chore(release): 2.148.0 #30763

aws-cdk-automation · 2024-07-05T18:35:16Z

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.147.0/CHANGELOG.md)

### Reason for this change missing property ### Description of changes https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_codebuild.CfnProjectProps.html#visibility ### Description of how you validated changes done test and integ-test ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) N/A ### Reason for this change The `defaulrRedirectUri` property missing in the current `UserPoolClient` class, The DefaultRedirectURI setting is essential when using Amazon Cognito Hosted UI because it specifies the primary destination where users will be redirected after successful authentication, ensuring a seamless and secure OAuth 2.0 or OpenID Connect flow. ### Description of changes Add missing property. ### Description of how you validated changes Add unit tests and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…30358) ### Issue # (if applicable) Closes #30353 . ### Reason for this change At the moment, L2 Construct does not support a custom auto scaling configuration for the AppRunner Service. ### Description of changes * Add `AutoScalingConfiguration` Class * Add `autoScalingConfiguration` property to the `Service` Class ### Description of how you validated changes Add unit tests and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… from instanceType (#30558) ### Issue # (if applicable) n/a ### Reason for this change When configuring NAT instance v2, currently we have to set machineImage manually when we want to use a graviton instance. Like this: ```ts const vpc = new Vpc(this, 'Vpc', { natGatewayProvider: NatProvider.instanceV2({ instanceType: InstanceType.of(InstanceClass.T4G, InstanceSize.NANO), // we should be able to omit this line! machineImage: MachineImage.latestAmazonLinux2023({ cpuType: AmazonLinuxCpuType.ARM_64 }), }), }); ``` This can be easily avoided if Nat instance v2 construct decides which cpu type to use for the given instance type. ### Description of changes Use `instanceType.architecture` to choose cpu type of a machine image. Now we can remove the redundant code: ```ts const vpc = new Vpc(this, 'Vpc', { natGatewayProvider: NatProvider.instanceV2({ instanceType: InstanceType.of(InstanceClass.T4G, InstanceSize.NANO), }), }); ``` ### Description of how you validated changes Added an integ test. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…pes (#30495) ### Issue # (if applicable) Closes #29385. ### Reason for this change To use Step Functions state machine enrichment for eventbrige pipes ### Description of changes Add `StepFunctionsEnrichment` class. ### Description of how you validated changes Add unit test and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…time with imported `delegatedZone` (#30440)" (#30606) This reverts commit a3d9b10. ### Issue # (if applicable) Closes #30600. ### Reason for this change Reverting #30440 so that `cdk synth` succeed when using imported `delegatedZone` ### Description of changes Removed the `throw new Error()` ### Description of how you validated changes ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ty (#30614) ### Issue # (if applicable) Closes #30613. ### Reason for this change Documentation for `KubernetesVersion.V1_30` property incorrectly refers to `KubectlV29Layer`. ### Description of changes Corrected documentation for KubernetesVersion.V1_30 property to refer to `KubectlV30Layer`. ### Description of how you validated changes N/A ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…moved from roadmap (#30572) ### Issue # (if applicable) Closes #<issue number here>. ### Reason for this change ### Description of changes ### Description of how you validated changes ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… system (#30343) ### Issue # (if applicable) Closes #30340. ### Reason for this change Current LustreFileSystem class does not support automatic backups. ### Description of changes Add properties equivalent to those of the L1 construct to the L2 construct. * [automaticBackupRetentionDays](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws%5C_fsx.CfnFileSystem.LustreConfigurationProperty.html#automaticbackupretentiondays) * [copyTagsToBackups](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws%5C_fsx.CfnFileSystem.LustreConfigurationProperty.html#copytagstobackups) * [dailyAutomaticBackupStartTime](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws%5C_fsx.CfnFileSystem.LustreConfigurationProperty.html#dailyautomaticbackupstarttime) Segregated the `dailyAutomaticBackupStartTime` as a class to enable its usage in another file system's L2 construct (for example, Ontap) in the future. ### Description of how you validated changes Add unit tests and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[+] service aws-apptest │ ├ capitalized: AppTest │ │ cloudFormationNamespace: AWS::AppTest │ │ name: aws-apptest │ │ shortName: apptest │ └ resources │ └resource AWS::AppTest::TestCase │ ├ name: TestCase │ │ cloudFormationType: AWS::AppTest::TestCase │ │ documentation: Represents a Test Case that can be captured and executed │ │ tagInformation: {"tagPropertyName":"Tags","variant":"map"} │ ├ properties │ │ ├Description: string │ │ ├Name: string (required, immutable) │ │ ├Steps: Array<Step> (required) │ │ └Tags: Map<string, string> │ ├ attributes │ │ ├CreationTime: string │ │ ├LastUpdateTime: string │ │ ├LatestVersion: TestCaseLatestVersion │ │ ├Status: string │ │ ├TestCaseArn: string │ │ ├TestCaseId: string │ │ └TestCaseVersion: number │ └ types │ ├type TestCaseLatestVersion │ │├ name: TestCaseLatestVersion │ │└ properties │ │ ├Version: number (required) │ │ └Status: string (required) │ ├type Step │ │├ name: Step │ │└ properties │ │ ├Name: string (required) │ │ ├Description: string │ │ └Action: StepAction (required) │ ├type StepAction │ │├ name: StepAction │ │└ properties │ │ ├ResourceAction: ResourceAction │ │ ├MainframeAction: MainframeAction │ │ └CompareAction: CompareAction │ ├type ResourceAction │ │├ name: ResourceAction │ │└ properties │ │ ├M2ManagedApplicationAction: M2ManagedApplicationAction │ │ ├M2NonManagedApplicationAction: M2NonManagedApplicationAction │ │ └CloudFormationAction: CloudFormationAction │ ├type M2ManagedApplicationAction │ │├ name: M2ManagedApplicationAction │ │└ properties │ │ ├Resource: string (required) │ │ ├ActionType: string (required) │ │ └Properties: M2ManagedActionProperties │ ├type M2ManagedActionProperties │ │├ name: M2ManagedActionProperties │ │└ properties │ │ ├ForceStop: boolean │ │ └ImportDataSetLocation: string │ ├type M2NonManagedApplicationAction │ │├ name: M2NonManagedApplicationAction │ │└ properties │ │ ├Resource: string (required) │ │ └ActionType: string (required) │ ├type CloudFormationAction │ │├ name: CloudFormationAction │ │└ properties │ │ ├Resource: string (required) │ │ └ActionType: string │ ├type MainframeAction │ │├ name: MainframeAction │ │└ properties │ │ ├Resource: string (required) │ │ ├ActionType: MainframeActionType (required) │ │ └Properties: MainframeActionProperties │ ├type MainframeActionType │ │├ name: MainframeActionType │ │└ properties │ │ ├Batch: Batch │ │ └Tn3270: TN3270 │ ├type Batch │ │├ name: Batch │ │└ properties │ │ ├BatchJobName: string (required) │ │ ├BatchJobParameters: Map<string, string> │ │ └ExportDataSetNames: Array<string> │ ├type TN3270 │ │├ name: TN3270 │ │└ properties │ │ ├Script: Script (required) │ │ └ExportDataSetNames: Array<string> │ ├type Script │ │├ name: Script │ │└ properties │ │ ├ScriptLocation: string (required) │ │ └Type: string (required) │ ├type MainframeActionProperties │ │├ name: MainframeActionProperties │ │└ properties │ │ └DmsTaskArn: string │ ├type CompareAction │ │├ name: CompareAction │ │└ properties │ │ ├Input: Input (required) │ │ └Output: Output │ ├type Input │ │├ name: Input │ │└ properties │ │ └File: InputFile (required) │ ├type InputFile │ │├ name: InputFile │ │└ properties │ │ ├SourceLocation: string (required) │ │ ├TargetLocation: string (required) │ │ └FileMetadata: FileMetadata (required) │ ├type FileMetadata │ │├ name: FileMetadata │ │└ properties │ │ ├DataSets: Array<DataSet> │ │ └DatabaseCDC: DatabaseCDC │ ├type DataSet │ │├ name: DataSet │ │└ properties │ │ ├Type: string (required) │ │ ├Name: string (required) │ │ ├Ccsid: string (required) │ │ ├Format: string (required) │ │ └Length: number (required) │ ├type DatabaseCDC │ │├ name: DatabaseCDC │ │└ properties │ │ ├SourceMetadata: SourceDatabaseMetadata (required) │ │ └TargetMetadata: TargetDatabaseMetadata (required) │ ├type SourceDatabaseMetadata │ │├ name: SourceDatabaseMetadata │ │└ properties │ │ ├Type: string (required) │ │ └CaptureTool: string (required) │ ├type TargetDatabaseMetadata │ │├ name: TargetDatabaseMetadata │ │└ properties │ │ ├Type: string (required) │ │ └CaptureTool: string (required) │ ├type Output │ │├ name: Output │ │└ properties │ │ └File: OutputFile (required) │ └type OutputFile │ ├ name: OutputFile │ └ properties │ └FileLocation: string ├[~] service aws-batch │ └ resources │ └[~] resource AWS::Batch::JobDefinition │ └ types │ └[~] type NodeRangeProperty │ └ properties │ └[-] EksProperties: EksProperties ├[~] service aws-kinesisfirehose │ └ resources │ └[~] resource AWS::KinesisFirehose::DeliveryStream │ └ types │ ├[~] type HttpEndpointDestinationConfiguration │ │ └ properties │ │ └[+] SecretsManagerConfiguration: SecretsManagerConfiguration │ ├[~] type RedshiftDestinationConfiguration │ │ └ properties │ │ ├ Password: - string (required) │ │ │ + string │ │ ├[+] SecretsManagerConfiguration: SecretsManagerConfiguration │ │ └ Username: - string (required) │ │ + string │ ├[+] type SecretsManagerConfiguration │ │ ├ name: SecretsManagerConfiguration │ │ └ properties │ │ ├Enabled: boolean (required) │ │ ├RoleARN: string │ │ └SecretARN: string │ ├[~] type SnowflakeDestinationConfiguration │ │ └ properties │ │ ├ PrivateKey: - string (required) │ │ │ + string │ │ ├[+] SecretsManagerConfiguration: SecretsManagerConfiguration │ │ └ User: - string (required) │ │ + string │ └[~] type SplunkDestinationConfiguration │ └ properties │ ├ HECToken: - string (required) │ │ + string │ └[+] SecretsManagerConfiguration: SecretsManagerConfiguration └[~] service aws-mediapackagev2 └ resources ├[~] resource AWS::MediaPackageV2::Channel │ └ attributes │ └[+] IngestEndpointUrls: Array<string> └[~] resource AWS::MediaPackageV2::OriginEndpoint └ attributes ├[+] DashManifestUrls: Array<string> ├[+] HlsManifestUrls: Array<string> └[+] LowLatencyHlsManifestUrls: Array<string> ```

