fix(msk-alpha): support any combination of client auth mechanisms #30307

…ns is ignored (aws#30302) ### Reason for this change `EvaluateExpression` exposes a runtime property that can be used to configure the runtime language used to evaluate an expression. When the handler for this was migrated into the handler framework we hid the runtime property and didn't make it configurable. As a result, when the runtime property is specified as part of `EvaluateExpressionProps` it ends up being dropped in place of the code generated runtime. ### Description of changes Added a configurable runtime property to the generated `EvalNodejsSingletonFunctionProps` interface and set this property using runtime property on `EvaluateExpressionProps` if one was provided. Otherwise, the current node 18 default is used. ### Description of how you validated changes Unit test for codegen with eval-nodejs-provider. Integ test for default `EvaluateExpression` runtime (we already test a configurable runtime, unfortunately this was the same as the default so this bug was not caught). ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) Closes aws#30292 ### Reason for this change To allow ec2.Instance to specify `placementGroup`. ### Description of changes ### Description of how you validated changes - [x] integ test - [x] unit test ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This PR ensures the dependency on the readers always to be created after the writer. This might not be the best solution as all the readers will not start provisioning until the writer is completed. Another solution is to build a custom resource to check if the writer has started provisioning, if yes, return success and let all the dependent readers start provisioning. But that would require a new custom resource. - [x] unit tests - [x] update integ tests - fixed the integ error `"Cannot find version 8.0.mysql_aurora.3.01.0 for aurora-mysql` for `integ.cluster-instance-id` ### Issue # (if applicable) Closes aws#30260 ### Reason for this change ### Description of changes ### Description of how you validated changes ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) N/A ### Reason for this change Adding new team member's GitHub account ### Description of changes Added my GitHub username ### Description of how you validated changes N/A ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-amplify │ └ resources │ └[~] resource AWS::Amplify::Branch │ ├ properties │ │ └ Backend: (documentation changed) │ └ types │ └[~] type Backend │ └ - documentation: Describes the backend properties associated with an Amplify `Branch` . │ + documentation: Describes the backend associated with an Amplify `Branch` . │ This property is available to Amplify Gen 2 apps only. When you deploy an application with Amplify Gen 2, you provision the app's backend infrastructure using Typescript code. ├[~] service aws-backup │ └ resources │ └[~] resource AWS::Backup::BackupVault │ └ properties │ └ BackupVaultName: (documentation changed) ├[~] service aws-bedrock │ └ resources │ ├[~] resource AWS::Bedrock::Agent │ │ ├ properties │ │ │ └ TestAliasTags: (documentation changed) │ │ └ types │ │ ├[~] type ActionGroupExecutor │ │ │ ├ - documentation: Contains details about the Lambda function containing the business logic that is carried out upon invoking the action. │ │ │ │ + documentation: Contains details about the Lambda function containing the business logic that is carried out upon invoking the action or the custom control method for handling the information elicited from the user. │ │ │ └ properties │ │ │ ├[+] CustomControl: string │ │ │ └ Lambda: - string (required) │ │ │ + string │ │ ├[~] type AgentActionGroup │ │ │ └ properties │ │ │ ├ ActionGroupExecutor: (documentation changed) │ │ │ └[+] FunctionSchema: FunctionSchema │ │ ├[+] type Function │ │ │ ├ documentation: Defines parameters that the agent needs to invoke from the user to complete the function. Corresponds to an action in an action group. │ │ │ │ This data type is used in the following API operations: │ │ │ │ - [CreateAgentActionGroup request](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_CreateAgentActionGroup.html#API_agent_CreateAgentActionGroup_RequestSyntax) │ │ │ │ - [CreateAgentActionGroup response](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_CreateAgentActionGroup.html#API_agent_CreateAgentActionGroup_ResponseSyntax) │ │ │ │ - [UpdateAgentActionGroup request](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_UpdateAgentActionGroup.html#API_agent_UpdateAgentActionGroup_RequestSyntax) │ │ │ │ - [UpdateAgentActionGroup response](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_UpdateAgentActionGroup.html#API_agent_UpdateAgentActionGroup_ResponseSyntax) │ │ │ │ - [GetAgentActionGroup response](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_GetAgentActionGroup.html#API_agent_GetAgentActionGroup_ResponseSyntax) │ │ │ │ name: Function │ │ │ └ properties │ │ │ ├Name: string (required) │ │ │ ├Description: string │ │ │ └Parameters: Map<string, ParameterDetail> │ │ ├[+] type FunctionSchema │ │ │ ├ documentation: Defines functions that each define parameters that the agent needs to invoke from the user. Each function represents an action in an action group. │ │ │ │ This data type is used in the following API operations: │ │ │ │ - [CreateAgentActionGroup request](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_CreateAgentActionGroup.html#API_agent_CreateAgentActionGroup_RequestSyntax) │ │ │ │ - [CreateAgentActionGroup response](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_CreateAgentActionGroup.html#API_agent_CreateAgentActionGroup_ResponseSyntax) │ │ │ │ - [UpdateAgentActionGroup request](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_UpdateAgentActionGroup.html#API_agent_UpdateAgentActionGroup_RequestSyntax) │ │ │ │ - [UpdateAgentActionGroup response](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_UpdateAgentActionGroup.html#API_agent_UpdateAgentActionGroup_ResponseSyntax) │ │ │ │ - [GetAgentActionGroup response](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_GetAgentActionGroup.html#API_agent_GetAgentActionGroup_ResponseSyntax) │ │ │ │ name: FunctionSchema │ │ │ └ properties │ │ │ └Functions: Array<Function> (required) │ │ └[+] type ParameterDetail │ │ ├ documentation: Contains details about a parameter in a function for an action group. │ │ │ This data type is used in the following API operations: │ │ │ - [CreateAgentActionGroup request](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_CreateAgentActionGroup.html#API_agent_CreateAgentActionGroup_RequestSyntax) │ │ │ - [CreateAgentActionGroup response](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_CreateAgentActionGroup.html#API_agent_CreateAgentActionGroup_ResponseSyntax) │ │ │ - [UpdateAgentActionGroup request](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_UpdateAgentActionGroup.html#API_agent_UpdateAgentActionGroup_RequestSyntax) │ │ │ - [UpdateAgentActionGroup response](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_UpdateAgentActionGroup.html#API_agent_UpdateAgentActionGroup_ResponseSyntax) │ │ │ - [GetAgentActionGroup response](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent_GetAgentActionGroup.html#API_agent_GetAgentActionGroup_ResponseSyntax) │ │ │ name: ParameterDetail │ │ └ properties │ │ ├Description: string │ │ ├Type: string (required) │ │ └Required: boolean │ └[+] resource AWS::Bedrock::GuardrailVersion │ ├ name: GuardrailVersion │ │ cloudFormationType: AWS::Bedrock::GuardrailVersion │ │ documentation: Creates a version of the guardrail. Use this API to create a snapshot of the guardrail when you are satisfied with a configuration, or to compare the configuration with another version. │ ├ properties │ │ ├Description: string (immutable) │ │ └GuardrailIdentifier: string (required, immutable) │ └ attributes │ ├GuardrailArn: string │ ├GuardrailId: string │ └Version: string ├[~] service aws-budgets │ └ resources │ ├[~] resource AWS::Budgets::Budget │ │ ├ properties │ │ │ └[+] ResourceTags: Array<ResourceTag> │ │ └ types │ │ └[+] type ResourceTag │ │ ├ documentation: The tag structure that contains a tag key and value. │ │ │ name: ResourceTag │ │ └ properties │ │ ├Value: string │ │ └Key: string (required) │ └[~] resource AWS::Budgets::BudgetsAction │ ├ - tagInformation: undefined │ │ + tagInformation: {"tagPropertyName":"ResourceTags","variant":"standard"} │ ├ properties │ │ └[+] ResourceTags: Array<ResourceTag> │ └ types │ └[+] type ResourceTag │ ├ documentation: The tag structure that contains a tag key and value. │ │ name: ResourceTag │ └ properties │ ├Key: string (required) │ └Value: string (required) ├[~] service aws-cloudtrail │ └ resources │ ├[~] resource AWS::CloudTrail::EventDataStore │ │ └ types │ │ └[~] type AdvancedFieldSelector │ │ └ properties │ │ └ Field: (documentation changed) │ └[~] resource AWS::CloudTrail::Trail │ └ types │ └[~] type AdvancedFieldSelector │ └ properties │ └ Field: (documentation changed) ├[~] service aws-codepipeline │ └ resources │ └[~] resource AWS::CodePipeline::Pipeline │ └ types │ ├[+] type FailureConditions │ │ ├ name: FailureConditions │ │ └ properties │ │ └Result: string (required) │ └[~] type StageDeclaration │ └ properties │ └[+] OnFailure: FailureConditions ├[~] service aws-datazone │ └ resources │ ├[+] resource AWS::DataZone::GroupProfile │ │ ├ name: GroupProfile │ │ │ cloudFormationType: AWS::DataZone::GroupProfile │ │ │ documentation: Group profiles represent groups of Amazon DataZone users. Groups can be manually created, or mapped to Active Directory groups of enterprise customers. In Amazon DataZone, groups serve two purposes. First, a group can map to a team of users in the organizational chart, and thus reduce the administrative work of a Amazon DataZone project owner when there are new employees joining or leaving a team. Second, corporate administrators use Active Directory groups to manage and update user statuses and so Amazon DataZone domain administrators can use these group memberships to implement Amazon DataZone domain policies. │ │ ├ properties │ │ │ ├DomainIdentifier: string (required, immutable) │ │ │ ├GroupIdentifier: string (required, immutable) │ │ │ └Status: string │ │ └ attributes │ │ ├DomainId: string │ │ ├GroupName: string │ │ └Id: string │ ├[+] resource AWS::DataZone::ProjectMembership │ │ ├ name: ProjectMembership │ │ │ cloudFormationType: AWS::DataZone::ProjectMembership │ │ │ documentation: Definition of AWS::DataZone::ProjectMembership Resource Type │ │ ├ properties │ │ │ ├ProjectIdentifier: string (required, immutable) │ │ │ ├Designation: string (required) │ │ │ ├Member: Member (required, immutable) │ │ │ └DomainIdentifier: string (required, immutable) │ │ └ types │ │ └type Member │ │ ├ name: Member │ │ └ properties │ │ ├UserIdentifier: string │ │ └GroupIdentifier: string │ └[+] resource AWS::DataZone::UserProfile │ ├ name: UserProfile │ │ cloudFormationType: AWS::DataZone::UserProfile │ │ documentation: A user profile represents Amazon DataZone users. Amazon DataZone supports both IAM roles and SSO identities to interact with the Amazon DataZone Management Console and the data portal for different purposes. Domain administrators use IAM roles to perform the initial administrative domain-related work in the Amazon DataZone Management Console, including creating new Amazon DataZone domains, configuring metadata form types, and implementing policies. Data workers use their SSO corporate identities via Identity Center to log into the Amazon DataZone Data Portal and access projects where they have memberships. │ ├ properties │ │ ├DomainIdentifier: string (required, immutable) │ │ ├Status: string │ │ ├UserIdentifier: string (required, immutable) │ │ └UserType: string (immutable) │ ├ attributes │ │ ├DomainId: string │ │ ├Type: string │ │ ├Id: string │ │ └Details: UserProfileDetails │ └ types │ ├type UserProfileDetails │ │├ name: UserProfileDetails │ │└ properties │ │ ├Iam: IamUserProfileDetails │ │ └Sso: SsoUserProfileDetails │ ├type IamUserProfileDetails │ │├ documentation: The details of the IAM User Profile. │ ││ name: IamUserProfileDetails │ │└ properties │ │ └Arn: string │ └type SsoUserProfileDetails │ ├ documentation: The details of the SSO User Profile. │ │ name: SsoUserProfileDetails │ └ properties │ ├Username: string │ ├FirstName: string │ └LastName: string ├[~] service aws-dynamodb │ └ resources │ ├[~] resource AWS::DynamoDB::GlobalTable │ │ ├ properties │ │ │ └ WriteOnDemandThroughputSettings: (documentation changed) │ │ └ types │ │ ├[~] type GlobalSecondaryIndex │ │ │ └ properties │ │ │ └ WriteOnDemandThroughputSettings: (documentation changed) │ │ ├[~] type ReadOnDemandThroughputSettings │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: Sets the read request settings for a replica table or a replica global secondary index. You must specify this setting if you set the `BillingMode` to `PAY_PER_REQUEST` . │ │ │ └ properties │ │ │ └ MaxReadRequestUnits: (documentation changed) │ │ ├[~] type ReplicaGlobalSecondaryIndexSpecification │ │ │ └ properties │ │ │ └ ReadOnDemandThroughputSettings: (documentation changed) │ │ ├[~] type ReplicaSpecification │ │ │ └ properties │ │ │ └ ReadOnDemandThroughputSettings: (documentation changed) │ │ └[~] type WriteOnDemandThroughputSettings │ │ ├ - documentation: undefined │ │ │ + documentation: Sets the write request settings for a global table or a global secondary index. You must specify this setting if you set the `BillingMode` to `PAY_PER_REQUEST` . │ │ └ properties │ │ └ MaxWriteRequestUnits: (documentation changed) │ └[~] resource AWS::DynamoDB::Table │ ├ properties │ │ └ OnDemandThroughput: (documentation changed) │ └ types │ ├[~] type GlobalSecondaryIndex │ │ └ properties │ │ └ OnDemandThroughput: (documentation changed) │ └[~] type OnDemandThroughput │ ├ - documentation: undefined │ │ + documentation: Sets the maximum number of read and write units for the specified on-demand table. If you use this property, you must specify `MaxReadRequestUnits` , `MaxWriteRequestUnits` , or both. │ └ properties │ ├ MaxReadRequestUnits: (documentation changed) │ └ MaxWriteRequestUnits: (documentation changed) ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::LaunchTemplate │ │ └ types │ │ ├[~] type LaunchTemplateTagSpecification │ │ │ └ properties │ │ │ └ ResourceType: (documentation changed) │ │ └[~] type TagSpecification │ │ └ properties │ │ └ ResourceType: (documentation changed) │ └[~] resource AWS::EC2::SpotFleet │ └ types │ └[~] type SpotFleetRequestConfigData │ └ properties │ └ AllocationStrategy: (documentation changed) ├[~] service aws-ecs │ └ resources │ └[~] resource AWS::ECS::Service │ ├ - documentation: The `AWS::ECS::Service` resource creates an Amazon Elastic Container Service (Amazon ECS) service that runs and maintains the requested number of tasks and associated load balancers. │ │ > The stack update fails if you change any properties that require replacement and at least one Amazon ECS Service Connect `ServiceConnectService` is configured. This is because AWS CloudFormation creates the replacement service first, but each `ServiceConnectService` must have a name that is unique in the namespace. > Starting April 15, 2023, AWS ; will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS , or Amazon EC2 . However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service. │ │ + documentation: The `AWS::ECS::Service` resource creates an Amazon Elastic Container Service (Amazon ECS) service that runs and maintains the requested number of tasks and associated load balancers. │ │ > The stack update fails if you change any properties that require replacement and at least one Amazon ECS Service Connect `ServiceConnectConfiguration` property the is configured. This is because AWS CloudFormation creates the replacement service first, but each `ServiceConnectService` must have a name that is unique in the namespace. > Starting April 15, 2023, AWS ; will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS , or Amazon EC2 . However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service. │ └ types │ ├[~] type ServiceConnectTlsCertificateAuthority │ │ └ - documentation: An object that represents the AWS Private Certificate Authority certificate. │ │ + documentation: The certificate root authority that secures your service. │ └[~] type ServiceConnectTlsConfiguration │ └ - documentation: An object that represents the configuration for Service Connect TLS. │ + documentation: The key that encrypts and decrypts your resources for Service Connect TLS. ├[~] service aws-elasticache │ └ resources │ └[~] resource AWS::ElastiCache::ParameterGroup │ └ attributes │ └[+] CacheParameterGroupName: string ├[~] service aws-events │ └ resources │ ├[~] resource AWS::Events::Archive │ │ └ - documentation: Creates an archive of events with the specified settings. When you create an archive, incoming events might not immediately start being sent to the archive. Allow a short period of time for changes to take effect. If you do not specify a pattern to filter events sent to the archive, all events are sent to the archive except replayed events. Replayed events are not sent to an archive. │ │ + documentation: Creates an archive of events with the specified settings. When you create an archive, incoming events might not immediately start being sent to the archive. Allow a short period of time for changes to take effect. If you do not specify a pattern to filter events sent to the archive, all events are sent to the archive except replayed events. Replayed events are not sent to an archive. │ │ > Archives and schema discovery are not supported for event buses encrypted using a customer managed key. EventBridge returns an error if: │ │ > │ │ > - You call `[CreateArchive](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_CreateArchive.html)` on an event bus set to use a customer managed key for encryption. │ │ > - You call `[CreateDiscoverer](https://docs.aws.amazon.com/eventbridge/latest/schema-reference/v1-discoverers.html#CreateDiscoverer)` on an event bus set to use a customer managed key for encryption. │ │ > - You call `[UpdatedEventBus](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_UpdatedEventBus.html)` to set a customer managed key on an event bus with an archives or schema discovery enabled. │ │ > │ │ > To enable archives or schema discovery on an event bus, choose to use an AWS owned key . For more information, see [Data encryption in EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-encryption.html) in the *Amazon EventBridge User Guide* . │ ├[~] resource AWS::Events::Endpoint │ │ └ - documentation: A global endpoint used to improve your application's availability by making it regional-fault tolerant. For more information about global endpoints, see [Making applications Regional-fault tolerant with global endpoints and event replication](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-global-endpoints.html) in the *Amazon EventBridge User Guide* . │ │ + documentation: A global endpoint used to improve your application's availability by making it regional-fault tolerant. For more information about global endpoints, see [Making applications Regional-fault tolerant with global endpoints and event replication](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-global-endpoints.html) in the **Amazon EventBridge User Guide** . │ ├[~] resource AWS::Events::EventBus │ │ ├ properties │ │ │ ├[+] DeadLetterConfig: DeadLetterConfig │ │ │ ├[+] Description: string │ │ │ └[+] KmsKeyIdentifier: string │ │ └ types │ │ └[+] type DeadLetterConfig │ │ ├ documentation: Dead Letter Queue for the event bus. │ │ │ name: DeadLetterConfig │ │ └ properties │ │ └Arn: string │ ├[~] resource AWS::Events::EventBusPolicy │ │ └ - documentation: Running `PutPermission` permits the specified AWS account or AWS organization to put events to the specified *event bus* . Amazon EventBridge (CloudWatch Events) rules in your account are triggered by these events arriving to an event bus in your account. │ │ For another account to send events to your account, that external account must have an EventBridge rule with your account's event bus as a target. │ │ To enable multiple AWS accounts to put events to your event bus, run `PutPermission` once for each of these accounts. Or, if all the accounts are members of the same AWS organization, you can run `PutPermission` once specifying `Principal` as "*" and specifying the AWS organization ID in `Condition` , to grant permissions to all accounts in that organization. │ │ If you grant permissions using an organization, then accounts in that organization must specify a `RoleArn` with proper permissions when they use `PutTarget` to add your account's event bus as a target. For more information, see [Sending and Receiving Events Between AWS Accounts](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-cross-account-event-delivery.html) in the *Amazon EventBridge User Guide* . │ │ The permission policy on the event bus cannot exceed 10 KB in size. │ │ + documentation: Running `PutPermission` permits the specified AWS account or AWS organization to put events to the specified *event bus* . Amazon EventBridge rules in your account are triggered by these events arriving to an event bus in your account. │ │ For another account to send events to your account, that external account must have an EventBridge rule with your account's event bus as a target. │ │ To enable multiple AWS accounts to put events to your event bus, run `PutPermission` once for each of these accounts. Or, if all the accounts are members of the same AWS organization, you can run `PutPermission` once specifying `Principal` as "*" and specifying the AWS organization ID in `Condition` , to grant permissions to all accounts in that organization. │ │ If you grant permissions using an organization, then accounts in that organization must specify a `RoleArn` with proper permissions when they use `PutTarget` to add your account's event bus as a target. For more information, see [Sending and Receiving Events Between AWS Accounts](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-cross-account-event-delivery.html) in the *Amazon EventBridge User Guide* . │ │ The permission policy on the event bus cannot exceed 10 KB in size. │ └[~] resource AWS::Events::Rule │ ├ properties │ │ ├ EventPattern: (documentation changed) │ │ ├ State: (documentation changed) │ │ └ Targets: (documentation changed) │ └ types │ └[~] type DeadLetterConfig │ └ - documentation: A `DeadLetterConfig` object that contains information about a dead-letter queue configuration. │ + documentation: Configuration details of the Amazon SQS queue for EventBridge to use as a dead-letter queue (DLQ). │ For more information, see [Event retry policy and using dead-letter queues](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rule-dlq.html) in the *EventBridge User Guide* . ├[~] service aws-fms │ └ resources │ ├[~] resource AWS::FMS::Policy │ │ ├ - documentation: An AWS Firewall Manager policy. │ │ │ Firewall Manager provides the following types of policies: │ │ │ - An AWS Shield Advanced policy, which applies Shield Advanced protection to specified accounts and resources. │ │ │ - An AWS WAF policy (type WAFV2), which defines rule groups to run first in the corresponding AWS WAF web ACL and rule groups to run last in the web ACL. │ │ │ - An AWS WAF Classic policy, which defines a rule group. AWS WAF Classic doesn't support rule groups in Amazon CloudFront , so, to create AWS WAF Classic policies through CloudFront , you first need to create your rule groups outside of CloudFront . │ │ │ - A security group policy, which manages VPC security groups across your AWS organization. │ │ │ - An AWS Network Firewall policy, which provides firewall rules to filter network traffic in specified Amazon VPCs. │ │ │ - A DNS Firewall policy, which provides Amazon Route 53 Resolver DNS Firewall rules to filter DNS queries for specified Amazon VPCs. │ │ │ - A third-party firewall policy, which manages a third-party firewall service. │ │ │ Each policy is specific to one of the types. If you want to enforce more than one policy type across accounts, create multiple policies. You can create multiple policies for each type. │ │ │ These policies require some setup to use. For more information, see the sections on prerequisites and getting started under [AWS Firewall Manager](https://docs.aws.amazon.com/waf/latest/developerguide/fms-prereq.html) . │ │ │ + documentation: An AWS Firewall Manager policy. │ │ │ A Firewall Manager policy is specific to the individual policy type. If you want to enforce multiple policy types across accounts, you can create multiple policies. You can create more than one policy for each type. │ │ │ If you add a new account to an organization that you created with AWS Organizations , Firewall Manager automatically applies the policy to the resources in that account that are within scope of the policy. │ │ │ Policies require some setup to use. For more information, see the sections on prerequisites