We are having some known issues to clone or build aws-cdk on Windows such as #23910 and #25164. Before we can address those issues, we should encourage Windows developers to use Gitpod or CodeCatalyst Dev Env on their Windows instead.

Closes #23910 #25164

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.81.0/CHANGELOG.md)

…on (#25744)

The [addAccountCondition](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.PolicyStatement.html#addwbraccountwbrconditionaccountid) method essentially create a `StringEquals` condition with `sts:ExternalId` which is used for [Cross-account confused deputy prevention](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#mitigate-confused-deputy). This PR adds `addSourceArnCondition` and `addSourceAccountCondition` methods used for [Cross-service confused deputy prevention](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#cross-service-confused-deputy-prevention) and improves the doc on the methods.

Closes #25732

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This was intended to be able to do `npx cdk` out of the blue, but that won't work as long as the package has a prerelease tag.

The rest of the changes are forced upon me by `pkglint`.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ined in VPC (#25468)

## Changes Made

The existing code calls a get availabilityZones method off of the stack. If no context is provided, then two possible return values are possible:
1) The stack is deemed agnostic, i.e., the stack has no defined environment, or the environment only contains just an account or just a region. In this case, the return value will be an array of unresolved tokens.
2) The stack is deemed non-agnostic. In this case, the return value will be ['dummy1a', 'dummy1b', 'dummy1c']

In the event of case 1, the filter method is called off of the array of unresolved tokens and attempts to create a new array of 'resolved stack AZs'. However, since the array that filter is called off of contains unresolved tokens, the result is an empty array. Moving forward, the value 'areGivenAzsSubsetOfStack' will be true only because 'resolvedStackAzs' is of length 0.

In the event of case 2, the filter method is called off of the array containing dummy values - ['dummy1a', 'dummy1b', 'dummy1c']. Since each element in this array will be considered resolved, the resulting array will also just be ['dummy1a', 'dummy1b', 'dummy1c']. Moving forward from this, the value 'areGivenAzsSubsetOfStack' will be false assuming the user is providing actual availability zones, i.e., 'us-east-1a', 'us-east-1b', etc. The previously mentioned error will then be thrown which is unhelpful for the user as the validation done in this case isn't helpful.

As a result, the only useful validation that can occur is in the case that a context has been provided that contains one of two keys:
1) availability-zones:account=${account}:region=${region}
2) aws:cdk:availability-zones:fallback

I've updated the validation logic to check for one of these two keys - it first checks for key 1 and then checks for the availability-zones fallback key (key 2). If either of the two keys is found then 'stackAzs' will be equal to the associated key's value. If neither key is found then 'stackAzs' will be undefined. From here, we check if 'stackAzs' is undefined, and if it is then no useful validation can be done so 'areGivenAzsSubsetOfStackAzs' will be true and we will move on without validation. If 'stackAzs' is not undefined, then we can check that each given availability zone exists within the'stackAzs' array. The error mentioned above will only be thrown if 'areGivenAzsSubsetOfStackAzs' if false.

Closes #21690

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This PR adds additional getters to allow easy access to context object fields. We currently have getters allowing easy access to the entire context object and the context object task token field. This adds getters for the following additional context object fields:
- Execution id
- Execution input
- Execution name
- Execution role arn
- Execution start time
- State entered time
- State name
- State retry count
- State machine id
- State machine name

Closes #25415

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Closes #25629

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

[Amazon RDS for PostgreSQL supports minor versions 15.3, 14.8, 13.11, 12.15, and 11.20](https://aws.amazon.com/about-aws/whats-new/2023/05/amazon-rds-postgresql-supports-new-minor-versions/)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…nal (#25379)

new flag `addTrailingDot`

The addTrailingDot option provides users with the choice to add a trailing dot (.) to the given domain name. In DNS, appending a dot at the end of a domain name indicates that the domain name is a fully qualified domain name (FQDN).
This function returns the value as is if the domain name is already an FQDN or has a trailing dot, and otherwise treats it as having a trailing dot. The existing specification was rejecting domain names with trailing dots, but this modification makes it unnecessary, so the validation check has been removed.

Closes #22406

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…FindingsFilter does not work (#25778)

The attribute was removed in a recent CFN Spec update.
We had then patched the attribute and type back in to avoid a breaking change. 
Now I have confirmed with the service team that this attribute has actually never worked and the removal is indeed correct.
Update CDK to reflect the fix made in CloudFormation.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…25622)

* If KMS is used for encryption, `grantSendMessage` grants the below permissions to the principle - kms:Decrypt, kms:Encrypt, kms:ReEncrypt*, kms:GenerateDataKey*

* If KMS is used for encryption, `grantConsumeMessage` grants the below permissions to the principle - kms:Decrypt

> REPLACE THIS TEXT BLOCK
>
> Describe the reason for this change, what the solution is, and any
> important design decisions you made. 
>
> Remember to follow the [CONTRIBUTING GUIDE] and [DESIGN GUIDELINES] for any
> code you submit.
>
> [CONTRIBUTING GUIDE]: https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md
> [DESIGN GUIDELINES]: https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md

Closes #25620 .

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

The `sha` for the `pull_request_target` event is for the base branch (i.e. `main`) so we were checking the status from the last commit to `main`. We should instead get the `sha` from the event payload which contains the `head` sha.

This also fixes an issue processing the status event where we were trying to parse the latest commit from the status URL, but that value is always equal to `{sha}`. Instead get it from the `head` info.

Added some debug logs to help us see what is getting processed. 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

## What change
Add CloudWatch Synthetics runtime nodejs puppeteer 4.0.

## Others
I changed integ test to using integ-tests assertions.

Closes #25493

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

[AWS Lambda introduces response payload streaming](https://aws.amazon.com/jp/about-aws/whats-new/2023/04/aws-lambda-response-payload-streaming/)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Adding support for adding aurora serverless v2 instances to a `DatabaseCluster`.

For detailed information on the design decisions see the [adr](https://github.com/corymhall/aws-cdk/blob/corymhall/rds/aurora-serverless-v2/packages/aws-cdk-lib/aws-rds/adr/aurora-serverless-v2.md)

This PR adds a lot of validation to try and ensure that the user is configuring the cluster correctly.

It also adds some functionality that allows users to have an easier migration experience from the deprecated properties.

closes #20197

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*