…PI call (#30061) ### Issue # (if applicable) Closes #29918. ### Reason for this change It would be useful if we could call AWS API across regions from a Step Functions state machine. Currently it is not officially supported even with AWS SDK integration tasks. Our usecase is to automate a cross-region failover scenario in a multi-region application. This requires you to orchestrate multiple API calls for both active and standby regions (e.g. failover Aurora DB cluster, rewrite AppConfig parameter, etc), and it would be great if we can manage these operations in a single state machine. ### Description of changes This PR adds a new construct `CallAwsServiceCrossRegion` that deploys 1. a Lambda function to call AWS API in different regions 2. SFn task to call the function. Because most properties are compatible with the existing `CallAwsService` construct, you can use the new construct by just adding the `region` property. Additionally, it also allows to set `endpoint` to override AWS API endpoint, because some AWS APIs requires you to override it. (e.g. [Route53 ARC](https://docs.aws.amazon.com/r53recovery/latest/dg/getting-started-cli-routing.control-state.html)) ### Description of how you validated changes Added unit tests and integ tests. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Add Anthropic's Claude 3.5 Sonnet model. Ref * https://aws.amazon.com/about-aws/whats-new/2024/06/anthropic-claude-3-5-sonnet-model-bedrock/ * https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…#30359) ### Issue # (if applicable) Closes #22985 . ### Reason for this change At the moment, L2 Construct does not support a tracing setting for the AppRunner Service. ### Description of changes * Add `ObservabilityConfiguration` Class * Add `observabilityConfiguration` property to the `Service` Class ### Description of how you validated changes Add unit tests and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…bled` is broken (#30624) ### Issue # (if applicable) None ### Reason for this change The documentation link of `crossZoneEnabled` is broken due to unnecessary hyphen. https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.NetworkLoadBalancer.html#crosszoneenabled <img width="732" alt="スクリーンショット 2024-06-23 0 33 20" src="https://github.com/aws/aws-cdk/assets/64848616/5096bf05-4e6e-4e72-a882-1e8d1a817ff5"> ### Description of changes Removed unnecessary hyphen. ### Description of how you validated changes None ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Add new minor version. Ref: https://aws.amazon.com/about-aws/whats-new/2024/06/amazon-rds-mysql-new-minor-version-8-0-37/ ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ture flag) (#30389) Closes #30368. Doc: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security_iam_id-based-policy-examples.html#IAM_run_policies

…aged Termination Protection is disable (#30335) Let AsgCapacityProvider use IAutoScalingGroup only when Managed Termination Protection is disable. The code will throw an exception with a clear message when the user specify a self managed ASG using `AutoScalingGroup.fromAutoScalingGroupName` and let the Managed Termination Protection enabled. It will also throw a clear exception when calling `Cluster.addAsgCapacityProvider` with an `AsgCapacityProvider` created with an imported ASG. ### Issue # (if applicable) Closes #29174. ### Reason for this change As there is no clear fix to the original issue, this change's purpose it to bring clarity to the users about what is not allowed when using the L2 Constructs `AsgCapacityProvider` and `Cluster` with an imported ASG. ### Description of changes This change will replace non explicit exception, caused by missing methods, by clear error messages. ### Description of how you validated changes Added unit tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Removed unnecessary hyphens before links in the @see section of the document. Unnecessary hyphens are breaking the links in the document. Same as #30624. Ref: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.BaseServiceProps.html#launchtype https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks.NodegroupOptions.html#instancetypes https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks.NodegroupOptions.html#launchtemplatespec ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…d due to lack of a permission (#30630) ### Issue # (if applicable) Closes #26640 ### Reason for this change According to the [docs](https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles), required permissions for an App Runner's AccessRole to access images in ECR repository are the followings: 1. "ecr:GetDownloadUrlForLayer", 2. "ecr:BatchCheckLayerAvailability", 3. "ecr:BatchGetImage", 4. "ecr:DescribeImages", 5. "ecr:GetAuthorizationToken" No.1~3 are granted by the [grantPull](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-ecr/lib/repository.ts#L385) method of `ecr.Repository`. https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-apprunner-alpha/lib/service.ts#L1303 Permission for No.5 is granted by the following. **Note** : It is correct that the resources here is set to `*`(Ref: [docs](https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles)) > If you create your own custom policy for your access role, be sure to specify "Resource": "*" for the ecr:GetAuthorizationToken action. Tokens can be used to access any Amazon ECR registry that you have access to. https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-apprunner-alpha/lib/service.ts#L1368 At the moment, No.4 permission is missing. So we need to add. ### Description of changes Add a `ecr:DescribeImages` permisison to the AccessRole. ### Description of how you validated changes Update a unit test and a integ test. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.

We were seeing build failures (most likely) caused by nx version mismatches. This PR aligns those versions. ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…M_3 (#30670) ### Description of changes Fixed typo in the comment at CodeBuildImage.AMAZON_LINUX_2_ARM_3. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.147.1/CHANGELOG.md)

Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.

### Issue # (if applicable) Closes #30270. ### Reason for this change Lambda Function target is not supported yet by pipes-targets. ### Description of changes - Added LambdaFunction as a pipes target. - Default LambdaFunctionInvocationType to `LambdaFunctionInvocationType.REQUEST_RESPONSE` - Allowed grant Invoke on Lambda by Pipes ### Description of how you validated changes ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… notifications (under feature flag) (#30699) Reverts #30610 due to Feature flags issues

### Issue # (if applicable) None. ### Reason for this change https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versionsx86-64.html https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versionsARM.html ### Description of changes - adding region - ap-southeast-4 - il-central-1 - adding version * Version 1.0.273.0 * Version 1.0.275.0 * Version 1.0.295.0 * Version 1.0.317.0 ### Description of how you validated changes no ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

I saw these errors when working on #30696.