and getting started under [Firewall Manager prerequisites](https://docs.aws.amazon.com/waf/latest/developerguide/fms-prereq.html) . │ │ │ Firewall Manager provides the following types of policies: │ │ │ - *AWS WAF policy* - This policy applies AWS WAF web ACL protections to specified accounts and resources. │ │ │ - *Shield Advanced policy* - This policy applies Shield Advanced protection to specified accounts and resources. │ │ │ - *Security Groups policy* - This type of policy gives you control over security groups that are in use throughout your organization in AWS Organizations and lets you enforce a baseline set of rules across your organization. │ │ │ - *Network ACL policy* - This type of policy gives you control over the network ACLs that are in use throughout your organization in AWS Organizations and lets you enforce a baseline set of first and last network ACL rules across your organization. │ │ │ - *Network Firewall policy* - This policy applies Network Firewall protection to your organization's VPCs. │ │ │ - *DNS Firewall policy* - This policy applies Amazon Route 53 Resolver DNS Firewall protections to your organization's VPCs. │ │ │ - *Third-party firewall policy* - This policy applies third-party firewall protections. Third-party firewalls are available by subscription through the AWS Marketplace console at [AWS Marketplace](https://docs.aws.amazon.com/marketplace) . │ │ │ - *Palo Alto Networks Cloud NGFW policy* - This policy applies Palo Alto Networks Cloud Next Generation Firewall (NGFW) protections and Palo Alto Networks Cloud NGFW rulestacks to your organization's VPCs. │ │ │ - *Fortigate CNF policy* - This policy applies Fortigate Cloud Native Firewall (CNF) protections. Fortigate CNF is a cloud-centered solution that blocks Zero-Day threats and secures cloud infrastructures with industry-leading advanced threat prevention, smart web application firewalls (WAF), and API protection. │ │ ├ properties │ │ │ ├ ResourceType: (documentation changed) │ │ │ └ SecurityServicePolicyData: (documentation changed) │ │ └ types │ │ └[~] type SecurityServicePolicyData │ │ └ properties │ │ └ ManagedServiceData: (documentation changed) │ └[~] resource AWS::FMS::ResourceSet │ └ attributes │ └ Id: (documentation changed) ├[~] service aws-fsx │ └ resources │ └[~] resource AWS::FSx::FileSystem │ └ properties │ └ StorageCapacity: (documentation changed) ├[~] service aws-identitystore │ └ resources │ ├[~] resource AWS::IdentityStore::Group │ │ └ properties │ │ └ DisplayName: (documentation changed) │ └[~] resource AWS::IdentityStore::GroupMembership │ ├ properties │ │ └ GroupId: (documentation changed) │ └ types │ └[~] type MemberId │ └ properties │ └ UserId: (documentation changed) ├[~] service aws-lambda │ └ resources │ └[~] resource AWS::Lambda::Version │ └ properties │ └[+] Policy: json ├[~] service aws-lightsail │ └ resources │ └[~] resource AWS::Lightsail::Instance │ └ attributes │ └[+] Ipv6Addresses: Array<string> ├[~] service aws-location │ └ resources │ └[~] resource AWS::Location::Tracker │ └ properties │ └ PricingPlanDataSource: (documentation changed) ├[~] service aws-mediaconnect │ └ resources │ ├[~] resource AWS::MediaConnect::Flow │ │ ├ properties │ │ │ ├[+] Maintenance: Maintenance │ │ │ ├[+] MediaStreams: Array<MediaStream> │ │ │ └[+] VpcInterfaces: Array<VpcInterface> │ │ ├ attributes │ │ │ └[+] EgressIp: string │ │ └ types │ │ ├[+] type Fmtp │ │ │ ├ documentation: A set of parameters that define the media stream. │ │ │ │ name: Fmtp │ │ │ └ properties │ │ │ ├ExactFramerate: string │ │ │ ├Colorimetry: string │ │ │ ├ScanMode: string │ │ │ ├Tcs: string │ │ │ ├Range: string │ │ │ ├Par: string │ │ │ └ChannelOrder: string │ │ ├[+] type InputConfiguration │ │ │ ├ documentation: The transport parameters associated with an incoming media stream. │ │ │ │ name: InputConfiguration │ │ │ └ properties │ │ │ ├InputPort: integer (required) │ │ │ └Interface: Interface (required) │ │ ├[+] type Interface │ │ │ ├ documentation: The VPC interface that you want to use for the media stream associated with the output. │ │ │ │ name: Interface │ │ │ └ properties │ │ │ └Name: string (required) │ │ ├[+] type Maintenance │ │ │ ├ documentation: The maintenance setting of a flow. MediaConnect routinely performs maintenance on underlying systems for security, reliability, and operational performance. The maintenance activities include actions such as patching the operating system, updating drivers, or installing software and patches. │ │ │ │ You can select the day and time that maintenance events occur. This is called a maintenance window and is used every time a maintenance event is required. To change the day and time, you can edit the maintenance window using `MaintenanceDay` and `MaintenanceStartHour` . │ │ │ │ name: Maintenance │ │ │ └ properties │ │ │ ├MaintenanceDay: string (required) │ │ │ └MaintenanceStartHour: string (required) │ │ ├[+] type MediaStream │ │ │ ├ documentation: A single track or stream of media that contains video, audio, or ancillary data. After you add a media stream to a flow, you can associate it with sources and outputs on that flow, as long as they use the CDI protocol or the ST 2110 JPEG XS protocol. Each source or output can consist of one or many media streams. │ │ │ │ name: MediaStream │ │ │ └ properties │ │ │ ├MediaStreamId: integer (required) │ │ │ ├MediaStreamType: string (required) │ │ │ ├VideoFormat: string │ │ │ ├MediaStreamName: string (required) │ │ │ ├Description: string │ │ │ ├Attributes: MediaStreamAttributes │ │ │ ├ClockRate: integer │ │ │ └Fmt: integer │ │ ├[+] type MediaStreamAttributes │ │ │ ├ documentation: Attributes that are related to the media stream. │ │ │ │ name: MediaStreamAttributes │ │ │ └ properties │ │ │ ├Fmtp: Fmtp │ │ │ └Lang: string │ │ ├[+] type MediaStreamSourceConfiguration │ │ │ ├ documentation: The media stream that is associated with the source, and the parameters for that association. │ │ │ │ name: MediaStreamSourceConfiguration │ │ │ └ properties │ │ │ ├EncodingName: string (required) │ │ │ ├InputConfigurations: Array<InputConfiguration> │ │ │ └MediaStreamName: string (required) │ │ ├[~] type Source │ │ │ └ properties │ │ │ ├[+] MaxSyncBuffer: integer │ │ │ └[+] MediaStreamSourceConfigurations: Array<MediaStreamSourceConfiguration> │ │ └[+] type VpcInterface │ │ ├ documentation: The details of a VPC interface. │ │ │ name: VpcInterface │ │ └ properties │ │ ├Name: string (required) │ │ ├NetworkInterfaceType: string │ │ ├RoleArn: string (required) │ │ ├SecurityGroupIds: Array<string> (required) │ │ ├SubnetId: string (required) │ │ └NetworkInterfaceIds: Array<string> │ ├[~] resource AWS::MediaConnect::FlowOutput │ │ ├ properties │ │ │ └[+] MediaStreamOutputConfigurations: Array<MediaStreamOutputConfiguration> │ │ └ types │ │ ├[+] type DestinationConfiguration │ │ │ ├ documentation: The definition of a media stream that is associated with the output. │ │ │ │ name: DestinationConfiguration │ │ │ └ properties │ │ │ ├DestinationIp: string (required) │ │ │ ├DestinationPort: integer (required) │ │ │ └Interface: Interface (required) │ │ ├[+] type EncodingParameters │ │ │ ├ documentation: A collection of parameters that determine how MediaConnect will convert the content. These fields only apply to outputs on flows that have a CDI source. │ │ │ │ name: EncodingParameters │ │ │ └ properties │ │ │ ├CompressionFactor: number (required) │ │ │ └EncoderProfile: string │ │ ├[+] type Interface │ │ │ ├ documentation: The VPC interface that you want to use for the media stream associated with the output. │ │ │ │ name: Interface │ │ │ └ properties │ │ │ └Name: string (required) │ │ └[+] type MediaStreamOutputConfiguration │ │ ├ documentation: The media stream that is associated with the output, and the parameters for that association. │ │ │ name: MediaStreamOutputConfiguration │ │ └ properties │ │ ├EncodingName: string (required) │ │ ├DestinationConfigurations: Array<DestinationConfiguration> │ │ ├MediaStreamName: string (required) │ │ └EncodingParameters: EncodingParameters │ └[~] resource AWS::MediaConnect::FlowVpcInterface │ └ - documentation: The AWS::MediaConnect::FlowVpcInterface resource is a connection between your AWS Elemental MediaConnect flow and a virtual private cloud (VPC) that you created using the Amazon Virtual Private Cloud service. │ To avoid streaming your content over the public internet, you can add up to two VPC interfaces to your flow and use those connections to transfer content between your VPC and MediaConnect. │ You can update an existing flow to add a VPC interface. If you haven’t created the flow yet, you must create the flow with a temporary standard source by doing the following: │ - Use CloudFormation to create a flow with a standard source that uses to the flow’s public IP address. │ - Use CloudFormation to create a VPC interface to add to this flow. This can also be done as part of the previous step. │ - After CloudFormation has created the flow and the VPC interface, update the source to point to the VPC interface that you created. │ + documentation: The AWS::MediaConnect::FlowVpcInterface resource is a connection between your AWS Elemental MediaConnect flow and a virtual private cloud (VPC) that you created using the Amazon Virtual Private Cloud service. │ To avoid streaming your content over the public internet, you can add up to two VPC interfaces to your flow and use those connections to transfer content between your VPC and MediaConnect. │ You can update an existing flow to add a VPC interface. If you haven’t created the flow yet, you must create the flow with a temporary standard source by doing the following: │ - Use CloudFormation to create a flow with a standard source that uses to the flow’s public IP address. │ - Use CloudFormation to create a VPC interface to add to this flow. This can also be done as part of the previous step. │ - After CloudFormation has created the flow and the VPC interface, update the source to point to the VPC interface that you created. │ > The previous steps must be undone before the CloudFormation stack can be deleted. Because the source is manually updated in step 3, CloudFormation is not aware of this change. The source must be returned to a standard source before CloudFormation stack deletion. ├[~] service aws-mediatailor │ └ resources │ └[~] resource AWS::MediaTailor::PlaybackConfiguration │ └ types │ └[~] type AvailSuppression │ └ properties │ └[+] FillPolicy: string ├[~] service aws-mwaa │ └ resources │ └[~] resource AWS::MWAA::Environment │ └ properties │ ├[+] MaxWebservers: integer │ └[+] MinWebservers: integer ├[~] service aws-neptune │ └ resources │ └[+] resource AWS::Neptune::EventSubscription │ ├ name: EventSubscription │ │ cloudFormationType: AWS::Neptune::EventSubscription │ │ documentation: Creates an event notification subscription. This action requires a topic ARN (Amazon Resource Name) created by either the Neptune console, the SNS console, or the SNS API. To obtain an ARN with SNS, you must create a topic in Amazon SNS and subscribe to the topic. The ARN is displayed in the SNS console. │ │ You can specify the type of source (SourceType) you want to be notified of, provide a list of Neptune sources (SourceIds) that triggers the events, and provide a list of event categories (EventCategories) for events you want to be notified of. For example, you can specify SourceType = db-instance, SourceIds = mydbinstance1, mydbinstance2 and EventCategories = Availability, Backup. │ │ If you specify both the SourceType and SourceIds, such as SourceType = db-instance and SourceIdentifier = myDBInstance1, you are notified of all the db-instance events for the specified source. If you specify a SourceType but do not specify a SourceIdentifier, you receive notice of the events for that source type for all your Neptune sources. If you do not specify either the SourceType nor the SourceIdentifier, you are notified of events generated from all Neptune sources belonging to your customer account. │ ├ properties │ │ ├Enabled: boolean │ │ ├EventCategories: Array<string> │ │ ├SnsTopicArn: string (immutable) │ │ ├SourceIds: Array<string> │ │ └SourceType: string │ └ attributes │ └Id: string ├[~] service aws-personalize │ └ resources │ └[~] resource AWS::Personalize::Dataset │ └ types │ └[~] type DataSource │ ├ - documentation: Describes the data source that contains the data to upload to a dataset. │ │ + documentation: Describes the data source that contains the data to upload to a dataset, or the list of records to delete from Amazon Personalize. │ └ properties │ └ DataLocation: (documentation changed) ├[~] service aws-pipes │ └ resources │ └[~] resource AWS::Pipes::Pipe │ └ types │ ├[~] type EcsEphemeralStorage │ │ └ - documentation: The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on Fargate . For more information, see [Fargate task storage](https://docs.aws.amazon.com/AmazonECS/latest/userguide/using_data_volumes.html) in the *Amazon ECS User Guide for Fargate* . │ │ > This parameter is only supported for tasks hosted on Fargate using Linux platform version `1.4.0` or later. This parameter is not supported for Windows containers on Fargate . │ │ + documentation: The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on Fargate. For more information, see [Fargate task storage](https://docs.aws.amazon.com/AmazonECS/latest/userguide/using_data_volumes.html) in the *Amazon ECS User Guide for Fargate* . │ │ > This parameter is only supported for tasks hosted on Fargate using Linux platform version `1.4.0` or later. This parameter is not supported for Windows containers on Fargate. │ ├[~] type PipeSourceParameters │ │ └ properties │ │ └ SelfManagedKafkaParameters: (documentation changed) │ ├[~] type PipeSourceSelfManagedKafkaParameters │ │ └ - documentation: The parameters for using a stream as a source. │ │ A *self managed* cluster refers to any Apache Kafka cluster not hosted by AWS . This includes both clusters you manage yourself, as well as those hosted by a third-party provider, such as [Confluent Cloud](https://docs.aws.amazon.com/https://www.confluent.io/) , [CloudKarafka](https://docs.aws.amazon.com/https://www.cloudkarafka.com/) , or [Redpanda](https://docs.aws.amazon.com/https://redpanda.com/) . For more information, see [Apache Kafka streams as a source](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-pipes-kafka.html) in the *Amazon EventBridge User Guide* . │ │ + documentation: The parameters for using a self-managed Apache Kafka stream as a source. │ │ A *self managed* cluster refers to any Apache Kafka cluster not hosted by AWS . This includes both clusters you manage yourself, as well as those hosted by a third-party provider, such as [Confluent Cloud](https://docs.aws.amazon.com/https://www.confluent.io/) , [CloudKarafka](https://docs.aws.amazon.com/https://www.cloudkarafka.com/) , or [Redpanda](https://docs.aws.amazon.com/https://redpanda.com/) . For more information, see [Apache Kafka streams as a source](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-pipes-kafka.html) in the *Amazon EventBridge User Guide* . │ └[~] type PipeTargetRedshiftDataParameters │ └ properties │ └ SecretManagerArn: (documentation changed) ├[~] service aws-quicksight │ └ resources │ ├[~] resource AWS::QuickSight::DataSet │ │ └ types │ │ ├[~] type DataSetRefreshProperties │ │ │ └ properties │ │ │ └ RefreshConfiguration: - RefreshConfiguration │ │ │ + RefreshConfiguration (required) │ │ ├[~] type DataSetUsageConfiguration │ │ │ └ properties │ │ │ ├ DisableUseAsDirectQuerySource: - boolean │ │ │ │ + boolean (default=false) │ │ │ └ DisableUseAsImportedSource: - boolean │ │ │ + boolean (default=false) │ │ ├[~] type DateTimeDatasetParameterDefaultValues │ │ │ └ - documentation: <p>List of default values defined for a given string date time parameter type. Currently only static values are supported.</p> │ │ │ + documentation: <p>The default values of a date time parameter.</p> │ │ ├[~] type IncrementalRefresh │ │ │ └ properties │ │ │ └ LookbackWindow: - LookbackWindow │ │ │ + LookbackWindow (required) │ │ ├[~] type LookbackWindow │ │ │ └ properties │ │ │ ├ ColumnName: - string │ │ │ │ + string (required) │ │ │ ├ Size: - number │ │ │ │ + number (required, default=0) │ │ │ └ SizeUnit: - string │ │ │ + string (required) │ │ ├[~] type RefreshConfiguration │ │ │ └ properties │ │ │ └ IncrementalRefresh: - IncrementalRefresh │ │ │ + IncrementalRefresh (required) │ │ ├[~] type TransformOperation │ │ │ └ properties │ │ │ ├ OverrideDatasetParameterOperation: (documentation changed) │ │ │ └[+] UntagColumnOperation: UntagColumnOperation │ │ └[+] type UntagColumnOperation │ │ ├ documentation: A transform operation that removes tags associated with a column. │ │ │ name: UntagColumnOperation │ │ └ properties │ │ ├ColumnName: string (required) │ │ └TagNames: Array<string> (required) │ ├[~] resource AWS::QuickSight::DataSource │ │ ├ properties │ │ │ ├ Name: - string │ │ │ │ + string (required) │ │ │ └ Type: - string (immutable) │ │ │ + string (required, immutable) │ │ └ types │ │ ├[~] type AuroraParameters │ │ │ └ properties │ │ │ └ Port: - number (required) │ │ │ + number (required, default=0) │ │ ├[~] type AuroraPostgreSqlParameters │ │ │ └ properties │ │ │ └ Port: - number (required) │ │ │ + number (required, default=0) │ │ ├[~] type DatabricksParameters │ │ │ └ properties │ │ │ └ Port: - number (required) │ │ │ + number (required, default=0) │ │ ├[+] type IdentityCenterConfiguration │ │ │ ├ documentation: The parameters for an IAM Identity Center configuration. │ │ │ │ name: IdentityCenterConfiguration │ │ │ └ properties │ │ │ └EnableIdentityPropagation: boolean │ │ ├[~] type MariaDbParameters │ │ │ └ properties │ │ │ └ Port: - number (required) │ │ │ + number (required, default=0) │ │ ├[~] type MySqlParameters │ │ │ └ properties │ │ │ └ Port: - number (required) │ │ │ + number (required, default=0) │ │ ├[~] type OracleParameters │ │ │ └ properties │ │ │ └ Port: - number (required) │ │ │ + number (required, default=0) │ │ ├[~] type PostgreSqlParameters │ │ │ └ properties │ │ │ └ Port: - number (required) │ │ │ + number (required, default=0) │ │ ├[~] type PrestoParameters │ │ │ └ properties │ │ │ └ Port: - number (required) │ │ │ + number (required, default=0) │ │ ├[+] type RedshiftIAMParameters │ │ │ ├ documentation: <p>A structure that grants Amazon QuickSight access to your cluster and make a call to the <code>redshift:GetClusterCredentials</code> API. For more information on the <code>redshift:GetClusterCredentials</code> API, see <a href="https://docs.aws.amazon.com/redshift/latest/APIReference/API_GetClusterCredentials.html"> │ │ │ │ <code>GetClusterCredentials</code> │ │ │ │ </a>.</p> │ │ │ │ name: RedshiftIAMParameters │ │ │ └ properties │ │ │ ├RoleArn: string (required) │ │ │ ├DatabaseUser: string │ │ │ ├DatabaseGroups: Array<string> │ │ │ └AutoCreateDatabaseUser: boolean (default=false) │ │ ├[~] type RedshiftParameters │ │ │ └ properties │ │ │ ├[+] IAMParameters: RedshiftIAMParameters │ │ │ ├[+] IdentityCenterConfiguration: IdentityCenterConfiguration │ │ │ └ Port: - number │ │ │ + number (default=0) │ │ ├[~] type ResourcePermission │ │ │ └ properties │ │ │ └[+] Resource: string │ │ ├[~] type SparkParameters │ │ │ └ properties │ │ │ └ Port: - number (required) │ │ │ + number (required, default=0) │ │ ├[~] type SqlServerParameters │ │ │ └ properties │ │ │ └ Port: - number (required) │ │ │ + number (required, default=0) │ │ ├[~] type SslProperties │ │ │ └ properties │ │ │ └ DisableSsl: - boolean │ │ │ + boolean (default=false) │ │ ├[~] type StarburstParameters │ │ │ └ properties │ │ │ └ Port: - number (required) │ │ │ + number (required, default=0) │ │ ├[~] type TeradataParameters │ │ │ └ properties │ │ │ └ Port: - number (required) │ │ │ + number (required, default=0) │ │ └[~] type TrinoParameters │ │ └ properties │ │ └ Port: - number (required) │ │ + number (required, default=0) │ └[~] resource AWS::QuickSight::Topic │ └ types │ ├[~] type TopicCalculatedField │ │ └ properties │ │ └ DisableIndexing: (documentation changed) │ └[~] type TopicColumn │ └ properties │ └ DisableIndexing: (documentation changed) ├[~] service aws-redshift │ └ resources │ └[~] resource AWS::Redshift::Cluster │ └ properties │ └[-] MasterPasswordSecretKmsKeyId: string ├[~] service aws-route53resolver │ └ resources │ └[~] resource AWS::Route53Resolver::FirewallRuleGroup │ └ types │ └[~] type FirewallRule │ └ properties │ └[+] FirewallDomainRedirectionAction: string ├[~] service aws-s3 │ └ resources │ └[~] resource AWS::S3::Bucket │ └ types │ └[~] type DefaultRetention │ └ - documentation: The container element for specifying the default Object Lock retention settings for new objects placed in the specified bucket. │ > - The `DefaultRetention` settings require both a mode and a period. │ > - The `DefaultRetention` period can be either `Days` or `Years` but you must select one. You cannot specify `Days` and `Years` at the same time. │ + documentation: The container element for optionally specifying the default Object Lock retention settings for new objects placed in the specified bucket. │ > - The `DefaultRetention` settings require both a mode and a period. │ > - The `DefaultRetention` period can be either `Days` or `Years` but you must select one. You cannot specify `Days` and `Years` at the same time. ├[~] service aws-sagemaker │ └ resources │ ├[~] resource AWS::SageMaker::Domain │ │ └ types │ │ └[~] type DefaultSpaceSettings │ │ └ properties │ │ ├[+] CustomFileSystemConfigs: Array<CustomFileSystemConfig> │ │ ├[+] CustomPosixUserConfig: CustomPosixUserConfig │ │ ├[+] JupyterLabAppSettings: JupyterLabAppSettings │ │ └[+] SpaceStorageSettings: DefaultSpaceStorageSettings │ └[~] resource AWS::SageMaker::Space │ └ - documentation: Creates a space used for real time collaboration in a domain. │ + documentation: Creates a private space or a space used for real time collaboration in a domain. ├[~] service aws-securityhub │ └ resources │ ├[~] resource AWS::SecurityHub::Insight │ │ └ types │ │ └[~] type AwsSecurityFindingFilters │ │ └ properties │ │ └ SeverityNormalized: (documentation changed) │ └[+] resource AWS::SecurityHub::SecurityControl │ ├ name: SecurityControl │ │ cloudFormationType: AWS::SecurityHub::SecurityControl │ │ documentation: A security control in Security Hub describes a security best practice related to a specific resource. │ ├ properties │ │ ├SecurityControlId: string │ │ ├SecurityControlArn: string │ │ ├LastUpdateReason: string │ │ └Parameters: Map<string, ParameterConfiguration> (required) │ └ types │ └type ParameterConfiguration │ ├ name: ParameterConfiguration │ └ properties │ └ValueType: string (required) ├[~] service aws-ssm │ └ resources │ └[~] resource AWS::SSM::MaintenanceWindowTask │ ├ properties │ │ └ ServiceRoleArn: (documentation changed) │ └ types │ └[~] type MaintenanceWindowRunCommandParameters │ └ properties │ └ ServiceRoleArn: (documentation changed) └[~] service aws-sso └ resources ├[+] resource AWS::SSO::Application │ ├ name: Application │ │ cloudFormationType: AWS::SSO::Application │ │ documentation: Creates an application in IAM Identity Center for the given application provider. │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ ├ properties │ │ ├Name: string (required) │ │ ├Description: string │ │ ├InstanceArn: string (required, immutable) │ │ ├ApplicationProviderArn: string (required, immutable) │ │ ├Status: string │ │ ├PortalOptions: PortalOptionsConfiguration │ │ └Tags: Array<tag> │ ├ attributes │ │ └ApplicationArn: string │ └ types │ ├type PortalOptionsConfiguration │ │├ documentation: A structure that describes the options for the portal associated with an application. │ ││ name: PortalOptionsConfiguration │ │└ properties │ │ ├Visibility: string │ │ └SignInOptions: SignInOptions │ └type SignInOptions │ ├ documentation: A structure that describes the sign-in options for an application portal. │ │ name: SignInOptions │ └ properties │ ├Origin: string (required) │ └ApplicationUrl: string ├[+] resource AWS::SSO::ApplicationAssignment │ ├ name: ApplicationAssignment │ │ cloudFormationType: AWS::SSO::ApplicationAssignment │ │ documentation: A structure that describes an assignment of a principal to an application. │ └ properties │ ├ApplicationArn: string (required, immutable) │ ├PrincipalType: string (required, immutable) │ └PrincipalId: string (required, immutable) └[+] resource AWS::SSO::Instance ├ name: Instance │ cloudFormationType: AWS::SSO::Instance │ documentation: Creates an instance of IAM Identity Center for a standalone AWS account that is not managed by AWS Organizations or a member AWS account in an organization. You can create only one instance per account and across all AWS Regions . │ The CreateInstance request is rejected if the following apply: │ - The instance is created within the organization management account. │ - An instance already exists in the same account. │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} ├ properties │ ├Name: string │ └Tags: Array<tag> └ attributes ├InstanceArn: string ├OwnerAccountId: string ├IdentityStoreId: string └Status: string ```

