKey`. If we change the type to `IKey | undefined`, it should be a breaking change.

```ts
  public static fromLookup(scope: Construct, id: string, options: KeyLookupOptions): IKey {
```

So I decided to return a dummy key with a dummy key id '1234abcd-12ab-34cd-56ef-1234567890ab'. The dummy key id had been defined originally (see: https://github.com/aws/aws-cdk/blob/v2.161.0/packages/aws-cdk-lib/aws-kms/lib/key.ts#L686).

The property `returnDummyKeyOnMissing` will be passed to `ignoreErrorOnMissingContext` added in the [PR](#31415). If the `ignoreErrorOnMissingContext` is true and the key doesn't exist, an error will be suppressed in the `ContextProvider`.

### Additional information

see: #31574 (comment)

### Description of how you validated changes



Both unit and integ tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ce (#31632)

### Issue #30467 

Closes #30467

### Reason for this change

For custom OpenId providers, there is no way to automatically validate email upon sign-in.
Therefore, we would like to add the `email_verified` attribute to attribute mapping, but it is not present in the member definition of the `AttributeMapping` interface, so we have added it in this PR.

### Description of changes


Added `emailVerified` attribute to `AttributeMapping` interface.

### Description of how you validated changes


Added the `email_verified` assertion to both unit and integration tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[~] service aws-apigatewayv2
│ └ resources
│    └[~] resource AWS::ApiGatewayV2::DomainName
│      └ properties
│         └ DomainName: (documentation changed)
├[~] service aws-appflow
│ └ resources
│    ├[~] resource AWS::AppFlow::ConnectorProfile
│    │ └ types
│    │    ├[~] type SalesforceConnectorProfileCredentials
│    │    │ └ properties
│    │    │    └ OAuth2GrantType: (documentation changed)
│    │    ├[~] type SAPODataConnectorProfileProperties
│    │    │ └ properties
│    │    │    └ DisableSSO: (documentation changed)
│    │    └[~] type ServiceNowConnectorProfileCredentials
│    │      └ properties
│    │         └ OAuth2Credentials: (documentation changed)
│    └[~] resource AWS::AppFlow::Flow
│      └ types
│         ├[~] type SAPODataPaginationConfig
│         │ ├  - documentation: SAP Source connector page size
│         │ │  + documentation: Sets the page size for each *concurrent process* that transfers OData records from your SAP instance. A concurrent process is query that retrieves a batch of records as part of a flow run. Amazon AppFlow can run multiple concurrent processes in parallel to transfer data faster.
│         │ └ properties
│         │    └ maxPageSize: (documentation changed)
│         ├[~] type SAPODataParallelismConfig
│         │ ├  - documentation: SAP Source connector parallelism factor
│         │ │  + documentation: Sets the number of *concurrent processes* that transfer OData records from your SAP instance. A concurrent process is query that retrieves a batch of records as part of a flow run. Amazon AppFlow can run multiple concurrent processes in parallel to transfer data faster.
│         │ └ properties
│         │    └ maxParallelism: (documentation changed)
│         └[~] type SAPODataSourceProperties
│           └ properties
│              ├ paginationConfig: (documentation changed)
│              └ parallelismConfig: (documentation changed)
├[~] service aws-appsync
│ └ resources
│    └[~] resource AWS::AppSync::DataSource
│      ├ properties
│      │  └ ElasticsearchConfig: - ElasticsearchConfig
│      │                         + ElasticsearchConfig (deprecated=WARN)
│      │                         (documentation changed)
│      ├ attributes
│      │  └[-] Id: string
│      └ types
│         └[~] type ElasticsearchConfig
│           └  - documentation: The `ElasticsearchConfig` property type specifies the `AwsRegion` and `Endpoints` for an Amazon OpenSearch Service domain in your account for an AWS AppSync data source.
│              ElasticsearchConfig is a property of the [AWS::AppSync::DataSource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-appsync-datasource.html) property type.
│              As of September 2021, Amazon Elasticsearch Service is Amazon OpenSearch Service . This property is deprecated. For new data sources, use *OpenSearchServiceConfig* to specify an OpenSearch Service data source.
│              + documentation: undefined
├[~] service aws-autoscaling
│ └ resources
│    └[~] resource AWS::AutoScaling::AutoScalingGroup
│      ├ properties
│      │  └[+] TrafficSources: Array<TrafficSourceIdentifier>
│      └ types
│         └[+] type TrafficSourceIdentifier
│           ├  name: TrafficSourceIdentifier
│           └ properties
│              ├Type: string (required)
│              └Identifier: string (required)
├[~] service aws-codebuild
│ └ resources
│    └[~] resource AWS::CodeBuild::Fleet
│      └ properties
│         ├ ComputeType: (documentation changed)
│         ├ EnvironmentType: (documentation changed)
│         ├ FleetVpcConfig: (documentation changed)
│         └ ImageId: (documentation changed)
├[~] service aws-codepipeline
│ └ resources
│    └[~] resource AWS::CodePipeline::Pipeline
│      └ types
│         ├[~] type ActionDeclaration
│         │ └ properties
│         │    ├[+] Commands: Array<string>
│         │    └[+] OutputVariables: Array<string>
│         └[~] type OutputArtifact
│           └ properties
│              └[+] Files: Array<string>
├[~] service aws-cognito
│ └ resources
│    ├[~] resource AWS::Cognito::LogDeliveryConfiguration
│    │ ├  - documentation: The logging parameters of a user pool, as returned in the response to a [GetLogDeliveryConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html) request.
│    │ │  + documentation: Sets up or modifies the logging configuration of a user pool. User pools can export user notification logs and advanced security features user activity logs.
│    │ └ types
│    │    └[~] type CloudWatchLogsConfiguration
│    │      └  - documentation: Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with advanced security features.
│    │         This data type is a request parameter of [SetLogDeliveryConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html) and a response parameter of [GetLogDeliveryConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html) .
│    │         + documentation: Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with advanced security features.
│    ├[~] resource AWS::Cognito::UserPool
│    │ ├ properties
│    │ │  ├ AccountRecoverySetting: (documentation changed)
│    │ │  ├ AliasAttributes: (documentation changed)
│    │ │  ├ EmailVerificationMessage: (documentation changed)
│    │ │  ├ EmailVerificationSubject: (documentation changed)
│    │ │  ├ EnabledMfas: (documentation changed)
│    │ │  ├ Schema: (documentation changed)
│    │ │  ├ SmsAuthenticationMessage: (documentation changed)
│    │ │  ├ SmsVerificationMessage: (documentation changed)
│    │ │  ├ UsernameAttributes: (documentation changed)
│    │ │  └ UsernameConfiguration: (documentation changed)
│    │ ├ attributes
│    │ │  └ ProviderName: (documentation changed)
│    │ └ types
│    │    ├[~] type AccountRecoverySetting
│    │    │ ├  - documentation: Use this setting to define which verified available method a user can use to recover their password when they call `ForgotPassword` . It allows you to define a preferred method when a user has more than one method available. With this setting, SMS does not qualify for a valid password recovery mechanism if the user also has SMS MFA enabled. In the absence of this setting, Cognito uses the legacy behavior to determine the recovery method where SMS is preferred over email.
│    │    │ │  + documentation: The available verified method a user can use to recover their password when they call `ForgotPassword` . You can use this setting to define a preferred method when a user has more than one method available. With this setting, SMS doesn't qualify for a valid password recovery mechanism if the user also has SMS multi-factor authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy behavior to determine the recovery method where SMS is preferred through email.
│    │    │ └ properties
│    │    │    └ RecoveryMechanisms: (documentation changed)
│    │    ├[~] type AdminCreateUserConfig
│    │    │ ├  - documentation: The configuration for `AdminCreateUser` requests.
│    │    │ │  + documentation: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire.
│    │    │ │  This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) .
│    │    │ └ properties
│    │    │    └ InviteMessageTemplate: (documentation changed)
│    │    ├[~] type CustomEmailSender
│    │    │ ├  - documentation: A custom email sender AWS Lambda trigger.
│    │    │ │  + documentation: The configuration of a custom email sender Lambda trigger. This trigger routes all email notifications from a user pool to a Lambda function that delivers the message using custom logic.
│    │    │ └ properties
│    │    │    ├ LambdaArn: (documentation changed)
│    │    │    └ LambdaVersion: (documentation changed)
│    │    ├[~] type CustomSMSSender
│    │    │ ├  - documentation: A custom SMS sender AWS Lambda trigger.
│    │    │ │  + documentation: The configuration of a custom SMS sender Lambda trigger. This trigger routes all SMS notifications from a user pool to a Lambda function that delivers the message using custom logic.
│    │    │ └ properties
│    │    │    ├ LambdaArn: (documentation changed)
│    │    │    └ LambdaVersion: (documentation changed)
│    │    ├[~] type EmailConfiguration
│    │    │ └ properties
│    │    │    ├ ConfigurationSet: (documentation changed)
│    │    │    └ From: (documentation changed)
│    │    ├[~] type LambdaConfig
│    │    │ └ properties
│    │    │    ├ CustomEmailSender: (documentation changed)
│    │    │    ├ CustomSMSSender: (documentation changed)
│    │    │    └ KMSKeyID: (documentation changed)
│    │    ├[~] type RecoveryOption
│    │    │ ├  - documentation: A map containing a priority as a key, and recovery method name as a value.
│    │    │ │  + documentation: A recovery option for a user. The `AccountRecoverySettingType` data type is an array of this object. Each `RecoveryOptionType` has a priority property that determines whether it is a primary or secondary option.
│    │    │ │  For example, if `verified_email` has a priority of `1` and `verified_phone_number` has a priority of `2` , your user pool sends account-recovery messages to a verified email address but falls back to an SMS message if the user has a verified phone number. The `admin_only` option prevents self-service account recovery.
│    │    │ │  This data type is a request and response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and a response parameter of [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) .
│    │    │ └ properties
│    │    │    ├ Name: (documentation changed)
│    │    │    └ Priority: (documentation changed)
│    │    ├[~] type SchemaAttribute
│    │    │ └ properties
│    │    │    └ DeveloperOnlyAttribute: (documentation changed)
│    │    ├[~] type SmsConfiguration
│    │    │ ├  - documentation: The SMS configuration type that includes the settings the Cognito User Pool needs to call for the Amazon SNS service to send an SMS message from your AWS account . The Cognito User Pool makes the request to the Amazon SNS Service by using an IAM role that you provide for your AWS account .
│    │    │ │  + documentation: User pool configuration for delivery of SMS messages with Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account .
│    │    │ │  This data type is a request parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) , [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and [SetUserPoolMfaConfig](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html) , and a response parameter of [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) , [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and [GetUserPoolMfaConfig](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUserPoolMfaConfig.html) .
│    │    │ └ properties
│    │    │    └ ExternalId: (documentation changed)
│    │    ├[~] type StringAttributeConstraints
│    │    │ └  - documentation: The `StringAttributeConstraints` property type defines the string attribute constraints of an Amazon Cognito user pool. `StringAttributeConstraints` is a subproperty of the [SchemaAttribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-schemaattribute.html) property type.
│    │    │    + documentation: The minimum and maximum length values of an attribute that is of the string type, for example `custom:department` .
│    │    │    This data type is part of [SchemaAttributeType](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SchemaAttributeType.html) . It defines the length constraints on string-type attributes that you configure in [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) , and displays the length constraints of all string-type attributes in the response to [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html)
│    │    └[~] type UsernameConfiguration
│    │      └  - documentation: The `UsernameConfiguration` property type specifies case sensitivity on the username input for the selected sign-in option.
│    │         + documentation: Case sensitivity of the username input for the selected sign-in option. When case sensitivity is set to `False` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, `username` , `USERNAME` , or `UserName` , or for email, `[email protected]` or `[email protected]` . For most use cases, set case sensitivity to `False` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user.
│    │         This configuration is immutable after you set it. For more information, see [UsernameConfigurationType](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html) .
│    ├[~] resource AWS::Cognito::UserPoolClient
│    │ ├ properties
│    │ │  ├ AccessTokenValidity: (documentation changed)
│    │ │  ├ IdTokenValidity: (documentation changed)
│    │ │  ├ PreventUserExistenceErrors: (documentation changed)
│    │ │  └ RefreshTokenValidity: (documentation changed)
│    │ └ types
│    │    └[~] type AnalyticsConfiguration
│    │      └ properties
│    │         └ ApplicationArn: (documentation changed)
│    ├[~] resource AWS::Cognito::UserPoolDomain
│    │ └ properties
│    │    ├ Domain: (documentation changed)
│    │    └ UserPoolId: (documentation changed)
│    ├[~] resource AWS::Cognito::UserPoolGroup
│    │ └  - documentation: A user pool group that you can add a user to.
│    │    + documentation: A user pool group. Contains details about the group and the way that it contributes to IAM role decisions with identity pools. Identity pools can make decisions about the IAM role to assign based on groups: users get credentials for the role associated with their highest-priority group.
│    │    This data type is a response parameter of [AdminListGroupsForUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListGroupsForUser.html) , [CreateGroup](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateGroup.html) , [GetGroup](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetGroup.html) , [ListGroups](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListGroups.html) , and [UpdateGroup](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateGroup.html) .
│    ├[~] resource AWS::Cognito::UserPoolResourceServer
│    │ └ properties
│    │    └ Identifier: (documentation changed)
│    ├[~] resource AWS::Cognito::UserPoolRiskConfigurationAttachment
│    │ └ properties
│    │    └ ClientId: (documentation changed)
│    ├[~] resource AWS::Cognito::UserPoolUICustomizationAttachment
│    │ ├  - documentation: The `AWS::Cognito::UserPoolUICustomizationAttachment` resource sets the UI customization information for a user pool's built-in app UI.
│    │ │  You can specify app UI customization settings for a single client (with a specific `clientId` ) or for all clients (by setting the `clientId` to `ALL` ). If you specify `ALL` , the default configuration is used for every client that has had no UI customization set previously. If you specify UI customization settings for a particular client, it no longer falls back to the `ALL` configuration.
│    │ │  > Before you create this resource, your user pool must have a domain associated with it. You can create an `AWS::Cognito::UserPoolDomain` resource first in this user pool. 
│    │ │  Setting a logo image isn't supported from AWS CloudFormation . Use the Amazon Cognito [SetUICustomization](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUICustomization.html#API_SetUICustomization_RequestSyntax) API operation to set the image.
│    │ │  + documentation: A container for the UI customization information for the hosted UI in a user pool.
│    │ │  This data type is a response parameter of [GetUICustomization](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html) .
│    │ └ properties
│    │    └ ClientId: (documentation changed)
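Review bot: in the added documentation for `AWS::Cognito::UserPoolUICustomizationAttachment`, the link labelled `GetUICustomization` points to `API_DescribeUserPoolClient.html`, so the label and the target disagree. The replacement text also drops both operational notes from the removed text (the user pool must have a domain before this resource is created, and a logo image cannot be set from CloudFormation); those still look worth keeping in the resource description.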
│    ├[~] resource AWS::Cognito::UserPoolUser
│    │ └ properties
│    │    └ UserAttributes: (documentation changed)
│    └[~] resource AWS::Cognito::UserPoolUserToGroupAttachment
│      ├  - documentation: Adds the specified user to the specified group.
│      │  + documentation: Adds a user to a group. A user who is in a group can present a preferred-role claim to an identity pool, and populates a `cognito:groups` claim to their access and identity tokens.
│      │  > Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
│      │  > 
│      │  > **Learn more** - [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html)
│      │  > - [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html)
│      └ properties
│         └ Username: (documentation changed)
├[~] service aws-dms
│ └ resources
│    ├[~] resource AWS::DMS::DataProvider
│    │ ├ properties
│    │ │  └[+] Settings: Settings
│    │ └ types
│    │    ├[+] type MicrosoftSqlServerSettings
│    │    │ ├  documentation: Provides information that defines a Microsoft SQL Server endpoint.
│    │    │ │  name: MicrosoftSqlServerSettings
│    │    │ └ properties
│    │    │    ├ServerName: string (required)
│    │    │    ├Port: integer (required)
│    │    │    ├DatabaseName: string (required)
│    │    │    ├SslMode: string (required)
│    │    │    └CertificateArn: string
│    │    ├[+] type MySqlSettings
│    │    │ ├  documentation: Provides information that defines a MySQL endpoint.
│    │    │ │  name: MySqlSettings
│    │    │ └ properties
│    │    │    ├ServerName: string (required)
│    │    │    ├Port: integer (required)
│    │    │    ├SslMode: string (required)
│    │    │    └CertificateArn: string
│    │    ├[+] type OracleSettings
│    │    │ ├  documentation: Provides information that defines an Oracle endpoint.
│    │    │ │  name: OracleSettings
│    │    │ └ properties
│    │    │    ├ServerName: string (required)
│    │    │    ├Port: integer (required)
│    │    │    ├DatabaseName: string (required)
│    │    │    ├SslMode: string (required)
│    │    │    ├CertificateArn: string
│    │    │    ├AsmServer: string
│    │    │    ├SecretsManagerOracleAsmSecretId: string
│    │    │    ├SecretsManagerOracleAsmAccessRoleArn: string
│    │    │    ├SecretsManagerSecurityDbEncryptionSecretId: string
│    │    │    └SecretsManagerSecurityDbEncryptionAccessRoleArn: string
│    │    ├[+] type PostgreSqlSettings
│    │    │ ├  documentation: Provides information that defines a PostgreSQL endpoint.
│    │    │ │  name: PostgreSqlSettings
│    │    │ └ properties
│    │    │    ├ServerName: string (required)
│    │    │    ├Port: integer (required)
│    │    │    ├DatabaseName: string (required)
│    │    │    ├SslMode: string (required)
│    │    │    └CertificateArn: string
│    │    └[+] type Settings
│    │      ├  documentation: The property identifies the exact type of settings for the data provider.
│    │      │  name: Settings
│    │      └ properties
│    │         ├PostgreSqlSettings: PostgreSqlSettings
│    │         ├MySqlSettings: MySqlSettings
│    │         ├OracleSettings: OracleSettings
│    │         └MicrosoftSqlServerSettings: MicrosoftSqlServerSettings
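Review bot: `SslMode` is a required plain `string` on all four new settings types and `CertificateArn` is optional, but none of the new properties carries documentation in this diff. These two fields determine how the connection to the database endpoint is protected, so the accepted `SslMode` values and the cases that require `CertificateArn` should be documented on the properties themselves.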
│    └[~] resource AWS::DMS::ReplicationInstance
│      └ properties
│         └[+] NetworkType: string
├[~] service aws-ec2
│ └ resources
│    ├[~] resource AWS::EC2::CapacityReservation
│    │ └ properties
│    │    └[+] UnusedReservationBillingOwnerId: string
│    ├[~] resource AWS::EC2::EC2Fleet
│    │ └ types
│    │    └[~] type InstanceRequirementsRequest
│    │      ├  - documentation: The attributes for the instance types. When you specify instance attributes, Amazon EC2 will identify instance types with these attributes.
│    │      │  You must specify `VCpuCount` and `MemoryMiB` . All other attributes are optional. Any unspecified optional attribute is set to its default.
│    │      │  When you specify multiple attributes, you get instance types that satisfy all of the specified attributes. If you specify multiple values for an attribute, you get instance types that satisfy any of the specified values.
│    │      │  To limit the list of instance types from which Amazon EC2 can identify matching instance types, you can use one of the following parameters, but not both in the same request:
│    │      │  - `AllowedInstanceTypes` - The instance types to include in the list. All other instance types are ignored, even if they match your specified attributes.
│    │      │  - `ExcludedInstanceTypes` - The instance types to exclude from the list, even if they match your specified attributes.
│    │      │  > If you specify `InstanceRequirements` , you can't specify `InstanceType` .
│    │      │  > 
│    │      │  > Attribute-based instance type selection is only supported when using Auto Scaling groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in the [launch instance wizard](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance-wizard.html) , or with the [RunInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html) API or [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html) AWS CloudFormation resource, you can't specify `InstanceRequirements` . 
│    │      │  For more information, see [Attribute-based instance type selection for EC2 Fleet](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html) , [Attribute-based instance type selection for Spot Fleet](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-fleet-attribute-based-instance-type-selection.html) , and [Spot placement score](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-placement-score.html) in the *Amazon EC2 User Guide* .
│    │      │  + documentation: The attributes for the instance types. When you specify instance attributes, Amazon EC2 will identify instance types with these attributes.
│    │      │  You must specify `VCpuCount` and `MemoryMiB` . All other attributes are optional. Any unspecified optional attribute is set to its default.
│    │      │  When you specify multiple attributes, you get instance types that satisfy all of the specified attributes. If you specify multiple values for an attribute, you get instance types that satisfy any of the specified values.
│    │      │  To limit the list of instance types from which Amazon EC2 can identify matching instance types, you can use one of the following parameters, but not both in the same request:
│    │      │  - `AllowedInstanceTypes` - The instance types to include in the list. All other instance types are ignored, even if they match your specified attributes.
│    │      │  - `ExcludedInstanceTypes` - The instance types to exclude from the list, even if they match your specified attributes.
│    │      │  > If you specify `InstanceRequirements` , you can't specify `InstanceType` .
│    │      │  > 
│    │      │  > Attribute-based instance type selection is only supported when using Auto Scaling groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in the [launch instance wizard](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance-wizard.html) , or with the [RunInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html) API or [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html) AWS CloudFormation resource, you can't specify `InstanceRequirements` . 
│    │      │  For more information, see [Specify attributes for instance type selection for EC2 Fleet or Spot Fleet](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html) and [Spot placement score](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-placement-score.html) in the *Amazon EC2 User Guide* .
│    │      └ properties
│    │         └ AcceleratorTypes: (documentation changed)
│    ├[~] resource AWS::EC2::Instance
│    │ └ properties
│    │    └ ElasticInferenceAccelerators: (documentation changed)
│    ├[~] resource AWS::EC2::InstanceConnectEndpoint
│    │ └  - documentation: Creates an EC2 Instance Connect Endpoint.
│    │    An EC2 Instance Connect Endpoint allows you to connect to an instance, without requiring the instance to have a public IPv4 address. For more information, see [Connect to your instances without requiring a public IPv4 address using EC2 Instance Connect Endpoint](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect-Endpoint.html) in the *Amazon EC2 User Guide* .
│    │    + documentation: Creates an EC2 Instance Connect Endpoint.
│    │    An EC2 Instance Connect Endpoint allows you to connect to an instance, without requiring the instance to have a public IPv4 address. For more information, see [Connect to your instances using EC2 Instance Connect Endpoint](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect-Endpoint.html) in the *Amazon EC2 User Guide* .
│    │    With the replacement update behavior, AWS CloudFormation usually creates the new resource first, changes references to point to the new resource, and then deletes the old resource. However, you can create only one EC2 Instance Connect Endpoint per VPC, so the replacement process fails. If you need to modify an EC2 Instance Connect Endpoint, you must replace the resource manually.
│    ├[~] resource AWS::EC2::LaunchTemplate
│    │ └ types
│    │    ├[~] type Ebs
│    │    │ └ properties
│    │    │    └ KmsKeyId: (documentation changed)
│    │    ├[~] type InstanceRequirements
│    │    │ ├  - documentation: The attributes for the instance types. When you specify instance attributes, Amazon EC2 will identify instance types with these attributes.
│    │    │ │  You must specify `VCpuCount` and `MemoryMiB` . All other attributes are optional. Any unspecified optional attribute is set to its default.
│    │    │ │  When you specify multiple attributes, you get instance types that satisfy all of the specified attributes. If you specify multiple values for an attribute, you get instance types that satisfy any of the specified values.
│    │    │ │  To limit the list of instance types from which Amazon EC2 can identify matching instance types, you can use one of the following parameters, but not both in the same request:
│    │    │ │  - `AllowedInstanceTypes` - The instance types to include in the list. All other instance types are ignored, even if they match your specified attributes.
│    │    │ │  - `ExcludedInstanceTypes` - The instance types to exclude from the list, even if they match your specified attributes.
│    │    │ │  > If you specify `InstanceRequirements` , you can't specify `InstanceType` .
│    │    │ │  > 
│    │    │ │  > Attribute-based instance type selection is only supported when using Auto Scaling groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in the [launch instance wizard](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance-wizard.html) , or with the [RunInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html) API or [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html) AWS CloudFormation resource, you can't specify `InstanceRequirements` . 
│    │    │ │  For more information, see [Attribute-based instance type selection for EC2 Fleet](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html) , [Attribute-based instance type selection for Spot Fleet](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-fleet-attribute-based-instance-type-selection.html) , and [Spot placement score](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-placement-score.html) in the *Amazon EC2 User Guide* .
│    │    │ │  + documentation: The attributes for the instance types. When you specify instance attributes, Amazon EC2 will identify instance types with these attributes.
│    │    │ │  You must specify `VCpuCount` and `MemoryMiB` . All other attributes are optional. Any unspecified optional attribute is set to its default.
│    │    │ │  When you specify multiple attributes, you get instance types that satisfy all of the specified attributes. If you specify multiple values for an attribute, you get instance types that satisfy any of the specified values.
│    │    │ │  To limit the list of instance types from which Amazon EC2 can identify matching instance types, you can use one of the following parameters, but not both in the same request:
│    │    │ │  - `AllowedInstanceTypes` - The instance types to include in the list. All other instance types are ignored, even if they match your specified attributes.
│    │    │ │  - `ExcludedInstanceTypes` - The instance types to exclude from the list, even if they match your specified attributes.
│    │    │ │  > If you specify `InstanceRequirements` , you can't specify `InstanceType` .
│    │    │ │  > 
│    │    │ │  > Attribute-based instance type selection is only supported when using Auto Scaling groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in the [launch instance wizard](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance-wizard.html) , or with the [RunInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html) API or [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html) AWS CloudFormation resource, you can't specify `InstanceRequirements` . 
│    │    │ │  For more information, see [Specify attributes for instance type selection for EC2 Fleet or Spot Fleet](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html) and [Spot placement score](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-placement-score.html) in the *Amazon EC2 User Guide* .
│    │    │ └ properties
│    │    │    └ AcceleratorTypes: (documentation changed)
│    │    └[~] type LaunchTemplateData
│    │      └ properties
│    │         ├ ElasticInferenceAccelerators: (documentation changed)
│    │         └ InstanceRequirements: (documentation changed)
│    ├[~] resource AWS::EC2::NetworkAcl
│    │ └  - documentation: Specifies a network ACL for your VPC.
│    │    + documentation: Specifies a network ACL for your VPC.
│    │    To add a network ACL entry, see [AWS::EC2::NetworkAclEntry](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkaclentry.html) .
│    ├[~] resource AWS::EC2::NetworkAclEntry
│    │ └  - documentation: Specifies an entry, known as a rule, in a network ACL with a rule number you specify. Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules.
│    │    For information about the protocol value, see [Protocol Numbers](https://docs.aws.amazon.com/https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) on the Internet Assigned Numbers Authority (IANA) website.
│    │    + documentation: Specifies an entry, known as a rule, in a network ACL with a rule number you specify. Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules.
│    │    To create the network ACL, see [AWS::EC2::NetworkAcl](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkacl.html) .
│    │    For information about the protocol value, see [Protocol Numbers](https://docs.aws.amazon.com/https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) on the Internet Assigned Numbers Authority (IANA) website.
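Review bot: the `Protocol Numbers` link in `AWS::EC2::NetworkAclEntry` is `https://docs.aws.amazon.com/https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml` on both the removed and the added side, a docs.aws.amazon.com prefix glued onto the IANA URL. The documentation update touched this text without fixing the target; the link should point directly at the `https://www.iana.org/...` address.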
│    ├[~] resource AWS::EC2::PrefixList
│    │ └ properties
│    │    └ MaxEntries: (documentation changed)
│    ├[~] resource AWS::EC2::SpotFleet
│    │ └ types
│    │    └[~] type InstanceRequirementsRequest
│    │      ├  - documentation: The attributes for the instance types. When you specify instance attributes, Amazon EC2 will identify instance types with these attributes.
│    │      │  You must specify `VCpuCount` and `MemoryMiB` . All other attributes are optional. Any unspecified optional attribute is set to its default.
│    │      │  When you specify multiple attributes, you get instance types that satisfy all of the specified attributes. If you specify multiple values for an attribute, you get instance types that satisfy any of the specified values.
│    │      │  To limit the list of instance types from which Amazon EC2 can identify matching instance types, you can use one of the following parameters, but not both in the same request:
│    │      │  - `AllowedInstanceTypes` - The instance types to include in the list. All other instance types are ignored, even if they match your specified attributes.
│    │      │  - `ExcludedInstanceTypes` - The instance types to exclude from the list, even if they match your specified attributes.
│    │      │  > If you specify `InstanceRequirements` , you can't specify `InstanceType` .
│    │      │  > 
│    │      │  > Attribute-based instance type selection is only supported when using Auto Scaling groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in the [launch instance wizard](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance-wizard.html) , or with the [RunInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html) API or [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html) AWS CloudFormation resource, you can't specify `InstanceRequirements` . 
│    │      │  For more information, see [Attribute-based instance type selection for EC2 Fleet](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html) , [Attribute-based instance type selection for Spot Fleet](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-fleet-attribute-based-instance-type-selection.html) , and [Spot placement score](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-placement-score.html) in the *Amazon EC2 User Guide* .
│    │      │  + documentation: The attributes for the instance types. When you specify instance attributes, Amazon EC2 will identify instance types with these attributes.
│    │      │  You must specify `VCpuCount` and `MemoryMiB` . All other attributes are optional. Any unspecified optional attribute is set to its default.
│    │      │  When you specify multiple attributes, you get instance types that satisfy all of the specified attributes. If you specify multiple values for an attribute, you get instance types that satisfy any of the specified values.
│    │      │  To limit the list of instance types from which Amazon EC2 can identify matching instance types, you can use one of the following parameters, but not both in the same request:
│    │      │  - `AllowedInstanceTypes` - The instance types to include in the list. All other instance types are ignored, even if they match your specified attributes.
│    │      │  - `ExcludedInstanceTypes` - The instance types to exclude from the list, even if they match your specified attributes.
│    │      │  > If you specify `InstanceRequirements` , you can't specify `InstanceType` .
│    │      │  > 
│    │      │  > Attribute-based instance type selection is only supported when using Auto Scaling groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in the [launch instance wizard](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance-wizard.html) , or with the [RunInstances](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html) API or [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html) AWS CloudFormation resource, you can't specify `InstanceRequirements` . 
│    │      │  For more information, see [Specify attributes for instance type selection for EC2 Fleet or Spot Fleet](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-attribute-based-instance-type-selection.html) and [Spot placement score](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-placement-score.html) in the *Amazon EC2 User Guide* .
│    │      └ properties
│    │         └ AcceleratorTypes: (documentation changed)
│    ├[~] resource AWS::EC2::VPCPeeringConnection
│    │ └  - documentation: Requests a VPC peering connection between two VPCs: a requester VPC that you own and an accepter VPC with which to create the connection. The accepter VPC can belong to a different AWS account and can be in a different Region than the requester VPC.
│    │    The requester VPC and accepter VPC cannot have overlapping CIDR blocks. If you create a VPC peering connection request between VPCs with overlapping CIDR blocks, the VPC peering connection has a status of `failed` .
│    │    If the VPCs belong to different accounts, the acceptor account must have a role that allows the requester account to accept the VPC peering connection. For more information, see [Walkthough: Peer with a VPC in another AWS account](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/peer-with-vpc-in-another-account.html) .
│    │    If the requester and acceptor VPCs are in the same account, the peering request is accepted without a peering role.
│    │    + documentation: Requests a VPC peering connection between two VPCs: a requester VPC that you own and an accepter VPC with which to create the connection. The accepter VPC can belong to a different AWS account and can be in a different Region than the requester VPC.
│    │    The requester VPC and accepter VPC cannot have overlapping CIDR blocks. If you create a VPC peering connection request between VPCs with overlapping CIDR blocks, the VPC peering connection has a status of `failed` .
│    │    If the VPCs belong to different accounts, the acceptor account must have a role that allows the requester account to accept the VPC peering connection. For an example, see [Walkthrough: Peer with a VPC in another AWS account](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/peer-with-vpc-in-another-account.html) .
│    │    If the requester and acceptor VPCs are in the same account, the peering request is accepted without a peering role.
│    └[~] resource AWS::EC2::VPNConnection
│      └ types
│         ├[+] type CloudwatchLogOptionsSpecification
│         │ ├  documentation: Options for sending VPN tunnel logs to CloudWatch.
│         │ │  name: CloudwatchLogOptionsSpecification
│         │ └ properties
│         │    ├LogEnabled: boolean
│         │    ├LogOutputFormat: string
│         │    └LogGroupArn: string
│         ├[+] type IKEVersionsRequestListValue
│         │ ├  documentation: The IKE version that is permitted for the VPN tunnel.
│         │ │  name: IKEVersionsRequestListValue
│         │ └ properties
│         │    └Value: string
│         ├[+] type Phase1DHGroupNumbersRequestListValue
│         │ ├  documentation: Specifies a Diffie-Hellman group number for the VPN tunnel for phase 1 IKE negotiations.
│         │ │  name: Phase1DHGroupNumbersRequestListValue
│         │ └ properties
│         │    └Value: integer
│         ├[+] type Phase1EncryptionAlgorithmsRequestListValue
│         │ ├  documentation: Specifies the encryption algorithm for the VPN tunnel for phase 1 IKE negotiations.
│         │ │  name: Phase1EncryptionAlgorithmsRequestListValue
│         │ └ properties
│         │    └Value: string
│         ├[+] type Phase1IntegrityAlgorithmsRequestListValue
│         │ ├  documentation: Specifies the integrity algorithm for the VPN tunnel for phase 1 IKE negotiations.
│         │ │  name: Phase1IntegrityAlgorithmsRequestListValue
│         │ └ properties
│         │    └Value: string
│         ├[+] type Phase2DHGroupNumbersRequestListValue
│         │ ├  documentation: Specifies a Diffie-Hellman group number for the VPN tunnel for phase 2 IKE negotiations.
│         │ │  name: Phase2DHGroupNumbersRequestListValue
│         │ └ properties
│         │    └Value: integer
│         ├[+] type Phase2EncryptionAlgorithmsRequestListValue
│         │ ├  documentation: Specifies the encryption algorithm for the VPN tunnel for phase 2 IKE negotiations.
│         │ │  name: Phase2EncryptionAlgorithmsRequestListValue
│         │ └ properties
│         │    └Value: string
│         ├[+] type Phase2IntegrityAlgorithmsRequestListValue
│         │ ├  documentation: Specifies the integrity algorithm for the VPN tunnel for phase 2 IKE negotiations.
│         │ │  name: Phase2IntegrityAlgorithmsRequestListValue
│         │ └ properties
│         │    └Value: string
│         ├[+] type VpnTunnelLogOptionsSpecification
│         │ ├  documentation: Options for logging VPN tunnel activity.
│         │ │  name: VpnTunnelLogOptionsSpecification
│         │ └ properties
│         │    └CloudwatchLogOptions: CloudwatchLogOptionsSpecification
│         └[~] type VpnTunnelOptionsSpecification
│           └ properties
│              ├[+] DPDTimeoutAction: string
│              ├[+] DPDTimeoutSeconds: integer
│              ├[+] EnableTunnelLifecycleControl: boolean
│              ├[+] IKEVersions: Array<IKEVersionsRequestListValue>
│              ├[+] LogOptions: VpnTunnelLogOptionsSpecification
│              ├[+] Phase1DHGroupNumbers: Array<Phase1DHGroupNumbersRequestListValue>
│              ├[+] Phase1EncryptionAlgorithms: Array<Phase1EncryptionAlgorithmsRequestListValue>
│              ├[+] Phase1IntegrityAlgorithms: Array<Phase1IntegrityAlgorithmsRequestListValue>
│              ├[+] Phase1LifetimeSeconds: integer
│              ├[+] Phase2DHGroupNumbers: Array<Phase2DHGroupNumbersRequestListValue>
│              ├[+] Phase2EncryptionAlgorithms: Array<Phase2EncryptionAlgorithmsRequestListValue>
│              ├[+] Phase2IntegrityAlgorithms: Array<Phase2IntegrityAlgorithmsRequestListValue>
│              ├[+] Phase2LifetimeSeconds: integer
│              ├[+] RekeyFuzzPercentage: integer
│              ├[+] RekeyMarginTimeSeconds: integer
│              ├[+] ReplayWindowSize: integer
│              ├[+] StartupAction: string
│              └[+] TunnelInsideIpv6Cidr: string
├[~] service aws-ecs
│ └ resources
│    ├[~] resource AWS::ECS::CapacityProvider
│    │ └ properties
│    │    └ AutoScalingGroupProvider: - AutoScalingGroupProvider (required)
│    │                                + AutoScalingGroupProvider
│    └[~] resource AWS::ECS::TaskSet
│      ├ properties
│      │  └ CapacityProviderStrategy: (documentation changed)
│      └ types
│         └[~] type CapacityProviderStrategyItem
│           ├  - documentation: undefined
│           │  + documentation: The details of a capacity provider strategy. A capacity provider strategy can be set when using the [RunTask](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RunTask.html) or [CreateCluster](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_CreateCluster.html) APIs or as the default capacity provider strategy for a cluster with the `CreateCluster` API.
│           │  Only capacity providers that are already associated with a cluster and have an `ACTIVE` or `UPDATING` status can be used in a capacity provider strategy. The [PutClusterCapacityProviders](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PutClusterCapacityProviders.html) API is used to associate a capacity provider with a cluster.
│           │  If specifying a capacity provider that uses an Auto Scaling group, the capacity provider must already be created. New Auto Scaling group capacity providers can be created with the [CreateClusterCapacityProvider](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_CreateClusterCapacityProvider.html) API operation.
│           │  To use a AWS Fargate capacity provider, specify either the `FARGATE` or `FARGATE_SPOT` capacity providers. The AWS Fargate capacity providers are available to all accounts and only need to be associated with a cluster to be used in a capacity provider strategy.
│           │  With `FARGATE_SPOT` , you can run interruption tolerant tasks at a rate that's discounted compared to the `FARGATE` price. `FARGATE_SPOT` runs tasks on spare compute capacity. When AWS needs the capacity back, your tasks are interrupted with a two-minute warning. `FARGATE_SPOT` supports Linux tasks with the X86_64 architecture on platform version 1.3.0 or later. `FARGATE_SPOT` supports Linux tasks with the ARM64 architecture on platform version 1.4.0 or later.
│           │  A capacity provider strategy may contain a maximum of 6 capacity providers.
│           └ properties
│              ├ Base: (documentation changed)
│              ├ CapacityProvider: (documentation changed)
│              └ Weight: (documentation changed)
├[~] service aws-eks
│ └ resources
│    └[~] resource AWS::EKS::Cluster
│      └ properties
│         └ Name: (documentation changed)
├[~] service aws-elasticloadbalancingv2
│ └ resources
│    └[~] resource AWS::ElasticLoadBalancingV2::LoadBalancer
│      └ types
│         └[~] type LoadBalancerAttribute
│           └ properties
│              └ Key: (documentation changed)
├[~] service aws-fms
│ └ resources
│    └[~] resource AWS::FMS::Policy
│      └ types
│         ├[+] type IcmpTypeCode
│         │ ├  documentation: ICMP protocol: The ICMP type and code.
│         │ │  name: IcmpTypeCode
│         │ └ properties
│         │    ├Code: integer (required)
│         │    └Type: integer (required)
│         ├[~] type NetworkAclCommonPolicy
│         │ └ properties
│         │    └[+] NetworkAclEntrySet: NetworkAclEntrySet (required)
│         ├[+] type NetworkAclEntry
│         │ ├  documentation: Describes a rule in a network ACL.
│         │ │  Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining
│         │ │  whether a packet should be allowed in or out of a subnet associated with the network ACL, AWS processes the entries in the network ACL according to the rule numbers, in ascending order.
│         │ │  When you manage an individual network ACL, you explicitly specify the rule numbers. When you specify the network ACL rules in a Firewall Manager policy, you provide the rules to run first, in the order that you want them to run, and the rules to run last, in the order that you want them to run. Firewall Manager assigns the rule numbers for you when you save the network ACL policy specification.
│         │ │  name: NetworkAclEntry
│         │ └ properties
│         │    ├CidrBlock: string
│         │    ├Egress: boolean (required)
│         │    ├IcmpTypeCode: IcmpTypeCode
│         │    ├Ipv6CidrBlock: string
│         │    ├PortRange: PortRange
│         │    ├Protocol: string (required)
│         │    └RuleAction: string (required)
│         ├[+] type NetworkAclEntrySet
│         │ ├  documentation: The configuration of the first and last rules for the network ACL policy, and the remediation settings for each.
│         │ │  name: NetworkAclEntrySet
│         │ └ properties
│         │    ├FirstEntries: Array<NetworkAclEntry>
│         │    ├ForceRemediateForFirstEntries: boolean (required)
│         │    ├LastEntries: Array<NetworkAclEntry>
│         │    └ForceRemediateForLastEntries: boolean (required)
│         └[+] type PortRange
│           ├  documentation: TCP or UDP protocols: The range of ports the rule applies to.
│           │  name: PortRange
│           └ properties
│              ├From: integer (required)
│              └To: integer (required)
├[~] service aws-gamelift
│ └ resources
│    └[~] resource AWS::GameLift::ContainerGroupDefinition
│      ├ properties
│      │  ├[+] SourceVersionNumber: integer
│      │  └[+] SupportContainerDefinitions: Array<json>
│      └ attributes
│         ├[+] Status: string
│         └[+] StatusReason: string
├[~] service aws-glue
│ └ resources
│    ├[~] resource AWS::Glue::Crawler
│    │ └ attributes
│    │    └[-] Id: string
│    ├[~] resource AWS::Glue::Schema
│    │ └ properties
│    │    └ SchemaDefinition: - string (required, immutable)
│    │                        + string (immutable)
│    └[~] resource AWS::Glue::UsageProfile
│      ├ properties
│      │  └[+] Configuration: ProfileConfiguration
│      └ types
│         ├[+] type ConfigurationObject
│         │ ├  documentation: Specifies the values that an admin sets for each job or session parameter configured in a AWS Glue usage profile.
│         │ │  name: ConfigurationObject
│         │ └ properties
│         │    ├DefaultValue: string
│         │    ├AllowedValues: Array<string>
│         │    ├MinValue: string
│         │    └MaxValue: string
│         └[+] type ProfileConfiguration
│           ├  documentation: Specifies the job and session values that an admin configures in an AWS Glue usage profile.
│           │  name: ProfileConfiguration
│           └ properties
│              ├JobConfiguration: Map<string, ConfigurationObject>
│              └SessionConfiguration: Map<string, ConfigurationObject>
├[~] service aws-kinesis
│ └ resources
│    └[~] resource AWS::Kinesis::ResourcePolicy
│      ├  - documentation: Resource Type definition for AWS::Kinesis::ResourcePolicy
│      │  + documentation: Attaches a resource-based policy to a data stream or registered consumer. If you are using an identity other than the root user of the AWS account that owns the resource, the calling identity must have the `PutResourcePolicy` permissions on the specified Kinesis Data Streams resource and belong to the owner's account in order to use this operation. If you don't have `PutResourcePolicy` permissions, Amazon Kinesis Data Streams returns a `403 Access Denied error` . If you receive a `ResourceNotFoundException` , check to see if you passed a valid stream or consumer resource.
│      │  Request patterns can be one of the following:
│      │  - Data stream pattern: `arn:aws.*:kinesis:.*:\d{12}:.*stream/\S+`
│      │  - Consumer pattern: `^(arn):aws.*:kinesis:.*:\d{12}:.*stream\/[a-zA-Z0-9_.-]+\/consumer\/[a-zA-Z0-9_.-]+:[0-9]+`
│      │  For more information, see [Controlling Access to Amazon Kinesis Data Streams Resources Using IAM](https://docs.aws.amazon.com/streams/latest/dev/controlling-access.html) .
│      └ properties
│         ├[+] ResourceArn: string (required, immutable)
│         └ ResourcePolicy: (documentation changed)
├[~] service aws-mediapackagev2
│ └ resources
│    ├[~] resource AWS::MediaPackageV2::Channel
│    │ └ properties
│    │    └ InputType: (documentation changed)
│    └[~] resource AWS::MediaPackageV2::OriginEndpoint
│      ├ properties
│      │  └ ForceEndpointErrorConfiguration: (documentation changed)
│      └ types
│         └[~] type ForceEndpointErrorConfiguration
│           ├  - documentation: <p>The failover settings for the endpoint.</p>
│           │  + documentation: The failover settings for the endpoint.
│           └ properties
│              └ EndpointErrorConditions: (documentation changed)
├[~] service aws-networkfirewall
│ └ resources
│    └[~] resource AWS::NetworkFirewall::FirewallPolicy
│      └ types
│         ├[+] type FlowTimeouts
│         │ ├  name: FlowTimeouts
│         │ └ properties
│         │    └TcpIdleTimeoutSeconds: integer
│         └[~] type StatefulEngineOptions
│           └ properties
│              └[+] FlowTimeouts: FlowTimeouts
├[~] service aws-qbusiness
│ └ resources
│    ├[~] resource AWS::QBusiness::DataSource
│    │ └ properties
│    │    └ Configuration: (documentation changed)
│    └[~] resource AWS::QBusiness::WebExperience
│      └ properties
│         └[+] Origins: Array<string>
├[~] service aws-quicksight
│ └ resources
│    ├[~] resource AWS::QuickSight::Analysis
│    │ ├ properties
│    │ │  └[+] FolderArns: Array<string>
│    │ └ types
│    │    └[~] type DestinationParameterValueConfiguration
│    │      └ properties
│    │         └ SourceColumn: (documentation changed)
│    ├[~] resource AWS::QuickSight::Dashboard
│    │ ├ properties
│    │ │  └[+] FolderArns: Array<string>
│    │ └ types
│    │    └[~] type DestinationParameterValueConfiguration
│    │      └ properties
│    │         └ SourceColumn: (documentation changed)
│    ├[~] resource AWS::QuickSight::DataSet
│    │ └ types
│    │    ├[~] type CustomSql
│    │    │ └ properties
│    │    │    └ Columns: - Array<InputColumn> (required)
│    │    │               + Array<InputColumn>
│    │    ├[~] type RelationalTable
│    │    │ └ properties
│    │    │    └ InputColumns: - Array<InputColumn> (required)
│    │    │                    + Array<InputColumn>
│    │    └[~] type TransformOperation
│    │      └ properties
│    │         └ OverrideDatasetParameterOperation: (documentation changed)
│    ├[~] resource AWS::QuickSight::DataSource
│    │ └ properties
│    │    └[+] FolderArns: Array<string>
│    ├[~] resource AWS::QuickSight::Folder
│    │ └ properties
│    │    ├ AwsAccountId: (documentation changed)
│    │    ├ ParentFolderArn: (documentation changed)
│    │    └ Permissions: (documentation changed)
│    ├[~] resource AWS::QuickSight::Template
│    │ └ types
│    │    └[~] type DestinationParameterValueConfiguration
│    │      └ properties
│    │         └ SourceColumn: (documentation changed)
│    └[~] resource AWS::QuickSight::Theme
│      └ types
│         └[~] type ThemeConfiguration
│           └ properties
│              └ Typography: (documentation changed)
├[~] service aws-redshift
│ └ resources
│    ├[~] resource AWS::Redshift::Cluster
│    │ ├ properties
│    │ │  ├[+] MasterPasswordSecretKmsKeyId: string
│    │ │  └ NodeType: (documentation changed)
│    │ └ types
│    │    └[~] type LoggingProperties
│    │      └ properties
│    │         └ S3KeyPrefix: (documentation changed)
│    └[+] resource AWS::Redshift::Integration
│      ├  name: Integration
│      │  cloudFormationType: AWS::Redshift::Integration
│      │  documentation: Integration from a source AWS service to a Redshift cluster
│      │  tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│      ├ properties
│      │  ├IntegrationName: string
│      │  ├SourceArn: string (required, immutable)
│      │  ├TargetArn: string (required, immutable)
│      │  ├Tags: Array<tag>
│      │  ├KMSKeyId: string (immutable)
│      │  └AdditionalEncryptionContext: Map<string, string> (immutable)
│      └ attributes
│         ├IntegrationArn: string
│         └CreateTime: string
├[~] service aws-route53profiles
│ └ resources
│    └[~] resource AWS::Route53Profiles::ProfileAssociation
│      └ properties
│         └ ProfileId: (documentation changed)
├[~] service aws-route53resolver
│ └ resources
│    └[~] resource AWS::Route53Resolver::ResolverRule
│      ├ properties
│      │  └[-] DelegationRecord: string
│      └ types
│         └[~] type TargetAddress
│           └ properties
│              └[+] ServerNameIndication: string
├[~] service aws-s3
│ └ resources
│    ├[~] resource AWS::S3::Bucket
│    │ └ types
│    │    ├[~] type LifecycleConfiguration
│    │    │ └ properties
│    │    │    ├ Rules: (documentation changed)
│    │    │    └ TransitionDefaultMinimumObjectSize: (documentation changed)
│    │    └[~] type ServerSideEncryptionByDefault
│    │      └  - documentation: Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. For more information, see [PutBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html) .
│    │         > - *General purpose buckets* - If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an AWS KMS key ( `aws/s3` ) in your AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS.
│    │         > - *Directory buckets* - Your SSE-KMS configuration can only support 1 [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) per directory bucket for the lifetime of the bucket. [AWS managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) ( `aws/s3` ) isn't supported.
│    │         > - *Directory buckets* - For directory buckets, there are only two supported options for server-side encryption: SSE-S3 and SSE-KMS.
│    │         + documentation: Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. For more information, see [PutBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html) .
│    │         > - *General purpose buckets* - If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an AWS KMS key ( `aws/s3` ) in your AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS.
│    │         > - *Directory buckets* - Your SSE-KMS configuration can only support 1 [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) per directory bucket for the lifetime of the bucket. The [AWS managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) ( `aws/s3` ) isn't supported.
│    │         > - *Directory buckets* - For directory buckets, there are only two supported options for server-side encryption: SSE-S3 and SSE-KMS.
│    └[~] resource AWS::S3::StorageLens
│      └ types
│         └[~] type AccountLevel
│           └ properties
│              └ BucketLevel: (documentation changed)
├[~] service aws-s3express
│ └ resources
│    └[~] resource AWS::S3Express::DirectoryBucket
│      └ types
│         └[~] type ServerSideEncryptionByDefault
│           └ properties
│              └[+] KMSMasterKeyID: string
├[~] service aws-s3outposts
│ └ resources
│    └[~] resource AWS::S3Outposts::Bucket
│      └ types
│         ├[~] type Filter
│         │ ├  - documentation: undefined
│         │ │  + documentation: The container for the filter of the lifecycle rule.
│         │ └ properties
│         │    ├ Prefix: (documentation changed)
│         │    └ Tag: (documentation changed)
│         ├[~] type FilterAndOperator
│         │ └ properties
│         │    ├ Prefix: (documentation changed)
│         │    └ Tags: (documentation changed)
│         ├[~] type FilterTag
│         │ └  - documentation: undefined
│         │    + documentation: Tag used to identify a subset of objects for an Amazon S3Outposts bucket.
│         └[~] type Rule
│           └ properties
│              ├ Filter: - json
│              │         + Filter ⇐ json
│              └ Id: (documentation changed)
├[~] service aws-sagemaker
│ └ resources
│    └[~] resource AWS::SageMaker::ImageVersion
│      ├ properties
│      │  └[-] Version: integer
│      └ attributes
│         └ Version: (documentation changed)
├[~] service aws-ssmquicksetup
│ └ resources
│    └[~] resource AWS::SSMQuickSetup::ConfigurationManager
│      └ types
│         └[~] type ConfigurationDefinition
│           └ properties
│              └ Parameters: (documentation changed)
├[~] service aws-transfer
│ └ resources
│    └[~] resource AWS::Transfer::Server
│      ├ properties
│      │  ├ IdentityProviderDetails: (documentation changed)
│      │  ├ Protocols: - Array<json> ⇐ Array<string>
│      │  │            + Array<string>
│      │  └ StructuredLogDestinations: - Array<json> ⇐ Array<string>
│      │                               + Array<string>
│      ├ attributes
│      │  └[+] As2ServiceManagedEgressIpAddresses: Array<string>
│      └ types
│         ├[~] type IdentityProviderDetails
│         │ └  - documentation: Required when `IdentityProviderType` is set to `AWS_DIRECTORY_SERVICE` , `AWS _LAMBDA` or `API_GATEWAY` . Accepts an array containing all of the information required to use a directory in `AWS_DIRECTORY_SERVICE` or invoke a customer-supplied authentication API, including the API Gateway URL. Not required when `IdentityProviderType` is set to `SERVICE_MANAGED` .
│         │    + documentation: Required when `IdentityProviderType` is set to `AWS_DIRECTORY_SERVICE` , `AWS _LAMBDA` or `API_GATEWAY` . Accepts an array containing all of the information required to use a directory in `AWS_DIRECTORY_SERVICE` or invoke a customer-supplied authentication API, including the API Gateway URL. Cannot be specified when `IdentityProviderType` is set to `SERVICE_MANAGED` .
│         └[~] type ProtocolDetails
│           └ properties
│              └ As2Transports: - Array<json> ⇐ Array<string>
│                               + Array<string>
├[~] service aws-waf
│ └ resources
│    ├[~] resource AWS::WAF::ByteMatchSet
│    │ └ types
│    │    ├[~] type ByteMatchTuple
│    │    │ └  - documentation: > Deprecation notice: AWS WAF Classic support will end on September 30, 2025.
│    │    │    > 
│    │    │    > This is *AWS WAF Classic* documentation. For more information, see [AWS WAF Classic](https://docs.aws.amazon.com/waf/latest/developerguide/classic-waf-chapter.html) in the developer guide.
│    │    │    > 
│    │    │    > *For the latest version of AWS WAF* , use the AWS WAF V2 API and see the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) . With the latest version, AWS WAF has a single set of endpoints for regional and global use. 
│    │    │    The bytes (typically a string that corresponds with ASCII characters) that you want AWS WAF to search for in web requests, the location in requests that you want AWS WAF to search, and other settings.
│    │    │    + documentation: > AWS WAF Classic support will end on September 30, 2025.
│    │    │    > 
│    │    │    > This is *AWS WAF Classic* documentation. For more information, see [AWS WAF Classic](https://docs.aws.amazon.com/waf/latest/developerguide/classic-waf-chapter.html) in the developer guide.
│    │    │    > 
│    │    │    > *For the latest version of AWS WAF* , use the AWS WAF V2 API and see the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/d…
…31806)

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change



If there is a lifecycle rule that does not contain one of the specified properties, an error is raised.

```ts
const app = new App();
const stack = new Stack(app, 'aws-cdk-s3');

// An error occurs
new Bucket(stack, 'MyBucket', {
  lifecycleRules: [
    // is invalid
    {
      objectSizeLessThan: 300000,
      objectSizeGreaterThan: 200000,
    },
  ],
});
```

```ts
const app = new App();
const stack = new Stack(app, 'aws-cdk-s3');

// An error occurs
new Bucket(stack, 'MyBucket', {
  lifecycleRules: [
    // is valid
    {
      abortIncompleteMultipartUploadAfter: Duration.days(365),
    },
    // is invalid
    {
      objectSizeLessThan: 300000,
      objectSizeGreaterThan: 200000,
    },
  ],
});
```

A CFn message:

```
Invalid request provided: At least one of [ExpirationDate,ExpirationInDays,AbortIncompleteMultipartUpload,Transition,Transitions,NoncurrentVersionExpirationInDays,NoncurrentVersionTransition,NoncurrentVersionTransitions,NoncurrentVersionExpiration,ExpiredObjectDeleteMarker] needs to be specified
```

The properties in CFn properties:

- AbortIncompleteMultipartUpload
- ExpirationDate
- ExpirationInDays
- ExpiredObjectDeleteMarker
- NoncurrentVersionExpirationInDays
- NoncurrentVersionTransition
- NoncurrentVersionTransitions
- NoncurrentVersionExpiration
- Transition
- Transitions

The properties in L2 props:

- abortIncompleteMultipartUploadAfter
- expiration
- expirationDate
- expiredObjectDeleteMarker
- noncurrentVersionExpiration
- noncurrentVersionsToRetain
- noncurrentVersionTransitions
- transitions

### Description of changes



Check whether a rule has required properties in lifecycleRules for L2 BucketProps.

```ts
if (
  rule.abortIncompleteMultipartUploadAfter === undefined &&
  rule.expiration === undefined &&
  rule.expirationDate === undefined &&
  rule.expiredObjectDeleteMarker === undefined &&
  rule.noncurrentVersionExpiration === undefined &&
  rule.noncurrentVersionsToRetain === undefined &&
  rule.noncurrentVersionTransitions === undefined &&
  rule.transitions === undefined
) {
  throw new Error('All rules for `lifecycleRules` must have at least one of the following properties: `abortIncompleteMultipartUploadAfter`, `expiration`, `expirationDate`, `expiredObjectDeleteMarker`, `noncurrentVersionExpiration`, `noncurrentVersionsToRetain`, `noncurrentVersionTransitions`, or `transitions`');
}
```

### Description of how you validated changes



Unit tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…#31778)

### Issue # (if applicable)

Closes #31777.

### Reason for this change



TransitionDefaultMinimumObjectSize for lifecycles is now supported. It is possible to indicate which default minimum object size behavior is applied to the lifecycle configuration.

What's new: https://aws.amazon.com/about-aws/whats-new/2024/09/amazon-s3-default-minimum-object-size-lifecycle-transition-rules

UserGuide: https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-transition-general-considerations.html#lifecycle-configuration-constraints

Cfn doc: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-lifecycleconfiguration.html#cfn-s3-bucket-lifecycleconfiguration-transitiondefaultminimumobjectsize

API: https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-lifecycle-configuration.html

The CFn documentation still says “Property description not available”, so it is good to look at the API documentation for the description.

```
--transition-default-minimum-object-size (string)

Indicates which default minimum object size behavior is applied to the lifecycle configuration.

all_storage_classes_128K - Objects smaller than 128 KB will not transition to any storage class by default.
varies_by_storage_class - Objects smaller than 128 KB will transition to Glacier Flexible Retrieval or Glacier Deep Archive storage classes. By default, all other storage classes will prevent transitions smaller than 128 KB.
To customize the minimum object size for any transition you can add a filter that specifies a custom ObjectSizeGreaterThan or ObjectSizeLessThan in the body of your transition rule. Custom filters always take precedence over the default transition behavior.

Possible values:

varies_by_storage_class
all_storage_classes_128K
```

### Description of changes



Add `TransitionDefaultMinimumObjectSize` to BucketProps.

### Description of how you validated changes



Both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change


The [CfnAccessPoint](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_efs.CfnAccessPoint.html) construct supports client token specification. However, the current L2 implementation of [AccessPoint](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_efs.AccessPoint.html) does not support this property. 

The `disable-update-workflow` option was needed when running the updated integration test.

### Description of changes


Added the `clientToken` prop to the existing props of AccessPoint. 
### Description of how you validated changes


Validated with unit and integration testing. 

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…alid policy for default StateMachineRole (#31801)

### Issue # (if applicable)

Closes #31714.

### Reason for this change

Currently, the Step Functions `runEcsTask()` will create an IAM policy. The `Resource` section is an ARN constructed by CDK with a wildcard `*` appended at the end. However, CDK should `Ref` the resource directly instead of constructing the ARN, while keeping the revision number.

### Description of changes

The same solution as #31615. However, this change needs to be behind a feature flag because it could be a breaking change.

### Description of how you validated changes

Integration test. Also checked the synth template.

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
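
The policy difference described in the commit message above, as an added example that is not part of this PR or of the CDK code base: an audit over a synthesized CloudFormation template that flags `ecs:RunTask` statements whose `Resource` renders to text ending in `*`. The sample template, its logical IDs and all function names are constructed for illustration, and the joined-ARN shape is an assumption about what the pre-fix policy looks like.

```typescript
// Added example: flag ecs:RunTask grants whose Resource is a hand-built ARN
// ending in "*" (or a bare "*") rather than a Ref to the task definition.
type Json = any;
interface Finding { policy: string; resource: string; }

function toArray(v: Json): Json[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Render a Resource value as text; Ref and Fn::Join are the only intrinsics handled.
function render(value: Json): string {
  if (typeof value === 'string') return value;
  if (value && value.Ref) return '{Ref:' + value.Ref + '}';
  if (value && value['Fn::Join']) {
    const sep: string = value['Fn::Join'][0];
    return toArray(value['Fn::Join'][1]).map(render).join(sep);
  }
  return JSON.stringify(value);
}

// IAM action names are case-insensitive; "*" and "ecs:*" also cover RunTask.
function grantsRunTask(action: Json): boolean {
  if (typeof action !== 'string') return false;
  const a = action.toLowerCase();
  return a === '*' || a === 'ecs:*' || a === 'ecs:runtask';
}

function findWildcardRunTask(template: Json): Finding[] {
  const findings: Finding[] = [];
  const resources = template.Resources || {};
  for (const id of Object.keys(resources)) {
    if (resources[id].Type !== 'AWS::IAM::Policy') continue;
    const doc = (resources[id].Properties || {}).PolicyDocument || {};
    for (const stmt of toArray(doc.Statement)) {
      if (stmt.Effect !== 'Allow' || !toArray(stmt.Action).some(grantsRunTask)) continue;
      for (const res of toArray(stmt.Resource)) {
        const text = render(res);
        if (text.slice(-1) === '*') findings.push({ policy: id, resource: text });
      }
    }
  }
  return findings;
}

// Constructed sample: statement 1 is a joined ARN with a trailing wildcard,
// statement 2 uses Ref, which yields the task definition ARN with its revision.
const sampleTemplate: Json = { Resources: { StateMachineRoleDefaultPolicy: {
  Type: 'AWS::IAM::Policy',
  Properties: { PolicyDocument: { Statement: [
    { Effect: 'Allow', Action: 'ecs:RunTask', Resource: { 'Fn::Join': ['', [
      'arn:', { Ref: 'AWS::Partition' }, ':ecs:us-east-1:111122223333:task-definition/demo:*']] } },
    { Effect: 'Allow', Action: 'ecs:RunTask', Resource: { Ref: 'DemoTaskDef' } },
  ] } },
} } };
```

Running `findWildcardRunTask` over the JSON template produced by `cdk synth` gives a per-policy list to compare before and after the change.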
…uster (#31803)

### Issue # (if applicable)

Closes #31802.

### Reason for this change



Amazon Aurora PostgreSQL now supports local write forwarding:

What's new: https://aws.amazon.com/about-aws/whats-new/2024/10/amazon-aurora-postgresql-local-write-forwarding/

Reference: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-postgresql-write-forwarding.html

The current CDK L2 construct only supports MySQL, but PostgreSQL needs to be supported as well.

### Description of changes



Remove the validation that engineType is either aurora or aurora-mysql, and modify docs.

### Description of how you validated changes



Both unit tests and an integ test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #30531.

### Reason for this change

EventBus L2 construct doesn't support configuring a dead letter queue.

### Description of changes

Add `deadLetterQueue` prop to `EventBusProps`

### Description of how you validated changes

Add both unit and integ test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…31813)

### Issue # (if applicable)

Closes #31731

### Reason for this change



As @GavinZZ commented in issue #31731, the official AWS S3 documentation stated that uppercase characters were permitted in bucket names prior to March 1, 2018.

### Description of changes


- add support for uppercase characters in legacy bucket names

### Description of how you validated changes



- added new unit test cases and updated the integration test cases with legacy bucket names

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…1799)

### Issue # (if applicable)

N/A

### Reason for this change

The `targetOverrides` prop is adding confusion to the API as it overrides what is set on the target. A better way to reuse target props would be:
```ts
// someInput stands for whatever input the targets share
const targetBaseProps = { input: someInput };

const schedule1 = new Schedule(this, 'Schedule', {
    scheduleExpression: ScheduleExpression.cron({ day: '20' }),
    target: new targets.LambdaInvoke(props.func, {
        ...targetBaseProps,
        // override whatever or not to override
    }),
});
```

### Description of changes

Removed `targetOverrides` prop and the related tests. Also updated the integ test which was using the prop.

### Description of how you validated changes

Removing a prop so n/a.

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

----

BREAKING CHANGE: This PR removes the `targetOverrides` prop from the `Schedule` construct.
## S3 Asset Garbage Collection

This PR introduces a new CLI command under the new `--unstable` flag. This flag ensures that users understand and opt-in to experimental or incomplete CLI features.

`cdk gc` will garbage collect unused assets in your bootstrapped S3 bucket. It goes through each object in the bucket, checks to see if the asset hash shows up in a CloudFormation stack, and if not, tags the object as unused and/or deletes the object (depending on your configuration).

## **THIS COMMAND WILL DELETE OBJECTS IN YOUR BOOTSTRAPPED S3 BUCKET**

basic garbage collection (immediately deletes objects that are unused):

```bash
cdk gc aws://0123456789012/us-east-1 \
  --unstable='gc' \
  --type='s3'
```

garbage collection with a buffer (deletes unused objects > # of days specified):

```bash
cdk gc aws://0123456789012/us-east-1 \
  --unstable='gc' \
  --type='s3' \
  --rollback-buffer-days=30
```

garbage collection with a created at buffer (deletes unused objects only if they have lived longer than this many days):

```bash
cdk gc aws://0123456789012/us-east-1 \
  --unstable='gc' \
  --type='s3' \
  --created-buffer-days=5
```

garbage collect a specific bootstrap stack:

```bash
cdk gc aws://0123456789012/us-east-1 \
  --unstable='gc' \
  --type='s3' \
  --bootstrap-stack-name=cdktest-0lc2i3vebi7-bootstrap-stack
```

before actually deleting your assets, you will be prompted one last time:

```bash
Found 1 objects to delete based off of the following criteria:
- objects have been isolated for > 0 days
- objects were created > 0 days ago

Delete this batch (yes/no/delete-all)?
```

To disable this, specify the `--skip-delete-prompt` option.

## Todo in another PR

- [ ] ECR asset collection

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@aws-cdk-automation aws-cdk-automation added auto-approve pr/no-squash This PR should be merged instead of squash-merging it labels Oct 21, 2024
@github-actions github-actions bot added the p2 label Oct 21, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team October 21, 2024 21:07
@moelasmar moelasmar added pr/do-not-merge This PR should not be merged at this time. and removed pr/do-not-merge This PR should not be merged at this time. labels Oct 21, 2024
@aws-cdk-automation
Collaborator Author

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: f03e52f
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Contributor

mergify bot commented Oct 21, 2024

Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit ad5325a into v2-release Oct 21, 2024
8 of 9 checks passed
@mergify mergify bot deleted the bump/2.163.0 branch October 21, 2024 21:57

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 21, 2024