Automated changes by [create-pull-request](https://github.com/peter-evans/create-pull-request) GitHub action

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-applicationsignals │ └ resources │ └[~] resource AWS::ApplicationSignals::ServiceLevelObjective │ ├ - documentation: Resource Type definition for AWS::ApplicationSignals::ServiceLevelObjective │ │ + documentation: Creates or updates a service level objective (SLO), which can help you ensure that your critical business operations are meeting customer expectations. Use SLOs to set and track specific target levels for the reliability and availability of your applications and services. SLOs use service level indicators (SLIs) to calculate whether the application is performing at the level that you want. │ │ Create an SLO to set a target for a service or operation’s availability or latency. CloudWatch measures this target frequently you can find whether it has been breached. │ │ When you create an SLO, you set an *attainment goal* for it. An *attainment goal* is the ratio of good periods that meet the threshold requirements to the total periods within the interval. For example, an attainment goal of 99.9% means that within your interval, you are targeting 99.9% of the periods to be in healthy state. │ │ After you have created an SLO, you can retrieve error budget reports for it. An *error budget* is the number of periods or amount of time that your service can accumulate during an interval before your overall SLO budget health is breached and the SLO is considered to be unmet. for example, an SLO with a threshold that 99.95% of requests must be completed under 2000ms every month translates to an error budget of 21.9 minutes of downtime per month. │ │ When you call this operation, Application Signals creates the *AWSServiceRoleForCloudWatchApplicationSignals* service-linked role, if it doesn't already exist in your account. This service- linked role has the following permissions: │ │ - `xray:GetServiceGraph` │ │ - `logs:StartQuery` │ │ - `logs:GetQueryResults` │ │ - `cloudwatch:GetMetricData` │ │ - `cloudwatch:ListMetrics` │ │ - `tag:GetResources` │ │ - `autoscaling:DescribeAutoScalingGroups` │ │ You can easily set SLO targets for your applications that are discovered by Application Signals, using critical metrics such as latency and availability. You can also set SLOs against any CloudWatch metric or math expression that produces a time series. │ │ For more information about SLOs, see [Service level objectives (SLOs)](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-ServiceLevelObjectives.html) . │ ├ properties │ │ ├ Description: (documentation changed) │ │ ├ Goal: (documentation changed) │ │ ├ Name: (documentation changed) │ │ ├ Sli: (documentation changed) │ │ └ Tags: (documentation changed) │ ├ attributes │ │ ├ CreatedTime: (documentation changed) │ │ └ LastUpdatedTime: (documentation changed) │ └ types │ ├[~] type CalendarInterval │ │ └ properties │ │ ├ Duration: (documentation changed) │ │ └ StartTime: (documentation changed) │ ├[~] type Dimension │ │ ├ - documentation: A dimension is a name/value pair that is part of the identity of a metric. Because dimensions are part of the unique identifier for a metric, whenever you add a unique name/value pair to one of your metrics, you are creating a new variation of that metric. For example, many Amazon EC2 metrics publish `InstanceId` as a dimension name, and the actual instance ID as the value for that dimension. You can assign up to 30 dimensions to a metric. │ │ │ + documentation: A dimension is a name/value pair that is part of the identity of a metric. Because dimensions are part of the unique identifier for a metric, whenever you add a unique name/value pair to one of your metrics, you are creating a new variation of that metric. For example, many Amazon EC2 metrics publish `InstanceId` as a dimension name, and the actual instance ID as the value for that dimension. │ │ │ You can assign up to 30 dimensions to a metric. │ │ └ properties │ │ ├ Name: (documentation changed) │ │ └ Value: (documentation changed) │ ├[~] type Goal │ │ ├ - documentation: A structure that contains the attributes that determine the goal of the SLO. This includes the time period for evaluation and the attainment threshold. │ │ │ + documentation: This structure contains the attributes that determine the goal of an SLO. This includes the time period for evaluation and the attainment threshold. │ │ └ properties │ │ ├ AttainmentGoal: (documentation changed) │ │ └ Interval: (documentation changed) │ ├[~] type Interval │ │ ├ - documentation: The time period used to evaluate the SLO. It can be either a calendar interval or rolling interval. │ │ │ If you omit this parameter, a rolling interval of 7 days is used. │ │ │ + documentation: The time period used to evaluate the SLO. It can be either a calendar interval or rolling interval. │ │ └ properties │ │ ├ CalendarInterval: (documentation changed) │ │ └ RollingInterval: (documentation changed) │ ├[~] type Metric │ │ ├ - documentation: This structure defines the metric used for a service level indicator, including the metric name, namespace, and dimensions. │ │ │ + documentation: This structure defines the metric used for a service level indicator, including the metric name, namespace, and dimensions │ │ └ properties │ │ ├ Dimensions: (documentation changed) │ │ └ Namespace: (documentation changed) │ ├[~] type MetricDataQuery │ │ ├ - documentation: Use this structure to define a metric or metric math expression that you want to use as for a service level objective. │ │ │ Each `MetricDataQuery` in the `MetricDataQueries` array specifies either a metric to retrieve, or a metric math expression to be performed on retrieved metrics. A single `MetricDataQueries` array can include as many as 20 `MetricDataQuery` structures in the array. The 20 structures can include as many as 10 structures that contain a `MetricStat` parameter to retrieve a metric, and as many as 10 structures that contain the `Expression` parameter to perform a math expression. Of those Expression structures, exactly one must have true as the value for `ReturnData`. The result of this expression used for the SLO. │ │ │ + documentation: Use this structure to define a metric or metric math expression that you want to use as for a service level objective. │ │ │ Each `MetricDataQuery` in the `MetricDataQueries` array specifies either a metric to retrieve, or a metric math expression to be performed on retrieved metrics. A single `MetricDataQueries` array can include as many as 20 `MetricDataQuery` structures in the array. The 20 structures can include as many as 10 structures that contain a `MetricStat` parameter to retrieve a metric, and as many as 10 structures that contain the `Expression` parameter to perform a math expression. Of those `Expression` structures, exactly one must have true as the value for `ReturnData` . The result of this expression used for the SLO. │ │ │ For more information about metric math expressions, see [Use metric math](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/using-metric-math.html) . │ │ │ Within each `MetricDataQuery` object, you must specify either `Expression` or `MetricStat` but not both. │ │ └ properties │ │ ├ AccountId: (documentation changed) │ │ ├ Expression: (documentation changed) │ │ ├ Id: (documentation changed) │ │ ├ MetricStat: (documentation changed) │ │ └ ReturnData: (documentation changed) │ ├[~] type MetricStat │ │ ├ - documentation: A metric to be used directly for the SLO, or to be used in the math expression that will be used for the SLO. Within one MetricDataQuery object, you must specify either Expression or MetricStat but not both. │ │ │ + documentation: This structure defines the metric to be used as the service level indicator, along with the statistics, period, and unit. │ │ └ properties │ │ ├ Metric: (documentation changed) │ │ ├ Period: (documentation changed) │ │ ├ Stat: (documentation changed) │ │ └ Unit: (documentation changed) │ ├[~] type RollingInterval │ │ ├ - documentation: If the interval is a calendar interval, this structure contains the interval specifications. │ │ │ + documentation: If the interval for this SLO is a rolling interval, this structure contains the interval specifications. │ │ └ properties │ │ ├ Duration: (documentation changed) │ │ └ DurationUnit: (documentation changed) │ ├[~] type Sli │ │ ├ - documentation: This structure contains information about the performance metric that an SLO monitors. │ │ │ + documentation: This structure specifies the information about the service and the performance metric that an SLO is to monitor. │ │ └ properties │ │ ├ ComparisonOperator: (documentation changed) │ │ └ SliMetric: (documentation changed) │ └[~] type SliMetric │ ├ - documentation: A structure that contains information about the metric that the SLO monitors. │ │ + documentation: Use this structure to specify the metric to be used for the SLO. │ └ properties │ ├ KeyAttributes: (documentation changed) │ ├ MetricDataQueries: (documentation changed) │ ├ MetricType: (documentation changed) │ ├ OperationName: (documentation changed) │ └ Statistic: (documentation changed) ├[~] service aws-apptest │ └ resources │ └[~] resource AWS::AppTest::TestCase │ ├ - documentation: Represents a Test Case that can be captured and executed │ │ + documentation: Creates a test case for an application. │ │ For more information about test cases, see [Test cases](https://docs.aws.amazon.com/m2/latest/userguide/testing-test-cases.html) and [Application Testing concepts](https://docs.aws.amazon.com/m2/latest/userguide/concepts-apptest.html) in the *AWS Mainframe Modernization User Guide* . │ ├ properties │ │ ├ Description: (documentation changed) │ │ ├ Name: (documentation changed) │ │ ├ Steps: (documentation changed) │ │ └ Tags: (documentation changed) │ ├ attributes │ │ ├ CreationTime: (documentation changed) │ │ ├ LastUpdateTime: (documentation changed) │ │ ├ Status: (documentation changed) │ │ ├ TestCaseArn: (documentation changed) │ │ ├ TestCaseId: (documentation changed) │ │ └ TestCaseVersion: (documentation changed) │ └ types │ ├[~] type Batch │ │ ├ - documentation: undefined │ │ │ + documentation: Defines a batch. │ │ └ properties │ │ ├ BatchJobName: (documentation changed) │ │ ├ BatchJobParameters: (documentation changed) │ │ └ ExportDataSetNames: (documentation changed) │ ├[~] type CloudFormationAction │ │ ├ - documentation: undefined │ │ │ + documentation: Specifies the CloudFormation action. │ │ └ properties │ │ ├ ActionType: (documentation changed) │ │ └ Resource: (documentation changed) │ ├[~] type CompareAction │ │ ├ - documentation: undefined │ │ │ + documentation: Compares the action. │ │ └ properties │ │ ├ Input: (documentation changed) │ │ └ Output: (documentation changed) │ ├[~] type DatabaseCDC │ │ ├ - documentation: undefined │ │ │ + documentation: Defines the Change Data Capture (CDC) of the database. │ │ └ properties │ │ ├ SourceMetadata: (documentation changed) │ │ └ TargetMetadata: (documentation changed) │ ├[~] type DataSet │ │ ├ - documentation: undefined │ │ │ + documentation: Defines a data set. │ │ └ properties │ │ ├ Ccsid: (documentation changed) │ │ ├ Format: (documentation changed) │ │ ├ Length: (documentation changed) │ │ ├ Name: (documentation changed) │ │ └ Type: (documentation changed) │ ├[~] type FileMetadata │ │ ├ - documentation: undefined │ │ │ + documentation: Specifies a file metadata. │ │ └ properties │ │ ├ DatabaseCDC: (documentation changed) │ │ └ DataSets: (documentation changed) │ ├[~] type Input │ │ ├ - documentation: undefined │ │ │ + documentation: Specifies the input. │ │ └ properties │ │ └ File: (documentation changed) │ ├[~] type InputFile │ │ ├ - documentation: undefined │ │ │ + documentation: Specifies the input file. │ │ └ properties │ │ ├ FileMetadata: (documentation changed) │ │ ├ SourceLocation: (documentation changed) │ │ └ TargetLocation: (documentation changed) │ ├[~] type M2ManagedActionProperties │ │ ├ - documentation: undefined │ │ │ + documentation: Specifies the AWS Mainframe Modernization managed action properties. │ │ └ properties │ │ ├ ForceStop: (documentation changed) │ │ └ ImportDataSetLocation: (documentation changed) │ ├[~] type M2ManagedApplicationAction │ │ ├ - documentation: undefined │ │ │ + documentation: Specifies the AWS Mainframe Modernization managed application action. │ │ └ properties │ │ ├ ActionType: (documentation changed) │ │ ├ Properties: (documentation changed) │ │ └ Resource: (documentation changed) │ ├[~] type M2NonManagedApplicationAction │ │ ├ - documentation: undefined │ │ │ + documentation: Specifies the AWS Mainframe Modernization non-managed application action. │ │ └ properties │ │ ├ ActionType: (documentation changed) │ │ └ Resource: (documentation changed) │ ├[~] type MainframeAction │ │ ├ - documentation: undefined │ │ │ + documentation: Specifies the mainframe action. │ │ └ properties │ │ ├ ActionType: (documentation changed) │ │ ├ Properties: (documentation changed) │ │ └ Resource: (documentation changed) │ ├[~] type MainframeActionProperties │ │ ├ - documentation: undefined │ │ │ + documentation: Specifies the mainframe action properties. │ │ └ properties │ │ └ DmsTaskArn: (documentation changed) │ ├[~] type MainframeActionType │ │ ├ - documentation: undefined │ │ │ + documentation: Specifies the mainframe action type. │ │ └ properties │ │ ├ Batch: (documentation changed) │ │ └ Tn3270: (documentation changed) │ ├[~] type Output │ │ ├ - documentation: undefined │ │ │ + documentation: Specifies an output. │ │ └ properties │ │ └ File: (documentation changed) │ ├[~] type OutputFile │ │ ├ - documentation: undefined │ │ │ + documentation: Specifies an output file. │ │ └ properties │ │ └ FileLocation: (documentation changed) │ ├[~] type ResourceAction │ │ ├ - documentation: undefined │ │ │ + documentation: Specifies a resource action. │ │ └ properties │ │ ├ CloudFormationAction: (documentation changed) │ │ ├ M2ManagedApplicationAction: (documentation changed) │ │ └ M2NonManagedApplicationAction: (documentation changed) │ ├[~] type Script │ │ ├ - documentation: undefined │ │ │ + documentation: Specifies the script. │ │ └ properties │ │ ├ ScriptLocation: (documentation changed) │ │ └ Type: (documentation changed) │ ├[~] type SourceDatabaseMetadata │ │ ├ - documentation: undefined │ │ │ + documentation: Specifies the source database metadata. │ │ └ properties │ │ ├ CaptureTool: (documentation changed) │ │ └ Type: (documentation changed) │ ├[~] type Step │ │ ├ - documentation: undefined │ │ │ + documentation: Defines a step. │ │ └ properties │ │ ├ Action: (documentation changed) │ │ ├ Description: (documentation changed) │ │ └ Name: (documentation changed) │ ├[~] type StepAction │ │ ├ - documentation: undefined │ │ │ + documentation: Specifies a step action. │ │ └ properties │ │ ├ CompareAction: (documentation changed) │ │ ├ MainframeAction: (documentation changed) │ │ └ ResourceAction: (documentation changed) │ ├[~] type TargetDatabaseMetadata │ │ ├ - documentation: undefined │ │ │ + documentation: Specifies a target database metadata. │ │ └ properties │ │ ├ CaptureTool: (documentation changed) │ │ └ Type: (documentation changed) │ ├[~] type TestCaseLatestVersion │ │ ├ - documentation: undefined │ │ │ + documentation: Specifies the latest version of a test case. │ │ └ properties │ │ ├ Status: (documentation changed) │ │ └ Version: (documentation changed) │ └[~] type TN3270 │ ├ - documentation: undefined │ │ + documentation: Specifies the TN3270 protocol. │ └ properties │ ├ ExportDataSetNames: (documentation changed) │ └ Script: (documentation changed) ├[~] service aws-backup │ └ resources │ ├[~] resource AWS::Backup::BackupVault │ │ └ properties │ │ └ BackupVaultName: (documentation changed) │ └[~] resource AWS::Backup::RestoreTestingSelection │ └ types │ └[~] type ProtectedResourceConditions │ └ - documentation: The conditions that you define for resources in your restore testing plan using tags. │ For example, `"StringEquals": { "Key": "aws:ResourceTag/CreatedByCryo", "Value": "true" },` . Condition operators are case sensitive. │ + documentation: The conditions that you define for resources in your restore testing plan using tags. ├[~] service aws-bedrock │ └ resources │ └[~] resource AWS::Bedrock::Agent │ ├ properties │ │ └[+] GuardrailConfiguration: GuardrailConfiguration │ └ types │ └[+] type GuardrailConfiguration │ ├ documentation: Configuration information for a guardrail that you use with the `Converse` action. │ │ name: GuardrailConfiguration │ └ properties │ ├GuardrailIdentifier: string │ └GuardrailVersion: string ├[~] service aws-cloudtrail │ └ resources │ └[~] resource AWS::CloudTrail::Trail │ ├ properties │ │ ├ CloudWatchLogsLogGroupArn: (documentation changed) │ │ └ CloudWatchLogsRoleArn: (documentation changed) │ └ types │ └[~] type DataResource │ ├ - documentation: Data events provide information about the resource operations performed on or within a resource itself. These are also known as data plane operations. You can specify up to 250 data resources for a trail. │ │ Configure the `DataResource` to specify the resource type and resource ARNs for which you want to log data events. │ │ You can specify the following resource types in your event selectors for your trail: │ │ - `AWS::DynamoDB::Table` │ │ - `AWS::Lambda::Function` │ │ - `AWS::S3::Object` │ │ > The total number of allowed data resources is 250. This number can be distributed between 1 and 5 event selectors, but the total cannot exceed 250 across all selectors for the trail. │ │ > │ │ > If you are using advanced event selectors, the maximum total number of values for all conditions, across all advanced event selectors for the trail, is 500. │ │ The following example demonstrates how logging works when you configure logging of all data events for an S3 bucket named `bucket-1` . In this example, the CloudTrail user specified an empty prefix, and the option to log both `Read` and `Write` data events. │ │ - A user uploads an image file to `bucket-1` . │ │ - The `PutObject` API operation is an Amazon S3 object-level API. It is recorded as a data event in CloudTrail. Because the CloudTrail user specified an S3 bucket with an empty prefix, events that occur on any object in that bucket are logged. The trail processes and logs the event. │ │ - A user uploads an object to an Amazon S3 bucket named `arn:aws:s3:::bucket-2` . │ │ - The `PutObject` API operation occurred for an object in an S3 bucket that the CloudTrail user didn't specify for the trail. The trail doesn’t log the event. │ │ The following example demonstrates how logging works when you configure logging of AWS Lambda data events for a Lambda function named *MyLambdaFunction* , but not for all Lambda functions. │ │ - A user runs a script that includes a call to the *MyLambdaFunction* function and the *MyOtherLambdaFunction* function. │ │ - The `Invoke` API operation on *MyLambdaFunction* is an Lambda API. It is recorded as a data event in CloudTrail. Because the CloudTrail user specified logging data events for *MyLambdaFunction* , any invocations of that function are logged. The trail processes and logs the event. │ │ - The `Invoke` API operation on *MyOtherLambdaFunction* is an Lambda API. Because the CloudTrail user did not specify logging data events for all Lambda functions, the `Invoke` operation for *MyOtherLambdaFunction* does not match the function specified for the trail. The trail doesn’t log the event. │ │ + documentation: Data events provide information about the resource operations performed on or within a resource itself. These are also known as data plane operations. You can specify up to 250 data resources for a trail. │ │ Configure the `DataResource` to specify the resource type and resource ARNs for which you want to log data events. │ │ You can specify the following resource types in your event selectors for your trail: │ │ - `AWS::DynamoDB::Table` │ │ - `AWS::Lambda::Function` │ │ - `AWS::S3::Object` │ │ > The total number of allowed data resources is 250. This number can be distributed between 1 and 5 event selectors, but the total cannot exceed 250 across all selectors for the trail. │ │ > │ │ > If you are using advanced event selectors, the maximum total number of values for all conditions, across all advanced event selectors for the trail, is 500. │ │ The following example demonstrates how logging works when you configure logging of all data events for an S3 bucket named `DOC-EXAMPLE-BUCKET1` . In this example, the CloudTrail user specified an empty prefix, and the option to log both `Read` and `Write` data events. │ │ - A user uploads an image file to `DOC-EXAMPLE-BUCKET1` . │ │ - The `PutObject` API operation is an Amazon S3 object-level API. It is recorded as a data event in CloudTrail. Because the CloudTrail user specified an S3 bucket with an empty prefix, events that occur on any object in that bucket are logged. The trail processes and logs the event. │ │ - A user uploads an object to an Amazon S3 bucket named `arn:aws:s3:::DOC-EXAMPLE-BUCKET1` . │ │ - The `PutObject` API operation occurred for an object in an S3 bucket that the CloudTrail user didn't specify for the trail. The trail doesn’t log the event. │ │ The following example demonstrates how logging works when you configure logging of AWS Lambda data events for a Lambda function named *MyLambdaFunction* , but not for all Lambda functions. │ │ - A user runs a script that includes a call to the *MyLambdaFunction* function and the *MyOtherLambdaFunction* function. │ │ - The `Invoke` API operation on *MyLambdaFunction* is an Lambda API. It is recorded as a data event in CloudTrail. Because the CloudTrail user specified logging data events for *MyLambdaFunction* , any invocations of that function are logged. The trail processes and logs the event. │ │ - The `Invoke` API operation on *MyOtherLambdaFunction* is an Lambda API. Because the CloudTrail user did not specify logging data events for all Lambda functions, the `Invoke` operation for *MyOtherLambdaFunction* does not match the function specified for the trail. The trail doesn’t log the event. │ └ properties │ └ Values: (documentation changed) ├[~] service aws-codeartifact │ └ resources │ ├[~] resource AWS::CodeArtifact::Domain │ │ └ properties │ │ └ EncryptionKey: (documentation changed) │ └[~] resource AWS::CodeArtifact::Repository │ └ properties │ └ DomainOwner: (documentation changed) ├[~] service aws-codebuild │ └ resources │ └[~] resource AWS::CodeBuild::Project │ └ types │ ├[~] type ProjectTriggers │ │ └ properties │ │ └[+] ScopeConfiguration: ScopeConfiguration │ ├[+] type ScopeConfiguration │ │ ├ name: ScopeConfiguration │ │ └ properties │ │ └Name: string (required) │ └[~] type WebhookFilter │ └ properties │ └ Type: (documentation changed) ├[~] service aws-cognito │ └ resources │ ├[~] resource AWS::Cognito::UserPoolClient │ │ └ properties │ │ └ DefaultRedirectURI: (documentation changed) │ └[~] resource AWS::Cognito::UserPoolResourceServer │ └ attributes │ └[-] Id: string ├[~] service aws-datasync │ └ resources │ └[~] resource AWS::DataSync::Agent │ └ properties │ ├ ActivationKey: (documentation changed) │ ├ AgentName: (documentation changed) │ └ SubnetArns: (documentation changed) ├[~] service aws-deadline │ └ resources │ └[~] resource AWS::Deadline::Monitor │ └ attributes │ └ Arn: (documentation changed) ├[~] service aws-dms │ └ resources │ └[~] resource AWS::DMS::ReplicationConfig │ └ attributes │ └ ReplicationConfigArn: (documentation changed) ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::EC2Fleet │ │ ├ - documentation: Specifies the configuration information to launch a fleet--or group--of instances. An EC2 Fleet can launch multiple instance types across multiple Availability Zones, using the On-Demand Instance, Reserved Instance, and Spot Instance purchasing models together. Using EC2 Fleet, you can define separate On-Demand and Spot capacity targets, specify the instance types that work best for your applications, and specify how Amazon EC2 should distribute