…uct (aws#30141) ### Issue # (if applicable) N/A ### Reason for this change Missing property in the L2 Construct. ### Description of changes Add deleteReports property. https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_codebuild.CfnReportGroup.html#deletereports ### Description of how you validated changes Add unit tests and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…0375) ### Issue # (if applicable) Closes #[30143](aws#30143). ### Reason for this change Fix the below deployment failure Deployment fails with a Could not write to bucket error: 1:36:13 PM | CREATE_FAILED | AWS::SES::ReceiptRule | TestRuleSetStoreToBucketRule3E41D5CF Could not write to bucket: reprosess3rulestack-testemailstoref58b593c-dxh45g1m3y6b (Service: AmazonSimpleEmailService; Status Code: 400; Error Code: InvalidS3Configuration; Request ID: 817f5520-748b-4bae-b347-ec68df52b675; Proxy: null) This PR reverts the changes introduced in PR aws#29833 ### Description of changes This PR reverts the change that was made in CDK v2.139.0 to reduce overly broad permissions allocated to SES for the S3 receipt rule action. This resulted in deployment failure where SES is unable to write to s3 bucket. ### Description of how you validated changes Dry-run for integration tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

….2" (aws#30306) ### Issue # (if applicable) Closes aws#30109 ### Reason for this change Currently CDK does not show option to select the Engine version `3.04.2` ### Description of changes Update the below class name to include "3.04.2" ```ts export class AuroraMysqlEngineVersion { public static readonly VER_3_04_2 = AuroraMysqlEngineVersion.builtIn_8_0('3.04.2'); } ``` ### Description of how you validated changes unit and integration tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

