chore(release): 2.189.0 #34088
Merged
chore(release): 2.189.0 #34088
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
### Issue # 33995 #33995 Closes #33995 ### Reason for this change Support v2 pipeline type in cdk.pipelines ### Description of changes add pipeline v2 type support ### Describe any new or updated permissions being added new ### Description of how you validated changes integ test/unit test/local deployment ### Checklist - [Y] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…n for replica table (#34056) ### Issue # (if applicable) Closes NA ### Reason for this change Currently CloudFormation sends the DynamoDB table replica `onEvent` and `isComplete` handler requests with `skipReplicaDeletion` property as string (e.g., "true") rather than boolean (true). Cloudformation converts non string to string for custom resource properties when calling the handler. However, the handlers were checking for boolean value which caused the `isComplete` handler to timeout during delete operation when `skipReplicaDeletion` was enabled. This property was introduced in this PR #33953 ### Description of changes Modified both `onEvent` and `isComplete` handlers to explicitly convert `skipReplicaDeletion` from string to boolean using comparison. ### Describe any new or updated permissions being added NA ### Description of how you validated changes Ran Unit test ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable) Closes #32159 . ### Reason for this change Adding support for `mapPublicIpOnLaunch` prop in SubnetV2. ### Description of changes Added property mapPublicIpOnLaunch in SubnetV2Props, set to undefined by default. ### Describe any new or updated permissions being added NA ### Description of how you validated changes Added unit test and integration tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…eplacements (#34038) ### Reason for this change aws-cdk supports Docker replacements such as Finch, but the CONTRIBUTING.md guidelines don't mention it. ### Description of changes Add instructions for using Docker replacements. ### Describe any new or updated permissions being added None ### Description of how you validated changes Used the instructions myself. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ish (#34015) ### Reason for this change It appears that the structure and the link on the permissions page of the CodePipeline action has changed. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ments ### Issue #34008 Closes [#34008](#34008). ### Reason for this change ### Describe the issue [aws-cdk-lib.aws_batch.FargateComputeEnvironment](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_batch.FargateComputeEnvironment.html) needs to be updated for Fargate CEs This doc is not consistent with other docs: https://docs.aws.amazon.com/batch/latest/userguide/updating-compute-environments.html https://docs.aws.amazon.com/cli/latest/reference/batch/update-compute-environment.html Following fields in `FargateComputeEnvironmentProps` of `FargateComputeEnvironment` are not applicable. We might not be able to change model now as it is out, we can update documentation to reflect it is not applicable. All these params are optional `?` . ``` replaceComputeEnvironment? terminateOnUpdate? updateTimeout? updateToLatestImageVersion? ``` ### Links https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-batch/README.md ### Description of changes Update README, following the instructions in the issue. ### Describe any new or updated permissions being added No. ### Description of how you validated changes No, only README change. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…p-in replacements (#33948) ### Issue # (if applicable) Closes #33947. ### Reason for this change Documentation has been created to guide customers on using Docker drop-in replacements in the Developer Guide. Adding a link to that page here. ### Description of changes Add link to Docker drop-in replacements. ### Describe any new or updated permissions being added None ### Description of how you validated changes None ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ld in `customRule` (#33973) ### Issue # (if applicable) N/A I found this problem while working on #33962. ### Reason for this change Re-running `packages/@aws-cdk/aws-amplify-alpha/test/integ.app.ts`, got the following error: ```sh Resource handler returned message: "Invalid request provided: Status field in rewrite custom rules should not be empty (Service: Amplify, Status Code: 400, Request ID: 3f3694f1-3eeb-4af3-8cdf-8b77b6387e57) (SDK Attempt Count: 1)" (RequestToken: 5748aef8-c0e1-1a1d-ab27-1bab938e0bd3, HandlerErrorCode: InvalidRequest) ``` If `status` is omitted in `customRules`, `App` cannot be deployed. ### Description of changes Specify `status` property in integ test. ### Describe any new or updated permissions being added N/A ### Description of how you validated changes Re-ran integ test. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change This adds an alpha module `@aws-cdk/aws-s3tables-alpha` containing L2 constructs for Amazon S3 Tables. ### Description of changes Amazon S3 Tables deliver the first cloud object store with built-in Apache Iceberg support and streamline storing tabular data at scale. See [product page](https://aws.amazon.com/s3/features/tables/). These changes set up an alpha module for higher level L2 constructs for S3 Tables: - `TableBucket`: defines an underlying [CfnTableBucket](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3tables-tablebucket.html) resource - `TableBucketPolicy`: defines an underlying [CfnTableBucketPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3tables-tablebucketpolicy.html) resource #### Example Usage **Define an S3 Table Bucket** ```ts // Build a Table bucket const tableBucket = new TableBucket(scope, 'ExampleTableBucket', { tableBucketName: 'example-bucket-1', // optional fields: unreferencedFileRemoval: { noncurrentDays: 123, status: 'Enabled', unreferencedDays: 123, }, }); // Add resource policy statements const permissions = new iam.PolicyStatement({ effect: Effect.ALLOW, actions: ['s3tables:*'], principals: [ new iam.ServicePrincipal('example.awsamazon.com') ], resources: ['*'] }); tableBucket.addResourcePolicy(permissions); ``` Future constructs are planned to be supported incrementally. ### Describe any new or updated permissions being added N/A ### Description of how you validated changes Unit tests for all major code branches and snapshot integration tests have been added ### Checklist - [✔] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…may contain invalid characters (#34016) ### Issue # (if applicable) Closes #23260 Also #34011 ### Reason for this change According [to the documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html), the `RoleSessionName` property for an `AssumeRole` operation may only contain upper- and lower-case alphanumeric characters with no spaces, underscores or any of the following characters: =,.@- ### Description of changes Sanitize the role session name by removing all non-allowed symbols ### Describe any new or updated permissions being added N/A ### Description of how you validated changes - [x] Unit Test - [x] Integration Test ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ref: https://aws.amazon.com/about-aws/whats-new/2025/04/amazon-nova-reel-1-1/ ```sh % aws bedrock get-foundation-model --model-identifier amazon.nova-reel-v1:1 --region us-east-1 { "modelDetails": { "modelArn": "arn:aws:bedrock:us-east-1::foundation-model/amazon.nova-reel-v1:1", "modelId": "amazon.nova-reel-v1:1", "modelName": "Nova Reel", "providerName": "Amazon", "inputModalities": [ "TEXT", "IMAGE" ], "outputModalities": [ "VIDEO" ], "responseStreamingSupported": false, "customizationsSupported": [], "inferenceTypesSupported": [ "ON_DEMAND" ], "modelLifecycle": { "status": "ACTIVE" } } } ``` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…in trust policy for cross-account actions (under feature flag) (#34074) ### Issue # (if applicable) [GHSA-5pq3-h73f-66hr](GHSA-5pq3-h73f-66hr) ### Reason for this change See GHSA for details. ### Description of changes Added new feature flag `@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope` When the feature flag `@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope` is set to true: - Scope down cross-account action role's trust policy to the pipeline role - Set pipeline role's `roleName` to `PhysicalName.GENERATE_IF_NEEDED` ### Describe any new or updated permissions being added Cross-account action role trust policy is scoped with condition key `ArnEquals` when feature flag is enabled: ``` "Statement": [ { "Action": "sts:AssumeRole", "Condition": { "ArnEquals": { "aws:PrincipalArn": "<pipelineRoleARN>" } }, "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<pipelineStack.account>:root" } } ], ``` ### Description of how you validated changes Added integration tests for S3, StepFunction, and Cloudformation codepipeline actions and manually verified that the cross-account action was successfully completed (reading S3 bucket, invoking state machine, and deploying a cloudformation stack in the cross-account). ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-apigateway │ └ resources │ └[~] resource AWS::ApiGateway::DomainName │ └ - documentation: The `AWS::ApiGateway::DomainName` resource specifies a public custom domain name for your API in API Gateway. │ You can use a custom domain name to provide a URL that's more intuitive and easier to recall. For more information about using custom domain names, see [Set up Custom Domain Name for an API in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html) in the *API Gateway Developer Guide* . │ + documentation: The `AWS::ApiGateway::DomainName` resource specifies a public custom domain name for your API in API Gateway. │ To create a custom domain name for private APIs, use [AWS::ApiGateway::DomainV2](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainnamev2.html) . │ You can use a custom domain name to provide a URL that's more intuitive and easier to recall. For more information about using custom domain names, see [Set up Custom Domain Name for an API in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html) in the *API Gateway Developer Guide* . ├[~] service aws-bedrock │ └ resources │ ├[~] resource AWS::Bedrock::Prompt │ │ └ types │ │ ├[~] type CachePointBlock │ │ │ ├ - documentation: Indicates where a cache checkpoint is located. All information before this checkpoint is cached to be accessed on subsequent requests. │ │ │ │ + documentation: Defines a section of content to be cached for reuse in subsequent API calls. │ │ │ └ properties │ │ │ └ Type: (documentation changed) │ │ ├[~] type ContentBlock │ │ │ └ properties │ │ │ └ CachePoint: (documentation changed) │ │ ├[~] type SystemContentBlock │ │ │ └ properties │ │ │ └ CachePoint: (documentation changed) │ │ └[~] type Tool │ │ └ properties │ │ └ CachePoint: (documentation changed) │ └[~] resource AWS::Bedrock::PromptVersion │ └ types │ ├[~] type CachePointBlock │ │ ├ - documentation: Indicates where a cache checkpoint is located. All information before this checkpoint is cached to be accessed on subsequent requests. │ │ │ + documentation: Defines a section of content to be cached for reuse in subsequent API calls. │ │ └ properties │ │ └ Type: (documentation changed) │ ├[~] type ContentBlock │ │ └ properties │ │ └ CachePoint: (documentation changed) │ ├[~] type SystemContentBlock │ │ └ properties │ │ └ CachePoint: (documentation changed) │ └[~] type Tool │ └ properties │ └ CachePoint: (documentation changed) ├[+] service aws-dsql │ ├ capitalized: DSQL │ │ cloudFormationNamespace: AWS::DSQL │ │ name: aws-dsql │ │ shortName: dsql │ └ resources │ └ resource AWS::DSQL::Cluster │ ├ name: Cluster │ │ cloudFormationType: AWS::DSQL::Cluster │ │ documentation: Resource Type definition for AWS::DSQL::Cluster │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ ├ properties │ │ ├ DeletionProtectionEnabled: boolean │ │ └ Tags: Array<tag> │ └ attributes │ ├ ResourceArn: string │ ├ Identifier: string │ ├ CreationTime: string │ └ Status: string ├[~] service aws-dynamodb │ └ resources │ ├[~] resource AWS::DynamoDB::GlobalTable │ │ └ types │ │ └[~] type Projection │ │ └ properties │ │ └ NonKeyAttributes: (documentation changed) │ └[~] resource AWS::DynamoDB::Table │ └ types │ └[~] type Projection │ └ properties │ └ NonKeyAttributes: (documentation changed) ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::Instance │ │ └ types │ │ └[~] type NetworkInterface │ │ └ properties │ │ └ EnaSrdSpecification: (documentation changed) │ ├[~] resource AWS::EC2::LaunchTemplate │ │ └ types │ │ └[~] type NetworkInterface │ │ └ properties │ │ └ DeviceIndex: (documentation changed) │ ├[~] resource AWS::EC2::RouteServer │ │ ├ - documentation: VPC Route Server │ │ │ + documentation: Specifies a route server to manage dynamic routing in a VPC. │ │ │ Amazon VPC Route Server simplifies routing for traffic between workloads that are deployed within a VPC and its internet gateways. With this feature, VPC Route Server dynamically updates VPC and internet gateway route tables with your preferred routes to achieve routing fault tolerance for those workloads. This enables you to automatically reroute traffic within a VPC, which increases the manageability of VPC routing and interoperability with third-party workloads. │ │ │ For more information see [Dynamic routing