your fleet capacity within each purchasing model. For more information, see [Launching an EC2 Fleet](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet.html) in the *Amazon EC2 User Guide for Linux Instances* . │ │ │ + documentation: Specifies the configuration information to launch a fleet--or group--of instances. An EC2 Fleet can launch multiple instance types across multiple Availability Zones, using the On-Demand Instance, Reserved Instance, and Spot Instance purchasing models together. Using EC2 Fleet, you can define separate On-Demand and Spot capacity targets, specify the instance types that work best for your applications, and specify how Amazon EC2 should distribute your fleet capacity within each purchasing model. For more information, see [Launching an EC2 Fleet](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet.html) in the *Amazon EC2 User Guide* . │ │ └ types │ │ └[~] type InstanceRequirementsRequest │ │ └ properties │ │ └ MaxSpotPriceAsPercentageOfOptimalOnDemandPrice: (documentation changed) │ ├[~] resource AWS::EC2::Host │ │ └ - documentation: Allocates a fully dedicated physical server for launching EC2 instances. Because the host is fully dedicated for your use, it can help you address compliance requirements and reduce costs by allowing you to use your existing server-bound software licenses. For more information, see [Dedicated Hosts](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-overview.html) in the *Amazon EC2 User Guide for Linux Instances* . │ │ + documentation: Allocates a fully dedicated physical server for launching EC2 instances. Because the host is fully dedicated for your use, it can help you address compliance requirements and reduce costs by allowing you to use your existing server-bound software licenses. For more information, see [Dedicated Hosts](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-overview.html) in the *Amazon EC2 User Guide* . │ ├[~] resource AWS::EC2::Instance │ │ └ types │ │ └[~] type ElasticGpuSpecification │ │ └ - documentation: > Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances. │ │ Specifies the type of Elastic GPU. An Elastic GPU is a GPU resource that you can attach to your Amazon EC2 instance to accelerate the graphics performance of your applications. For more information, see [Amazon EC2 Elastic GPUs](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/elastic-graphics.html) in the *Amazon EC2 User Guide for Windows Instances* . │ │ `ElasticGpuSpecification` is a property of the [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html) resource. │ │ + documentation: > Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances. │ │ Specifies the type of Elastic GPU. An Elastic GPU is a GPU resource that you can attach to your Amazon EC2 instance to accelerate the graphics performance of your applications. │ │ `ElasticGpuSpecification` is a property of the [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html) resource. │ ├[~] resource AWS::EC2::InstanceConnectEndpoint │ │ └ properties │ │ └ PreserveClientIp: (documentation changed) │ ├[~] resource AWS::EC2::LaunchTemplate │ │ └ types │ │ ├[~] type InstanceRequirements │ │ │ └ properties │ │ │ └ MaxSpotPriceAsPercentageOfOptimalOnDemandPrice: (documentation changed) │ │ └[~] type LaunchTemplateData │ │ └ properties │ │ └ UserData: (documentation changed) │ ├[~] resource AWS::EC2::SecurityGroup │ │ └ attributes │ │ ├ GroupId: (documentation changed) │ │ └ VpcId: (documentation changed) │ └[~] resource AWS::EC2::SpotFleet │ └ types │ ├[~] type InstanceRequirementsRequest │ │ └ properties │ │ └ MaxSpotPriceAsPercentageOfOptimalOnDemandPrice: (documentation changed) │ └[~] type SpotFleetRequestConfigData │ └ properties │ └ IamFleetRole: (documentation changed) ├[~] service aws-ecs │ └ resources │ ├[~] resource AWS::ECS::Service │ │ └ types │ │ ├[~] type LogConfiguration │ │ │ ├ - documentation: The log configuration for the container. This parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--log-driver` option to [`docker run`](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/commandline/run/) . │ │ │ │ By default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition. For more information about the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation. │ │ │ │ Understand the following when specifying a log configuration for your containers. │ │ │ │ - Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon. Additional log drivers may be available in future releases of the Amazon ECS container agent. │ │ │ │ For tasks on AWS Fargate , the supported log drivers are `awslogs` , `splunk` , and `awsfirelens` . │ │ │ │ For tasks hosted on Amazon EC2 instances, the supported log drivers are `awslogs` , `fluentd` , `gelf` , `json-file` , `journald` , `logentries` , `syslog` , `splunk` , and `awsfirelens` . │ │ │ │ - This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. │ │ │ │ - For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* . │ │ │ │ - For tasks that are on AWS Fargate , because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to. │ │ │ │ + documentation: The log configuration for the container. This parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--log-driver` option to [`docker run`](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/commandline/run/) . │ │ │ │ By default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition. For more information about the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation. │ │ │ │ Understand the following when specifying a log configuration for your containers. │ │ │ │ - Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon. Additional log drivers may be available in future releases of the Amazon ECS container agent. │ │ │ │ For tasks on AWS Fargate , the supported log drivers are `awslogs` , `splunk` , and `awsfirelens` . │ │ │ │ For tasks hosted on Amazon EC2 instances, the supported log drivers are `awslogs` , `fluentd` , `gelf` , `json-file` , `journald` , `syslog` , `splunk` , and `awsfirelens` . │ │ │ │ - This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. │ │ │ │ - For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* . │ │ │ │ - For tasks that are on AWS Fargate , because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to. │ │ │ └ properties │ │ │ └ LogDriver: (documentation changed) │ │ └[~] type ServiceConnectConfiguration │ │ └ properties │ │ └ LogConfiguration: (documentation changed) │ └[~] resource AWS::ECS::TaskDefinition │ ├ properties │ │ ├ ExecutionRoleArn: (documentation changed) │ │ └ TaskRoleArn: (documentation changed) │ └ types │ ├[~] type ContainerDefinition │ │ └ properties │ │ └ Cpu: (documentation changed) │ ├[~] type LogConfiguration │ │ └ properties │ │ └ LogDriver: (documentation changed) │ └[~] type Ulimit │ └ - documentation: The `ulimit` settings to pass to the container. │ Amazon ECS tasks hosted on AWS Fargate use the default resource limit values set by the operating system with the exception of the `nofile` resource limit parameter which AWS Fargate overrides. The `nofile` resource limit sets a restriction on the number of open files that a container can use. The default `nofile` soft limit is `1024` and the default hard limit is `65535` . │ You can specify the `ulimit` settings for a container in a task definition. │ + documentation: The `ulimit` settings to pass to the container. │ Amazon ECS tasks hosted on AWS Fargate use the default resource limit values set by the operating system with the exception of the `nofile` resource limit parameter which AWS Fargate overrides. The `nofile` resource limit sets a restriction on the number of open files that a container can use. The default `nofile` soft limit is `65535` and the default hard limit is `65535` . │ You can specify the `ulimit` settings for a container in a task definition. ├[~] service aws-eks │ └ resources │ └[~] resource AWS::EKS::Cluster │ └ properties │ └[+] BootstrapSelfManagedAddons: boolean (immutable) ├[~] service aws-elasticache │ └ resources │ ├[~] resource AWS::ElastiCache::ReplicationGroup │ │ └ properties │ │ └ ReplicationGroupId: (documentation changed) │ ├[~] resource AWS::ElastiCache::ServerlessCache │ │ └ properties │ │ ├ DailySnapshotTime: (documentation changed) │ │ └ SnapshotRetentionLimit: (documentation changed) │ ├[~] resource AWS::ElastiCache::User │ │ └ properties │ │ └ Tags: (documentation changed) │ └[~] resource AWS::ElastiCache::UserGroup │ └ properties │ └ Tags: (documentation changed) ├[~] service aws-emrserverless │ └ resources │ └[~] resource AWS::EMRServerless::Application │ └ types │ └[~] type WorkerConfiguration │ └ properties │ └[+] DiskType: string ├[~] service aws-gamelift │ └ resources │ ├[~] resource AWS::GameLift::Build │ │ └ properties │ │ └ OperatingSystem: (documentation changed) │ └[~] resource AWS::GameLift::ContainerGroupDefinition │ └ properties │ └ OperatingSystem: (documentation changed) ├[~] service aws-glue │ └ resources │ ├[~] resource AWS::Glue::Connection │ │ └ types │ │ ├[~] type ConnectionInput │ │ │ └ properties │ │ │ ├ ConnectionType: (documentation changed) │ │ │ ├ Name: (documentation changed) │ │ │ └ PhysicalConnectionRequirements: (documentation changed) │ │ └[~] type PhysicalConnectionRequirements │ │ ├ - documentation: Specifies the physical requirements for a connection. │ │ │ + documentation: The OAuth client app in GetConnection response. │ │ └ properties │ │ └ AvailabilityZone: (documentation changed) │ └[~] resource AWS::Glue::Job │ └ properties │ └ MaintenanceWindow: (documentation changed) ├[~] service aws-grafana │ └ resources │ └[~] resource AWS::Grafana::Workspace │ └ properties │ ├ AuthenticationProviders: (documentation changed) │ └ NotificationDestinations: (documentation changed) ├[~] service aws-guardduty │ └ resources │ ├[~] resource AWS::GuardDuty::Detector │ │ ├ attributes │ │ │ └ Id: (documentation changed) │ │ └ types │ │ ├[~] type CFNFeatureConfiguration │ │ │ └ properties │ │ │ └ Name: (documentation changed) │ │ └[~] type TagItem │ │ └ properties │ │ ├ Key: (documentation changed) │ │ └ Value: (documentation changed) │ ├[~] resource AWS::GuardDuty::Filter │ │ ├ properties │ │ │ ├ DetectorId: - string (immutable) │ │ │ │ + string (required, immutable) │ │ │ └ Name: - string (immutable) │ │ │ + string (required, immutable) │ │ └ types │ │ ├[~] type FindingCriteria │ │ │ └ properties │ │ │ └ Criterion: (documentation changed) │ │ └[~] type TagItem │ │ ├ - documentation: undefined │ │ │ + documentation: Describes a tag. │ │ └ properties │ │ ├ Key: (documentation changed) │ │ └ Value: (documentation changed) │ ├[~] resource AWS::GuardDuty::IPSet │ │ └ types │ │ └[~] type TagItem │ │ ├ - documentation: undefined │ │ │ + documentation: Contains information about a tag. │ │ └ properties │ │ ├ Key: (documentation changed) │ │ └ Value: (documentation changed) │ ├[~] resource AWS::GuardDuty::MalwareProtectionPlan │ │ ├ - documentation: Resource Type definition for AWS::GuardDuty::MalwareProtectionPlan │ │ │ + documentation: Creates a new Malware Protection plan for the protected resource. │ │ │ When you create a Malware Protection plan, the [AWS service terms for GuardDuty Malware Protection](https://docs.aws.amazon.com/service-terms/#87._Amazon_GuardDuty) will apply. │ │ ├ properties │ │ │ ├ Actions: (documentation changed) │ │ │ ├ ProtectedResource: (documentation changed) │ │ │ ├ Role: (documentation changed) │ │ │ └ Tags: (documentation changed) │ │ ├ attributes │ │ │ ├ Arn: (documentation changed) │ │ │ ├ MalwareProtectionPlanId: (documentation changed) │ │ │ ├ Status: (documentation changed) │ │ │ └ StatusReasons: (documentation changed) │ │ └ types │ │ ├[~] type CFNActions │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: Specifies the action that is to be applied to the Malware Protection plan resource. │ │ │ └ properties │ │ │ └ Tagging: (documentation changed) │ │ ├[~] type CFNProtectedResource │ │ │ └ - documentation: undefined │ │ │ + documentation: Information about the protected resource. Presently, `S3Bucket` is