### Issue # (if applicable) Closes aws#30309. ### Reason for this change The rds.ServerlessCluster is for Serverless v1, but this is not explicitly stated in the documentation, which could be misleading as it may imply that it is for Serverless v2. ### Description of changes Added to the README and TSdocs that rds.ServerlessCluster is for v1 of Aurora Serverless ### Description of how you validated changes Do nothing because only documentation improvements ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) Closes aws#30075 ### Reason for this change As described in the issue. ### Description of changes * Add `ADVANCED_HD` and `ADVANCED_SD` to the `ivs.ChannelType`. * Add `preset` property to the Channel Construct. Additionally, validation has been implemented to allow setting the preset property only when using the Advanced channel type ### Description of how you validated changes Add both unit tests and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…t optimized integration for createJob api (aws#30300) Step Functions recently released an [Optimized Integration for MediaConvert CreateJob API](https://docs.aws.amazon.com/step-functions/latest/dg/connect-mediaconvert.html) and these changes add support for the MediaConvert CreateJob task to Step Functions state machines. ### Issue # (if applicable) Closes [aws#30299](aws#30299) ### Reason for this change The aws-stepfunctions-tasks now needs to support creating MediaConvert CreateJob tasks ### Description of changes Added a new L2 construct for MediaConvert Create-Job Task: ``packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/mediaconvert/create-job.ts`` ### Description of how you validated changes Unit test - ``packages/aws-cdk-lib/aws-stepfunctions-tasks/test/mediaconvert/create-job.test.ts`` Integration test - ``packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/mediaconvert/test/integ.create-job.ts`` Verified the State Machine with MediaConvert CreateJob Task with all the necessary permissions ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ce (aws#30160) ### Issue # (if applicable) Closes aws#30164 ### Reason for this change Cloudformation supports to specify `instanceInitiatedShutdownBehavior` but CDK cannot. ### Description of changes Add `instanceInitiatedShutdownBehavior` to `InstanceProps`. ### Description of how you validated changes Add both unit and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-chatbot │ └ resources │ ├[~] resource AWS::Chatbot::MicrosoftTeamsChannelConfiguration │ │ ├ - tagInformation: undefined │ │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ └ properties │ │ └[+] Tags: Array<tag> │ └[~] resource AWS::Chatbot::SlackChannelConfiguration │ ├ - tagInformation: undefined │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ └ properties │ └[+] Tags: Array<tag> ├[~] service aws-codebuild │ └ resources │ └[~] resource AWS::CodeBuild::Fleet │ ├ properties │ │ ├[+] FleetServiceRole: string │ │ ├[+] FleetVpcConfig: VpcConfig │ │ └[+] OverflowBehavior: string │ └ types │ └[+] type VpcConfig │ ├ name: VpcConfig │ └ properties │ ├VpcId: string │ ├Subnets: Array<string> │ └SecurityGroupIds: Array<string> ├[~] service aws-glue │ └ resources │ └[~] resource AWS::Glue::Job │ └ properties │ └[+] MaintenanceWindow: string └[~] service aws-medialive └ resources └[~] resource AWS::MediaLive::Channel └ types └[~] type AvailConfiguration └ properties └[+] Scte35SegmentationScope: string ```