in your VPC with VPC Route Server](https://docs.aws.amazon.com/vpc/latest/userguide/dynamic-routing-route-server.html) in the *Amazon VPC User Guide* . │ │ ├ properties │ │ │ ├ AmazonSideAsn: (documentation changed) │ │ │ ├ PersistRoutes: (documentation changed) │ │ │ ├ PersistRoutesDuration: (documentation changed) │ │ │ ├ SnsNotificationsEnabled: (documentation changed) │ │ │ └ Tags: (documentation changed) │ │ └ attributes │ │ ├ Arn: (documentation changed) │ │ └ Id: (documentation changed) │ ├[~] resource AWS::EC2::RouteServerAssociation │ │ ├ - documentation: VPC Route Server Association │ │ │ + documentation: Specifies the association between a route server and a VPC. │ │ │ A route server association is the connection established between a route server and a VPC. │ │ └ properties │ │ ├ RouteServerId: (documentation changed) │ │ └ VpcId: (documentation changed) │ ├[~] resource AWS::EC2::RouteServerEndpoint │ │ ├ - documentation: VPC Route Server Endpoint │ │ │ + documentation: Creates a new endpoint for a route server in a specified subnet. │ │ │ A route server endpoint is an AWS -managed component inside a subnet that facilitates [BGP (Border Gateway Protocol)](https://docs.aws.amazon.com/https://en.wikipedia.org/wiki/Border_Gateway_Protocol) connections between your route server and your BGP peers. │ │ │ For more information see [Dynamic routing in your VPC with VPC Route Server](https://docs.aws.amazon.com/vpc/latest/userguide/dynamic-routing-route-server.html) in the *Amazon VPC User Guide* . │ │ ├ properties │ │ │ ├ RouteServerId: (documentation changed) │ │ │ ├ SubnetId: (documentation changed) │ │ │ └ Tags: (documentation changed) │ │ └ attributes │ │ ├ Arn: (documentation changed) │ │ ├ EniAddress: (documentation changed) │ │ ├ EniId: (documentation changed) │ │ ├ Id: (documentation changed) │ │ └ VpcId: (documentation changed) │ ├[~] resource AWS::EC2::RouteServerPeer │ │ ├ - documentation: VPC Route Server Peer │ │ │ + documentation: Specifies a BGP peer configuration for a route server endpoint. │ │ │ A route server peer is a session between a route server endpoint and the device deployed in AWS (such as a firewall appliance or other network security function running on an EC2 instance). │ │ ├ properties │ │ │ ├ BgpOptions: (documentation changed) │ │ │ ├ PeerAddress: (documentation changed) │ │ │ ├ RouteServerEndpointId: (documentation changed) │ │ │ └ Tags: (documentation changed) │ │ ├ attributes │ │ │ ├ Arn: (documentation changed) │ │ │ ├ EndpointEniAddress: (documentation changed) │ │ │ ├ EndpointEniId: (documentation changed) │ │ │ ├ Id: (documentation changed) │ │ │ ├ RouteServerId: (documentation changed) │ │ │ ├ SubnetId: (documentation changed) │ │ │ └ VpcId: (documentation changed) │ │ └ types │ │ └[~] type BgpOptions │ │ ├ - documentation: BGP Options │ │ │ + documentation: The BGP configuration options for this peer, including ASN (Autonomous System Number) and BFD (Bidrectional Forwarding Detection) settings. │ │ └ properties │ │ ├ PeerAsn: (documentation changed) │ │ └ PeerLivenessDetection: (documentation changed) │ ├[~] resource AWS::EC2::RouteServerPropagation │ │ ├ - documentation: VPC Route Server Propagation │ │ │ + documentation: Specifies route propagation from a route server to a route table. │ │ │ For more information see [Dynamic routing in your VPC with VPC Route Server](https://docs.aws.amazon.com/vpc/latest/userguide/dynamic-routing-route-server.html) in the *Amazon VPC User Guide* . │ │ └ properties │ │ ├ RouteServerId: (documentation changed) │ │ └ RouteTableId: (documentation changed) │ └[~] resource AWS::EC2::SecurityGroup │ ├ - documentation: Specifies a security group. │ │ You must specify ingress rules to allow inbound traffic. By default, no inbound traffic is allowed. │ │ If you do not specify an egress rule, we add egress rules that allow outbound IPv4 and IPv6 traffic on all ports and protocols to any destination. We do not add these rules if you specify your own egress rules. │ │ This type supports updates. For more information about updating stacks, see [AWS CloudFormation Stacks Updates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html) . │ │ > To cross-reference two security groups in the ingress and egress rules of those security groups, use the [AWS::EC2::SecurityGroupEgress](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-egress.html) and [AWS::EC2::SecurityGroupIngress](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-ingress.html) resources