the only supported protected resource. │ │ ├[~] type CFNStatusReasons │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: Information about the status code and status details associated with the status of the Malware Protection plan. │ │ │ └ properties │ │ │ ├ Code: (documentation changed) │ │ │ └ Message: (documentation changed) │ │ ├[~] type CFNTagging │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: Contains information about tagging status of the Malware Protection plan resource. │ │ │ └ properties │ │ │ └ Status: (documentation changed) │ │ ├[~] type S3Bucket │ │ │ └ properties │ │ │ └ ObjectPrefixes: (documentation changed) │ │ └[~] type TagItem │ │ ├ - documentation: undefined │ │ │ + documentation: Contains information about a tag. │ │ └ properties │ │ ├ Key: (documentation changed) │ │ └ Value: (documentation changed) │ ├[~] resource AWS::GuardDuty::Master │ │ └ properties │ │ └ InvitationId: (documentation changed) │ └[~] resource AWS::GuardDuty::ThreatIntelSet │ ├ - documentation: The `AWS::GuardDuty::ThreatIntelSet` resource specifies a new `ThreatIntelSet` . A `ThreatIntelSet` consists of known malicious IP addresses. GuardDuty generates findings based on the `ThreatIntelSet` when it is activated. │ │ + documentation: The `AWS::GuardDuty::ThreatIntelSet` resource specifies a new `ThreatIntelSet` . A `ThreatIntelSet` consists of known malicious IP addresses. GuardDuty generates findings based on the `ThreatIntelSet` after it is activated. │ ├ attributes │ │ └ Id: (documentation changed) │ └ types │ └[~] type TagItem │ ├ - documentation: undefined │ │ + documentation: Contains information about a tag. │ └ properties │ ├ Key: (documentation changed) │ └ Value: (documentation changed) ├[~] service aws-kinesisanalyticsv2 │ └ resources │ └[~] resource AWS::KinesisAnalyticsV2::Application │ └ types │ ├[~] type ApplicationConfiguration │ │ └ properties │ │ └[+] ApplicationSystemRollbackConfiguration: ApplicationSystemRollbackConfiguration │ └[+] type ApplicationSystemRollbackConfiguration │ ├ documentation: Describes whether system initiated rollbacks are enabled for a Flink-based Kinesis Data Analytics application. │ │ name: ApplicationSystemRollbackConfiguration │ └ properties │ └RollbackEnabled: boolean (required) ├[~] service aws-kinesisfirehose │ └ resources │ └[~] resource AWS::KinesisFirehose::DeliveryStream │ └ types │ ├[~] type HttpEndpointDestinationConfiguration │ │ └ properties │ │ └ SecretsManagerConfiguration: (documentation changed) │ ├[~] type RedshiftDestinationConfiguration │ │ └ properties │ │ └ SecretsManagerConfiguration: (documentation changed) │ ├[~] type SecretsManagerConfiguration │ │ ├ - documentation: undefined │ │ │ + documentation: The structure that defines how Firehose accesses the secret. │ │ └ properties │ │ ├ Enabled: (documentation changed) │ │ ├ RoleARN: (documentation changed) │ │ └ SecretARN: (documentation changed) │ ├[~] type SnowflakeDestinationConfiguration │ │ └ properties │ │ └ SecretsManagerConfiguration: (documentation changed) │ └[~] type SplunkDestinationConfiguration │ └ properties │ └ SecretsManagerConfiguration: (documentation changed) ├[~] service aws-kms │ └ resources │ └[~] resource AWS::KMS::Key │ └ properties │ ├ KeySpec: (documentation changed) │ └ KeyUsage: (documentation changed) ├[~] service aws-networkmanager │ └ resources │ ├[~] resource AWS::NetworkManager::ConnectAttachment │ │ └ properties │ │ └ Tags: (documentation changed) │ ├[~] resource AWS::NetworkManager::CoreNetwork │ │ └ attributes │ │ └ OwnerAccount: (documentation changed) │ └[~] resource AWS::NetworkManager::SiteToSiteVpnAttachment │ └ properties │ └ Tags: (documentation changed) ├[~] service aws-omics │ └ resources │ └[~] resource AWS::Omics::RunGroup │ └ - documentation: Creates a run group. │ + documentation: You can optionally create a run group to limit the compute resources for the runs that you add to the group. ├[~] service aws-opsworkscm │ └ resources │ └[~] resource AWS::OpsWorksCM::Server │ └ properties │ └ ServerName: (documentation changed) ├[~] service aws-rds │ └ resources │ ├[~] resource AWS::RDS::DBCluster │ │ └ properties │ │ ├[+] EnableLocalWriteForwarding: boolean │ │ └[+] EngineLifecycleSupport: string │ ├[~] resource AWS::RDS::DBInstance │ │ └ properties │ │ └[+] EngineLifecycleSupport: string │ └[~] resource AWS::RDS::GlobalCluster │ └ properties │ └[+] EngineLifecycleSupport: string ├[~] service aws-redshift │ └ resources │ ├[~] resource AWS::Redshift::Cluster │ │ └ properties │ │ ├ NodeType: (documentation changed) │ │ └ Port: (documentation changed) │ └[~] resource AWS::Redshift::ScheduledAction │ └ properties │ └ TargetAction: (documentation changed) ├[~] service aws-s3 │ └ resources │ └[~] resource AWS::S3::Bucket │ └ types │ ├[~] type EncryptionConfiguration │ │ └ - documentation: Specifies encryption-related information for an Amazon S3 bucket that is a destination for replicated objects. │ │ + documentation: Specifies encryption-related information for an Amazon S3 bucket that is a destination for replicated objects. │ │ > If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner. │ ├[~] type PartitionedPrefix │ │ └ properties │ │ └ PartitionDateSource: (documentation changed) │ ├[~] type ServerSideEncryptionByDefault │ │ └ - documentation: Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an AWS KMS key in your AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS. For more information, see [PUT Bucket encryption](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html) in the *Amazon S3 API Reference* . │ │ + documentation: Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an AWS KMS key in your AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS. For more information, see [PUT Bucket encryption](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html) in the *Amazon S3 API Reference* . │ │ > If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner. │ └[~] type ServerSideEncryptionRule │ └ - documentation: Specifies the default server-side encryption configuration. │ + documentation: Specifies the default server-side encryption configuration. │ > If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner. ├[~] service aws-servicediscovery │ └ resources │ └[~] resource AWS::ServiceDiscovery::Instance │ └ properties │ └ InstanceId: (documentation changed) ├[~] service aws-ses │ └ resources │ └[~] resource AWS::SES::ConfigurationSetEventDestination │ └ types │ ├[+] type EventBridgeDestination │ │ ├ documentation: An object that contains Event bus ARN associated with the event bridge destination. │ │ │ name: EventBridgeDestination │ │ └ properties │ │ └EventBusArn: string (required) │ └[~] type EventDestination │ └ properties │ └[+] EventBridgeDestination: EventBridgeDestination ├[~] service aws-signer │ └ resources │ └[~] resource AWS::Signer::SigningProfile │ └ properties │ └[+] ProfileName: string (immutable) ├[~] service aws-sqs │ └ resources │ └[~] resource AWS::SQS::Queue │ └ properties │ └ RedrivePolicy: (documentation changed) ├[~] service aws-ssm │ └ resources │ └[~] resource AWS::SSM::ResourceDataSync │ └ properties │ └ SyncName: (documentation changed) ├[~] service aws-verifiedpermissions │ └ resources │ └[~] resource AWS::VerifiedPermissions::IdentitySource │ └ types │ ├[~] type IdentitySourceConfiguration │ │ └ properties │ │ ├ CognitoUserPoolConfiguration: - CognitoUserPoolConfiguration (required) │ │ │ + CognitoUserPoolConfiguration │ │ └[+] OpenIdConnectConfiguration: OpenIdConnectConfiguration │ ├[+] type OpenIdConnectAccessTokenConfiguration │ │ ├ documentation: The configuration of an OpenID Connect (OIDC) identity source for handling access token claims. Contains the claim that you want to identify as the principal in an authorization request, and the values of the `aud` claim, or audiences, that you want to accept. │ │ │ This data type is part of a [OpenIdConnectTokenSelection](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectTokenSelection.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) . │ │ │ name: OpenIdConnectAccessTokenConfiguration │ │ └ properties │ │ ├PrincipalIdClaim: string (default="sub") │ │ └Audiences: Array<string> │ ├[+] type OpenIdConnectConfiguration │ │ ├ documentation: Contains configuration details of an OpenID Connect (OIDC) identity provider, or identity source, that Verified Permissions can use to generate entities from authenticated identities. It specifies the issuer URL, token type that you want to use, and policy store entity details. │ │ │ This data type is part of a [Configuration](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_Configuration.html) structure, which is a parameter to [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) . │ │ │ name: OpenIdConnectConfiguration │ │ └ properties │ │ ├Issuer: string (required) │ │ ├EntityIdPrefix: string │ │ ├GroupConfiguration: OpenIdConnectGroupConfiguration │ │ └TokenSelection: OpenIdConnectTokenSelection (required) │ ├[+] type OpenIdConnectGroupConfiguration │ │ ├ documentation: The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you want to map it to. For example, this object can map the contents of a `groups` claim to `MyCorp::UserGroup` . │ │ │ This data type is part of a [OpenIdConnectConfiguration](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectConfiguration.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) . │ │ │ name: OpenIdConnectGroupConfiguration │ │ └ properties │ │ ├GroupClaim: string (required) │ │ └GroupEntityType: string (required) │ ├[+] type OpenIdConnectIdentityTokenConfiguration │ │ ├ documentation: The configuration of an OpenID Connect (OIDC) identity source for handling identity (ID) token claims. Contains the claim that you want to identify as the principal in an authorization request, and the values of the `aud` claim, or audiences, that you want to accept. │ │ │ This data type is part of a [OpenIdConnectTokenSelection](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectTokenSelection.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) . │ │ │ name: OpenIdConnectIdentityTokenConfiguration │ │ └ properties │ │ ├PrincipalIdClaim: string (default="sub") │ │ └ClientIds: Array<string> │ └[+] type OpenIdConnectTokenSelection │ ├ documentation: The token type that you want to process from your OIDC identity provider. Your policy store can process either identity (ID) or access tokens from a given OIDC identity source. │ │ This data type is part of a [OpenIdConnectConfiguration](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectConfiguration.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) . │ │ name: OpenIdConnectTokenSelection │ └ properties │ ├AccessTokenOnly: OpenIdConnectAccessTokenConfiguration │ └IdentityTokenOnly: OpenIdConnectIdentityTokenConfiguration ├[~] service aws-workspaces │ └ resources │ └[+] resource AWS::WorkSpaces::WorkspacesPool │ ├ name: WorkspacesPool │ │ cloudFormationType: AWS::WorkSpaces::WorkspacesPool │ │ documentation: Resource Type definition for AWS::WorkSpaces::WorkspacesPool │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ ├ properties │ │ ├Capacity: Capacity (required) │ │ ├PoolName: string (required, immutable) │ │ ├Description: string │ │ ├BundleId: string (required) │ │ ├DirectoryId: string (required) │ │ ├ApplicationSettings: ApplicationSettings │ │ ├TimeoutSettings: TimeoutSettings │ │ └Tags: Array<tag> │ ├ attributes │ │ ├PoolId: string │ │ ├PoolArn: string │ │ └CreatedAt: string │ └ types │ ├type Capacity │ │├ name: Capacity │ │└ properties │ │ └DesiredUserSessions: integer (required) │ ├type ApplicationSettings │ │├ name: ApplicationSettings │ │└ properties │ │ ├Status: string (required) │ │ └SettingsGroup: string │ └type TimeoutSettings │ ├ name: TimeoutSettings │ └ properties │ ├DisconnectTimeoutInSeconds: integer │ ├IdleDisconnectTimeoutInSeconds: integer │ └MaxUserDurationInSeconds: integer └[~] service aws-workspacesweb └ resources └[~] resource AWS::WorkSpacesWeb::IpAccessSettings └ properties └ Tags: (documentation changed) ```