…StartJobRun class (aws#30319) ### Issue # (if applicable) Closes aws#12757. ### Reason for this change Missing property ### Description of changes Add workerType and numberOfWorkers to GlueStartJobRun class. The reasons for this change are as follows: * AllocatedCapacity is deprecated. * MaxCapacity can only be used with Glue version 1 and earlier, which have already reached end of support (EOS). * Glue version 2 and later use WorkerType and NumberOfWorkers. For mor information, see also the documents below. https://docs.aws.amazon.com/glue/latest/dg/aws-glue-api-jobs-runs.html#aws-glue-api-jobs-runs-StartJobRun https://docs.aws.amazon.com/glue/latest/dg/glue-version-support-policy.html ### Description of how you validated changes Add unit tests and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

aws#30324) ### Issue # (if applicable) N/A ### Reason for this change Compare with [the guide](https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html) and add missing models. ### Description of changes Added the following models. - Amazon: - amazon.titan-text-lite-v1 - amazon.titan-text-premier-v1:0 - amazon.titan-embed-text-v2:0 - Cohere: - cohere.command-r-v1:0 - cohere.command-r-plus-v1:0 - Meta - meta.llama3-8b-instruct-v1:0 - meta.llama3-70b-instruct-v1:0 - Mistral AI - mistral.mistral-large-2402-v1:0 ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

…LustreMaintenanceTime` class. (aws#30342) ### Issue # (if applicable) Closes aws#30341 ### Reason for this change The `hour` property in the `LustreMaintenanceTime` class should be between 0 and 23. But no validation error occurs when it is set to 24. ### Description of changes In the validate method, I changed it so that an error is thrown when the hour is greater than 23, instead of when the hour is greater than 24. This allows a validation error to occur when the hour is set to 24. ### Description of how you validated changes Changed unit tests and add integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… Construct (aws#30092) ### Issue # (if applicable) Closes aws#30087 ### Reason for this change As described in the issue. ### Description of changes Add copyTagsToSnapshot property to the DatabaseCluster Construct. ### Description of how you validated changes Add both unit tests and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… fargate tasks (aws#30357) ### Issue # (if applicable) Closes aws#30281 Closes aws#27515 ### Reason for this change The customers have difficulties to find the correct logs for some scheduled task if they have multiple tasks defined in the stack, as all tasks will use the same container name. ### Description of changes Add the new optional property `ContainerName` in the `ScheduledTaskImageProps`, so customer can use it to customize the containers names. If this property is undefined, so we will use `ScheduledContainer` as default value. ### Description of how you validated changes added unit and integration test cases, and verified them. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…eset to templateDiff (aws#30332) ### Reason for this change I am making this change as part of aws#30268, but implementing the bug fix in a satisfactory way is becoming much, much, much more difficult than I thought it would. As it's now possible to view the changed values before and after a changeset is applied by using the DescribeChangeSets api with IncludePropertyValues, but the API is difficult to use because of not being supported in all regions, not including StatusReason, and being unable to paginate. So, I want to make that fix in a separate PR, once this refactor change is done. ### Description of changes * A ton of unit tests and moved changeset diff logic into a dedicated class and file. ### Description of how you validated changes * Many unit tests, integration tests, and manual tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ied 403 (aws#29632) ### Issue # (if applicable) Closes aws#29564 ### Reason for this change if you make a new s3 bucket ``` const staticBucket = new aws_s3.Bucket(s3Stack, `static-Bucket`, { bucketName: `static-bucket`, publicReadAccess: true, }) ``` While this is fine code and you can deploy it will fail in the middle with a generic access denied error not telling you what stopped it even if you are full admin. This happens due to the default deny all public access rule. ### Description of changes When users only enable `publicReadAccess` without configuring `blockPublicAccess` to disable it, we will raise an exception and throw an more appropriate error message for easier diagnosis. We do not want to directly disable `blockPublicAccess` as it feels like a weird behaviour. ### Description of how you validated changes New unit tests and updated integ tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ws#30180) ### Issue # (if applicable) Closes aws#28585 ### Reason for this change To simplify policy configuration for AppConfig Environments. ### Description of changes add grantReadConfig method to Environment Construct ### Description of how you validated changes Add unit test and integ tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…eArnWithCluster method (aws#30367) ### Issue # (if applicable) N/A ### Reason for this change The throw statement uses single quotes instead of backticks, causing incorrect output of ARN during errors. ### Description of changes Use backticks instead of single quotes for proper formatting. ### Description of how you validated changes ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) Closes aws#30015 . ### Reason for this change Same as aws#30033, but done with `chore` instead of `feat`. > EventBridge Pipes recently added PrivateLink support for event delivery [(what's new)](https://aws.amazon.com/about-aws/whats-new/2024/04/amazon-eventbridge-pipes-event-delivery-aws-privatelink/). The VPC Endpoint Service name is com.amazonaws.{region}.pipes-data [(source)](https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html). ### Description of changes Added pipes-data VPC endpoint construct. By adding this construct in a VPC, I can send Amazon MSK, self-managed Apache Kafka, and Amazon MQ events to EventBridge Pipes through PrivateLink. ### Description of how you validated changes N/A ### Checklist - [ X ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Issue # (if applicable) Closes aws#29600. aws#29600 Reason for this change Adding a new feature Description of changes Add resourcePolicy for DynamoDB Table component in aws-dynamodb Description of how you validated changes integration test integ.dynamodb.policy.ts Checklist [X ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…el (aws#29904) ### Issue # (if applicable) ### Reason for this change Enumerate `ApplicationLogLevel` and `SystemLogLevel` to help with typing ### Description of changes Both fields should use the enum type for available options ### Description of how you validated changes ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ws#30352) ### Issue # (if applicable) Close aws#30365. ### Reason for this change AppRunner supports for using a customer managed key to encrypt all stored copies of your application source image or source bundle. https://docs.aws.amazon.com/apprunner/latest/dg/security-data-protection-encryption.html But L2 Construct (alpha module) cannot use a customer managed key. ### Description of changes Add kmsKey property to the Service class. ### Description of how you validated changes Add unit tests and integ tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…aws#30382) ### Issue fixes aws#27555 Closes Half Fix [i.e, Allows user to give Empty Placement Constraints ] aws#27555 This PR does not address supporting empty placement strategies because of the following reason : [27555 : comment](aws#27572 (comment)) This was raised with the guidance from - [pr / 28431 : Comment ](aws#28431 (comment)) ### Reason for this change Users unable to give empty placementConstraints ### Description of how you validated changes - Added a UnitCase to cover with empty `[]` placementConstraints - Integration Tests ``` $ yarn integ test/aws-ecs/test/ec2/integ.placement-constraint-default-empty.js --update-on-failed ``` After integ tests were completed, `npm test` to verify the snapshot. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…#30210) ### Issue # (if applicable) Closes aws#30063 ### Reason for this change In the Fail state, we can specify intrinsic functions and json paths as the CausePath and ErrorPath properties. Currently, however, specifying intrinsic functions as a string will result in an error. https://docs.aws.amazon.com/step-functions/latest/dg/amazon-states-language-fail-state.html ```ts export class SampleStack extends cdk.Stack { constructor(scope: Construct, id: string, props?: cdk.StackProps) { super(scope, id, props); const fail = new stepfunctions.Fail(this, "Fail", { errorPath: "$.error", // OK causePath: "States.Format('cause: {}', $.cause)", // Error }); const sm = new stepfunctions.StateMachine(this, "StateMachine", { definitionBody: stepfunctions.DefinitionBody.fromChainable(fail), timeout: cdk.Duration.minutes(5) }); } } ``` ``` Error: Expected JSON path to start with '$', got: States.Format('cause: {}', $.cause) ``` ### Description of changes The value passed to the `renderJsonPath` function is expected to be a string starting with `$` if it is not a token. However, if you pass intrinsic functions as strings to the CausePath and ErrorPath properties, they will never start with `$`. Therefore, I fixed not to call the `renderJsonPath` function if the intrinsic functions are specified as strings. Another change was the addition of validation since error and errorPath, cause and causePath cannot be specified simultaneously. ### Description of how you validated changes I added unit tests to verify that passing intrinsic functions as strings do not cause an error. Tests were also added to verify that errors occur when errors and paths are specified at the same time and when cause and cause paths are specified at the same time. https://docs.aws.amazon.com/step-functions/latest/dg/amazon-states-language-fail-state.html#:~:text=%2C%20and%20States.UUID.-,Important,-You%20can%20specify%20either%20Cause https://docs.aws.amazon.com/step-functions/latest/dg/amazon-states-language-fail-state.html#:~:text=%2C%20and%20States.UUID.-,Important,-You%20can%20specify%20either%20Error ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Jest is resource greedy so using all but one cores is actually slowing down the tests ### Issue # (if applicable) Closes #<issue number here>. ### Reason for this change ### Description of changes ### Description of how you validated changes ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…able of contents (aws#30387) ### Issue # (if applicable) None ### Reason for this change The index of `Stepfunctions Integration` is missed. ### Description of changes ``` - [HTTP APIs](#http-apis) - [Lambda Integration](#lambda) - [HTTP Proxy Integration](#http-proxy) - [StepFunctions Integration](#stepfunctions-integration) // added ``` ### Description of how you validated changes None ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) Closes aws#18470 ### Reason for this change This allows customers to execute an arbitrary build script as part of cdk synth, which will enable customer to use esbuild plugins. The rationale for this decision is given the issue that is linked above. ### Description of changes 1. Expose the code field on the `aws-lambda-nodejs` construct, so that customers can specify code in ways other than bundling, which was the default and abstracted away from customers before this change. 2. Add a new static method on Code, namely `Code.fromCustomCommand`. This method takes in the commands to run an arbitrary script during cdk synthesis that the customer provides. The customer also provides the location of the output from the buildscript. Then this output is supplied to a lambda function. ### Description of how you validated changes manual testing (involving inspecting output in the AWS Lambda console and invoking the function), integration tests, and full unit test coverage of new changes. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ent README ### Reason for this change The links in the development section of the aws-s3-deployment README are pointing to incorrect locations (files have been moved from those locations), fixed the links. ### Description of changes There are no code changes, only documentation update ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) Closes aws#19388 ### Reason for this change Adding tag/untag for eks cluster post its creation ### Description of changes Added API calls tagResource and untagResource in Cluster resource handler to handle tag changes ### Description of how you validated changes Have tested the changes by first deploying a cluster with below config: ```ts const vpc = ec2.Vpc.fromLookup(stack, 'Vpc', { isDefault: true }); new eks.Cluster(stack, 'Cluster', { vpc, ...getClusterVersionConfig(stack, eks.KubernetesVersion.V1_29), defaultCapacity: 0, tags: { foo: 'bar', }, }); ``` TestCase - 1 Update to add one more tag ```ts new eks.Cluster(stack, 'Cluster', { vpc, ...getClusterVersionConfig(stack, eks.KubernetesVersion.V1_29), defaultCapacity: 0, tags: { foo: 'bar', hello: "world" }, }); ``` Logs - ``` { "updates": { "replaceName": false, "replaceVpc": false, "updateAccess": false, "replaceRole": false, "updateVersion": false, "updateEncryption": false, "updateLogging": false, "updateTags": true } } ``` ``` { clientName: 'EKSClient', commandName: 'TagResourceCommand', input: { resourceArn: 'arn:aws:eks:us-east-1:xxxxx:cluster/Cluster9EE0221C-f0d60e8e0bf14fb5896ade518b5bbc15', tags: { hello: 'world' } }, output: {}, metadata: {} } ``` TestCase2 - Add, update and remove at the same time ```ts new eks.Cluster(stack, 'Cluster', { vpc, ...getClusterVersionConfig(stack, eks.KubernetesVersion.V1_29), defaultCapacity: 0, tags: { hello: 'world1', foobar: 'baz', }, endpointAccess: eks.EndpointAccess.PUBLIC, vpcSubnets: [{ subnetType: ec2.SubnetType.PUBLIC }], }); ``` ``` { clientName: 'EKSClient', commandName: 'TagResourceCommand', input: { resourceArn: 'arn:aws:eks:us-east-1:xxxxx:cluster/Cluster9EE0221C-f0d60e8e0bf14fb5896ade518b5bbc15', tags: { foobar: 'baz', hello: 'world1' } }, output: {}, metadata: {} } ``` ``` { clientName: 'EKSClient', commandName: 'UntagResourceCommand', input: { resourceArn: 'arn:aws:eks:us-east-1:xxxxx:cluster/Cluster9EE0221C-f0d60e8e0bf14fb5896ade518b5bbc15', tagKeys: [ 'foo' ] }, output: {}, metadata: {} } ``` TestCase - 3 Remove all tags ```ts new eks.Cluster(stack, 'Cluster', { vpc, ...getClusterVersionConfig(stack, eks.KubernetesVersion.V1_29), defaultCapacity: 0, endpointAccess: eks.EndpointAccess.PUBLIC, vpcSubnets: [{ subnetType: ec2.SubnetType.PUBLIC }], }); ``` ``` { clientName: 'EKSClient', commandName: 'UntagResourceCommand', input: { resourceArn: 'arn:aws:eks:us-east-1:xxxxx:cluster/Cluster9EE0221C-f0d60e8e0bf14fb5896ade518b5bbc15', tagKeys: [ 'foobar', 'hello' ] }, output: {}, metadata: {} ``` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Automated changes by [create-pull-request](https://github.com/peter-evans/create-pull-request) GitHub action