to define your rules. Do not use the embedded ingress and egress rules in the `AWS::EC2::SecurityGroup` . Doing so creates a circular dependency, which AWS CloudFormation doesn't allow. │ │ + documentation: Specifies a security group. │ │ You must specify ingress rules to allow inbound traffic. By default, no inbound traffic is allowed. │ │ If you do not specify an egress rule, we add egress rules that allow outbound IPv4 and IPv6 traffic on all ports and protocols to any destination. We do not add these rules if you specify your own egress rules. │ │ If you modify a rule, CloudFormation removes the existing rule and then adds a new rule. There is a brief period when neither the original rule or the new rule exists, so the corresponding traffic is dropped. │ │ This type supports updates. For more information about updating stacks, see [AWS CloudFormation Stacks Updates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html) . │ │ > To cross-reference two security groups in the ingress and egress rules of those security groups, use the [AWS::EC2::SecurityGroupEgress](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-egress.html) and [AWS::EC2::SecurityGroupIngress](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-ingress.html) resources to define your rules. Do not use the embedded ingress and egress rules in the `AWS::EC2::SecurityGroup` . Doing so creates a circular dependency, which AWS CloudFormation doesn't allow. │ └ properties │ ├ SecurityGroupEgress: (documentation changed) │ └ SecurityGroupIngress: (documentation changed) ├[~] service aws-fsx │ └ resources │ └[~] resource AWS::FSx::FileSystem │ └ types │ └[~] type WindowsConfiguration │ └ properties │ └ WeeklyMaintenanceStartTime: (documentation changed) ├[~] service aws-gamelift │ └ resources │ ├[~] resource AWS::GameLift::Alias │ │ ├ - tagInformation: undefined │ │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ ├ properties │ │ │ └[+] Tags: Array<tag> │ │ └ attributes │ │ └[+] AliasArn: string │ ├[~] resource AWS::GameLift::Build │ │ ├ - tagInformation: undefined │ │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ ├ properties │ │ │ └[+] Tags: Array<tag> │ │ └ attributes │ │ └[+] BuildArn: string │ └[~] resource AWS::GameLift::ContainerGroupDefinition │ ├ properties │ │ └ OperatingSystem: (documentation changed) │ └ types │ └[~] type ContainerPortRange │ └ - documentation: A set of one or more port numbers that can be opened on the container. │ *Part of:* [ContainerPortConfiguration](https://docs.aws.amazon.com/gamelift/latest/apireference/API_ContainerPortConfiguration.html) │ + documentation: A set of one or more port numbers that can be opened on the container, and the supported network protocol. │ *Part of:* [ContainerPortConfiguration](https://docs.aws.amazon.com/gamelift/latest/apireference/API_ContainerPortConfiguration.html) ├[~] service aws-groundstation │ └ resources │ └[~] resource AWS::GroundStation::DataflowEndpointGroup │ └ properties │ └ EndpointDetails: (documentation changed) ├[~] service aws-kinesisfirehose │ └ resources │ └[~] resource AWS::KinesisFirehose::DeliveryStream │ ├ properties │ │ └ IcebergDestinationConfiguration: - IcebergDestinationConfiguration (immutable) │ │ + IcebergDestinationConfiguration │ └ types │ └[~] type IcebergDestinationConfiguration │ └ properties │ └ CatalogConfiguration: - CatalogConfiguration (required) │ + CatalogConfiguration (required, immutable) ├[~] service aws-paymentcryptography │ └ resources │ └[~] resource AWS::PaymentCryptography::Key │ └ - documentation: Creates an AWS Payment Cryptography key, a logical representation of a cryptographic key, that is unique in your account and AWS Region . You use keys for cryptographic functions such as encryption and decryption. │ In addition to the key material used in cryptographic operations, an AWS Payment Cryptography key includes metadata such as the key ARN, key usage, key origin, creation date, description, and key state. │ When you create a key, you specify both immutable and mutable data about the key. The immutable data contains key attributes that define the scope and cryptographic operations that you can perform using the key, for example key class (example: `SYMMETRIC_KEY` ), key algorithm (example: `TDES_2KEY` ), key usage (example: `TR31_P0_PIN_ENCRYPTION_KEY` ) and key modes of use (example: `Encrypt` ). For information about valid combinations of key attributes, see [Understanding key