…rror (#30726) ### Issue # (if applicable) Closes #30717. ### Reason for this change esbuild introduced a breaking change in v0.22 which caused the build error in `aws-lambda-nodejs` module. ### Description of changes Pin the esbuild version to 0.21 in Dockerfile ### Description of how you validated changes ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.147.3/CHANGELOG.md)

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.147.2/CHANGELOG.md)

…test function version (#29856) ### Issue # (if applicable) Closes #20177 ### Reason for this change `fn.grantInvoke()` will grant invoke permission to invoke both the latest version and all pervious version of the lambda function. We can see this behavior could bring some security concern for some of our customers. ### Description of changes We provides a new function `fn.grantInvokeLatestVersion()` to grant invoke only to the Latest version of function and the unqualified lambda arn Example: ```ts // Grant permissions to a service declare const fn: lambda.Function; const principal = new iam.ServicePrincipal('my-service'); fn.grantInvokeLatestVersion(principal); ``` ### Description of how you validated changes Added unit tests and integration tests. When using `fn.grantInvokeLatestVersion()` granted principle to invoke a function's past version, it will get the following error: ``` An error occurred (AccessDeniedException) when calling the Invoke operation: User: {$principle} is not authorized to perform: lambda:InvokeFunction on resource: {$LambdaArn:$version} because no identity-based policy allows the lambda:InvokeFunction action ``` ### Alternative design (to discuss) setup a `grantInvokeProp` including `grantVersionAccess` flag to pass in the `grantInvokeLatestVersion` instead using `grantVersionAccess` flag directly on `grantInvokeLatestVersion` -> This is discussed in the comments, I agree having props will have future extensibility but usually for grant methods specifically we haven't seen before. So we will not add prop to the new function `grantInvokeLatestVersion` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ations (under feature flag) (#30706) ### Issue # (if applicable) Closes #28915 ### Reason for this change Fix to address the issues deleting the existing S3 event notifications and adding new event notifications on top of existing notifications. ### Description of changes We fixed the hashing logic used to identify old vs external S3 event notifications ### Description of how you validated changes Manually tested, integration and unit tested the changes yes ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.

