chore(release): 2.244.0#37286

Closed
aws-cdk-automation wants to merge 36 commits into v2-release from bump/2.244.0

Conversation


@aws-cdk-automation aws-cdk-automation commented Mar 19, 2026

See CHANGELOG

dependabot Bot and others added 30 commits March 11, 2026 11:09
… across 1 directory (#37222)

Bumps the npm_and_yarn group with 1 update in the / directory: [tar](https://github.com/isaacs/node-tar).

Updates `tar` from 7.5.10 to 7.5.11
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/isaacs/node-tar/commit/bf776f673164215074b62749e0fe80e5834588f4"><code>bf776f6</code></a> 7.5.11</li>
<li><a href="https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad"><code>f48b5fa</code></a> prevent escaping symlinks with drive-relative paths</li>
<li><a href="https://github.com/isaacs/node-tar/commit/97cff15d3539a37a4095eb3d287147d9d77c2dc3"><code>97cff15</code></a> docs: more security info</li>
<li>See full diff in <a href="https://github.com/isaacs/node-tar/compare/v7.5.10...v7.5.11">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=tar&package-manager=npm_and_yarn&previous-version=7.5.10&new-version=7.5.11)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts).

</details>
### Reason for this change

The existing design docs use "modifies a resource's own configuration" as the primary criterion for choosing a Mixin over a Facade. This framing is too narrow — it implies that Mixins must set properties on the L1 resource, which excludes valid Mixins like `BucketAutoDeleteObjects` and vended logs delivery that create auxiliary resources without touching the L1 at all.

This led to confusion when classifying features like vended logs delivery, where the Mixin creates a `DeliverySource`, `DeliveryDestination`, and `Delivery` alongside the target resource. Under the old framing, this looks like a Facade because it "doesn't modify the resource." But it's clearly a feature *of* the target resource — the delivery pipeline exists to serve it.

### Description of changes

The core reframing across all three docs is from "does it modify the resource?" to "is this feature *about* the target resource?"

In `design/mixins-facades-traits.md`, `docs/DESIGN_GUIDELINES.md`, and `docs/MIXINS_DESIGN_GUIDELINES.md`:

The Mixin definition changes from "inward-looking features that modify a resource's own configuration" to "inward-looking features that extend a resource's own behavior." The auxiliary resource pattern (custom resource handlers, delivery sources, policy resources) is elevated from a parenthetical aside to a first-class Mixin pattern with concrete examples.

The Facade definition now emphasizes directionality as the defining characteristic: a Facade serves an *external consumer*, not the target resource. The `BucketGrants` example makes this concrete — the grant serves the grantee, not the bucket.

The decision table replaces "Does it modify the resource itself?" / "Does it integrate with external things?" with "Is the feature about the target resource?" / "Does it serve an external consumer?"

### Description of how you validated changes

Tested the updated docs by giving a separate AI model the classification task with 10 edge-case scenarios (including vended logs delivery, auto-delete objects, S3 notifications with external destination props). The model correctly classified all 10 using the updated heuristics.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change

Mixins and Aspects are both implementations of the visitor pattern, but they operate at different phases: Mixins apply immediately (imperative), while Aspects apply during synthesis (declarative). Users who have existing Aspects may want to reuse them as Mixins, and vice versa, without having to rewrite their logic. Currently there is no built-in way to bridge between the two systems.

### Description of changes

This PR introduces a `Shims` class in `aws-cdk-lib/core` that provides two static methods for converting between Aspects and Mixins.

`Shims.asMixin()` wraps an existing Aspect so it can be applied immediately as a Mixin. Since Aspects don't have a `supports()` filter, the resulting Mixin visits every construct in the scope — matching the behavior users would expect from the original Aspect.

`Shims.asAspect()` wraps a Mixin so it can be deferred to the synthesis phase as an Aspect. The key design decision here is that the Mixin's `supports()` method is preserved as a filter in the Aspect's `visit()` call. This means constructs that the Mixin doesn't support are silently skipped, which is consistent with how Mixins normally behave.

The README is updated with a new section showing both conversion directions with practical examples. The rosetta fixture is extended to support the new code samples.

### Describe any new or updated permissions being added

No new permissions.

### Description of how you validated changes

Unit tests cover both conversion directions, including filtering behavior for `asAspect()` and the universal `supports()` behavior for `asMixin()`.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
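The two conversion directions described in the commit message above, as an added, stand-alone model (this is not aws-cdk-lib's `Shims` class or its `IAspect`/`IMixin` interfaces; the `ConstructNode` tree, the `*Model` names and the sample constructs are assumptions made for this example). It shows the asymmetry the message points out: an Aspect wrapped as a Mixin visits everything in scope immediately, while a Mixin wrapped as an Aspect keeps its `supports()` check as a filter, so unsupported constructs are skipped during the deferred synthesis walk.

```typescript
// Added example: a stand-alone model of the Aspect <-> Mixin bridge described
// in the commit message above. It is NOT aws-cdk-lib's Shims class; the
// ConstructNode tree, the interfaces and the names are assumptions for this example.

// Minimal stand-in for a construct: an id, a kind and child nodes.
class ConstructNode {
  readonly children: ConstructNode[] = [];
  constructor(readonly id: string, readonly kind: string, parent?: ConstructNode) {
    if (parent) parent.children.push(this);
  }
  // This node followed by every descendant, in pre-order (the node's "scope").
  findAll(): ConstructNode[] {
    const out: ConstructNode[] = [this];
    for (const c of this.children) out.push(...c.findAll());
    return out;
  }
}

interface IAspectModel { visit(node: ConstructNode): void; }
interface IMixinModel {
  supports(node: ConstructNode): boolean;
  applyTo(node: ConstructNode): void;
}

class ShimsModel {
  // Aspect -> Mixin. An Aspect has no supports() filter, so the Mixin accepts
  // everything and applyTo() walks the whole scope immediately (imperative).
  static asMixin(aspect: IAspectModel): IMixinModel {
    return {
      supports: () => true,
      applyTo: (scope) => { for (const n of scope.findAll()) aspect.visit(n); },
    };
  }
  // Mixin -> Aspect. supports() is kept as the filter inside visit(), so
  // constructs the Mixin does not support are skipped silently.
  static asAspect(mixin: IMixinModel): IAspectModel {
    return { visit: (node) => { if (mixin.supports(node)) mixin.applyTo(node); } };
  }
}

// Deferred phase: a synthesis walker hands every node to every aspect.
function synthModel(root: ConstructNode, aspects: IAspectModel[]): void {
  for (const n of root.findAll()) for (const a of aspects) a.visit(n);
}

// A Mixin that only knows how to handle buckets.
function bucketTagger(log: string[]): IMixinModel {
  return {
    supports: (n) => n.kind === 'Bucket',
    applyTo: (n) => { log.push(`tag:${n.id}`); },
  };
}

// An Aspect that records every construct it is given.
function visitRecorder(log: string[]): IAspectModel {
  return { visit: (n) => { log.push(`seen:${n.id}`); } };
}

// Constructed sample tree: App -> Stack -> { Bucket, Function }.
function shimsDemo(): { viaAspect: string[]; viaMixin: string[] } {
  const app = new ConstructNode('App', 'App');
  const stack = new ConstructNode('Stack', 'Stack', app);
  new ConstructNode('Logs', 'Bucket', stack);
  new ConstructNode('Fn', 'Function', stack);

  // 1. Mixin deferred as an Aspect: only the Bucket passes supports().
  const viaAspect: string[] = [];
  synthModel(app, [ShimsModel.asAspect(bucketTagger(viaAspect))]);

  // 2. Aspect applied immediately as a Mixin: every node under the stack is visited.
  const viaMixin: string[] = [];
  ShimsModel.asMixin(visitRecorder(viaMixin)).applyTo(stack);

  return { viaAspect, viaMixin };
}
```

Running `shimsDemo()` yields `viaAspect` containing only the bucket and `viaMixin` containing the stack and both of its children, which is the filtering difference the unit tests described in the message are checking.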
### Reason for this change

The `@aws-cdk/cfn-property-mixins` package was recently graduated to a stable standalone package in #37215. During that work, the `scripts/` directory — which contains the code generation tooling (`gen.ts`, `config.ts`, and their compiled outputs) — was not added to `.npmignore`. These files are only needed at build time to generate the mixin source code and serve no purpose for consumers of the published package. Including them unnecessarily increases the package size on npm.

### Description of changes

Adds `scripts/` to the `.npmignore` file for `@aws-cdk/cfn-property-mixins`, matching the existing exclusion of `test/`. This ensures the code generation scripts are stripped from the published tarball.

### Describe any new or updated permissions being added

No new permissions.

### Description of how you validated changes

The `.npmignore` file already follows the same pattern for `test/`. The `scripts/` directory only contains build-time codegen files that are not referenced by any runtime code.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

The `aws-codeguruprofiler` integration tests fail when deployed to regions where the `AWS::CodeGuruProfiler::ProfilingGroup` CloudFormation resource type is not available (e.g. eu-west-3, sa-east-1, ap-northeast-2, ap-south-1, ca-central-1). The error is:

```
ValidationError: Template format error: Unrecognized resource types: [AWS::CodeGuruProfiler::ProfilingGroup]
```

### Description of changes

Added `regions` constraint to the `IntegTest` props in both CodeGuruProfiler integ tests, restricting deployment to regions where the CFN resource type is confirmed available:

- us-east-1, us-west-2, eu-west-1, eu-central-1, ap-northeast-1, ap-southeast-1, ap-southeast-2

No other code changes. Test logic and assertions are unchanged.

**Files modified:**
- `test/aws-codeguruprofiler/test/integ.profiler-group-import-functions.ts`
- `test/aws-codeguruprofiler/test/integ.profiler-group.ts`

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

```bash
yarn integ \
  test/aws-codeguruprofiler/test/integ.profiler-group-import-functions.js \
  test/aws-codeguruprofiler/test/integ.profiler-group.js \
  --disable-update-workflow --update-on-failed --force \
  --parallel-regions us-east-1 \
  --parallel-regions us-west-2 \
  --parallel-regions eu-west-1 \
  --parallel-regions eu-central-1 \
  --parallel-regions ap-northeast-1 \
  --parallel-regions ap-southeast-1 \
  --verbose
```

Result: Tests: 2 passed, 2 total

- `integ.profiler-group` — SUCCESS (us-east-1, 83.6s)
- `integ.profiler-group-import-functions` — SUCCESS (us-west-2, 163.9s)

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…37160)

### Issue # (if applicable)

N/A

### Reason for this change

The `integ.eks-inference-nodegroup` integration test fails when deployed to regions that don't support AWS Inferentia instance types (`inf1.2xlarge`, `inf2.xlarge`):
```
Could not launch On-Demand Instances. Unsupported - Your requested instance type (inf2.xlarge) is not supported in your requested Availability Zone (sa-east-1b).
```

### Description of changes

Added `regions` constraint to the IntegTest props, limiting deployment to `us-east-1`, `us-east-2`, `us-west-2`, and `eu-west-1` — regions where both `inf1.2xlarge` and `inf2.xlarge` are available. Verified via:
```bash
aws ec2 describe-instance-type-offerings --filters Name=instance-type,Values=inf2.xlarge --region <region>
```

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

```bash
yarn integ test/aws-eks/test/integ.eks-inference-nodegroup.js \
  --disable-update-workflow --update-on-failed --force \
  --parallel-regions eu-west-1 --verbose
```
Result: `Tests: 1 passed, 1 total` (2722s in eu-west-1)

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Overview
---------

We have a mechanism to generate specific grant methods (in `<Resource>Grants`) classes using a `grants.json` file as a source of truth. So, for instance, if we configure methods `publish` and `subscribe` in the file, we will get a `publish()` and a `subscribe()` method in the class.

But it's also important to have an open-ended method that allows users to assign arbitrary permissions to the resource in question. This is already being done in the manually written Grants classes, and the convention that arose was to call these methods `actions()`. This PR introduces the generation of such methods, alongside the specific ones declared in the file.

An example:

```ts
/**
 * Grant the given identity custom permissions
 */
public actions(grantee: iam.IGrantable, actions: Array<string>, options: cdk.EncryptedPermissionsOptions): iam.Grant {
  const result = (this.policyResource ? iam.Grant.addToPrincipalOrResource({
    actions: actions,
    grantee: grantee,
    resourceArns: (options.resourceArns ?? [sns.CfnTopic.arnForTopic(this.resource)]),
    resource: this.policyResource
  }) : iam.Grant.addToPrincipal({
    actions: actions,
    grantee: grantee,
    resourceArns: (options.resourceArns ?? [sns.CfnTopic.arnForTopic(this.resource)])
  }));
  if ((options.keyActions && (options.keyActions.length > 0))) this.encryptedResource?.grantOnKey(grantee, ...options.keyActions);
  return result;
}
```

Implementation notes
----------------------

The method signature takes three parameters: `grantee`, `actions` and `options`. Let's focus on `options` because the other two are straightforward. The type of this parameter can be either `PermissionsOptions` or `EncryptedPermissionsOptions`, depending on whether the resource is an "encrypted resource". See definitions below.

```ts
/**
 * Options for configuring permissions in the `<Resource>.actions()` method.
 */
export interface PermissionsOptions {
  /**
   * The ARNs of the resources to grant permissions on.
   *
   * @default - The ARN of the resource associated with the grant is used.
   */
  readonly resourceArns?: Array<string>;
}

/**
 * Options for configuring permissions on encrypted resources.
 */
export interface EncryptedPermissionsOptions extends PermissionsOptions {
  /**
   * The KMS key actions to grant permissions for.
   *
   * @default - No permission is added to the KMS key, even if it exists
   */
  readonly keyActions?: Array<string>;
}
```

A resource is considered encrypted (a better name would have been "encryptable", but it's too late now) if at least one of the specific methods defines a `keyActions` array, or if the attribute `isEncrypted` is set to true for the resource. This is a new attribute, being introduced in this PR.

The generated code of the specific methods has now been changed to take advantage of this new common method. So, for example, the methods in `TopicGrants` are now:

```ts
public publish(grantee: iam.IGrantable): iam.Grant {
  const actions = ["sns:Publish"];
  return this.actions(grantee, actions, {
    keyActions: ["kms:Decrypt","kms:GenerateDataKey*"]
  });
}

public subscribe(grantee: iam.IGrantable): iam.Grant {
  const actions = ["sns:Subscribe"];
  return this.actions(grantee, actions, {});
}
```

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
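To make the effect of the generated `actions()` method visible, here is an added, self-contained model of it (not aws-cdk-lib code: the `Principal`, `ResourcePolicy` and `KmsKey` stand-ins, the `TopicGrantsModel` name and the sample ARNs are constructed for this example). The model simplifies `iam.Grant.addToPrincipalOrResource` to "add to the grantee's identity policy and mirror into the resource policy when one exists"; what it does show faithfully is the three behaviours the commit message describes: `resourceArns` defaults to the resource's own ARN, key permissions are added only when `keyActions` is present and non-empty, and the specific methods are thin wrappers over `actions()`.

```typescript
// Added example: a stand-alone model of the generated `actions()` method and
// the specific methods built on top of it. It is NOT aws-cdk-lib code; the
// Principal/ResourcePolicy/KmsKey stand-ins and the names below are assumptions.

interface Statement {
  readonly actions: string[];
  readonly resources: string[];
  readonly principal?: string; // only set on resource-side statements
}

// Stand-in for iam.IGrantable: the grantee owns an identity policy.
class Principal {
  readonly policy: Statement[] = [];
  constructor(readonly arn: string) {}
}

// Stand-in for the optional policyResource (e.g. a topic policy).
class ResourcePolicy {
  readonly statements: Statement[] = [];
}

// Stand-in for encryptedResource: records key grants made via grantOnKey().
class KmsKey {
  readonly statements: Statement[] = [];
  constructor(readonly keyArn: string) {}
  grantOnKey(grantee: Principal, ...keyActions: string[]): void {
    this.statements.push({ actions: keyActions, resources: [this.keyArn], principal: grantee.arn });
  }
}

interface PermissionsOptions { readonly resourceArns?: string[]; }
interface EncryptedPermissionsOptions extends PermissionsOptions { readonly keyActions?: string[]; }

class TopicGrantsModel {
  constructor(
    readonly topicArn: string,
    readonly policyResource?: ResourcePolicy,
    readonly encryptedResource?: KmsKey,
  ) {}

  // Open-ended grant. Simplified model: always add to the grantee's identity
  // policy, and mirror into the resource policy when one exists.
  actions(grantee: Principal, actions: string[], options: EncryptedPermissionsOptions): Statement {
    const stmt: Statement = { actions, resources: options.resourceArns ?? [this.topicArn] };
    grantee.policy.push(stmt);
    if (this.policyResource) {
      this.policyResource.statements.push({ ...stmt, principal: grantee.arn });
    }
    // Key permissions are only added when keyActions is present and non-empty.
    if (options.keyActions && options.keyActions.length > 0) {
      this.encryptedResource?.grantOnKey(grantee, ...options.keyActions);
    }
    return stmt;
  }

  publish(grantee: Principal): Statement {
    return this.actions(grantee, ['sns:Publish'], { keyActions: ['kms:Decrypt', 'kms:GenerateDataKey*'] });
  }

  subscribe(grantee: Principal): Statement {
    return this.actions(grantee, ['sns:Subscribe'], {});
  }
}

// Constructed sample: an encrypted topic with a topic policy and two grantees.
function grantsDemo() {
  const key = new KmsKey('arn:aws:kms:us-east-1:111122223333:key/EXAMPLE');
  const topicPolicy = new ResourcePolicy();
  const topic = new TopicGrantsModel('arn:aws:sns:us-east-1:111122223333:alerts', topicPolicy, key);
  const publisher = new Principal('arn:aws:iam::111122223333:role/publisher');
  const reader = new Principal('arn:aws:iam::111122223333:role/reader');

  topic.publish(publisher);   // sns:Publish plus key grants
  topic.subscribe(reader);    // sns:Subscribe, no key grants
  // Custom action scoped to a narrower ARN list than the default.
  topic.actions(reader, ['sns:GetTopicAttributes'],
    { resourceArns: ['arn:aws:sns:us-east-1:111122223333:alerts-*'] });

  const collect = (p: Principal) => p.policy.reduce<string[]>((acc, s) => acc.concat(s.actions), []);
  return {
    publisherActions: collect(publisher),
    readerActions: collect(reader),
    readerResources: reader.policy.map(s => s.resources[0]),
    keyGrantPrincipals: key.statements.map(s => s.principal),
    topicPolicyCount: topicPolicy.statements.length,
  };
}
```

The reader role ends up with two statements and no key grant; the publisher role is the only principal that appears on the key, because `subscribe()` passes `{}` and the `keyActions` branch is never taken.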
### Issue # (if applicable)

N/A — Fixing failing integration tests for `aws-config` module.

### Reason for this change

Three `aws-config` integration tests were failing because:

1. **NoAvailableConfigurationRecorder**: AWS Config requires a Configuration Recorder and Delivery Channel to exist before Config Rules can be created. The CDK `aws-config` L2 constructs (`CustomRule`, `CustomPolicy`, `ManagedRule`, `CloudFormationStackDriftDetectionCheck`) create `AWS::Config::ConfigRule` resources but do NOT create these prerequisites. The test account had no Configuration Recorders.

2. **NAME_COLLISION**: `integ.rule.ts` used the same stack name (`aws-cdk-config-custompolicy`) as `integ.custompolicy.ts`, causing conflicts when running in parallel.

3. **Invalid Guard policy**: `integ.custompolicy.ts` used `policyText: 'lazy-create-test'` which is not valid Guard syntax and was never deployable.

4. **Unsupported evaluation modes**: `integ.rule-evaluation-mode.ts` used `PROACTIVE` evaluation mode for rule types that don't support it (Lambda custom rules, `API_GW_XRAY_ENABLED` managed rule). Per [AWS docs](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-evaluation-mode.html), only `eip-attached` supports proactive evaluation for managed rules.

Original errors:
- `integ.custompolicy`: `Resource handler returned message: "Invalid request provided: NoAvailableConfigurationRecorder"`
- `integ.rule`: `Resource handler returned message: "Invalid request provided: NoAvailableConfigurationRecorder"`
- `integ.rule-evaluation-mode`: `Resource handler returned message: "Invalid request provided: NoAvailableConfigurationRecorder"`

### Description of changes

**All three tests** — Added AWS Config prerequisites to each test stack:
- IAM Role for `config.amazonaws.com` with `AWS_ConfigRole` managed policy
- `CfnConfigurationRecorder` with the IAM role and scoped recording group
- S3 Bucket (`removalPolicy: DESTROY`, `autoDeleteObjects: true`) for the delivery channel
- S3 bucket policy granting `config.amazonaws.com` the `s3:GetBucketAcl`, `s3:ListBucket`, and `s3:PutObject` permissions (per [AWS docs](https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html))
- `CfnDeliveryChannel` pointing to the S3 bucket
- `DependsOn` from all Config Rule constructs to both the recorder and delivery channel

**integ.rule.ts** — Additional fixes:
- Fixed stack name from `aws-cdk-config-custompolicy` to `aws-cdk-config-rule` (collision with integ.custompolicy.ts)
- Removed the "Warning! This test case can not be deployed!" comment (it now deploys successfully)

**integ.custompolicy.ts** — Additional fix:
- Replaced invalid Guard policy text `'lazy-create-test'` with valid Guard rule `'rule check_iam_user { resourceType == "AWS::IAM::User" }'`

**integ.rule-evaluation-mode.ts** — Additional fixes:
- Changed `CustomRule` (Lambda-based) evaluation mode from `PROACTIVE` to `DETECTIVE` (Lambda custom rules don't support proactive evaluation)
- Changed `ManagedRule` from `API_GW_XRAY_ENABLED` with `DETECTIVE_AND_PROACTIVE` to `EIP_ATTACHED` with `DETECTIVE` (`API_GW_XRAY_ENABLED` doesn't support proactive; per [AWS docs](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-evaluation-mode.html) only `eip-attached` supports proactive for managed rules)
- Changed `CustomPolicy` (Guard) evaluation mode to `DETECTIVE`

### Describe any new or updated permissions being added

Each test stack now creates:
- An IAM Role for `config.amazonaws.com` with the `AWS_ConfigRole` managed policy (required for Configuration Recorder)
- An S3 bucket policy granting `config.amazonaws.com` service principal `s3:GetBucketAcl`, `s3:ListBucket`, and `s3:PutObject` permissions (required for Delivery Channel)
- An IAM Role for the S3 auto-delete objects Lambda (from `autoDeleteObjects: true`)

These are test-only resources, not library changes.

### Description of how you validated changes

```bash
yarn integ test/aws-config/test/integ.custompolicy.js test/aws-config/test/integ.rule.js test/aws-config/test/integ.rule-evaluation-mode.js \
  --disable-update-workflow --update-on-failed --force \
  --parallel-regions us-east-1 --parallel-regions us-east-2 --parallel-regions us-west-2 --parallel-regions eu-west-1 \
  --verbose
```

All 3 tests pass. Snapshots updated via integ-runner `--update-on-failed`.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…nation (#37115)

### Issue # (if applicable)
N/A

### Reason for this change
The integ test was failing because S3 buckets are only supported as Lambda on-failure destinations, not on-success. The test incorrectly used `S3Destination` for both `onSuccess` and `onFailure`.

Error: `The provided destination config DestinationConfig(onSuccess=...s3..., onFailure=...s3...) is invalid.`

### Description of changes
Changed the `onSuccess` destination from `S3Destination(successBucket)` to `SqsDestination(successQueue)`. The `onFailure` S3 destination remains unchanged.

### Describe any new or updated permissions being added
N/A (SQS permissions are auto-granted by CDK)

### Description of how you validated changes
```bash
yarn integ test/aws-lambda-destinations/test/integ.destinations.js \
  --disable-update-workflow --update-on-failed --force \
  --parallel-regions us-east-1 --parallel-regions us-east-2
```
Result: 1 passed, 1 total

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…LaunchConfig to LaunchTemplate (#37074)

### Issue # (if applicable)

N/A — Integration test remediation

### Reason for this change

Three `aws-autoscaling` integration tests are failing:

1. **integ.asg-lc**: `"The Launch Configuration creation operation is not available in your account."` — The test explicitly set `AUTOSCALING_GENERATE_LAUNCH_TEMPLATE=false`, forcing deprecated LaunchConfiguration creation which is no longer available.
2. **integ.asg-w-classic-loadbalancer**: `"The requested configuration is currently not supported. Launching EC2 instance failed."` — Uses t2 instance type which is not supported in all regions.
3. **integ.asg-w-elbv2**: Same t2 issue as above.

### Description of changes

**integ.asg-lc.ts:**
- Removed `AUTOSCALING_GENERATE_LAUNCH_TEMPLATE=false` context override — the last ASG (`AsgWithGp3Blockdevice`) now generates a LaunchTemplate instead of a deprecated LaunchConfiguration
- Fixed `deviceName: 'ebs'` → `deviceName: '/dev/xvdf'` — the old name was valid for LaunchConfiguration but not for LaunchTemplate

**integ.asg-w-classic-loadbalancer.ts:**
- Updated `BURSTABLE2` (t2.micro) → `BURSTABLE3` (t3.micro)

**integ.asg-w-elbv2.ts:**
- Updated `BURSTABLE2` → `BURSTABLE3` in ElbV2AsgStack

**Destructive changes:** `integ.asg-lc` destroys `AsgWithGp3BlockdeviceLaunchConfig24411F5E` (LaunchConfiguration) and replaces it with a LaunchTemplate. This is intentional — LaunchConfigurations are deprecated and cannot be created in newer AWS accounts.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

```bash
yarn integ test/aws-autoscaling/test/integ.asg-lc.js test/aws-autoscaling/test/integ.asg-w-classic-loadbalancer.js test/aws-autoscaling/test/integ.asg-w-elbv2.js \
  --disable-update-workflow --update-on-failed --force \
  --parallel-regions us-east-1 --parallel-regions us-west-2 --parallel-regions eu-west-1 \
  --verbose
```

All 3 tests passed across us-east-1, us-west-2, eu-west-1.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…uts in integ tests (#36956)

### Issue # (if applicable)

Closes #.

### Reason for this change

Several CodeBuild integration tests were failing across multiple error categories:

1. **`Unrecognized resource types: [AWS::CodeBuild::Fleet]`** — `AWS::CodeBuild::Fleet` CloudFormation resource is not available in all regions
2. **`LambdaCompute feature is not supported in region`** — Lambda compute mode is only available in 10 regions
3. **`Region X is not supported for WINDOWS_SERVER_2022_CONTAINER`** — Windows Server 2022 environment type is only available in 8 regions
4. **Fleet deletion timeout (`NotStabilized`)** — `AWS::CodeBuild::Fleet` resource deletion takes ~40 minutes, exceeding the CFN resource handler's ~21 minute stabilization timeout
5. **macOS fleet build assertion timeout** — macOS dedicated host provisioning takes 20-30+ minutes, exceeding the assertion framework's timeout limits

### Description of changes

**Region constraints** (all 11 tests):
Added `regions` property to IntegTest constructors, with per-test comments explaining the specific feature constraint:
- Fleet tests: `AWS::CodeBuild::Fleet` not available in all regions
- Lambda tests: `ARM_LAMBDA_CONTAINER` / `LINUX_LAMBDA_CONTAINER` not available in all regions
- Windows fleet tests: `WINDOWS_SERVER_2022_CONTAINER` not available in all regions
- macOS fleet tests: `MAC_ARM` only available in 5 regions
- Windows image test: `WINDOWS_SERVER_2022_CONTAINER` not available in all regions

**Fleet deletion workaround** (8 fleet tests):
Added `cdkCommandOptions.destroy.expectError = true` because `AWS::CodeBuild::Fleet` deletion consistently takes ~40 minutes, exceeding the CFN resource handler's ~21 minute stabilization timeout (verified via CloudFormation events across multiple regions).

**Assertion timeout increases** (6 fleet tests):
Increased `waitForAssertions` `totalTimeout` from 5 to 15 minutes for fleet tests to account for fleet instance provisioning time before builds can execute.

**Hardcoded name removal** (5 fleet tests):
Removed hardcoded `fleetName` properties (`'MyFleet'`, `'MacOsFleet14'`, `'MacOsFleet15'`) to avoid `NAME_COLLISION` on re-runs.

**macOS test simplification** (2 tests):
Removed `startBuild`/`batchGetBuilds` assertions from macOS fleet tests since macOS dedicated host provisioning exceeds the assertion framework's timeout limits. The `listFleets` assertion is retained to verify fleet creation. Build execution on fleets is already validated by the Linux fleet tests.

### Describe any new or updated permissions being added

N/A — no permission changes.

### Description of how you validated changes

All 11 tests validated via `yarn integ` with `--force --update-on-failed` across 5 parallel regions: `us-east-1`, `us-east-2`, `us-west-2`, `ap-southeast-2`, `eu-central-1`.

```
Tests:    11 passed, 11 total
```

Validation command:
```bash
yarn integ \
  test/aws-codebuild/test/integ.project-fleet.js \
  test/aws-codebuild/test/integ.project-fleet-attribute-based-compute.js \
  test/aws-codebuild/test/integ.project-fleet-custom-instance-type.js \
  test/aws-codebuild/test/integ.project-fleet-overflow-behavior.js \
  test/aws-codebuild/test/integ.project-windows-2019-fleet.js \
  test/aws-codebuild/test/integ.project-windows-2022-fleet.js \
  test/aws-codebuild/test/integ.project-macos-fleet-base14.js \
  test/aws-codebuild/test/integ.project-macos-fleet-base15.js \
  test/aws-codebuild/test/integ.project-linux-arm-lambda-image.lit.js \
  test/aws-codebuild/test/integ.project-linux-lambda-image.lit.js \
  test/aws-codebuild/test/integ.project-windows-image.js \
  --disable-update-workflow --update-on-failed --force \
  --parallel-regions us-east-1 us-east-2 us-west-2 ap-southeast-2 eu-central-1
```

**Not fixed (external dependency):**
- `integ.github-org-webhook` and `integ.github-webhook-batch` require a pre-configured GitHub access token in the AWS account — cannot be fixed in test code.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #27762 

### Reason for this change



### Description of changes

This change introduces the forceNewDeployment feature for ECS services, which allows users to trigger a new deployment even when there are no service definition changes.

CFN public doc: https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-ecs-service-forcenewdeployment.html



### Describe any new or updated permissions being added



### Description of how you validated changes


- Added unit test
- Ran integ-test locally 

**Note**: I don't think we can add an integ-test for forceNewDeployment set to true, as the function generates a new nonce with each run, which results in a new CFN template.

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Closes #37255

### Reason for this change

Somehow there are merge conflict markers in js snapshot files that GitHub neither pointed out nor prevented from merging.

### Description of changes

Regenerated snapshots

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Integ test workflow will

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…odb (#37158)

### Issue # (if applicable)

N/A — Integration test remediation.

### Reason for this change

`integ.dynamodb` fails because the assertion timeout (2 minutes) is too short. EventBridge Pipes need time to start processing DynamoDB stream events and deliver them to the SQS target queue.

### Description of changes

Increased `waitForAssertions` timeout from 2 minutes to 5 minutes.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

```bash
cd packages/@aws-cdk/aws-pipes-sources-alpha
yarn integ test/integ.dynamodb.js \
  --disable-update-workflow --update-on-failed --force \
  --parallel-regions us-east-1
```

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
We would like to build a knowledge base of common errors, so that resolution strategies can be described and shared. To that end, it's easier if all errors get an error code.

Use AI to invent an error code for all errors.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…nd add `actions` methods to `BucketGrants` (#37239)

### Reason for this change


Vended Logs was previously not using the Traits and Facades that have been introduced with the GA of Mixins. 

`BucketGrants` is a handwritten Grants class and did not benefit from the update a lot of the other Grants classes received which gave them access to the `.actions()` method.

### Description of changes


**Note:** most of these changes involve refreshing the e2e test files, mostly because policy names have changed and some implementation details are a bit different because of grants; the permissions themselves have not changed.

This changes the implementation but not the behavior of Vended Logs to use the Facades and Traits. 
`BucketGrants` now has 2 methods which operate like the `.actions()` method in other Grants classes. `BucketGrants` gets 2 methods while most other classes only get one because `BucketGrants` has a somewhat unique scenario where it always receives some kind of object arn to be able to apply permissions to accessing objects in a bucket, but does not always receive a bucket arn which controls what can be done to the bucket itself. We split these 2 use cases into 2 different grant methods.

### Describe any new or updated permissions being added


Corrects Vended Logs S3 Bucket permissions to not grant to log stream, this is inline with Vended Logs documentation: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-S3.html

### Description of how you validated changes


Updated unit and integration tests in vended logs and added new unit tests for `BucketGrants`

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change

Typo in the multi-account replica docs

### Description of changes

Fixed typo

### Describe any new or updated permissions being added

No new permissions added.


### Description of how you validated changes

N/A

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change



### Description of changes



### Describe any new or updated permissions being added




### Description of how you validated changes



### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #37261

### Reason for this change

.NET 10 is now out: [Announcing .NET 10](https://devblogs.microsoft.com/dotnet/announcing-dotnet-10)
The prerequisite check does not currently recognize .NET 10 SDK versions.

A similar update was previously made for .NET 9, and this change extends the version check so contributors using .NET 10 do not fail setup unnecessarily.

### Description of changes

Updated the dotnet prerequisite version check regex to recognize .NET 10 SDK versions.

This keeps the existing behavior for previously allowed versions and fixes the case where two-digit major versions were not accepted by the check.

### Describe any new or updated permissions being added

No new permissions are required.

### Description of how you validated changes

- Reproduced the failure locally with .NET SDK 10.0.105
- Updated the version check to allow 10.x SDKs
- Verified the prerequisite check passes with the updated regex

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
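The two-digit major version problem described above, as an added illustration that is not the aws-cdk prerequisite script: a hypothetical gate written for single-digit majors beside one widened to accept 10.x, with the numeric comparison that avoids the lexical "10" before "6" trap. The function names and the assumed minimum major version (6) are illustrative.

```shell
#!/usr/bin/env sh
# Added example (not the repository's own check): why a single-digit
# major-version regex rejects .NET SDK 10.x, and one way to widen it.
# Function names and the minimum major (6) are assumptions.

# Hypothetical original gate: one digit for the major version, so
# "10.0.105" never matches even though the SDK is newer than required.
old_dotnet_version_ok() {
  printf '%s\n' "$1" | grep -Eq '^[6-9]\.[0-9]+\.[0-9]+$'
}

# Widened gate: one or two digits for the major version, then a numeric
# comparison on the major component so "10" is not ordered before "6"
# the way a string comparison would order it.
new_dotnet_version_ok() {
  ver="$1"
  # Shape check: MAJOR.MINOR.PATCH with a one- or two-digit major.
  printf '%s\n' "$ver" | grep -Eq '^[0-9]{1,2}\.[0-9]+\.[0-9]+$' || return 1
  major="${ver%%.*}"          # strip everything after the first dot
  [ "$major" -ge 6 ]          # arithmetic, not lexical, comparison
}

# Stand-alone demonstration over constructed sample versions.
for v in 5.0.408 6.0.428 9.0.100 10.0.105 10.0; do
  if old_dotnet_version_ok "$v"; then old=accept; else old=reject; fi
  if new_dotnet_version_ok "$v"; then new=accept; else new=reject; fi
  printf '%-10s old: %-6s new: %s\n' "$v" "$old" "$new"
done
```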
…eg tests (#37109)

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

Two `aws-ecr-assets` integration tests (`integ.assets-tarball` and `integ.assets-docker`) were failing:

1. **integ.assets-tarball**: The `hello-world.tar` Docker image tarball was corrupted because `.gitattributes` did not list `*.tar` as binary. Git's `* text=auto` and `* eol=lf` settings converted line endings in the binary tar file, making it unloadable by Docker (`archive/tar: invalid tar header`).

2. **integ.assets-docker**: Required environment setup (QEMU user-static for ARM64 cross-platform Docker builds and SSH agent for `buildSsh` feature)

### Description of changes

1. **`.gitattributes`**: Added `*.tar binary` alongside the existing `*.tgz binary` and `*.tar.gz binary` entries to prevent git from corrupting `.tar` files with line ending conversion.

2. **`demo-tarball-hello-world/hello-world.tar`**: Regenerated using `docker save` of the official `hello-world` image (same ~22KB size as the original before corruption).

3. **Snapshot updates**: All three `aws-ecr-assets` integ test snapshots updated via `integ-runner --update-on-failed`.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

All three `aws-ecr-assets` integration tests pass:

```bash
# Environment prerequisites for integ.assets-docker:
docker run --rm --privileged multiarch/qemu-user-static --reset -p yes  # ARM64 support
eval $(ssh-agent -s)  # SSH agent for buildSsh feature

# Run all tests
yarn integ test/aws-ecr-assets/test/integ.assets-tarball.js \
  test/aws-ecr-assets/test/integ.assets-docker.js \
  test/aws-ecr-assets/test/integ.nested-stacks-docker.js \
  --disable-update-workflow --update-on-failed --force \
  --parallel-regions us-east-1 --parallel-regions us-east-2 --parallel-regions us-west-2
```

Result: **3 passed, 3 total**

- `integ.assets-tarball` — SUCCESS (us-west-2, 113s)
- `integ.assets-docker` — SUCCESS (us-east-2, 107s)
- `integ.nested-stacks-docker` — SUCCESS (us-east-1, 130s)

**Original errors:**
- `integ.assets-tarball`: `ToolkitError: Failed to publish asset integ-assets-tarball Template (current_account-current_region-8620c748)` — caused by corrupted tarball
- `integ.assets-docker`: `ToolkitError: Failed to publish asset DockerImage5 (current_account-current_region-bcb4ae9b)` / `Failed to publish asset DockerImage3` — caused by missing QEMU/SSH agent

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change



### Description of changes

Introduction of a Bitrate utility function (similar to Duration) which can be used in AWS Elemental Media Services.
Example of usage:
video_bitrate in https://docs.aws.amazon.com/mediapackage/latest/ug/manifest-filtering.html
maxBitrate in https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_mediaconnect.CfnFlow.SourceProperty.html

### Describe any new or updated permissions being added




### Description of how you validated changes

Added tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…#37271)

### Description of changes

Build failure caused in new log-source update PR: cdklabs/awscdk-service-spec#2535.

The `respectOverrides` was not set to false, causing it to inherit `aws-cdk-lib` dotnet namespace overrides from [scope-map.json](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/scripts/scope-map.json); causing both `aws-cdk-lib` and `mixins-preview` to emit to the same dotnet namespace "Amazon.CDK.AWS.APIGateway".

The PR build is failing with [error](https://github.com/cdklabs/awscdk-service-spec/actions/runs/23177806351/job/67343784969?pr=2535) 
```
Error: 3-17T04:15:12.459] [ERROR] jsii/compiler - Type model errors prevented the JSII assembly from being created
  warning JSII4010: Multiple modules emit to the same dotnet namespace "Amazon.CDK.AWS.APIGateway": aws-cdk-lib.aws_apigateway, @aws-cdk/mixins-preview.aws_apigateway [jsii-config/submodule-conflict]
```


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
These are not intended to be suppressed, so that is not a feature. But they can be tracked in order to find errors that users are running into a lot.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)


### Reason for this change

10 ECS integration tests were failing due to various issues:
- Teardown failures from capacity providers / managed instances still in use during stack deletion
- Cross-stack export deletion ordering when `IntegTest` is scoped to the stack
- `t2.micro` instance type unavailability in certain AZs
- Container health check targeting wrong port (8000 instead of 80)
- Missing NLB-to-service security group ingress rule with `networkLoadBalancerWithSecurityGroupByDefault` feature flag
- Managed instances tests using incorrect instance profile naming (missing `ecsInstanceRole` prefix required by `AmazonECSInfrastructureRolePolicyForManagedInstances`) and overly restrictive instance requirements (NVIDIA GPU + Intel CPU only)
- EBS volume initialization rate test requiring an external EBS snapshot that does not exist

### Description of changes

**10 tests fixed across the aws-ecs module:**

1. **fargate/integ.capacity-providers** — Wrapped in `IntegTest` with `destroy.expectError: true` ([#19275](#19275)).

2. **external/integ.daemon-service** — Changed `IntegTest` scope from `stack` to `app` to fix cross-stack export deletion ordering. When scoped to the stack, the deploy-assert stack holds a reference to the main stack exports, preventing deletion.

3. **ec2/integ.capacity-provider** — Wrapped in `IntegTest` with `destroy.expectError: true` ([#19275](#19275)).

4. **ec2/integ.pseudo-terminal** — Changed instance type from `t2.micro` to `t3.micro`. `t2.micro` is not available in all AZs, causing ASG launch failures.

5. **fargate/integ.exec-command** — Fixed container health check from `curl localhost:8000` to `curl localhost:80`. The `amazon/amazon-ecs-sample` image serves on port 80; port 8000 always fails, preventing service stabilization.

6. **fargate/integ.enable-execute-command** — Same health check port fix (8000 → 80).

7. **fargate/integ.nlb-awsvpc-nw** — Added `service.connections.allowFrom(lb, ec2.Port.tcp(80))`. With the `networkLoadBalancerWithSecurityGroupByDefault` feature flag, the NLB gets a security group but no ingress rules were created on the service SG, so NLB health checks always failed. Also wrapped in `IntegTest`.

8. **fargate/integ.ebs-volume-initialization-rate** — Replaced external `SNAPSHOT_ID` env var dependency with an in-stack EBS volume + snapshot created via a `NodejsFunction`-backed custom resource that waits for snapshot completion before returning.

9. **integ.managedinstances-no-default-capacity-provider** — Removed custom IAM roles/instance profile with hardcoded names. The `AmazonECSInfrastructureRolePolicyForManagedInstances` managed policy requires instance profiles prefixed with `ecsInstanceRole`; the test used `InstanceProfile` which does not match. Now lets the construct create defaults with the correct prefix. Removed NVIDIA accelerator and Intel CPU manufacturer constraints. Removed hardcoded `regions: ['us-west-2']` since FMI is available in all commercial regions. Added `destroy.expectError: true` ([#36071](#36071)).

10. **integ.managedinstances-capacity-provider** — Same fixes as above. Added `destroy.expectError: true` ([#36071](#36071)).

### Describe any new or updated permissions being added

No new IAM permissions. The NLB fix adds a security group ingress rule (port 80 TCP) to the Fargate service security group to allow traffic from the NLB — required for health checks and traffic routing to function correctly.

### Description of how you validated changes

All 10 fixed tests were deployed and validated via `integ-runner` with `--update-on-failed` across multiple regions (us-east-1, us-west-2, eu-west-1, eu-central-1, ap-northeast-1):

```bash
yarn integ \
  test/aws-ecs/test/fargate/integ.capacity-providers.js \
  test/aws-ecs/test/external/integ.daemon-service.js \
  test/aws-ecs/test/ec2/integ.capacity-provider.js \
  test/aws-ecs/test/ec2/integ.pseudo-terminal.js \
  test/aws-ecs/test/fargate/integ.nlb-awsvpc-nw.js \
  test/aws-ecs/test/fargate/integ.exec-command.js \
  test/aws-ecs/test/fargate/integ.enable-execute-command.js \
  test/aws-ecs/test/fargate/integ.ebs-volume-initialization-rate.js \
  test/aws-ecs/test/integ.managedinstances-no-default-capacity-provider.js \
  test/aws-ecs/test/integ.managedinstances-capacity-provider.js \
  --disable-update-workflow \
  --update-on-failed \
  --force \
  --parallel-regions us-east-1 us-west-2
```

**Destructive changes (expected):**
- `integ.exec-command` and `integ.enable-execute-command`: `TaskDef` replaced (health check change)
- `integ.managedinstances-*`: IAM roles/instance profiles replaced (removed hardcoded names, switched to construct defaults)

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #9741

### Reason for this change

Since #8959, ParameterGroup uses a lazy creation pattern where CloudFormation resources are only generated when the parameter group is bound to an instance or cluster (either explicitly via `bindToInstance()`/`bindToCluster()` or implicitly when passed to a `DatabaseInstance`/`DatabaseCluster`).

This change adds explicit static methods `ParameterGroup.forInstance()` / `ParameterGroup.forCluster()` that allow users to create standalone parameter groups while maintaining the lazy instantiation pattern and backward compatibility.

### Description of changes

Added two static factory methods to the ParameterGroup class similar to SingletonPolicy.forRole():
* `ParameterGroup.forInstance()`: Creates a standalone instance parameter group (`AWS::RDS::DBParameterGroup`)
* `ParameterGroup.forCluster()`: Creates a standalone cluster parameter group (`AWS::RDS::DBClusterParameterGroup`)

### Describe any new or updated permissions being added

N/A


### Description of how you validated changes

Validated with new unit tests and integ test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

N/A — Fixes 5 failing DynamoDB integration tests.

### Reason for this change

Five `aws-dynamodb` integration tests were failing due to:
- Hardcoded physical resource names causing `EarlyValidation::ResourceExistenceCheck` errors (name collisions)
- Hardcoded `env.region` preventing the integ-runner from controlling deployment regions
- A CloudFormation limitation where a replica cannot be created in the same stack operation that sets a resource-based policy
- A Lambda handler with hardcoded region and table name, and an assertion expecting `Payload` as an object when Lambda invoke returns it as a JSON string

### Description of changes

**integ.table-v2-global.ts / integ.dynamodb-v2.ondemand.ts** — Removed hardcoded `tableName: 'my-global-table'` to let CDK generate unique names, preventing `ResourceExistenceCheck` failures. Replaced hardcoded `env: { region: 'us-east-1' }` with `process.env.CDK_DEFAULT_REGION || 'us-east-1'` (global tables with replicas require a region-aware stack, but the region should come from the integ-runner rather than being hardcoded). Renamed the ondemand test's stack from `aws-cdk-global-table` to `aws-cdk-global-table-ondemand` to avoid collision with the provisioned test when running in parallel.

**integ.dynamodb.deletion-protection.ts** — Removed hardcoded `tableName: 'deletion-protection-test'`. Replaced the fragile `postDeploy` shell hook (which used CLI v2-only flags) with an `integ.assertions.awsApiCall('DynamoDB', 'updateTable', ...)` to disable deletion protection after deploy, enabling clean teardown. Removed explicit `env` to avoid cross-environment reference issues with the assertion stack.

**integ.dynamodb-v2.policy-ff.ts** — Deleted and converted to a unit test in `table-v2.test.ts`. CloudFormation does not allow creating a new replica in the same stack operation that has a resource-based policy on any replica — the error is `"A replica cannot be created in the same stack update as putting a resource-based policy on that new replica"`. This is a CloudFormation-level constraint (https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-considerations.html), not a CDK bug: the feature flag `resourcePolicyPerReplica` correctly scopes the policy to the primary region only (confirmed in `table-v2.ts:905-907`), but CloudFormation rejects the combination regardless. 

A two-stack approach (table+replica first, then add policy) was also attempted but fails because `addToResourcePolicy` mutates the table's CFN resource in the original stack, so the replica and policy always end up in the same CloudFormation template. Since the test's intent is to verify that the feature flag scopes the policy to the primary replica and does not copy it to new replicas — a synth-time concern — it is better validated as a unit test using `Template.fromStack()`.

**integ.table-v2-replica.ts / replica-handler/index.py** — Replaced hardcoded `env: { region: 'us-east-1' }` with `process.env.CDK_DEFAULT_REGION || 'us-east-1'`. Added `TABLE_NAME` and `REPLICA_REGION` environment variables to the Lambda function, and updated the Python handler to read from `os.environ` instead of hardcoding `'global-table'` and `'us-west-1'`. Fixed the assertion to use `Match.stringLikeRegexp('status_code.*200')` since Lambda invoke returns `Payload` as a JSON string, not a parsed object.

### Describe any new or updated permissions being added

None

### Description of how you validated changes

The 4 remaining integration tests deployed and passed via `integ-runner`:

```bash
yarn integ \
  test/aws-dynamodb/test/integ.table-v2-global.js \
  test/aws-dynamodb/test/integ.dynamodb.deletion-protection.js \
  test/aws-dynamodb/test/integ.dynamodb-v2.ondemand.js \
  test/aws-dynamodb/test/integ.table-v2-replica.js \
  --disable-update-workflow --update-on-failed --force \
  --parallel-regions us-east-1 us-west-2 --verbose
```

Regions: us-east-1, us-west-2 (parallel-regions), with replica regions us-east-2, us-west-1, eu-west-1.

The converted unit test passes:
```bash
npx jest aws-dynamodb/test/table-v2.test.ts -t "resourcePolicyPerReplica"
```

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[~] service aws-bedrockagentcore
│ └ resources
│    ├[~]  resource AWS::BedrockAgentCore::Evaluator
│    │  └      - arnTemplate: undefined
│    │         + arnTemplate: arn:${Partition}:bedrock-agentcore:${Region}:${Account}:evaluator/${EvaluatorId}
│    ├[~]  resource AWS::BedrockAgentCore::OnlineEvaluationConfig
│    │  └      - arnTemplate: undefined
│    │         + arnTemplate: arn:${Partition}:bedrock-agentcore:${Region}:${Account}:online-evaluation-config/${OnlineEvaluationConfigId}
│    └[~]  resource AWS::BedrockAgentCore::PolicyEngine
│       └      - arnTemplate: undefined
│              + arnTemplate: arn:${Partition}:bedrock-agentcore:${Region}:${Account}:policy-engine/${PolicyEngineId}
├[~] service aws-devopsagent
│ └ resources
│    └[~]  resource AWS::DevOpsAgent::Service
│       └      - arnTemplate: undefined
│              + arnTemplate: arn:${Partition}:aidevops:${Region}:${Account}:service/${ServiceId}
├[~] service aws-directoryservice
│ └ resources
│    └[~]  resource AWS::DirectoryService::MicrosoftAD
│       └      - arnTemplate: arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId}
│              + arnTemplate: arn:${Partition}:ds:${Region}:${Account}:${DirectoryId}
├[~] service aws-ecr
│ ├ resources
│ │  └[~]  resource AWS::ECR::Repository
│ │     └ events
│ │        ├[~]  event aws.ecr@ECRImageAction
│ │        │  └ types
│ │        │     └[~] type ECRImageAction
│ │        │       └ properties
│ │        │          ├[+] last-activated-at: string
│ │        │          └[+] target-storage-class: string
│ │        └[~]  event aws.ecr@ECRReferrerAction
│ │           └ types
│ │              └[~] type ECRReferrerAction
│ │                └ properties
│ │                   ├[+] last-activated-at: string
│ │                   └[+] target-storage-class: string
│ └ events
│    ├[~]  event aws.ecr@ECRImageAction
│    │  └ types
│    │     └[~] type ECRImageAction
│    │       └ properties
│    │          ├[+] last-activated-at: string
│    │          └[+] target-storage-class: string
│    └[~]  event aws.ecr@ECRReferrerAction
│       └ types
│          └[~] type ECRReferrerAction
│            └ properties
│               ├[+] last-activated-at: string
│               └[+] target-storage-class: string
├[~] service aws-networkfirewall
│ └ events
│    ├[+]  event aws.networkfirewall@FirewallAttachmentStatusChanged
│    │  ├      description: Schema for event type FirewallAttachmentStatusChanged, published by AWS service aws.networkfirewall
│    │  │      source: aws.network-firewall
│    │  │      detailType: Firewall Attachment Status Changed
│    │  │      rootProperty: FirewallAttachmentStatusChanged
│    │  └ types
│    │     ├ type DataItem
│    │     │ └ properties
│    │     │    ├ Availability Zone: string (required)
│    │     │    ├ Current Attachment Status: string (required)
│    │     │    ├ Endpoint ID: string
│    │     │    └ Previous Attachment Status: string
│    │     ├ type FirewallAttachmentStatusChanged
│    │     │ └ properties
│    │     │    ├ data: DataItem[] (required)
│    │     │    ├ metadata: Metadata (required)
│    │     │    └ version: string (required)
│    │     └ type Metadata
│    │       └ properties
│    │          └ State Change ID: string (required)
│    ├[+]  event aws.networkfirewall@FirewallConfigurationChanged
│    │  ├      description: Schema for event type FirewallConfigurationChanged, published by AWS service aws.networkfirewall
│    │  │      source: aws.network-firewall
│    │  │      detailType: Firewall Configuration Changed
│    │  │      rootProperty: FirewallConfigurationChanged
│    │  └ types
│    │     ├ type DataItem
│    │     │ └ properties
│    │     │    ├ Availability Zone: string (required)
│    │     │    ├ Configuration Resource ARN: string (required)
│    │     │    ├ Current Configuration Sync Status: string (required)
│    │     │    ├ Previous Configuration Sync Status: string
│    │     │    ├ Current Configuration Update Token: string
│    │     │    └ Previous Configuration Update Token: string
│    │     ├ type FirewallConfigurationChanged
│    │     │ └ properties
│    │     │    ├ data: DataItem[] (required)
│    │     │    ├ metadata: Metadata (required)
│    │     │    └ version: string (required)
│    │     └ type Metadata
│    │       └ properties
│    │          └ State Change ID: string (required)
│    └[+]  event aws.networkfirewall@FirewallTransitGatewayAttachmentStatusChanged
│       ├      description: Schema for event type FirewallTransitGatewayAttachmentStatusChanged, published by AWS service aws.networkfirewall
│       │      source: aws.network-firewall
│       │      detailType: Firewall Transit Gateway Attachment Status Changed
│       │      rootProperty: FirewallTransitGatewayAttachmentStatusChanged
│       └ types
│          ├ type Data
│          │ └ properties
│          │    ├ Current Transit Gateway Attachment Status: string (required)
│          │    ├ Attachment ID: string
│          │    └ Previous Transit Gateway Attachment Status: string
│          ├ type FirewallTransitGatewayAttachmentStatusChanged
│          │ └ properties
│          │    ├ data: Data (required)
│          │    ├ metadata: Metadata (required)
│          │    └ version: string (required)
│          └ type Metadata
│            └ properties
│               └ State Change ID: string (required)
├[~] service aws-pinpoint
│ └ resources
│    └[~]  resource AWS::Pinpoint::InAppTemplate
│       └      - arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/SMS
│              + arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/VOICE
└[~] service aws-ram
  └ resources
     └[~]  resource AWS::RAM::Permission
        └      - arnTemplate: arn:${Partition}:ram:${Region}:${Account}:permission/${ResourcePath}
               + arnTemplate: arn:${Partition}:ram::${Account}:permission/${ResourcePath}
```
aemada-aws and others added 5 commits March 18, 2026 15:21
…deprecated (#37155)

### Issue # (if applicable)

N/A — Integration test remediation.

### Reason for this change

`integ.application.lit` fails because it creates Flink applications using deprecated runtimes (FLINK-1_6, FLINK-1_8, FLINK-1_11, FLINK-1_13). These runtimes are EOL in Amazon Managed Service for Apache Flink:
- FLINK 1.6, 1.8, 1.11: Dead since Feb/Jul 2025
- FLINK 1.13: Deprecating, support ends Oct 16, 2025

Ref: https://docs.aws.amazon.com/managed-flink/latest/java/release-version-list.html

### Description of changes

Removed deprecated runtimes from the test array. Kept only currently supported versions: FLINK_1_15, FLINK_1_18, FLINK_1_19, FLINK_1_20.

Added @deprecated tags to deprecated ones.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

```bash
yarn integ test/integ.application.lit.js \
  --disable-update-workflow --update-on-failed --force \
  --parallel-regions us-east-1
```

**Destructive change:** 4 `AWS::KinesisAnalyticsV2::Application` resources and 4 `AWS::CloudWatch::Alarm` resources removed (the deprecated runtime versions).

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #37241.

### Reason for this change

Codebuild supports the macOS base:26 image ([ref](https://docs.aws.amazon.com/codebuild/latest/userguide/available-runtimes.html#macOS-runtimes:~:text=arm%2Dbase%3A15-,macos%2Darm%2Dbase%3A26,-clang)). AWS CDK should be updated to provide availability of this image through CDK.

### Description of changes

I added an option for the BASE_26 image. This leveraged the extensible test.each() pattern I introduced in #35836 — adding a new macOS image now only requires adding one line to each of the three parameterized test blocks, plus the constant and integration test. The code changes followed the same approach: copying the logic for BASE_15 and changing 15 to 26.

### Describe any new or updated permissions being added

NA.

### Description of how you validated changes

All 90 unit tests (aws-codebuild/test/project.test.ts) passed locally. I highlight relevant tests:
```
✓ has build image for Base 14 (6 ms)
✓ has build image for Base 15 (13 ms)
✓ has build image for Base 26 (4 ms)
✓ can set macOS fleet with BASE_14 (5 ms)
✓ can set macOS fleet with BASE_15 (5 ms)
✓ can set macOS fleet with BASE_26 (5 ms)
✓ can set imported macOS fleet with BASE_14 (4 ms)
✓ can set imported macOS fleet with BASE_15 (4 ms)
✓ can set imported macOS fleet with BASE_26 (3 ms)
```
The integration test (integ.project-macos-fleet-base26) was deployed successfully to ap-southeast-2. The fleet provisioned, a build was started, and batchGetBuilds confirmed SUCCEEDED. Here is evidence via command tail of log:
```
export AWS_PROFILE={redacted} && cdk bootstrap aws://{redacted}/ap-southeast-2 && export AWS_REGION=ap-southeast-2 && cd /Users/ayushkp/Documents/aws-cdk/packages/@aws-cdk-testing/framework-integ && npx cdk deploy --all --require-approval never --app "npx ts-node test/aws-codebuild/test/integ.project-macos-fleet-base26.ts" 2>&1 | tee /tmp/deploy-apse2-results.txt
...

 ✅  MacOsProjectIntegTest/DefaultTest/DeployAssert

✨  Deployment time: 629.86s

Outputs:
MacOsProjectIntegTestDefaultTestDeployAssertB425ECC4.AssertionResultsAwsApiCallCodeBuildbatchGetBuildsca7a972abba879df6e6f630c076385fc = {"status":"success"}
MacOsProjectIntegTestDefaultTestDeployAssertB425ECC4.AssertionResultsAwsApiCallCodebuildlistFleets = {"status":"success"}
Stack ARN:
arn:aws:cloudformation:ap-southeast-2:{redacted}:stack/MacOsProjectIntegTestDefaultTestDeployAssertB425ECC4/16ba9e00-1e4d-11f1-9c2f-02f634838305
```

Snapshot is included as required.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

N/A

### Reason for this change

Security guardian check on PRs is currently an experimental feature but it seems like contributors are sometimes confused if the check is a blocker. When security guardian fails, contributors think it's blocking and spend a lot of time on fixing it. So we are improving the messaging to make it clear for contributors that it is currently NOT a blocker for reviews.

Once the security guardian check is stable, this can be changed to be a blocker for reviews.

### Description of changes

Updated the security-report disclaimer to the following -
>⚠️ **Experimental Feature**: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
>**This security report is NOT a review blocker.** Please try `merge from main` to avoid findings unrelated to the PR.

### Describe any new or updated permissions being added




### Description of how you validated changes

N/A

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
)

Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 16 to 18.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/dawidd6/action-download-artifact/releases">dawidd6/action-download-artifact's releases</a>.</em></p>
<blockquote>
<h2>v18</h2>
<h2>What's Changed</h2>
<ul>
<li>build(deps): bump <code>@​actions/artifact</code> from 6.2.0 to 6.2.1 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/dawidd6/action-download-artifact/pull/381">dawidd6/action-download-artifact#381</a></li>
<li>build(deps): bump undici from 6.23.0 to 6.24.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/dawidd6/action-download-artifact/pull/382">dawidd6/action-download-artifact#382</a></li>
<li>node_modules: update by <a href="https://github.com/dawidd6"><code>@​dawidd6</code></a> in <a href="https://redirect.github.com/dawidd6/action-download-artifact/pull/383">dawidd6/action-download-artifact#383</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/dawidd6/action-download-artifact/compare/v17...v18">https://github.com/dawidd6/action-download-artifact/compare/v17...v18</a></p>
<h2>v17</h2>
<h2>What's Changed</h2>
<ul>
<li>build(deps): bump <code>@​actions/artifact</code> from 6.1.0 to 6.2.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/dawidd6/action-download-artifact/pull/376">dawidd6/action-download-artifact#376</a></li>
<li>build(deps): bump actions/upload-artifact from 6 to 7 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/dawidd6/action-download-artifact/pull/377">dawidd6/action-download-artifact#377</a></li>
<li>build(deps): bump fast-xml-parser from 5.3.6 to 5.4.1 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/dawidd6/action-download-artifact/pull/378">dawidd6/action-download-artifact#378</a></li>
<li>node_modules: update by <a href="https://github.com/dawidd6"><code>@​dawidd6</code></a> in <a href="https://redirect.github.com/dawidd6/action-download-artifact/pull/379">dawidd6/action-download-artifact#379</a></li>
<li>Update Node version from 20 to 24</li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/dawidd6/action-download-artifact/compare/v16...v17">https://github.com/dawidd6/action-download-artifact/compare/v16...v17</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/dawidd6/action-download-artifact/commit/1f8785ff7a5130826f848e7f72725c85d241860f"><code>1f8785f</code></a> node_modules: update (<a href="https://redirect.github.com/dawidd6/action-download-artifact/issues/383">#383</a>)</li>
<li><a href="https://github.com/dawidd6/action-download-artifact/commit/6f25e15bc3f94c1cba8593190ddbb8272f8969f3"><code>6f25e15</code></a> build(deps): bump undici from 6.23.0 to 6.24.0 (<a href="https://redirect.github.com/dawidd6/action-download-artifact/issues/382">#382</a>)</li>
<li><a href="https://github.com/dawidd6/action-download-artifact/commit/f8c75c6843abc18b6814dd176070ace68bb4feec"><code>f8c75c6</code></a> build(deps): bump <code>@​actions/artifact</code> from 6.2.0 to 6.2.1 (<a href="https://redirect.github.com/dawidd6/action-download-artifact/issues/381">#381</a>)</li>
<li><a href="https://github.com/dawidd6/action-download-artifact/commit/09b07ec687d10771279a426c79925ee415c12906"><code>09b07ec</code></a> Update Node.js version from 20 to 24</li>
<li><a href="https://github.com/dawidd6/action-download-artifact/commit/980d668e73c8252f062c5b3356914db466ba5d8e"><code>980d668</code></a> node_modules: update (<a href="https://redirect.github.com/dawidd6/action-download-artifact/issues/379">#379</a>)</li>
<li><a href="https://github.com/dawidd6/action-download-artifact/commit/5061fdbee84268cd9de4a3765f15da0d3a06d71c"><code>5061fdb</code></a> build(deps): bump fast-xml-parser from 5.3.6 to 5.4.1 (<a href="https://redirect.github.com/dawidd6/action-download-artifact/issues/378">#378</a>)</li>
<li><a href="https://github.com/dawidd6/action-download-artifact/commit/ea197571de670b5fa6508e942b943aedb2fd9c10"><code>ea19757</code></a> build(deps): bump actions/upload-artifact from 6 to 7 (<a href="https://redirect.github.com/dawidd6/action-download-artifact/issues/377">#377</a>)</li>
<li><a href="https://github.com/dawidd6/action-download-artifact/commit/3fe16e87952bd761ad5fb4274bceb971b63f772f"><code>3fe16e8</code></a> build(deps): bump <code>@​actions/artifact</code> from 6.1.0 to 6.2.0 (<a href="https://redirect.github.com/dawidd6/action-download-artifact/issues/376">#376</a>)</li>
<li>See full diff in <a href="https://github.com/dawidd6/action-download-artifact/compare/v16...v18">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=dawidd6/action-download-artifact&package-manager=github_actions&previous-version=16&new-version=18)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>
@kumsmrit kumsmrit removed the pr/do-not-merge This PR should not be merged at this time. label Mar 19, 2026
@kumsmrit kumsmrit closed this Mar 19, 2026
@github-actions
Contributor

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Mar 19, 2026
@kumsmrit kumsmrit deleted the bump/2.244.0 branch March 19, 2026 10:07

Labels

auto-approve p2 pr/no-squash This PR should be merged instead of squash-merging it