attributes](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html) in the *AWS Payment Cryptography User Guide* . The mutable data contained within a key includes usage timestamp and key deletion timestamp and can be modified after creation. │ AWS Payment Cryptography binds key attributes to keys using key blocks when you store or export them. AWS Payment Cryptography stores the key contents wrapped and never stores or transmits them in the clear. │ *Cross-account use* : This operation can't be used across different AWS accounts. │ *Related operations:* │ - [DeleteKey](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_DeleteKey.html) │ - [GetKey](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetKey.html) │ - [ListKeys](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ListKeys.html) │ + documentation: Creates an AWS Payment Cryptography key, a logical representation of a cryptographic key, that is unique in your account and AWS Region . You use keys for cryptographic functions such as encryption and decryption. │ In addition to the key material used in cryptographic operations, an AWS Payment Cryptography key includes metadata such as the key ARN, key usage, key origin, creation date, description, and key state. │ When you create a key, you specify both immutable and mutable data about the key. The immutable data contains key attributes that define the scope and cryptographic operations that you can perform using the key, for example key class (example: `SYMMETRIC_KEY` ), key algorithm (example: `TDES_2KEY` ), key usage (example: `TR31_P0_PIN_ENCRYPTION_KEY` ) and key modes of use (example: `Encrypt` ). AWS Payment Cryptography binds key attributes to keys using key blocks when you store or export them. AWS Payment Cryptography stores the key contents wrapped and never stores or transmits them in the clear. │ For information about valid combinations of key attributes, see [Understanding key attributes](https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html) in the *AWS Payment Cryptography User Guide* . The mutable data contained within a key includes usage timestamp and key deletion timestamp and can be modified after creation. │ You can use the `CreateKey` operation to generate an ECC (Elliptic Curve Cryptography) key pair used for establishing an ECDH (Elliptic Curve Diffie-Hellman) key agreement between two parties. In the ECDH key agreement process, both parties generate their own ECC key pair with key usage K3 and exchange the public keys. Each party then use their private key, the received public key from the other party, and the key derivation parameters including key derivation function, hash algorithm, derivation data, and key algorithm to derive a shared key. │ To maintain the single-use principle of cryptographic keys in payments, ECDH derived keys should not be used for multiple purposes, such as a `TR31_P0_PIN_ENCRYPTION_KEY` and `TR31_K1_KEY_BLOCK_PROTECTION_KEY` . When creating ECC key pairs in AWS Payment Cryptography you can optionally set the `DeriveKeyUsage` parameter, which defines the key usage bound to the symmetric key that will be derived using the ECC key pair. │ *Cross-account use* : This operation can't be used across different AWS accounts. │ *Related operations:* │ - [DeleteKey](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_DeleteKey.html) │ - [GetKey](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetKey.html) │ - [ListKeys](https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ListKeys.html) └[~] service aws-redshiftserverless └ resources └[~] resource AWS::RedshiftServerless::Workgroup └ properties ├[+] RecoveryPointId: string ├[+] SnapshotArn: string ├[+] SnapshotName: string └[+] SnapshotOwnerAccount: string ```
### Issue # (if applicable) None ### Reason for this change Cloudformation now supports for configuring ip address type for `AWS::ApiGatewayV2::Api`. https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-api.html#cfn-apigatewayv2-api-ipaddresstype ### Description of changes - define `IpAddressType` enum - add `ipAddressType` prop to both `HttpApiProps` and `WebSocketApiProps` ### Describe any new or updated permissions being added None ### Description of how you validated changes Add both unit and integ test ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
b16b947 to
8de33b4
Compare
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Comments on closed issues and PRs are hard for our team to see. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See CHANGELOG