This was causing integ test failures because 1.22 is no longer supported. ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This test was failing due to the solution stack version not being supported any longer. ### Issue # (if applicable) Closes #<issue number here>. ### Reason for this change ### Description of changes ### Description of how you validated changes ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Note that the docstring in `aws-entities` states that the regions are added in the order they went live. For several, that was not accurate so I reordered them. This is unlikely to matter but I made the change so that the documentation there would be factually correct. Not all of these regions/partitions are live yet, but they have been announced [here](https://aws.amazon.com/blogs/aws/category/regions/) ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

aws-cdk-automation · 2024-07-05T19:18:53Z

AWS CodeBuild CI Report

CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
Commit ID: 8c827ba
Result: SUCCEEDED
Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

mergify bot and others added 30 commits June 20, 2024 22:35

chore(merge-back): 2.147.0 (#30605)

5588694

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.147.0/CHANGELOG.md)

Merge branch 'main' into merge-back/2.147.1

1491eb5

fix(stepfunctions-tasks): run task permission is too broad (under fea…

8ebfade

…ture flag) (#30389) Closes #30368. Doc: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security_iam_id-based-policy-examples.html#IAM_run_policies

Merge branch 'main' into merge-back/2.147.1

2d9b8c9

chore: npm-check-updates && yarn upgrade (#30589)

d75c0b1

Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.

Merge branch 'main' into merge-back/2.147.1

de41d89

Merge branch 'main' into merge-back/2.147.1

afc4a0f

chore(merge-back): 2.147.1 (#30651)

07cb5b0

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.147.1/CHANGELOG.md)

chore: npm-check-updates && yarn upgrade (#30678)

eaa8f3e

Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.

WtfJoke and others added 19 commits June 27, 2024 22:42

revert: fix(s3-notifications): unable to delete the existing S3 event…

2869aaa

… notifications (under feature flag) (#30699) Reverts #30610 due to Feature flags issues

chore(docs): correct spelling for pipeline (#30697)

afe69b8

I saw these errors when working on #30696.

chore: update Contributors File (#30713)

9a5d4f0

Automated changes by [create-pull-request](https://github.com/peter-evans/create-pull-request) GitHub action

Merge branch 'main' into merge-back/2.147.2

4bba088

Merge branch 'main' into merge-back/2.147.3

8947451

chore(merge-back): 2.147.3 (#30730)

84fc01f

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.147.3/CHANGELOG.md)

Merge branch 'main' into merge-back/2.147.2

22165da

chore(merge-back): 2.147.2 (#30707)

e525de3

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.147.2/CHANGELOG.md)

chore: npm-check-updates && yarn upgrade (#30744)

b7f626b

Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.

chore(release): 2.148.0

b40008c

github-actions bot added the p2 label Jul 5, 2024

aws-cdk-automation requested a review from a team July 5, 2024 18:35

aws-cdk-automation had a problem deploying to test-pipeline July 5, 2024 18:36 — with GitHub Actions Failure

GavinZZ added the pr/do-not-merge This PR should not be merged at this time. label Jul 5, 2024

Update changelog

8c827ba

GavinZZ closed this Jul 5, 2024

GavinZZ deleted the bump/2.148.0 branch July 5, 2024 18:49

GavinZZ had a problem deploying to test-pipeline July 5, 2024 18:49 — with GitHub Actions Failure

github-actions bot mentioned this pull request Jul 8, 2024

Weekly PR metrics report #30783

Closed

github-actions bot mentioned this pull request Aug 1, 2024

Monthly PR metrics report #30999

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(release): 2.148.0 #30763

chore(release): 2.148.0 #30763

aws-cdk-automation commented Jul 5, 2024 •

edited

Loading

aws-cdk-automation commented Jul 5, 2024

chore(release): 2.148.0 #30763

chore(release): 2.148.0 #30763

Conversation

aws-cdk-automation commented Jul 5, 2024 • edited Loading

aws-cdk-automation commented Jul 5, 2024

AWS CodeBuild CI Report

aws-cdk-automation commented Jul 5, 2024 •

edited

Loading