### Issue # (if applicable) Closes aws#8827. ### Reason for this change Customers could not override the authorizer defined in the default method configuration if they want to set the authorization type to None. ### Description of changes If the customer set the authorization type to None while creating a new method, we will not use the authorizer value defined in the default configuration and instead we will set it to undefined. ### Description of how you validated changes added unit, and integration test cases. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

A small typo fix. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Minor typo fixed ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…30423) ### Issue # (if applicable) Closes aws#30422 ### Reason for this change Missing Property in the Subscription class. ### Description of changes Add destination property to the Subscription class. ### Description of how you validated changes Add unit tests and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…iguration` (aws#30420) ### Issue # (if applicable) Closes aws#30403. ### Reason for this change `chatbot.SlackChannelConfiguration` does not support for configuring `userRoleRequired` prop. ### Description of changes Add `userRoleRequired` to `SlackChannelConfigurationProps` ### Description of how you validated changes Add both unit and integ tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…trigger (aws#29127) ### Issue # (if applicable) Closes aws#29124 Related PR: aws#29128 Perhaps if one merges, the other will cause a conflict. ### Reason for this change We would be good to trigger pipelines by GitPushFilter with branches and file paths. - CFn docs - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-gitpushfilter.html - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-gitbranchfiltercriteria.html - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-gitfilepathfiltercriteria.html ### Description of changes Add props: - branchesExcludes - branchesIncludes - filePathsExcludes - filePathsIncludes ### Description of how you validated changes Both unit and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…e with imported `delegatedZone` (aws#30440) ### Issue # (if applicable) Closes aws#28581. ### Reason for this change An imported `delegatedZone` will not have info about the Name Servers. When it is passed to `CrossAccountZoneDelegationRecord`, the handler will see `undefined` when trying to retrieve the Name Servers info on `delegatedZone`, then throw exception during deployment. This change throws the exception at build time for a faster feedback loop. ### Description of changes `CrossAccountZoneDelegationRecord` throws exception if `delegatedZone.hostedZoneNameServers` is undefined. ### Description of how you validated changes Add unit test to cover the case of passing an imported HostedZone to `CrossAccountZoneDelegationRecord` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Reason for this change The contribution guide recommend the active node LTS: https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md#getting-started ### Description of changes Update node 18 to 20 in devcontainer and gitpod and also the os version to bookworm ### Description of how you validated changes opened devcontainer and gitpod, checkd the node version and run command `npx lerna run build --scope=aws-cdk-lib --scope=@aws-cdk-testing/framework-integ --skip-nx-cache` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- refs: - aws#25381 - aws#25426 *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) Closes aws#29617. ### Reason for this change Implementation of reserved capacity CodeBuild projects ### Description of changes * Add Fleet Construct * Add `EnvironmentType` enum * Refactor existing type strings to use the new enum * Validate that Windows 2022 build images can only be used in fleet projects Changes merged from aws#29616: * Added missing build images * Updated JSDoc comments to indicate AL2023 based images, see [docs](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html) * It might be a good idea to deprecate and rename `AMAZON_LINUX_2_STANDARD_3_0` to `AMAZON_LINUX_2023_STANDARD_3_0`, despite how the images are named. I'll leave it up to the maintainers * Added `{@link}` tags where missing ### Description of how you validated changes Unit and integ tests The images were retrieved using the [codebuild:ListCuratedEnvironmentImages](https://docs.aws.amazon.com/codebuild/latest/APIReference/API_ListCuratedEnvironmentImages.html) API command, and comparing it to the CDK. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…seEncryption method (aws#30417) Removed the single quotes around the error message string to allow proper interpolation of the ${encryptionType} variable. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Commits on May 23, 2024

chore: integrationtest

Dahlberg Victor committed May 23, 2024

Configuration menu

View commit details

Copy full SHA for 8e3e453

Browse repository at this point

Copy the full SHA

8e3e453 View commit details

Browse the repository at this point in the history

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(msk-alpha): support any combination of client auth mechanisms #30307

fix(msk-alpha): support any combination of client auth mechanisms #30307

Commits on May 22, 2024

Commits on May 23, 2024

Commits on Jun 10, 2024