@go-to-k go-to-k commented Jun 10, 2025

Issue # (if applicable)

N/A

Reason for this change

CodePipeline supports environment variables in actions, but the L2 Pipeline with actions doesn't support them.

Description of changes

Added EnvironmentVariable with PlaintextEnvironmentVariable and SecretsManagerEnvironmentVariable.

Describe any new or updated permissions being added

None.

Description of how you validated changes

Both unit tests and integ tests.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added the p2 label Jun 10, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team June 10, 2025 10:12
@github-actions github-actions bot added the distinguished-contributor [Pilot] contributed 50+ PRs to the CDK label Jun 10, 2025
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

(This review is outdated)

@go-to-k go-to-k changed the title feat(codepipeline-actions): support environment variables feat(codepipeline): support environment variables Jun 10, 2025
@go-to-k go-to-k marked this pull request as ready for review June 10, 2025 12:00
@aws-cdk-automation aws-cdk-automation dismissed their stale review June 10, 2025 12:01

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@go-to-k go-to-k marked this pull request as draft June 10, 2025 12:08
@go-to-k go-to-k marked this pull request as ready for review June 10, 2025 13:08
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jun 10, 2025
@go-to-k go-to-k changed the title feat(codepipeline): support environment variables feat(codepipeline): support environment variables for actions Jun 10, 2025
*
* @default - no environment variables
*/
readonly actionEnvironmentVariables?: EnvironmentVariable[];
Contributor Author

@go-to-k go-to-k Jun 10, 2025

Avoided the name environmentVariables because CodeBuildActionProps, which extends codepipeline.CommonAwsActionProps and this CommonActionProps, already uses a property with the same name, and an error occurs if the name is used in these props.

https://github.com/aws/aws-cdk/blob/v2.200.1/packages/aws-cdk-lib/aws-codepipeline-actions/lib/codebuild/build-action.ts#L81

@go-to-k go-to-k marked this pull request as draft June 10, 2025 17:43
@go-to-k go-to-k marked this pull request as ready for review June 11, 2025 11:12
@go-to-k go-to-k marked this pull request as draft June 11, 2025 11:13
@go-to-k go-to-k force-pushed the cp-env-vars branch 4 times, most recently from 2a82dcd to 882d787 Compare June 11, 2025 12:10
@go-to-k go-to-k marked this pull request as ready for review June 11, 2025 12:10
Comment on lines 148 to 167
// Don't use `grantRead` method for the secret because `secretsmanager:DescribeSecret` is not required.
// See https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-Commands.html#action-reference-Commands-envvars
options.role.addToPrincipalPolicy(new iam.PolicyStatement({
actions: ['secretsmanager:GetSecretValue'],
resources: [secretArn],
}));
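Review bot: On the `addToPrincipalPolicy` call, skipping `grantRead` drops more than `secretsmanager:DescribeSecret`. `grantRead` also grants decrypt on the secret's `encryptionKey` when one is set, and appends the `-??????` suffix wildcard when only a partial ARN is known. With `resources: [secretArn]` alone, a secret encrypted with a customer managed KMS key, or one imported by name, would be denied at run time. Suggest either handling the key grant here or documenting that callers must grant key access themselves, and saying in the comment whether `secretArn` must be a complete ARN.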
Contributor Author

https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-Commands.html#action-reference-Commands-envvars

To use the SecretsManager, you must add the following permissions to your pipeline service role:

    {
        "Effect": "Allow",
        "Action": [
            "secretsmanager:GetSecretValue"
        ],
        "Resource": [
            "SECRET_ARN"
        ]
    }

Comment on lines 85 to 89
/**
* Bind the environment variable to the action.
* @internal
*/
public abstract _bind(scope: Construct, actionProperties: ActionProperties, options: ActionBindOptions): void;
Contributor Author

@go-to-k go-to-k Jun 11, 2025

Originally, this abstract method did not exist; a concrete bind method was created only for SecretsManagerEnvironmentVariable. However, considering that support for PARAMETER_STORE may be added in the future, such as the one for CodeBuild, it is better to create the abstract method, so I did it this way. Otherwise, it would be necessary to implement the bind call as follows. If more types are added in the future, the code will become even more complicated.

    envVars?.forEach(envVar => {
      if (envVar instanceof SecretsManagerEnvironmentVariable || envVar instanceof ParameterStoreEnvironmentVariable) {
        envVar._bind(scope, this.actionProperties, options);
      }
    });

Now we can write like:

    envVars?.forEach(envVar => {
      envVar._bind(scope, this.actionProperties, options);
    });
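The dispatch pattern described in the comment above, with the per-variable grant it produces, as an added sketch that is not code from this PR or from aws-cdk-lib. All class and function names (`RecordingRole`, `EnvVar`, `bindAll`, `auditSecretGrants`) and the sample ARN are hypothetical; `auditSecretGrants` goes one step further and compares a role's statements with what the bound variables actually need.

```typescript
// Added illustration: hypothetical stand-ins, not aws-cdk-lib types.
interface PolicyStatement {
  actions: string[];
  resources: string[];
}

// Minimal stand-in for the action role: it only records what gets granted.
class RecordingRole {
  readonly statements: PolicyStatement[] = [];
  addToPrincipalPolicy(statement: PolicyStatement): void {
    this.statements.push(statement);
  }
}

const GET_SECRET = 'secretsmanager:GetSecretValue';

abstract class EnvVar {
  readonly name: string;
  constructor(name: string) {
    this.name = name;
  }
  // Each variable type states its own permission needs, so callers never branch on type.
  abstract bind(role: RecordingRole): void;
}

class PlaintextEnvVar extends EnvVar {
  readonly value: string;
  constructor(name: string, value: string) {
    super(name);
    this.value = value;
  }
  bind(_role: RecordingRole): void {
    // A plaintext value needs no IAM permission.
  }
}

class SecretsManagerEnvVar extends EnvVar {
  readonly secretArn: string;
  constructor(name: string, secretArn: string) {
    super(name);
    this.secretArn = secretArn;
  }
  bind(role: RecordingRole): void {
    // Only GetSecretValue, and only on this one secret.
    role.addToPrincipalPolicy({ actions: [GET_SECRET], resources: [this.secretArn] });
  }
}

// Binds every variable without any instanceof checks and returns the grants made.
function bindAll(envVars: EnvVar[]): PolicyStatement[] {
  const role = new RecordingRole();
  envVars.forEach(envVar => envVar.bind(role));
  return role.statements;
}

// IAM action names are case-insensitive; "*" covers every service.
function touchesSecretsManager(action: string): boolean {
  return action === '*' || action.toLowerCase().indexOf('secretsmanager:') === 0;
}

// Reports every Secrets Manager grant in `actual` that exceeds what the variables require.
function auditSecretGrants(actual: PolicyStatement[], envVars: EnvVar[]): string[] {
  const needed: string[] = [];
  bindAll(envVars).forEach(s => s.resources.forEach(r => needed.push(r)));
  const findings: string[] = [];
  actual.forEach(statement => {
    const smActions = statement.actions.filter(touchesSecretsManager);
    if (smActions.length === 0) {
      return; // statement is unrelated to Secrets Manager
    }
    smActions.forEach(action => {
      if (action.toLowerCase() !== GET_SECRET.toLowerCase()) {
        findings.push('action not required: ' + action);
      }
    });
    statement.resources.forEach(resource => {
      if (resource.indexOf('*') !== -1) {
        findings.push('wildcard resource: ' + resource);
      } else if (needed.indexOf(resource) === -1) {
        findings.push('secret not used by any variable: ' + resource);
      }
    });
  });
  return findings;
}

// Constructed sample values.
const TOKEN_ARN = 'arn:aws:secretsmanager:us-east-1:111122223333:secret:build/token-AbCdEf';
const sampleVars: EnvVar[] = [
  new PlaintextEnvVar('STAGE', 'beta'),
  new SecretsManagerEnvVar('API_TOKEN', TOKEN_ARN),
];
```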

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 9d906f7
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

djglaser and others added 2 commits August 11, 2025 19:12
…cing default values (aws#35156)

Updates documentation to reflect ECS change in default behavior for the
`AvailabilityZoneRebalancing` property:

- For create service requests, when no value is specified for
AvailabilityZoneRebalancing, Amazon ECS defaults to ENABLED if the ECS
service is compatible with AvailabilityZoneRebalancing. If the ECS
service is not compatible with AvailabilityZoneRebalancing, Amazon ECS
defaults to DISABLED.
- For update service requests, when no value is specified for
AvailabilityZoneRebalancing, Amazon ECS defaults to the existing
service’s AvailabilityZoneRebalancing value. If the service never had an
AvailabilityZoneRebalancing value set, Amazon ECS treats this as
DISABLED.

### Checklist
- [X] My code adheres to the [CONTRIBUTING
GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and
[DESIGN
GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license*
dependabot bot and others added 23 commits October 7, 2025 04:30
…#35680)

Bumps [peter-evans/create-issue-from-file](https://github.com/peter-evans/create-issue-from-file) from 5 to 6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/peter-evans/create-issue-from-file/releases">peter-evans/create-issue-from-file's releases</a>.</em></p>
<blockquote>
<h2>Create Issue From File v6.0.0</h2>
<p>⚙️ Requires <a href="https://github.com/actions/runner/releases/tag/v2.327.1">Actions Runner v2.327.1</a> or later if you are using a self-hosted runner for Node 24 support.</p>
</blockquote>
<p>... (truncated)</p>
</details>
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[~] service aws-apigateway
│ └ resources
│    ├[~]  resource AWS::ApiGateway::Account
│    │  └      - arnTemplate: arn:${Partition}:apigateway:${Region}::/account
│    │         + arnTemplate: arn:${Partition}:apigateway:${Region}::/account/${ApiGatewayAccountId}
│    └[~]  resource AWS::ApiGateway::DomainNameAccessAssociation
│       └      - arnTemplate: arn:${Partition}:apigateway:${Region}:${Account}:/domainnameaccessassociations
│              + arnTemplate: arn:${Partition}:apigateway:${Region}:${Account}:/domainnameaccessassociations/domainname/${DomainName}/${SourceType}/${SourceId}
├[~] service aws-applicationsignals
│ └ resources
│    ├[~]  resource AWS::ApplicationSignals::Discovery
│    │  └      - documentation: Enables this AWS account to be able to use CloudWatch Application Signals by creating the `AWSServiceRoleForCloudWatchApplicationSignals` service-linked role. This service-linked role has the following permissions:
│    │         - `xray:GetServiceGraph`
│    │         - `logs:StartQuery`
│    │         - `logs:GetQueryResults`
│    │         - `cloudwatch:GetMetricData`
│    │         - `cloudwatch:ListMetrics`
│    │         - `tag:GetResources`
│    │         - `autoscaling:DescribeAutoScalingGroups`
│    │         After completing this step, you still need to instrument your Java and Python applications to send data to Application Signals. For more information, see [Enabling Application Signals](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Application-Signals-Enable.html) .
│    │         + documentation: > If you have existing `AWS::ApplicationSignals::Discovery` resources that were created prior to the Application Map release, you will need to delete and recreate these resources in your account to enable Application Map. 
│    │         Enables this AWS account to be able to use CloudWatch Application Signals by creating the `AWSServiceRoleForCloudWatchApplicationSignals` service-linked role. This service-linked role has the following permissions:
│    │         - `xray:GetServiceGraph`
│    │         - `logs:StartQuery`
│    │         - `logs:GetQueryResults`
│    │         - `cloudwatch:GetMetricData`
│    │         - `cloudwatch:ListMetrics`
│    │         - `tag:GetResources`
│    │         - `autoscaling:DescribeAutoScalingGroups`
│    │         A service-linked CloudTrail event channel is created to process CloudTrail events and return change event information. This includes last deployment time, userName, eventName, and other event metadata.
│    │         After completing this step, you still need to instrument your Java and Python applications to send data to Application Signals. For more information, see [Enabling Application Signals](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Application-Signals-Enable.html) .
│    └[+]  resource AWS::ApplicationSignals::GroupingConfiguration
│       ├      name: GroupingConfiguration
│       │      cloudFormationType: AWS::ApplicationSignals::GroupingConfiguration
│       │      documentation: Resource Type definition for AWS::ApplicationSignals::GroupingConfiguration
│       ├ properties
│       │  └ GroupingAttributeDefinitions: Array<GroupingAttributeDefinition> (required)
│       ├ attributes
│       │  ├ UpdatedAt: string
│       │  └ AccountId: string
│       └ types
│          └ type GroupingAttributeDefinition
│            ├      name: GroupingAttributeDefinition
│            └ properties
│               ├ GroupingName: string (required)
│               ├ GroupingSourceKeys: Array<string> (required)
│               └ DefaultGroupingValue: string
├[~] service aws-arcregionswitch
│ └ resources
│    └[~]  resource AWS::ARCRegionSwitch::Plan
│       └ attributes
│          └[+] PlanHealthChecks: Array<string>
├[~] service aws-backup
│ └ resources
│    ├[~]  resource AWS::Backup::BackupVault
│    │  └      - arnTemplate: arn:${Partition}:backup:${Region}:${Account}:backup-vault:${BackupVaultName}
│    │         + arnTemplate: undefined
│    └[~]  resource AWS::Backup::LogicallyAirGappedBackupVault
│       └      - arnTemplate: undefined
│              + arnTemplate: arn:${Partition}:backup:${Region}:${Account}:backup-vault:${BackupVaultName}
├[~] service aws-bedrock
│ └ resources
│    └[~]  resource AWS::Bedrock::DataAutomationProject
│       └ types
│          ├[~] type AudioExtractionCategory
│          │ └ properties
│          │    └ TypeConfiguration: (documentation changed)
│          ├[~] type AudioExtractionCategoryTypeConfiguration
│          │ ├      - documentation: undefined
│          │ │      + documentation: Allows configuration of extractions for different types of data, such as transcript and content moderation.
│          │ └ properties
│          │    └ Transcript: (documentation changed)
│          ├[~] type ChannelLabelingConfiguration
│          │ ├      - documentation: undefined
│          │ │      + documentation: Enables or disables channel labeling. Channel labeling, when enabled will assign a number to each audio channel, and indicate which channel is being used in each portion of the transcript. This appears in the response as "ch_0" for the first channel, and "ch_1" for the second.
│          │ └ properties
│          │    └ State: (documentation changed)
│          ├[~] type SpeakerLabelingConfiguration
│          │ ├      - documentation: undefined
│          │ │      + documentation: Enables or disables speaker labeling. Speaker labeling, when enabled will assign a number to each speaker, and indicate which speaker is talking in each portion of the transcript. This appears in the response as "spk_0" for the first speaker, "spk_1" for the second, and so on for up to 30 speakers.
│          │ └ properties
│          │    └ State: (documentation changed)
│          └[~] type TranscriptConfiguration
│            ├      - documentation: undefined
│            │      + documentation: Configuration for transcript options. This option allows you to enable speaker labeling and channel labeling.
│            └ properties
│               ├ ChannelLabeling: (documentation changed)
│               └ SpeakerLabeling: (documentation changed)
├[~] service aws-bedrockagentcore
│ └ resources
│    ├[+]  resource AWS::BedrockAgentCore::Gateway
│    │  ├      name: Gateway
│    │  │      cloudFormationType: AWS::BedrockAgentCore::Gateway
│    │  │      documentation: Definition of AWS::BedrockAgentCore::Gateway Resource Type
│    │  │      tagInformation: {"tagPropertyName":"Tags","variant":"map"}
│    │  │      arnTemplate: arn:${Partition}:bedrock-agentcore:${Region}:${Account}:gateway/${GatewayId}
│    │  ├ properties
│    │  │  ├ AuthorizerConfiguration: AuthorizerConfiguration
│    │  │  ├ AuthorizerType: string (required)
│    │  │  ├ Description: string
│    │  │  ├ ExceptionLevel: string
│    │  │  ├ KmsKeyArn: string
│    │  │  ├ Name: string (required)
│    │  │  ├ ProtocolConfiguration: GatewayProtocolConfiguration
│    │  │  ├ ProtocolType: string (required)
│    │  │  ├ RoleArn: string (required)
│    │  │  └ Tags: Map<string, string>
│    │  ├ attributes
│    │  │  ├ CreatedAt: string
│    │  │  ├ GatewayArn: string
│    │  │  ├ GatewayIdentifier: string
│    │  │  ├ GatewayUrl: string
│    │  │  ├ Status: string
│    │  │  ├ StatusReasons: Array<string>
│    │  │  ├ UpdatedAt: string
│    │  │  └ WorkloadIdentityDetails: WorkloadIdentityDetails
│    │  └ types
│    │     ├ type AuthorizerConfiguration
│    │     │ ├      name: AuthorizerConfiguration
│    │     │ └ properties
│    │     │    └ CustomJWTAuthorizer: CustomJWTAuthorizerConfiguration (required)
│    │     ├ type CustomJWTAuthorizerConfiguration
│    │     │ ├      name: CustomJWTAuthorizerConfiguration
│    │     │ └ properties
│    │     │    ├ DiscoveryUrl: string (required)
│    │     │    ├ AllowedAudience: Array<string>
│    │     │    └ AllowedClients: Array<string>
│    │     ├ type GatewayProtocolConfiguration
│    │     │ ├      name: GatewayProtocolConfiguration
│    │     │ └ properties
│    │     │    └ Mcp: MCPGatewayConfiguration (required)
│    │     ├ type MCPGatewayConfiguration
│    │     │ ├      name: MCPGatewayConfiguration
│    │     │ └ properties
│    │     │    ├ SupportedVersions: Array<string>
│    │     │    ├ Instructions: string
│    │     │    └ SearchType: string
│    │     └ type WorkloadIdentityDetails
│    │       ├      name: WorkloadIdentityDetails
│    │       └ properties
│    │          └ WorkloadIdentityArn: string (required)
│    └[+]  resource AWS::BedrockAgentCore::GatewayTarget
│       ├      name: GatewayTarget
│       │      cloudFormationType: AWS::BedrockAgentCore::GatewayTarget
│       │      documentation: Definition of AWS::BedrockAgentCore::GatewayTarget Resource Type
│       ├ properties
│       │  ├ CredentialProviderConfigurations: Array<CredentialProviderConfiguration> (required)
│       │  ├ Description: string
│       │  ├ GatewayIdentifier: string (immutable)
│       │  ├ Name: string (required)
│       │  └ TargetConfiguration: TargetConfiguration (required)
│       ├ attributes
│       │  ├ CreatedAt: string
│       │  ├ GatewayArn: string
│       │  ├ Status: string
│       │  ├ StatusReasons: Array<string>
│       │  ├ TargetId: string
│       │  └ UpdatedAt: string
│       └ types
│          ├ type ApiKeyCredentialProvider
│          │ ├      name: ApiKeyCredentialProvider
│          │ └ properties
│          │    ├ ProviderArn: string (required)
│          │    ├ CredentialParameterName: string
│          │    ├ CredentialPrefix: string
│          │    └ CredentialLocation: string
│          ├ type ApiSchemaConfiguration
│          │ ├      name: ApiSchemaConfiguration
│          │ └ properties
│          │    ├ S3: S3Configuration
│          │    └ InlinePayload: string
│          ├ type CredentialProvider
│          │ ├      name: CredentialProvider
│          │ └ properties
│          │    ├ OauthCredentialProvider: OAuthCredentialProvider
│          │    └ ApiKeyCredentialProvider: ApiKeyCredentialProvider
│          ├ type CredentialProviderConfiguration
│          │ ├      name: CredentialProviderConfiguration
│          │ └ properties
│          │    ├ CredentialProviderType: string (required)
│          │    └ CredentialProvider: CredentialProvider
│          ├ type McpLambdaTargetConfiguration
│          │ ├      name: McpLambdaTargetConfiguration
│          │ └ properties
│          │    ├ LambdaArn: string (required)
│          │    └ ToolSchema: ToolSchema (required)
│          ├ type McpTargetConfiguration
│          │ ├      name: McpTargetConfiguration
│          │ └ properties
│          │    ├ OpenApiSchema: ApiSchemaConfiguration
│          │    ├ SmithyModel: ApiSchemaConfiguration
│          │    └ Lambda: McpLambdaTargetConfiguration
│          ├ type OAuthCredentialProvider
│          │ ├      name: OAuthCredentialProvider
│          │ └ properties
│          │    ├ ProviderArn: string (required)
│          │    ├ Scopes: Array<string> (required)
│          │    └ CustomParameters: Map<string, string>
│          ├ type S3Configuration
│          │ ├      name: S3Configuration
│          │ └ properties
│          │    ├ Uri: string
│          │    └ BucketOwnerAccountId: string
│          ├ type SchemaDefinition
│          │ ├      name: SchemaDefinition
│          │ └ properties
│          │    ├ Type: string (required)
│          │    ├ Description: string
│          │    ├ Required: Array<string>
│          │    ├ Items: SchemaDefinition
│          │    └ Properties: Map<string, SchemaDefinition>
│          ├ type TargetConfiguration
│          │ ├      name: TargetConfiguration
│          │ └ properties
│          │    └ Mcp: McpTargetConfiguration (required)
│          ├ type ToolDefinition
│          │ ├      name: ToolDefinition
│          │ └ properties
│          │    ├ Name: string (required)
│          │    ├ Description: string (required)
│          │    ├ InputSchema: SchemaDefinition (required)
│          │    └ OutputSchema: SchemaDefinition
│          └ type ToolSchema
│            ├      name: ToolSchema
│            └ properties
│               ├ S3: S3Configuration
│               └ InlinePayload: Array<ToolDefinition>
├[~] service aws-cognito
│ └ resources
│    └[~]  resource AWS::Cognito::UserPoolUser
│       └ properties
│          └ ClientMetadata: (documentation changed)
├[~] service aws-devicefarm
│ └ resources
│    └[~]  resource AWS::DeviceFarm::DevicePool
│       └      - arnTemplate: arn:${Partition}:devicefarm:${Region}:${Account}:devicepool:${ResourceId}
│              + arnTemplate: arn:${Partition}:devicefarm:${Region}:${Account}:devicepool:${ProjectId}/${DevicePoolId}
├[~] service aws-directoryservice
│ └ resources
│    └[~]  resource AWS::DirectoryService::SimpleAD
│       └      - arnTemplate: undefined
│              + arnTemplate: arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId}
├[~] service aws-ec2
│ └ resources
│    └[~]  resource AWS::EC2::TransitGatewayPeeringAttachment
│       └      - arnTemplate: arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-attachment/${TransitGatewayAttachmentId}
│              + arnTemplate: undefined
├[~] service aws-ecs
│ └ resources
│    └[~]  resource AWS::ECS::CapacityProvider
│       ├      - documentation: Creates a new capacity provider. Capacity providers are associated with an Amazon ECS cluster and are used in capacity provider strategies to facilitate cluster auto scaling.
│       │      Only capacity providers that use an Auto Scaling group can be created. Amazon ECS tasks on AWS Fargate use the `FARGATE` and `FARGATE_SPOT` capacity providers. These providers are available to all accounts in the AWS Regions that AWS Fargate supports.
│       │      + documentation: Creates a capacity provider. Capacity providers are associated with a cluster and are used in capacity provider strategies to facilitate cluster auto scaling. You can create capacity providers for Amazon ECS Managed Instances and EC2 instances. AWS Fargate has the predefined `FARGATE` and `FARGATE_SPOT` capacity providers.
│       ├ properties
│       │  └ ManagedInstancesProvider: (documentation changed)
│       └ types
│          ├[~] type AcceleratorCountRequest
│          │ ├      - documentation: undefined
│          │ │      + documentation: The minimum and maximum number of accelerators (such as GPUs) for instance type selection. This is used for workloads that require specific numbers of accelerators.
│          │ └ properties
│          │    ├ Max: (documentation changed)
│          │    └ Min: (documentation changed)
│          ├[~] type AcceleratorTotalMemoryMiBRequest
│          │ ├      - documentation: undefined
│          │ │      + documentation: The minimum and maximum total accelerator memory in mebibytes (MiB) for instance type selection. This is important for GPU workloads that require specific amounts of video memory.
│          │ └ properties
│          │    ├ Max: (documentation changed)
│          │    └ Min: (documentation changed)
│          ├[~] type BaselineEbsBandwidthMbpsRequest
│          │ ├      - documentation: undefined
│          │ │      + documentation: The minimum and maximum baseline Amazon EBS bandwidth in megabits per second (Mbps) for instance type selection. This is important for workloads with high storage I/O requirements.
│          │ └ properties
│          │    ├ Max: (documentation changed)
│          │    └ Min: (documentation changed)
│          ├[~] type InstanceLaunchTemplate
│          │ ├      - documentation: undefined
│          │ │      + documentation: The launch template configuration for Amazon ECS Managed Instances. This defines how Amazon ECS launches Amazon EC2 instances, including the instance profile for your tasks, network and storage configuration, capacity options, and instance requirements for flexible instance type selection.
│          │ └ properties
│          │    ├ Ec2InstanceProfileArn: (documentation changed)
│          │    ├ InstanceRequirements: (documentation changed)
│          │    ├ Monitoring: (documentation changed)
│          │    ├ NetworkConfiguration: (documentation changed)
│          │    └ StorageConfiguration: (documentation changed)
│          ├[~] type InstanceRequirementsRequest
│          │ ├      - documentation: undefined
│          │ │      + documentation: The instance requirements for attribute-based instance type selection. Instead of specifying exact instance types, you define requirements such as vCPU count, memory size, network performance, and accelerator specifications. Amazon ECS automatically selects Amazon EC2 instance types that match these requirements, providing flexibility and helping to mitigate capacity constraints.
│          │ └ properties
│          │    ├ AcceleratorCount: (documentation changed)
│          │    ├ AcceleratorManufacturers: (documentation changed)
│          │    ├ AcceleratorNames: (documentation changed)
│          │    ├ AcceleratorTotalMemoryMiB: (documentation changed)
│          │    ├ AcceleratorTypes: (documentation changed)
│          │    ├ AllowedInstanceTypes: (documentation changed)
│          │    ├ BareMetal: (documentation changed)
│          │    ├ BaselineEbsBandwidthMbps: (documentation changed)
│          │    ├ BurstablePerformance: (documentation changed)
│          │    ├ CpuManufacturers: (documentation changed)
│          │    ├ ExcludedInstanceTypes: (documentation changed)
│          │    ├ InstanceGenerations: (documentation changed)
│          │    ├ LocalStorage: (documentation changed)
│          │    ├ LocalStorageTypes: (documentation changed)
│          │    ├ MaxSpotPriceAsPercentageOfOptimalOnDemandPrice: (documentation changed)
│          │    ├ MemoryGiBPerVCpu: (documentation changed)
│          │    ├ MemoryMiB: (documentation changed)
│          │    ├ NetworkBandwidthGbps: (documentation changed)
│          │    ├ NetworkInterfaceCount: (documentation changed)
│          │    ├ OnDemandMaxPricePercentageOverLowestPrice: (documentation changed)
│          │    ├ RequireHibernateSupport: (documentation changed)
│          │    ├ SpotMaxPricePercentageOverLowestPrice: (documentation changed)
│          │    ├ TotalLocalStorageGB: (documentation changed)
│          │    └ VCpuCount: (documentation changed)
│          ├[~] type ManagedInstancesNetworkConfiguration
│          │ ├      - documentation: undefined
│          │ │      + documentation: The network configuration for Amazon ECS Managed Instances. This specifies the VPC subnets and security groups that instances use for network connectivity. Amazon ECS Managed Instances support multiple network modes including `awsvpc` (instances receive ENIs for task isolation), `host` (instances share network namespace with tasks), and `none` (no external network connectivity), ensuring backward compatibility for migrating workloads from Fargate or Amazon EC2.
│          │ └ properties
│          │    ├ SecurityGroups: (documentation changed)
│          │    └ Subnets: (documentation changed)
│          ├[~] type ManagedInstancesProvider
│          │ ├      - documentation: undefined
│          │ │      + documentation: The configuration for a Amazon ECS Managed Instances provider. Amazon ECS uses this configuration to automatically launch, manage, and terminate Amazon EC2 instances on your behalf. Managed instances provide access to the full range of Amazon EC2 instance types and features while offloading infrastructure management to AWS .
│          │ └ properties
│          │    ├ InfrastructureRoleArn: (documentation changed)
│          │    ├ InstanceLaunchTemplate: (documentation changed)
│          │    └ PropagateTags: (documentation changed)
│          ├[~] type ManagedInstancesStorageConfiguration
│          │ ├      - documentation: undefined
│          │ │      + documentation: The storage configuration for Amazon ECS Managed Instances. This defines the root volume configuration for the instances.
│          │ └ properties
│          │    └ StorageSizeGiB: (documentation changed)
│          ├[~] type MemoryGiBPerVCpuRequest
│          │ ├      - documentation: undefined
│          │ │      + documentation: The minimum and maximum amount of memory per vCPU in gibibytes (GiB). This helps ensure that instance types have the appropriate memory-to-CPU ratio for your workloads.
│          │ └ properties
│          │    ├ Max: (documentation changed)
│          │    └ Min: (documentation changed)
│          ├[~] type MemoryMiBRequest
│          │ ├      - documentation: undefined
│          │ │      + documentation: The minimum and maximum amount of memory in mebibytes (MiB) for instance type selection. This ensures that selected instance types have adequate memory for your workloads.
│          │ └ properties
│          │    ├ Max: (documentation changed)
│          │    └ Min: (documentation changed)
│          ├[~] type NetworkBandwidthGbpsRequest
│          │ ├      - documentation: undefined
│          │ │      + documentation: The minimum and maximum network bandwidth in gigabits per second (Gbps) for instance type selection. This is important for network-intensive workloads.
│          │ └ properties
│          │    ├ Max: (documentation changed)
│          │    └ Min: (documentation changed)
│          ├[~] type NetworkInterfaceCountRequest
│          │ ├      - documentation: undefined
│          │ │      + documentation: The minimum and maximum number of network interfaces for instance type selection. This is useful for workloads that require multiple network interfaces.
│          │ └ properties
│          │    ├ Max: (documentation changed)
│          │    └ Min: (documentation changed)
│          ├[~] type TotalLocalStorageGBRequest
│          │ ├      - documentation: undefined
│          │ │      + documentation: The minimum and maximum total local storage in gigabytes (GB) for instance types with local storage. This is useful for workloads that require local storage for temporary data or caching.
│          │ └ properties
│          │    ├ Max: (documentation changed)
│          │    └ Min: (documentation changed)
│          └[~] type VCpuCountRangeRequest
│            ├      - documentation: undefined
│            │      + documentation: The minimum and maximum number of vCPUs for instance type selection. This allows you to specify a range of vCPU counts that meet your workload requirements.
│            └ properties
│               ├ Max: (documentation changed)
│               └ Min: (documentation changed)
├[~] service aws-events
│ └ resources
│    └[~]  resource AWS::Events::Rule
│       └      - arnTemplate: arn:${Partition}:events:${Region}:${Account}:rule/${RuleName}
│              + arnTemplate: arn:${Partition}:events:${Region}:${Account}:rule/${EventBusName}/${RuleName}
├[~] service aws-fsx
│ └ resources
│    └[~]  resource AWS::FSx::FileSystem
│       └ types
│          ├[~] type OntapConfiguration
│          │ └ properties
│          │    └ EndpointIpAddressRange: (documentation changed)
│          └[~] type OpenZFSConfiguration
│            └ properties
│               └ EndpointIpAddressRange: (documentation changed)
├[~] service aws-imagebuilder
│ └ resources
│    ├[~]  resource AWS::ImageBuilder::Image
│    │  ├ properties
│    │  │  └[+] LoggingConfiguration: ImageLoggingConfiguration
│    │  └ types
│    │     └[+]  type ImageLoggingConfiguration
│    │        ├      documentation: The logging configuration settings for the image.
│    │        │      name: ImageLoggingConfiguration
│    │        └ properties
│    │           └ LogGroupName: string
│    ├[~]  resource AWS::ImageBuilder::ImagePipeline
│    │  ├ properties
│    │  │  └[+] LoggingConfiguration: PipelineLoggingConfiguration
│    │  └ types
│    │     ├[+]  type AutoDisablePolicy
│    │     │  ├      documentation: The auto-disable policy configuration for the image pipeline.
│    │     │  │      name: AutoDisablePolicy
│    │     │  └ properties
│    │     │     └ FailureCount: integer (required)
│    │     ├[+]  type PipelineLoggingConfiguration
│    │     │  ├      documentation: The logging configuration settings for the image pipeline.
│    │     │  │      name: PipelineLoggingConfiguration
│    │     │  └ properties
│    │     │     ├ PipelineLogGroupName: string
│    │     │     └ ImageLogGroupName: string
│    │     └[~] type Schedule
│    │       └ properties
│    │          └[+] AutoDisablePolicy: AutoDisablePolicy
│    └[~]  resource AWS::ImageBuilder::ImageRecipe
│       └ properties
│          └[+] AmiTags: Map<string, string>
├[~] service aws-lex
│ └ resources
│    └[~]  resource AWS::Lex::ResourcePolicy
│       └ properties
│          └ ResourceArn: - string (required)
│                         + string (required, immutable)
├[~] service aws-lookoutmetrics
│ └ resources
│    ├[~]  resource AWS::LookoutMetrics::Alert
│    │  └      - documentation: The `AWS::LookoutMetrics::Alert` type creates an alert for an anomaly detector.
│    │         + documentation: > End of support notice: On October 31, 2025, AWS will end support for Amazon Lookout for Metrics. After October 31, 2025, you will no longer be able to access the Amazon Lookout for Metrics console or Amazon Lookout for Metrics resources. For more information, see [Amazon Lookout for Metrics end of support](https://docs.aws.amazon.com//blogs/machine-learning/transitioning-off-amazon-lookout-for-metrics/) . 
│    │         The `AWS::LookoutMetrics::Alert` type creates an alert for an anomaly detector.
│    └[~]  resource AWS::LookoutMetrics::AnomalyDetector
│       └      - documentation: The `AWS::LookoutMetrics::AnomalyDetector` type creates an anomaly detector.
│              + documentation: > End of support notice: On October 31, 2025, AWS will end support for Amazon Lookout for Metrics. After October 31, 2025, you will no longer be able to access the Amazon Lookout for Metrics console or Amazon Lookout for Metrics resources. For more information, see [Amazon Lookout for Metrics end of support](https://docs.aws.amazon.com//blogs/machine-learning/transitioning-off-amazon-lookout-for-metrics/) . 
│              The `AWS::LookoutMetrics::AnomalyDetector` type creates an anomaly detector.
├[~] service aws-networkfirewall
│ └ resources
│    └[~]  resource AWS::NetworkFirewall::RuleGroup
│       └      - arnTemplate: arn:${Partition}:network-firewall:${Region}:${Account}:stateless-rulegroup/${Name}
│              + arnTemplate: arn:${Partition}:network-firewall:${Region}:${Account}:stateful-rulegroup/${Name}
├[~] service aws-networkmanager
│ └ resources
│    ├[~]  resource AWS::NetworkManager::ConnectAttachment
│    │  └      - arnTemplate: arn:${Partition}:networkmanager::${Account}:attachment/${AttachmentId}
│    │         + arnTemplate: undefined
│    └[~]  resource AWS::NetworkManager::VpcAttachment
│       └      - arnTemplate: undefined
│              + arnTemplate: arn:${Partition}:networkmanager::${Account}:attachment/${AttachmentId}
├[~] service aws-opensearchservice
│ └ resources
│    └[~]  resource AWS::OpenSearchService::Domain
│       └      - arnTemplate: arn:${Partition}:es:${Region}:${Account}:domain/${DomainName}
│              + arnTemplate: undefined
├[~] service aws-pcs
│ └ resources
│    └[~]  resource AWS::PCS::ComputeNodeGroup
│       └ properties
│          └ PurchaseOption: (documentation changed)
├[~] service aws-pinpoint
│ └ resources
│    └[~]  resource AWS::Pinpoint::InAppTemplate
│       └      - arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates
│              + arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/PUSH
├[~] service aws-redshift
│ └ resources
│    ├[~]  resource AWS::Redshift::ClusterSecurityGroup
│    │  └      - arnTemplate: arn:${Partition}:redshift:${Region}:${Account}:securitygroup:${SecurityGroupName}
│    │         + arnTemplate: arn:${Partition}:redshift:${Region}:${Account}:securitygroup:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ec2SecurityGroupId}
│    └[~]  resource AWS::Redshift::ClusterSecurityGroupIngress
│       └      - arnTemplate: arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/cidrip/${IpRange}
│              + arnTemplate: arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ece2SecuritygroupId}
├[~] service aws-servicecatalog
│ └ resources
│    └[~]  resource AWS::ServiceCatalog::PortfolioShare
└[~] service aws-xray
  └ resources
     └[~]  resource AWS::XRay::Group
        └      - arnTemplate: arn:${Partition}:xray:${Region}:${AccountId}:group/${GroupName}
               + arnTemplate: arn:${Partition}:xray:${Region}:${AccountId}:group/${GroupName}/${Id}
```

**CHANGES TO L1 RESOURCES:** 
L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

- **aws-lex**: AWS::Lex::ResourcePolicy: ResourceArn property is now immutable.

### Reason for this change

- Deploying integration tests has been time-consuming and expensive for both maintainers and contributors of aws-cdk. Snapshot update and deployment may take from 10 minutes to hours depending on the snapshot updates made for each pull request. This can make any changes to aws-cdk, no matter how simple they are, needlessly time-consuming and error-prone.
- AWS CDK's PR workflows do not validate that the snapshots of contributors are _deployable_. Although this is not common, snapshot updates can be made via a dry run, and there is a possibility that those snapshot updates won't be deployable. No PR GitHub action at the moment prevents this scenario.

### Description of changes

This adds a PR action which will use our Internal environment to test snapshot updates by attempting to deploy them. This uses the same service used by aws-cdk-cli (called Atmosphere) to deploy only the snapshot updates for the PR. This PR will need manual approval by a maintainer to run for the PR to work.

Mergify rules will also be updated such that if a request to run the integ tests is made, then this workflow should pass successfully in order for the PR to be merged.

### Description of how you validated changes

This workflow was validated with my fork of aws-cdk. See this example run: https://github.com/Abogical/aws-cdk/actions/runs/17458740897/job/49578262885

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…erfaceVpcEndpointAwsService (aws#35667)

[AgentCore's VPC Endpoint support was announced on Sep 25, 2025](https://aws.amazon.com/about-aws/whats-new/2025/09/amazon-bedrock-agentcore-runtime-browser-code-interpreter-vpc-privatelink-cloudformation-tagging/). The service names bedrock-agentcore and bedrock-agentcore.gateway mentioned in [this document](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/vpc-interface-endpoints.html) have been added to InterfaceVpcEndpointAwsService.

### Reason for this change

New VPC Endpoints exist now.

### Description of changes

Add the missing constants.

### Describe any new or updated permissions being added

None.

### Description of how you validated changes

The following code works as expected.

```
// Deploy on us-east-1
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as ec2 from 'aws-cdk-lib/aws-ec2';

export class VpcEndpointTestStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const vpc = new ec2.Vpc(this, 'Vpc', {
      availabilityZones: [
        'us-east-1a',
        'us-east-1c',
        'us-east-1d',
      ],
    });

    // AgentCore
    new ec2.InterfaceVpcEndpoint(this, 'AgentCore', {
      vpc,
      service: ec2.InterfaceVpcEndpointAwsService.BEDROCK_AGENTCORE,
    });

    // AgentCore Gateway
    new ec2.InterfaceVpcEndpoint(this, 'AgentCoreGateway', {
      vpc,
      service: ec2.InterfaceVpcEndpointAwsService.BEDROCK_AGENTCORE_GATEWAY,
    });
  }
}
```

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Yes, and I am an AWS employee.

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[~] service aws-apigateway
│ └ resources
│    ├[~]  resource AWS::ApiGateway::Account
│    │  └      - arnTemplate: arn:${Partition}:apigateway:${Region}::/account/${ApiGatewayAccountId}
│    │         + arnTemplate: arn:${Partition}:apigateway:${Region}::/account
│    └[~]  resource AWS::ApiGateway::DomainNameAccessAssociation
│       └      - arnTemplate: arn:${Partition}:apigateway:${Region}:${Account}:/domainnameaccessassociations/domainname/${DomainName}/${SourceType}/${SourceId}
│              + arnTemplate: arn:${Partition}:apigateway:${Region}:${Account}:/domainnameaccessassociations
├[~] service aws-applicationsignals
│ └ resources
│    └[~]  resource AWS::ApplicationSignals::GroupingConfiguration
│       ├      - documentation: Resource Type definition for AWS::ApplicationSignals::GroupingConfiguration
│       │      + documentation: A structure that contains the complete grouping configuration for an account, including all defined grouping attributes and metadata about when it was last updated.
│       ├ properties
│       │  └ GroupingAttributeDefinitions: (documentation changed)
│       ├ attributes
│       │  └ UpdatedAt: (documentation changed)
│       └ types
│          └[~] type GroupingAttributeDefinition
│            ├      - documentation: undefined
│            │      + documentation: A structure that defines how services should be grouped based on specific attributes. This includes the friendly name for the grouping, the source keys to derive values from, and an optional default value.
│            └ properties
│               ├ DefaultGroupingValue: (documentation changed)
│               ├ GroupingName: (documentation changed)
│               └ GroupingSourceKeys: (documentation changed)
├[~] service aws-backup
│ └ resources
│    ├[~]  resource AWS::Backup::BackupVault
│    │  └      - arnTemplate: undefined
│    │         + arnTemplate: arn:${Partition}:backup:${Region}:${Account}:backup-vault:${BackupVaultName}
│    └[~]  resource AWS::Backup::LogicallyAirGappedBackupVault
│       └      - arnTemplate: arn:${Partition}:backup:${Region}:${Account}:backup-vault:${BackupVaultName}
│              + arnTemplate: undefined
├[~] service aws-bedrockagentcore
│ └ resources
│    ├[~]  resource AWS::BedrockAgentCore::BrowserCustom
│    │  ├ attributes
│    │  │  └[+] FailureReason: string
│    │  └ types
│    │     ├[~] type BrowserNetworkConfiguration
│    │     │ └ properties
│    │     │    └[+] VpcConfig: VpcConfig
│    │     └[+]  type VpcConfig
│    │        ├      documentation: Network mode configuration for VPC
│    │        │      name: VpcConfig
│    │        └ properties
│    │           ├ SecurityGroups: Array<string> (required)
│    │           └ Subnets: Array<string> (required)
│    ├[~]  resource AWS::BedrockAgentCore::CodeInterpreterCustom
│    │  ├ attributes
│    │  │  └[+] FailureReason: string
│    │  └ types
│    │     ├[~] type CodeInterpreterNetworkConfiguration
│    │     │ └ properties
│    │     │    └[+] VpcConfig: VpcConfig
│    │     └[+]  type VpcConfig
│    │        ├      documentation: Network mode configuration for VPC
│    │        │      name: VpcConfig
│    │        └ properties
│    │           ├ SecurityGroups: Array<string> (required)
│    │           └ Subnets: Array<string> (required)
│    ├[~]  resource AWS::BedrockAgentCore::Gateway
│    │  ├      - documentation: Definition of AWS::BedrockAgentCore::Gateway Resource Type
│    │  │      + documentation: > Amazon Bedrock AgentCore is in preview release and is subject to change. 
│    │  │      Amazon Bedrock AgentCore Gateway provides a unified connectivity layer between agents and the tools and resources they need to interact with.
│    │  │      For more information about creating a gateway, see [Set up an Amazon Bedrock AgentCore gateway](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-building.html) .
│    │  │      See the *Properties* section below for descriptions of both the required and optional properties.
│    │  ├ properties
│    │  │  ├ AuthorizerType: (documentation changed)
│    │  │  ├ Description: (documentation changed)
│    │  │  ├ ExceptionLevel: (documentation changed)
│    │  │  ├ KmsKeyArn: (documentation changed)
│    │  │  ├ Name: (documentation changed)
│    │  │  ├ ProtocolConfiguration: (documentation changed)
│    │  │  ├ ProtocolType: (documentation changed)
│    │  │  └ Tags: (documentation changed)
│    │  ├ attributes
│    │  │  ├ CreatedAt: (documentation changed)
│    │  │  ├ GatewayArn: (documentation changed)
│    │  │  ├ GatewayUrl: (documentation changed)
│    │  │  ├ Status: (documentation changed)
│    │  │  └ StatusReasons: (documentation changed)
│    │  └ types
│    │     ├[~] type AuthorizerConfiguration
│    │     │ └ properties
│    │     │    └ CustomJWTAuthorizer: (documentation changed)
│    │     ├[~] type CustomJWTAuthorizerConfiguration
│    │     │ └ properties
│    │     │    ├ AllowedAudience: (documentation changed)
│    │     │    └ DiscoveryUrl: (documentation changed)
│    │     ├[~] type GatewayProtocolConfiguration
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The protocol configuration.
│    │     │ └ properties
│    │     │    └ Mcp: (documentation changed)
│    │     ├[~] type MCPGatewayConfiguration
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The gateway configuration for MCP.
│    │     │ └ properties
│    │     │    ├ SearchType: (documentation changed)
│    │     │    └ SupportedVersions: (documentation changed)
│    │     └[~] type WorkloadIdentityDetails
│    │       └      - documentation: undefined
│    │              + documentation: The workload identity details for the gateway.
│    ├[~]  resource AWS::BedrockAgentCore::GatewayTarget
│    │  ├      - documentation: Definition of AWS::BedrockAgentCore::GatewayTarget Resource Type
│    │  │      + documentation: > Amazon Bedrock AgentCore is in preview release and is subject to change. 
│    │  │      After creating a gateway, you can add targets, which define the tools that your gateway will host.
│    │  │      For more information about adding gateway targets, see [Add targets to an existing gateway](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-building-adding-targets.html) .
│    │  │      See the *Properties* section below for descriptions of both the required and optional properties.
│    │  ├ properties
│    │  │  ├ CredentialProviderConfigurations: (documentation changed)
│    │  │  ├ Description: (documentation changed)
│    │  │  ├ GatewayIdentifier: (documentation changed)
│    │  │  ├ Name: (documentation changed)
│    │  │  └ TargetConfiguration: (documentation changed)
│    │  ├ attributes
│    │  │  ├ CreatedAt: (documentation changed)
│    │  │  ├ Status: (documentation changed)
│    │  │  ├ StatusReasons: (documentation changed)
│    │  │  ├ TargetId: (documentation changed)
│    │  │  └ UpdatedAt: (documentation changed)
│    │  └ types
│    │     ├[~] type ApiKeyCredentialProvider
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The API key credential provider for the gateway target.
│    │     │ └ properties
│    │     │    ├ CredentialLocation: (documentation changed)
│    │     │    ├ CredentialParameterName: (documentation changed)
│    │     │    ├ CredentialPrefix: (documentation changed)
│    │     │    └ ProviderArn: (documentation changed)
│    │     ├[~] type ApiSchemaConfiguration
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The API schema configuration for the gateway target.
│    │     │ └ properties
│    │     │    ├ InlinePayload: (documentation changed)
│    │     │    └ S3: (documentation changed)
│    │     ├[~] type CredentialProvider
│    │     │ └ properties
│    │     │    ├ ApiKeyCredentialProvider: (documentation changed)
│    │     │    └ OauthCredentialProvider: (documentation changed)
│    │     ├[~] type CredentialProviderConfiguration
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The credential provider configuration for the gateway target.
│    │     │ └ properties
│    │     │    ├ CredentialProvider: (documentation changed)
│    │     │    └ CredentialProviderType: (documentation changed)
│    │     ├[~] type McpLambdaTargetConfiguration
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The Lambda target configuration.
│    │     │ └ properties
│    │     │    ├ LambdaArn: (documentation changed)
│    │     │    └ ToolSchema: (documentation changed)
│    │     ├[~] type McpTargetConfiguration
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The MCP target configuration for the gateway target.
│    │     │ └ properties
│    │     │    ├ Lambda: (documentation changed)
│    │     │    ├ OpenApiSchema: (documentation changed)
│    │     │    └ SmithyModel: (documentation changed)
│    │     ├[~] type OAuthCredentialProvider
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The OAuth credential provider for the gateway target.
│    │     │ └ properties
│    │     │    ├ CustomParameters: (documentation changed)
│    │     │    ├ ProviderArn: (documentation changed)
│    │     │    └ Scopes: (documentation changed)
│    │     ├[~] type S3Configuration
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The S3 configuration for the gateway target.
│    │     │ └ properties
│    │     │    ├ BucketOwnerAccountId: (documentation changed)
│    │     │    └ Uri: (documentation changed)
│    │     ├[~] type SchemaDefinition
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The schema definition for the gateway target.
│    │     │ └ properties
│    │     │    ├ Description: (documentation changed)
│    │     │    ├ Properties: (documentation changed)
│    │     │    ├ Required: (documentation changed)
│    │     │    └ Type: (documentation changed)
│    │     ├[~] type TargetConfiguration
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The target configuration.
│    │     │ └ properties
│    │     │    └ Mcp: (documentation changed)
│    │     ├[~] type ToolDefinition
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The tool definition for the gateway.
│    │     │ └ properties
│    │     │    ├ InputSchema: (documentation changed)
│    │     │    ├ Name: (documentation changed)
│    │     │    └ OutputSchema: (documentation changed)
│    │     └[~] type ToolSchema
│    │       ├      - documentation: undefined
│    │       │      + documentation: The tool schema for the gateway target.
│    │       └ properties
│    │          ├ InlinePayload: (documentation changed)
│    │          └ S3: (documentation changed)
│    └[~]  resource AWS::BedrockAgentCore::Runtime
│       └ types
│          ├[~] type NetworkConfiguration
│          │ └ properties
│          │    └[+] NetworkModeConfig: VpcConfig
│          └[+]  type VpcConfig
│             ├      documentation: Network mode configuration for VPC
│             │      name: VpcConfig
│             └ properties
│                ├ SecurityGroups: Array<string> (required)
│                └ Subnets: Array<string> (required)
├[~] service aws-datasync
│ └ resources
│    ├[~]  resource AWS::DataSync::LocationEFS
│    │  └      - arnTemplate: arn:${Partition}:datasync:${Region}:${AccountId}:location/${LocationId}
│    │         + arnTemplate: undefined
│    └[~]  resource AWS::DataSync::LocationSMB
│       └      - arnTemplate: undefined
│              + arnTemplate: arn:${Partition}:datasync:${Region}:${AccountId}:location/${LocationId}
├[~] service aws-dax
│ └ resources
│    └[~]  resource AWS::DAX::Cluster
│       └ properties
│          └ NetworkType: (documentation changed)
├[~] service aws-directoryservice
│ └ resources
│    ├[~]  resource AWS::DirectoryService::MicrosoftAD
│    │  └      - arnTemplate: arn:${Partition}:ds:${Region}:${Account}:${DirectoryId}
│    │         + arnTemplate: arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId}
│    └[~]  resource AWS::DirectoryService::SimpleAD
│       └      - arnTemplate: arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId}
│              + arnTemplate: undefined
├[~] service aws-ec2
│ └ resources
│    └[~]  resource AWS::EC2::TransitGatewayVpcAttachment
│       └      - arnTemplate: undefined
│              + arnTemplate: arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-attachment/${TransitGatewayAttachmentId}
├[~] service aws-ecs
│ └ resources
│    ├[~]  resource AWS::ECS::Service
│    │  └ properties
│    │     └ HealthCheckGracePeriodSeconds: (documentation changed)
│    └[~]  resource AWS::ECS::TaskDefinition
│       └ properties
│          └ RequiresCompatibilities: (documentation changed)
├[~] service aws-elasticloadbalancingv2
│ └ resources
│    ├[~]  resource AWS::ElasticLoadBalancingV2::ListenerRule
│    │  └      - arnTemplate: arn:${Partition}:elasticloadbalancing:${Region}:${Account}:listener-rule/net/${LoadBalancerName}/${LoadBalancerId}/${ListenerId}/${ListenerRuleId}
│    │         + arnTemplate: arn:${Partition}:elasticloadbalancing:${Region}:${Account}:listener-rule/${LoadBalancerType}/${LoadBalancerName}/${LoadBalancerId}/${ListenerId}/${ListenerRuleId}
│    └[~]  resource AWS::ElasticLoadBalancingV2::LoadBalancer
│       └      - arnTemplate: arn:${Partition}:elasticloadbalancing:${Region}:${Account}:loadbalancer/app/${LoadBalancerName}/${LoadBalancerId}
│              + arnTemplate: arn:${Partition}:elasticloadbalancing:${Region}:${Account}:loadbalancer/${LoadBalancerType}/${LoadBalancerName}/${LoadBalancerId}
├[~] service aws-imagebuilder
│ └ resources
│    ├[~]  resource AWS::ImageBuilder::Image
│    │  ├ properties
│    │  │  └ LoggingConfiguration: (documentation changed)
│    │  └ types
│    │     └[~] type ImageLoggingConfiguration
│    │       ├      - documentation: The logging configuration settings for the image.
│    │       │      + documentation: The logging configuration that's defined for the image. Image Builder uses the defined settings to direct execution log output during image creation.
│    │       └ properties
│    │          └ LogGroupName: (documentation changed)
│    ├[~]  resource AWS::ImageBuilder::ImagePipeline
│    │  ├ properties
│    │  │  └ LoggingConfiguration: (documentation changed)
│    │  └ types
│    │     ├[~] type AutoDisablePolicy
│    │     │ ├      - documentation: The auto-disable policy configuration for the image pipeline.
│    │     │ │      + documentation: Defines the rules by which an image pipeline is automatically disabled when it fails.
│    │     │ └ properties
│    │     │    └ FailureCount: (documentation changed)
│    │     └[~] type PipelineLoggingConfiguration
│    │       ├      - documentation: The logging configuration settings for the image pipeline.
│    │       │      + documentation: The logging configuration that's defined for pipeline execution.
│    │       └ properties
│    │          ├ ImageLogGroupName: (documentation changed)
│    │          └ PipelineLogGroupName: (documentation changed)
│    └[~]  resource AWS::ImageBuilder::ImageRecipe
│       └ properties
│          └ AmiTags: (documentation changed)
├[~] service aws-iot
│ └ resources
│    └[~]  resource AWS::IoT::DomainConfiguration
│       └      - arnTemplate: arn:${Partition}:iot:${Region}:${Account}:domainconfiguration/${DomainConfigurationName}
│              + arnTemplate: arn:${Partition}:iot:${Region}:${Account}:domainconfiguration/${DomainConfigurationName}/${Id}
├[~] service aws-iotwireless
│ └ resources
│    └[~]  resource AWS::IoTWireless::WirelessDeviceImportTask
│       └      - arnTemplate: arn:${Partition}:iotwireless:${Region}:${Account}:ImportTask/${ImportTaskId}
│              + arnTemplate: arn:${Partition}:iotwireless:${Region}:${Account}:WirelessDeviceImportTask/${WirelessDeviceImportTaskId}
├[~] service aws-lightsail
│ └ resources
│    └[+]  resource AWS::Lightsail::DiskSnapshot
│       ├      name: DiskSnapshot
│       │      cloudFormationType: AWS::Lightsail::DiskSnapshot
│       │      documentation: Resource Type definition for AWS::Lightsail::DiskSnapshot
│       │      tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│       │      arnTemplate: arn:${Partition}:lightsail:${Region}:${Account}:DiskSnapshot/${Id}
│       ├ properties
│       │  ├ DiskSnapshotName: string (required, immutable)
│       │  ├ DiskName: string (required, immutable)
│       │  └ Tags: Array<tag>
│       ├ attributes
│       │  ├ DiskSnapshotArn: string
│       │  ├ Location: Location
│       │  ├ ResourceType: string
│       │  ├ State: string
│       │  ├ Progress: string
│       │  ├ FromDiskName: string
│       │  ├ SizeInGb: integer
│       │  ├ IsFromAutoSnapshot: boolean
│       │  ├ CreatedAt: string
│       │  └ SupportCode: string
│       └ types
│          └ type Location
│            ├      documentation: The AWS Region and Availability Zone where the disk snapshot was created.
│            │      name: Location
│            └ properties
│               ├ AvailabilityZone: string
│               └ RegionName: string
├[~] service aws-lookoutmetrics
│ └ resources
│    ├[~]  resource AWS::LookoutMetrics::Alert
│    │  └      - documentation: > End of support notice: On October 31, 2025, AWS will end support for Amazon Lookout for Metrics. After October 31, 2025, you will no longer be able to access the Amazon Lookout for Metrics console or Amazon Lookout for Metrics resources. For more information, see [Amazon Lookout for Metrics end of support](https://docs.aws.amazon.com//blogs/machine-learning/transitioning-off-amazon-lookout-for-metrics/) . 
│    │         The `AWS::LookoutMetrics::Alert` type creates an alert for an anomaly detector.
│    │         + documentation: > End of support notice: On Oct 9, 2025, AWS will end support for Amazon Lookout for Metrics. After Oct 9, 2025, you will no longer be able to access the Amazon Lookout for Metrics console or Amazon Lookout for Metrics resources. For more information, see [Amazon Lookout for Metrics end of support](https://docs.aws.amazon.com//blogs/machine-learning/transitioning-off-amazon-lookout-for-metrics/) . 
│    │         The `AWS::LookoutMetrics::Alert` type creates an alert for an anomaly detector.
│    └[~]  resource AWS::LookoutMetrics::AnomalyDetector
│       └      - documentation: > End of support notice: On October 31, 2025, AWS will end support for Amazon Lookout for Metrics. After October 31, 2025, you will no longer be able to access the Amazon Lookout for Metrics console or Amazon Lookout for Metrics resources. For more information, see [Amazon Lookout for Metrics end of support](https://docs.aws.amazon.com//blogs/machine-learning/transitioning-off-amazon-lookout-for-metrics/) . 
│              The `AWS::LookoutMetrics::AnomalyDetector` type creates an anomaly detector.
│              + documentation: > End of support notice: On Oct 9, 2025, AWS will end support for Amazon Lookout for Metrics. After Oct 9, 2025, you will no longer be able to access the Amazon Lookout for Metrics console or Amazon Lookout for Metrics resources. For more information, see [Amazon Lookout for Metrics end of support](https://docs.aws.amazon.com//blogs/machine-learning/transitioning-off-amazon-lookout-for-metrics/) . 
│              The `AWS::LookoutMetrics::AnomalyDetector` type creates an anomaly detector.
├[~] service aws-medialive
│ └ resources
│    └[~]  resource AWS::MediaLive::Channel
│       └ types
│          ├[~] type Av1Settings
│          │ └ properties
│          │    └[+] MinBitrate: integer
│          ├[~] type H264Settings
│          │ └ properties
│          │    └[+] MinBitrate: integer
│          └[~] type H265Settings
│            └ properties
│               ├[+] GopBReference: string
│               ├[+] GopNumBFrames: integer
│               ├[+] MinBitrate: integer
│               └[+] SubgopLength: string
├[~] service aws-mwaa
│ └ resources
│    └[~]  resource AWS::MWAA::Environment
│       ├ properties
│       │  └ AirflowVersion: (documentation changed)
│       └ types
│          └[~] type ModuleLoggingConfiguration
│            └ properties
│               └ LogLevel: (documentation changed)
├[~] service aws-neptune
│ └ resources
│    └[~]  resource AWS::Neptune::EventSubscription
│       ├      - tagInformation: undefined
│       │      + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│       ├ properties
│       │  ├ Enabled: - boolean
│       │  │          + boolean (default=true)
│       │  ├ EventCategories: (documentation changed)
│       │  ├ SnsTopicArn: - string (immutable)
│       │  │              + string (required, immutable)
│       │  ├ SourceIds: (documentation changed)
│       │  ├ SubscriptionName: (documentation changed)
│       │  └[+] Tags: Array<tag>
│       └ attributes
│          └[-] Id: string
├[~] service aws-observabilityadmin
│ └ resources
│    └[+]  resource AWS::ObservabilityAdmin::OrganizationCentralizationRule
│       ├      name: OrganizationCentralizationRule
│       │      cloudFormationType: AWS::ObservabilityAdmin::OrganizationCentralizationRule
│       │      documentation: Resource schema for AWS:ObservabilityAdmin:OrganizationCentralizationRule
│       │      tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│       │      arnTemplate: arn:${Partition}:observabilityadmin:${Region}:${Account}:organization-centralization-rule:${CentralizationRuleName}
│       ├ properties
│       │  ├ RuleName: string (required, immutable)
│       │  ├ Rule: CentralizationRule (required)
│       │  └ Tags: Array<tag>
│       ├ attributes
│       │  └ RuleArn: string
│       └ types
│          ├ type CentralizationRule
│          │ ├      name: CentralizationRule
│          │ └ properties
│          │    ├ Source: CentralizationRuleSource (required)
│          │    └ Destination: CentralizationRuleDestination (required)
│          ├ type CentralizationRuleDestination
│          │ ├      name: CentralizationRuleDestination
│          │ └ properties
│          │    ├ Region: string (required)
│          │    ├ Account: string
│          │    └ DestinationLogsConfiguration: DestinationLogsConfiguration
│          ├ type CentralizationRuleSource
│          │ ├      name: CentralizationRuleSource
│          │ └ properties
│          │    ├ Regions: Array<string> (required)
│          │    ├ Scope: string
│          │    └ SourceLogsConfiguration: SourceLogsConfiguration
│          ├ type DestinationLogsConfiguration
│          │ ├      name: DestinationLogsConfiguration
│          │ └ properties
│          │    ├ LogsEncryptionConfiguration: LogsEncryptionConfiguration
│          │    └ BackupConfiguration: LogsBackupConfiguration
│          ├ type LogsBackupConfiguration
│          │ ├      name: LogsBackupConfiguration
│          │ └ properties
│          │    ├ Region: string (required)
│          │    └ KmsKeyArn: string
│          ├ type LogsEncryptionConfiguration
│          │ ├      name: LogsEncryptionConfiguration
│          │ └ properties
│          │    ├ EncryptionStrategy: string (required)
│          │    ├ KmsKeyArn: string
│          │    └ EncryptionConflictResolutionStrategy: string
│          └ type SourceLogsConfiguration
│            ├      name: SourceLogsConfiguration
│            └ properties
│               ├ LogGroupSelectionCriteria: string (required)
│               └ EncryptedLogGroupStrategy: string (required)
├[~] service aws-opensearchservice
│ └ resources
│    └[~]  resource AWS::OpenSearchService::Domain
│       └      - arnTemplate: undefined
│              + arnTemplate: arn:${Partition}:es:${Region}:${Account}:domain/${DomainName}
├[~] service aws-pcs
│ └ resources
│    ├[~]  resource AWS::PCS::Cluster
│    │  └ types
│    │     └[~] type SlurmCustomSetting
│    │       ├      - documentation: Additional settings that directly map to Slurm settings.
│    │       │      + documentation: Additional settings that directly map to Slurm settings.
│    │       │      > AWS PCS supports a subset of Slurm settings. For more information, see [Configuring custom Slurm settings in AWS PCS](https://docs.aws.amazon.com//pcs/latest/userguide/slurm-custom-settings.html) in the *AWS PCS User Guide* .
│    │       └ properties
│    │          └ ParameterName: (documentation changed)
│    ├[~]  resource AWS::PCS::ComputeNodeGroup
│    │  └ types
│    │     └[~] type SlurmCustomSetting
│    │       ├      - documentation: Additional settings that directly map to Slurm settings.
│    │       │      + documentation: Additional settings that directly map to Slurm settings.
│    │       │      > AWS PCS supports a subset of Slurm settings. For more information, see [Configuring custom Slurm settings in AWS PCS](https://docs.aws.amazon.com//pcs/latest/userguide/slurm-custom-settings.html) in the *AWS PCS User Guide* .
│    │       └ properties
│    │          └ ParameterName: (documentation changed)
│    └[~]  resource AWS::PCS::Queue
│       ├ properties
│       │  └[+] SlurmConfiguration: SlurmConfiguration
│       └ types
│          ├[+]  type SlurmConfiguration
│          │  ├      documentation: The Slurm configuration for the queue.
│          │  │      name: SlurmConfiguration
│          │  └ properties
│          │     └ SlurmCustomSettings: Array<SlurmCustomSetting>
│          └[+]  type SlurmCustomSetting
│             ├      documentation: Additional settings that directly map to Slurm settings.
│             │      name: SlurmCustomSetting
│             └ properties
│                ├ ParameterName: string (required)
│                └ ParameterValue: string (required)
├[~] service aws-pinpoint
│ └ resources
│    └[~]  resource AWS::Pinpoint::InAppTemplate
│       └      - arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/PUSH
│              + arnTemplate: undefined
├[~] service aws-redshift
│ └ resources
│    └[~]  resource AWS::Redshift::ClusterSecurityGroup
│       └      - arnTemplate: arn:${Partition}:redshift:${Region}:${Account}:securitygroup:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ec2SecurityGroupId}
│              + arnTemplate: arn:${Partition}:redshift:${Region}:${Account}:securitygroup:${SecurityGroupName}
├[~] service aws-servicecatalog
│ └ resources
│    ├[~]  resource AWS::ServiceCatalog::PortfolioShare
│    │  └ attributes
│    │     └[-] Id: string
│    └[~]  resource AWS::ServiceCatalog::ResourceUpdateConstraint
│       └ attributes
│          └ Id: (documentation changed)
├[~] service aws-ssmquicksetup
│ └ resources
│    └[~]  resource AWS::SSMQuickSetup::ConfigurationManager
│       └ types
│          └[~] type ConfigurationDefinition
│            └ properties
│               └ Parameters: (documentation changed)
└[~] service aws-stepfunctions
  └ resources
     └[~]  resource AWS::StepFunctions::StateMachine
        └      - arnTemplate: arn:${Partition}:states:${Region}:${Account}:stateMachine:${StateMachineName}
               + arnTemplate: arn:${Partition}:states:${Region}:${Account}:stateMachine:${StateMachineName}:${StateMachineVersionId}
```

**CHANGES TO L1 RESOURCES:** 
L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

- **aws-neptune**: AWS::Neptune::EventSubscription: SnsTopicArn property is now required.  
- **aws-neptune**: AWS::Neptune::EventSubscription: Id attribute removed.  
- **aws-servicecatalog**: AWS::ServiceCatalog::PortfolioShare: Id attribute removed.
…35560)

### Issue # (if applicable)

Closes aws#25544

### Reason for this change

Added the `removalPolicy` prop to the EKS cluster. This will apply the removal policy to all resources created by the cluster, including node groups, roles, VPC and security groups. This also includes the custom resource that created the construct. Currently this is possible with `RemovalPolicies.of(cluster).apply`, but this is not a user-friendly API; this PR just abstracts that with a `removalPolicy` prop, which is the expected behavior when using L2s.

### Description of changes

Added `removalPolicy` property to the `ClusterProps` interface in the EKS library that allows users to specify a removal policy for all CloudFormation resources created by the EKS cluster construct.

- Added `readonly removalPolicy?: RemovalPolicy` to `ClusterProps` interface
- Added integration test `integ.eks-cluster-retain.ts` to verify removal policy functionality with `RemovalPolicy.DESTROY`. If it deploys with destroy, it will also deploy with retain. The reason we don't write a specific retain integ test is that it will orphan resources in the account for anyone who deploys the integ test.

The removal policy affects the EKS cluster itself, associated IAM roles, node groups, security groups, VPC resources, and any other CloudFormation resources managed by this construct.

### Describe any new or updated permissions being added

No new IAM permissions are required for this change.

### Description of how you validated changes

- Added integration test `integ.eks-cluster-retain.ts` that creates an EKS cluster with `RemovalPolicy.RETAIN`
- The test verifies that all resources can be deployed successfully with the removal policy applied, and the snapshot validates we added the policy to all resources.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ws#35359)

### Issue # (if applicable)

Not related to any issue.

### Reason for this change


It was not possible to pass the argument 'applyOnTransformedLogs' to the class MetricFilter, in order to create MetricFilter, Filter and Alarm. 

### Description of changes

Since MetricFilter makes use of CfnMetricFilter, which allows the parameter 'applyOnTransformedLogs', this change adds the parameter 'applyOnTransformedLogs' to MetricFilterOptions, which is directly passed to the CfnMetric class. 

### Describe any new or updated permissions being added

No permission is added or updated.

### Description of how you validated changes

I tested by hand. 

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

Closes aws#35693.

### Reason for this change

The `amplify.App` construct fails with a TypeError when `customResponseHeaders` is an empty array, preventing CDK synthesis. This is a regression introduced in v2.202.0 (PR aws#31771) that breaks applications passing an empty array to this property.

### Description of changes

Added defensive checks to prevent array access on empty `customResponseHeaders` arrays:

1. **Length check** in App constructor (line 319-321): Prevents calling render function with empty arrays by checking length before invocation, ensuring CloudFormation `CustomHeaders` property is properly omitted (undefined)
2. **Defensive assertion** in `renderCustomResponseHeaders` function (line 608-611): Throws clear error if function is called with empty array, catching potential CDK programming bugs
3. **JSDoc documentation** added to clarify function contract and internal nature
4. **Unit test** enhanced with clarifying comments referencing issue aws#35693

The fix follows CDK defensive programming patterns with a clear separation of concerns:
- **Call site validation** (line 319): Handles user input, ensures proper CloudFormation output
- **Function assertion** (line 608): Catches CDK programming errors with fail-fast behavior
- **Documentation**: Makes the contract explicit for future maintainers

### Description of how you validated changes

- **Unit tests**: Added new test case "with empty custom response headers array" that verifies empty arrays don't cause errors and that the CloudFormation `CustomHeaders` property is correctly absent. All 45 unit tests pass (100%).
- **Integration tests**: All 10 existing integration tests pass with UNCHANGED status, confirming no regression in existing functionality. The `integ.app-monorepo-custom-headers` test specifically validates custom headers behavior remains correct.
- **Manual validation**: Tested the exact reproduction case from issue aws#35693 - empty array no longer causes TypeError and synthesis completes successfully.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
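
The two-layer guard described in the commit message above, as an added example that is not the aws-cdk source. `HeaderRule`, `renderHeaderRules` and `customHeadersProperty` are hypothetical names, and the YAML shape and the first-element check are assumptions made for illustration.

```typescript
// Added illustration; hypothetical names, not code from aws-cdk.

interface HeaderRule {
  pattern: string;                  // URL pattern the headers apply to
  headers: Record<string, string>;  // header name -> header value
  appRoot?: string;                 // assumed: set only for monorepo apps
}

/**
 * Renders header rules to a YAML string.
 *
 * Contract: `rules` must be non-empty. The first rule decides the document
 * shape (assumption), so without the assertion an empty array would surface
 * as an opaque "TypeError: Cannot read properties of undefined".
 */
function renderHeaderRules(rules: HeaderRule[]): string {
  const first = rules[0];
  if (first === undefined) {
    // Layer 2: fail fast with a message that points at the calling code.
    throw new Error('renderHeaderRules requires at least one rule; check length at the call site');
  }
  const monorepo = first.appRoot !== undefined;
  const lines: string[] = [monorepo ? 'applications:' : 'customHeaders:'];
  for (const rule of rules) {
    const pad = monorepo ? '      ' : '  ';
    if (monorepo) {
      lines.push(`  - appRoot: ${JSON.stringify(rule.appRoot ?? '')}`);
      lines.push('    customHeaders:');
    }
    // JSON string literals are valid YAML double-quoted scalars, so quotes,
    // colons and newlines in a header value cannot change the document structure.
    lines.push(`${pad}- pattern: ${JSON.stringify(rule.pattern)}`);
    lines.push(`${pad}  headers:`);
    for (const key of Object.keys(rule.headers)) {
      lines.push(`${pad}    - key: ${JSON.stringify(key)}`);
      lines.push(`${pad}      value: ${JSON.stringify(rule.headers[key])}`);
    }
  }
  return lines.join('\n') + '\n';
}

/**
 * Layer 1 (call site): handles user input. A missing or empty list means
 * "omit the property", so the renderer is never invoked with an empty array.
 */
function customHeadersProperty(rules?: HeaderRule[]): string | undefined {
  return rules !== undefined && rules.length > 0 ? renderHeaderRules(rules) : undefined;
}

// Constructed sample input.
const SAMPLE_RULES: HeaderRule[] = [
  { pattern: '/*', headers: { 'X-Frame-Options': 'DENY' } },
];
```

When these headers carry security policy (CSP, HSTS, frame options), an empty list silently produces no headers at all, so a synth-time check that the property is present is worth keeping in the application's own tests.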

### Reason for this change

The new integ test deployment workflow asks for a deployment in the UI. This has been confusing for contributors as it is similarly named to the general integ test available today.

### Description of changes

- Skip this job if the label `request-deployment-integ-run`
- Update name of the job to clarify its purpose

### Describe any new or updated permissions being added

No new permissions added.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Latest version as of current date.

Fixes missing package for 1.1.30 when building on graviton instances

### Issue # (if applicable)

Closes aws#35534.

### Reason for this change

The aws-lambda-nodejs construct fails Docker bundling on ARM64 architectures (AWS Graviton instances) because bun@1.1.30 is missing the required `@oven/bun-linux-aarch64` package. This causes npm to fail when trying to install bun during the Docker build process, with the error:

```
npm error Failed to find package "@oven/bun-linux-x64-baseline"
```

### Description of changes

Bumped bun from version 1.1.30 to 1.2.23 in `packages/aws-cdk-lib/aws-lambda-nodejs/lib/Dockerfile`.

This addresses the issue because bun@1.2.23 includes proper ARM64 support via optional dependencies:
- `@oven/bun-linux-aarch64`
- `@oven/bun-linux-aarch64-musl`

**Why this approach:** This is a simpler solution than alternatives (such as switching to the curl-based bun installer) because:
1. Maintains consistency with the existing npm-based installation pattern used for other package managers (yarn, pnpm) in the same Dockerfile
2. Reduces supply chain risk by not introducing additional external dependencies (bun.sh installer endpoint)
3. Minimal change - just a version bump

**Alternatives considered:**
- Using the official bun installer script via curl - rejected due to added supply chain risk and deviation from existing patterns
- Platform-specific conditional installation - rejected as unnecessarily complex when a version bump suffices

### Describe any new or updated permissions being added

None. This change only updates a package version.

### Description of how you validated changes

Verified that bun@1.2.23 includes the required ARM64 packages:
```bash
$ npm view bun@1.2.23 optionalDependencies
{
  "@oven/bun-linux-aarch64": "1.2.23",
  "@oven/bun-linux-aarch64-musl": "1.2.23",
  ...
}
```

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… versions 11 and greater (aws#35426)

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

Support packaging structure changes for new runtimes based on NodeJS runtime Puppeteer framework

### Description of changes

As part of the new Puppeteer-based runtimes (`syn-nodejs-puppeteer-11.0` and greater), users can have the canary script files in the root directory and are not required to use the `nodejs/node_modules` sub-directory to include the canary scripts. This PR ensures that we do not throw a validation exception when users have their canary script in the root directory.

Current requirement for the folder structure for Puppeteer based runtimes
`Canary/nodejs/node_modules/index.js`

With the above changes, along with the above structure support, we also support 
`Canary/index.js`

### Describe any new or updated permissions being added

No new permissions have been added.

### Description of how you validated changes

Validated the changes by creating a sample canary with the changes in place and ensured that we are able to create canaries on runtime version `syn-nodejs-puppeteer-11.0` with the `index.js` files in the root directory as well as `index.js` file being present in the `nodejs/node_modules` subdirectory inside the root directory.

Added corresponding unit tests and integration tests.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…respected (aws#35319)

Fixes issue where anomaly detection band alarm's period defaulted to 300 seconds regardless of the metric's period. AnomalyDetectionAlarmProps didn't have a period property because it was deprecated in the parent interface and removed by jsii during compilation, causing the internal MathExpression to default to 300 seconds.

I am an Amazon employee (see commit email).

### Issue

Should fix aws#34614 (the issue was closed as duplicate but I'm not sure [the issue it was linked to](aws#32221) is actually the same issue)

### Reason for this change

Although I passed in the duration of 1 day as the `period` for the alarm metric, the actual period for the evaluation of the anomaly detection band is overridden to 5 minutes (300 seconds).
i.e., `cdk synth` shows this warning:
> [Warning at /TestCdkStack/TestAnomalyAlarm] Periods of metrics in 'usingMetrics' for Math expression 'ANOMALY_DETECTION_BAND(m0, 2)' have been overridden to 300 seconds. [ack: CloudWatch:Math:MetricsPeriodsOverridden]

And, on deployment, I can see on the CloudWatch alarm dashboard that the period is 5 minutes.

Example alarm:
```typescript
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { AnomalyDetectionAlarm, ComparisonOperator, Metric, Stats } from 'aws-cdk-lib/aws-cloudwatch';

export class TestCdkStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    new AnomalyDetectionAlarm(this, 'TestAnomalyAlarm', {
      alarmName: 'TestAnomalyDetectionAlarm',
      metric: new Metric({
        namespace: 'TestNamespace',
        metricName: 'TestMetric',
        statistic: Stats.SUM,
        period: cdk.Duration.days(1), // This will get overridden
      }),
      // period: cdk.Duration.days(1),  I can't add period here since AnomalyDetectionAlarmProps doesn't have period prop
      stdDevs: 2,
      comparisonOperator: ComparisonOperator.GREATER_THAN_UPPER_THRESHOLD,
      evaluationPeriods: 1,
    });
  }
}
```

This happens because `AnomalyDetectionAlarm` creates an internal `MathExpression` for the anomaly detection band, and since `AnomalyDetectionAlarmProps` doesn't have a period property, no period gets passed to that math expression. The math expression then defaults to 300 seconds, which overrides the period I've set on the metric used within it (math expression always [overrides](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.MathExpressionProps.html#period) the periods of the metrics passed into it).

I believe this is a bug in aws-cdk-lib where the metric's period isn't being respected by the Anomaly Detection Alarm.

If I try to include the `period` property in `AnomalyDetectionAlarmProps`, I get the error: `Object literal may only specify known properties, and 'period' does not exist in type 'AnomalyDetectionAlarmProps'` despite `AnomalyDetectionAlarmProps` extending `CreateAlarmOptionsBase`, which has the `period` property.

This is because the `period` property has been marked as [deprecated](https://github.com/aws/aws-cdk/blob/6966c03b1a7aece0846f5a91bbeb825cd7491689/packages/aws-cdk-lib/aws-cloudwatch/lib/private/alarm-options.ts#L16-L18) so [`jsii` removed that property](https://github.com/aws/aws-cdk/blob/86638f6daca6ead382d0b9c1cf65bb04f70d4b3d/packages/aws-cdk-lib/package.json#L32) during compilation, which resulted in `AnomalyDetectionAlarmProps` not receiving this property from the parent interface.

### Possible Fixes
1. Add a `period` property to `AnomalyDetectionAlarmProps`
2. Have the AnomalyDetectionAlarm use the period set in the `metric` passed into it 

This PR implements approach 2 (see [discussion](aws#35319 (comment)))

### Describe any new or updated permissions being added

N/A


### Description of how you validated changes

- Added two new unit tests
- Added an integration test

#### Steps I took for testing
(listing it here to catch if I missed anything/did something wrong)
- I made a `testCDK` package with the example alarm I've provided above.
- Made the change to `aws-cdk-lib` and ran `npx lerna run build --scope=aws-cdk-lib`
- Ran `../aws/link-all.sh` in `testCDK` directory.
- Also had to follow the second option mentioned [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md#import-errors) since I faced the same issue.
- Ran `npx cdk synth` to make sure the generated file is correct.
- Also deployed to my AWS account with `npx cdk deploy` and verified that the dashboard is displaying the correct duration.
- Ran `yarn test` in `aws-cdk/packages/aws-cdk-lib`
- Ran `npx lerna run build --scope=@aws-cdk-testing/framework-integ` followed by `yarn integ --update-on-failed`

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[~] service aws-backup
│ └ resources
│    └[~]  resource AWS::Backup::LogicallyAirGappedBackupVault
│       └      - arnTemplate: undefined
│              + arnTemplate: arn:${Partition}:backup:${Region}:${Account}:backup-vault:${BackupVaultName}
├[~] service aws-bedrockagentcore
│ └ resources
│    └[+]  resource AWS::BedrockAgentCore::Memory
│       ├      name: Memory
│       │      cloudFormationType: AWS::BedrockAgentCore::Memory
│       │      documentation: Resource Type definition for AWS::BedrockAgentCore::Memory
│       │      tagInformation: {"tagPropertyName":"Tags","variant":"map"}
│       ├ properties
│       │  ├ Name: string (required, immutable)
│       │  ├ Description: string
│       │  ├ EncryptionKeyArn: string (immutable)
│       │  ├ MemoryExecutionRoleArn: string
│       │  ├ EventExpiryDuration: integer (required)
│       │  ├ MemoryStrategies: Array<MemoryStrategy>
│       │  └ Tags: Map<string, string>
│       ├ attributes
│       │  ├ MemoryArn: string
│       │  ├ MemoryId: string
│       │  ├ Status: string
│       │  ├ CreatedAt: string
│       │  ├ UpdatedAt: string
│       │  └ FailureReason: string
│       └ types
│          ├ type CustomConfigurationInput
│          │ ├      name: CustomConfigurationInput
│          │ └ properties
│          │    ├ SemanticOverride: SemanticOverride
│          │    ├ SummaryOverride: SummaryOverride
│          │    └ UserPreferenceOverride: UserPreferenceOverride
│          ├ type CustomMemoryStrategy
│          │ ├      name: CustomMemoryStrategy
│          │ └ properties
│          │    ├ Name: string (required)
│          │    ├ Description: string
│          │    ├ Namespaces: Array<string>
│          │    ├ Configuration: CustomConfigurationInput
│          │    ├ StrategyId: string
│          │    ├ Type: string
│          │    ├ Status: string
│          │    ├ CreatedAt: string
│          │    └ UpdatedAt: string
│          ├ type MemoryStrategy
│          │ ├      name: MemoryStrategy
│          │ └ properties
│          │    ├ SemanticMemoryStrategy: SemanticMemoryStrategy
│          │    ├ SummaryMemoryStrategy: SummaryMemoryStrategy
│          │    ├ UserPreferenceMemoryStrategy: UserPreferenceMemoryStrategy
│          │    └ CustomMemoryStrategy: CustomMemoryStrategy
│          ├ type SemanticMemoryStrategy
│          │ ├      name: SemanticMemoryStrategy
│          │ └ properties
│          │    ├ Name: string (required)
│          │    ├ Description: string
│          │    ├ Namespaces: Array<string>
│          │    ├ StrategyId: string
│          │    ├ Type: string
│          │    ├ Status: string
│          │    ├ CreatedAt: string
│          │    └ UpdatedAt: string
│          ├ type SemanticOverride
│          │ ├      name: SemanticOverride
│          │ └ properties
│          │    ├ Extraction: SemanticOverrideExtractionConfigurationInput
│          │    └ Consolidation: SemanticOverrideConsolidationConfigurationInput
│          ├ type SemanticOverrideConsolidationConfigurationInput
│          │ ├      name: SemanticOverrideConsolidationConfigurationInput
│          │ └ properties
│          │    ├ AppendToPrompt: string (required)
│          │    └ ModelId: string (required)
│          ├ type SemanticOverrideExtractionConfigurationInput
│          │ ├      name: SemanticOverrideExtractionConfigurationInput
│          │ └ properties
│          │    ├ AppendToPrompt: string (required)
│          │    └ ModelId: string (required)
│          ├ type SummaryMemoryStrategy
│          │ ├      name: SummaryMemoryStrategy
│          │ └ properties
│          │    ├ Name: string (required)
│          │    ├ Description: string
│          │    ├ Namespaces: Array<string>
│          │    ├ StrategyId: string
│          │    ├ Type: string
│          │    ├ Status: string
│          │    ├ CreatedAt: string
│          │    └ UpdatedAt: string
│          ├ type SummaryOverride
│          │ ├      name: SummaryOverride
│          │ └ properties
│          │    └ Consolidation: SummaryOverrideConsolidationConfigurationInput
│          ├ type SummaryOverrideConsolidationConfigurationInput
│          │ ├      name: SummaryOverrideConsolidationConfigurationInput
│          │ └ properties
│          │    ├ AppendToPrompt: string (required)
│          │    └ ModelId: string (required)
│          ├ type UserPreferenceMemoryStrategy
│          │ ├      name: UserPreferenceMemoryStrategy
│          │ └ properties
│          │    ├ Name: string (required)
│          │    ├ Description: string
│          │    ├ Namespaces: Array<string>
│          │    ├ StrategyId: string
│          │    ├ Type: string
│          │    ├ Status: string
│          │    ├ CreatedAt: string
│          │    └ UpdatedAt: string
│          ├ type UserPreferenceOverride
│          │ ├      name: UserPreferenceOverride
│          │ └ properties
│          │    ├ Extraction: UserPreferenceOverrideExtractionConfigurationInput
│          │    └ Consolidation: UserPreferenceOverrideConsolidationConfigurationInput
│          ├ type UserPreferenceOverrideConsolidationConfigurationInput
│          │ ├      name: UserPreferenceOverrideConsolidationConfigurationInput
│          │ └ properties
│          │    ├ AppendToPrompt: string (required)
│          │    └ ModelId: string (required)
│          └ type UserPreferenceOverrideExtractionConfigurationInput
│            ├      name: UserPreferenceOverrideExtractionConfigurationInput
│            └ properties
│               ├ AppendToPrompt: string (required)
│               └ ModelId: string (required)
├[~] service aws-chatbot
│ └ resources
│    └[~]  resource AWS::Chatbot::SlackChannelConfiguration
│       └      - arnTemplate: arn:${Partition}:chatbot::${Account}:chat-configuration/slack-channel/${ConfigurationName}
│              + arnTemplate: arn:${Partition}:chatbot::${Account}:chat-configuration/${ConfigurationType}/${ChatbotConfigurationName}
├[~] service aws-datasync
│ └ resources
│    ├[~]  resource AWS::DataSync::LocationAzureBlob
│    │  └      - arnTemplate: undefined
│    │         + arnTemplate: arn:${Partition}:datasync:${Region}:${AccountId}:location/${LocationId}
│    ├[~]  resource AWS::DataSync::LocationEFS
│    │  └      - arnTemplate: undefined
│    │         + arnTemplate: arn:${Partition}:datasync:${Region}:${AccountId}:location/${LocationId}
│    ├[~]  resource AWS::DataSync::LocationFSxLustre
│    │  └      - arnTemplate: undefined
│    │         + arnTemplate: arn:${Partition}:datasync:${Region}:${AccountId}:location/${LocationId}
│    ├[~]  resource AWS::DataSync::LocationFSxONTAP
│    │  └      - arnTemplate: undefined
│    │         + arnTemplate: arn:${Partition}:datasync:${Region}:${AccountId}:location/${LocationId}
│    ├[~]  resource AWS::DataSync::LocationFSxOpenZFS
│    │  └      - arnTemplate: undefined
│    │         + arnTemplate: arn:${Partition}:datasync:${Region}:${AccountId}:location/${LocationId}
│    ├[~]  resource AWS::DataSync::LocationFSxWindows
│    │  └      - arnTemplate: undefined
│    │         + arnTemplate: arn:${Partition}:datasync:${Region}:${AccountId}:location/${LocationId}
│    ├[~]  resource AWS::DataSync::LocationHDFS
│    │  └      - arnTemplate: undefined
│    │         + arnTemplate: arn:${Partition}:datasync:${Region}:${AccountId}:location/${LocationId}
│    ├[~]  resource AWS::DataSync::LocationNFS
│    │  └      - arnTemplate: undefined
│    │         + arnTemplate: arn:${Partition}:datasync:${Region}:${AccountId}:location/${LocationId}
│    ├[~]  resource AWS::DataSync::LocationObjectStorage
│    │  └      - arnTemplate: undefined
│    │         + arnTemplate: arn:${Partition}:datasync:${Region}:${AccountId}:location/${LocationId}
│    └[~]  resource AWS::DataSync::LocationS3
│       └      - arnTemplate: undefined
│              + arnTemplate: arn:${Partition}:datasync:${Region}:${AccountId}:location/${LocationId}
├[~] service aws-devicefarm
│ └ resources
│    └[~]  resource AWS::DeviceFarm::NetworkProfile
│       └      - arnTemplate: arn:${Partition}:devicefarm:${Region}:${Account}:networkprofile:${ProjectId}/${NetworkProfileId}
│              + arnTemplate: arn:${Partition}:devicefarm:${Region}:${Account}:networkprofile:${ResourceId}
├[~] service aws-directoryservice
│ └ resources
│    └[~]  resource AWS::DirectoryService::SimpleAD
│       └      - arnTemplate: undefined
│              + arnTemplate: arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId}
├[~] service aws-ec2
│ └ resources
│    └[~]  resource AWS::EC2::TransitGatewayPeeringAttachment
│       └      - arnTemplate: undefined
│              + arnTemplate: arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-attachment/${TransitGatewayAttachmentId}
├[~] service aws-elasticloadbalancingv2
│ └ resources
│    ├[~]  resource AWS::ElasticLoadBalancingV2::ListenerRule
│    │  └      - arnTemplate: arn:${Partition}:elasticloadbalancing:${Region}:${Account}:listener-rule/${LoadBalancerType}/${LoadBalancerName}/${LoadBalancerId}/${ListenerId}/${ListenerRuleId}
│    │         + arnTemplate: arn:${Partition}:elasticloadbalancing:${Region}:${Account}:listener-rule/net/${LoadBalancerName}/${LoadBalancerId}/${ListenerId}/${ListenerRuleId}
│    └[~]  resource AWS::ElasticLoadBalancingV2::LoadBalancer
│       └      - arnTemplate: arn:${Partition}:elasticloadbalancing:${Region}:${Account}:loadbalancer/${LoadBalancerType}/${LoadBalancerName}/${LoadBalancerId}
│              + arnTemplate: arn:${Partition}:elasticloadbalancing:${Region}:${Account}:loadbalancer/net/${LoadBalancerName}/${LoadBalancerId}
├[~] service aws-events
│ └ resources
│    └[~]  resource AWS::Events::Rule
│       └      - arnTemplate: arn:${Partition}:events:${Region}:${Account}:rule/${EventBusName}/${RuleName}
│              + arnTemplate: arn:${Partition}:events:${Region}:${Account}:rule/[${EventBusName}/]${RuleName}
├[~] service aws-imagebuilder
│ └ resources
│    └[~]  resource AWS::ImageBuilder::Image
│       └      - arnTemplate: arn:${Partition}:imagebuilder:${Region}:${Account}:image/${ImageName}/${ImageVersion}
│              + arnTemplate: arn:${Partition}:imagebuilder:${Region}:${Account}:image/${ImageName}/${ImageVersion}/${ImageBuildVersion}
├[~] service aws-iot
│ └ resources
│    └[~]  resource AWS::IoT::DomainConfiguration
│       └      - arnTemplate: arn:${Partition}:iot:${Region}:${Account}:domainconfiguration/${DomainConfigurationName}/${Id}
│              + arnTemplate: arn:${Partition}:iot:${Region}:${Account}:domainconfiguration/${DomainConfigurationName}
├[~] service aws-iotsitewise
│ └ resources
│    ├[~]  resource AWS::IoTSiteWise::AccessPolicy
│    │  └      - documentation: Creates an access policy that grants the specified identity (IAM Identity Center user, IAM Identity Center group, or IAM user) access to the specified AWS IoT SiteWise Monitor portal or project resource.
│    │         > Support for access policies that use an SSO Group as the identity is not supported at this time.
│    │         + documentation: > The AWS IoT SiteWise Monitor feature will no longer be open to new customers starting November 7, 2025 . If you would like to use the AWS IoT SiteWise Monitor feature, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS IoT SiteWise Monitor availability change](https://docs.aws.amazon.com/iot-sitewise/latest/appguide/iotsitewise-monitor-availability-change.html) . 
│    │         Creates an access policy that grants the specified identity (IAM Identity Center user, IAM Identity Center group, or IAM user) access to the specified AWS IoT SiteWise Monitor portal or project resource.
│    │         > Support for access policies that use an SSO Group as the identity is not supported at this time.
│    ├[~]  resource AWS::IoTSiteWise::AssetModel
│    │  ├ properties
│    │  │  └ AssetModelType: (documentation changed)
│    │  └ types
│    │     ├[~] type EnforcedAssetModelInterfacePropertyMapping
│    │     │ ├      - documentation: Contains information about enforced interface property and asset model property
│    │     │ │      + documentation: Contains information about applied interface property and asset model property
│    │     │ └ properties
│    │     │    ├ AssetModelPropertyExternalId: (documentation changed)
│    │     │    ├ AssetModelPropertyLogicalId: (documentation changed)
│    │     │    └ InterfaceAssetModelPropertyExternalId: (documentation changed)
│    │     └[~] type EnforcedAssetModelInterfaceRelationship
│    │       ├      - documentation: Contains information about enforced interface hierarchy and asset model hierarchy
│    │       │      + documentation: Contains information about applied interface hierarchy and asset model hierarchy
│    │       └ properties
│    │          ├ InterfaceAssetModelId: (documentation changed)
│    │          └ PropertyMappings: (documentation changed)
│    ├[~]  resource AWS::IoTSiteWise::ComputationModel
│    │  ├      - documentation: Resource schema for AWS::IoTSiteWise::ComputationModel.
│    │  │      + documentation: Create a computation model with a configuration and data binding.
│    │  ├ properties
│    │  │  ├ ComputationModelConfiguration: (documentation changed)
│    │  │  ├ ComputationModelDataBinding: (documentation changed)
│    │  │  ├ ComputationModelDescription: (documentation changed)
│    │  │  └ Tags: (documentation changed)
│    │  ├ attributes
│    │  │  └ ComputationModelArn: (documentation changed)
│    │  └ types
│    │     ├[~] type AnomalyDetectionComputationModelConfiguration
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Contains the configuration for anomaly detection computation models.
│    │     │ └ properties
│    │     │    ├ InputProperties: (documentation changed)
│    │     │    └ ResultProperty: (documentation changed)
│    │     ├[~] type AssetModelPropertyBindingValue
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Contains information about an `assetModelProperty` binding value.
│    │     │ └ properties
│    │     │    ├ AssetModelId: (documentation changed)
│    │     │    └ PropertyId: (documentation changed)
│    │     ├[~] type AssetPropertyBindingValue
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: Represents a data binding value referencing a specific asset property. It's used to bind computation model variables to actual asset property values for processing.
│    │     │ └ properties
│    │     │    ├ AssetId: (documentation changed)
│    │     │    └ PropertyId: (documentation changed)
│    │     ├[~] type ComputationModelConfiguration
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The configuration for the computation model.
│    │     │ └ properties
│    │     │    └ AnomalyDetection: (documentation changed)
│    │     └[~] type ComputationModelDataBindingValue
│    │       ├      - documentation: undefined
│    │       │      + documentation: Contains computation model data binding value information, which can be one of `assetModelProperty` , `list` .
│    │       └ properties
│    │          ├ AssetModelProperty: (documentation changed)
│    │          ├ AssetProperty: (documentation changed)
│    │          └ List: (documentation changed)
│    ├[~]  resource AWS::IoTSiteWise::Dashboard
│    │  └      - documentation: Creates a dashboard in an AWS IoT SiteWise Monitor project.
│    │         + documentation: > The AWS IoT SiteWise Monitor feature will no longer be open to new customers starting November 7, 2025 . If you would like to use the AWS IoT SiteWise Monitor feature, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS IoT SiteWise Monitor availability change](https://docs.aws.amazon.com/iot-sitewise/latest/appguide/iotsitewise-monitor-availability-change.html) . 
│    │         Creates a dashboard in an AWS IoT SiteWise Monitor project.
│    ├[~]  resource AWS::IoTSiteWise::Dataset
│    │  ├      - documentation: Resource schema for AWS::IoTSiteWise::Dataset.
│    │  │      + documentation: Creates a dataset to connect an external datasource.
│    │  ├ properties
│    │  │  ├ DatasetSource: (documentation changed)
│    │  │  └ Tags: (documentation changed)
│    │  ├ attributes
│    │  │  └ DatasetArn: (documentation changed)
│    │  └ types
│    │     ├[~] type DatasetSource
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The data source for the dataset.
│    │     │ └ properties
│    │     │    └ SourceDetail: (documentation changed)
│    │     ├[~] type KendraSourceDetail
│    │     │ ├      - documentation: undefined
│    │     │ │      + documentation: The source details for the Kendra dataset source.
│    │     │ └ properties
│    │     │    ├ KnowledgeBaseArn: (documentation changed)
│    │     │    └ RoleArn: (documentation changed)
│    │     └[~] type SourceDetail
│    │       ├      - documentation: undefined
│    │       │      + documentation: The details of the dataset source associated with the dataset.
│    │       └ properties
│    │          └ Kendra: (documentation changed)
│    ├[~]  resource AWS::IoTSiteWise::Portal
│    │  └      - documentation: Creates a portal, which can contain projects and dashboards. AWS IoT SiteWise Monitor uses IAM Identity Center or IAM to authenticate portal users and manage user permissions.
│    │         > Before you can sign in to a new portal, you must add at least one identity to that portal. For more information, see [Adding or removing portal administrators](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/administer-portals.html#portal-change-admins) in the *AWS IoT SiteWise User Guide* .
│    │         + documentation: > The AWS IoT SiteWise Monitor feature will no longer be open to new customers starting November 7, 2025 . If you would like to use the AWS IoT SiteWise Monitor feature, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS IoT SiteWise Monitor availability change](https://docs.aws.amazon.com/iot-sitewise/latest/appguide/iotsitewise-monitor-availability-change.html) . 
│    │         Creates a portal, which can contain projects and dashboards. AWS IoT SiteWise Monitor uses IAM Identity Center or IAM to authenticate portal users and manage user permissions.
│    │         > Before you can sign in to a new portal, you must add at least one identity to that portal. For more information, see [Adding or removing portal administrators](https://docs.aws.amazon.com/iot-sitewise/latest/userguide/administer-portals.html#portal-change-admins) in the *AWS IoT SiteWise User Guide* .
│    └[~]  resource AWS::IoTSiteWise::Project
│       └      - documentation: Creates a project in the specified portal.
│              > Make sure that the project name and description don't contain confidential information.
│              + documentation: > The AWS IoT SiteWise Monitor feature will no longer be open to new customers starting November 7, 2025 . If you would like to use the AWS IoT SiteWise Monitor feature, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS IoT SiteWise Monitor availability change](https://docs.aws.amazon.com/iot-sitewise/latest/appguide/iotsitewise-monitor-availability-change.html) . 
│              Creates a project in the specified portal.
│              > Make sure that the project name and description don't contain confidential information.
├[~] service aws-iotwireless
│ └ resources
│    └[~]  resource AWS::IoTWireless::WirelessDeviceImportTask
│       └      - arnTemplate: arn:${Partition}:iotwireless:${Region}:${Account}:WirelessDeviceImportTask/${WirelessDeviceImportTaskId}
│              + arnTemplate: arn:${Partition}:iotwireless:${Region}:${Account}:ImportTask/${ImportTaskId}
├[~] service aws-kinesis
│ └ resources
│    └[~]  resource AWS::Kinesis::ResourcePolicy
│       └ properties
│          └ ResourceArn: (documentation changed)
├[~] service aws-lightsail
│ └ resources
│    └[~]  resource AWS::Lightsail::DiskSnapshot
│       ├      - documentation: Resource Type definition for AWS::Lightsail::DiskSnapshot
│       │      + documentation: Describes a block storage disk snapshot.
│       ├ properties
│       │  ├ DiskName: (documentation changed)
│       │  ├ DiskSnapshotName: (documentation changed)
│       │  └ Tags: (documentation changed)
│       └ attributes
│          ├ CreatedAt: (documentation changed)
│          ├ FromDiskName: (documentation changed)
│          ├ Progress: (documentation changed)
│          ├ ResourceType: (documentation changed)
│          ├ SizeInGb: (documentation changed)
│          └ SupportCode: (documentation changed)
├[~] service aws-m2
│ └ resources
│    ├[~]  resource AWS::M2::Deployment
│    │  └      - documentation: Creates and starts a deployment to deploy an application into a runtime environment.
│    │         + documentation: > AWS Mainframe Modernization Service (Managed Runtime Environment experience) will no longer be open to new customers starting on November 7, 2025. If you would like to use the service, please sign up prior to November 7, 2025. For capabilities similar to AWS Mainframe Modernization Service (Managed Runtime Environment experience) explore AWS Mainframe Modernization Service (Self-Managed Experience). Existing customers can continue to use the service as normal. For more information, see [AWS Mainframe Modernization availability change](https://docs.aws.amazon.com/m2/latest/userguide/mainframe-modernization-availability-change.html) . 
│    │         Creates and starts a deployment to deploy an application into a runtime environment.
│    └[~]  resource AWS::M2::Environment
│       ├ properties
│       │  ├ HighAvailabilityConfig: (documentation changed)
│       │  └ StorageConfigurations: (documentation changed)
│       └ types
│          ├[~] type EfsStorageConfiguration
│          │ └      - documentation: Defines the storage configuration for an Amazon EFS file system.
│          │        + documentation: > AWS Mainframe Modernization Service (Managed Runtime Environment experience) will no longer be open to new customers starting on November 7, 2025. If you would like to use the service, please sign up prior to November 7, 2025. For capabilities similar to AWS Mainframe Modernization Service (Managed Runtime Environment experience) explore AWS Mainframe Modernization Service (Self-Managed Experience). Existing customers can continue to use the service as normal. For more information, see [AWS Mainframe Modernization availability change](https://docs.aws.amazon.com/m2/latest/userguide/mainframe-modernization-availability-change.html) . 
│          │        Defines the storage configuration for an Amazon EFS file system.
│          ├[~] type FsxStorageConfiguration
│          │ └      - documentation: Defines the storage configuration for an Amazon FSx file system.
│          │        + documentation: > AWS Mainframe Modernization Service (Managed Runtime Environment experience) will no longer be open to new customers starting on November 7, 2025. If you would like to use the service, please sign up prior to November 7, 2025. For capabilities similar to AWS Mainframe Modernization Service (Managed Runtime Environment experience) explore AWS Mainframe Modernization Service (Self-Managed Experience). Existing customers can continue to use the service as normal. For more information, see [AWS Mainframe Modernization availability change](https://docs.aws.amazon.com/m2/latest/userguide/mainframe-modernization-availability-change.html) . 
│          │        Defines the storage configuration for an Amazon FSx file system.
│          ├[~] type HighAvailabilityConfig
│          │ └      - documentation: Defines the details of a high availability configuration.
│          │        + documentation: > AWS Mainframe Modernization Service (Managed Runtime Environment experience) will no longer be open to new customers starting on November 7, 2025. If you would like to use the service, please sign up prior to November 7, 2025. For capabilities similar to AWS Mainframe Modernization Service (Managed Runtime Environment experience) explore AWS Mainframe Modernization Service (Self-Managed Experience). Existing customers can continue to use the service as normal. For more information, see [AWS Mainframe Modernization availability change](https://docs.aws.amazon.com/m2/latest/userguide/mainframe-modernization-availability-change.html) . 
│          │        Defines the details of a high availability configuration.
│          └[~] type StorageConfiguration
│            └      - documentation: Defines the storage configuration for a runtime environment.
│                   + documentation: > AWS Mainframe Modernization Service (Managed Runtime Environment experience) will no longer be open to new customers starting on November 7, 2025. If you would like to use the service, please sign up prior to November 7, 2025. For capabilities similar to AWS Mainframe Modernization Service (Managed Runtime Environment experience) explore AWS Mainframe Modernization Service (Self-Managed Experience). Existing customers can continue to use the service as normal. For more information, see [AWS Mainframe Modernization availability change](https://docs.aws.amazon.com/m2/latest/userguide/mainframe-modernization-availability-change.html) . 
│                   Defines the storage configuration for a runtime environment.
├[~] service aws-networkmanager
│ └ resources
│    └[~]  resource AWS::NetworkManager::ConnectAttachment
│       └      - arnTemplate: undefined
│              + arnTemplate: arn:${Partition}:networkmanager::${Account}:attachment/${AttachmentId}
├[~] service aws-omics
│ └ resources
│    └[~]  resource AWS::Omics::AnnotationStore
│       └      - documentation: Creates an annotation store.
│              + documentation: > AWS HealthOmics variant stores and annotation stores will no longer be open to new customers starting November 7, 2025. If you would like to use variant stores or annotation stores, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS HealthOmics variant store and annotation store availability change](https://docs.aws.amazon.com/omics/latest/dev/variant-store-availability-change.html) . 
│              Creates an annotation store.
├[~] service aws-pcs
│ └ resources
│    ├[~]  resource AWS::PCS::Cluster
│    │  └ properties
│    │     └ SlurmConfiguration: - SlurmConfiguration (immutable)
│    │                           + SlurmConfiguration
│    └[~]  resource AWS::PCS::Queue
│       └ properties
│          └ SlurmConfiguration: (documentation changed)
├[~] service aws-pinpoint
│ └ resources
│    └[~]  resource AWS::Pinpoint::InAppTemplate
│       └      - arnTemplate: undefined
│              + arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/SMS
├[~] service aws-quicksight
│ └ resources
│    └[~]  resource AWS::QuickSight::Dashboard
│       └ types
│          ├[~] type DashboardPublishOptions
│          │ └ properties
│          │    └[+] QuickSuiteActionsOption: QuickSuiteActionsOption
│          └[+]  type QuickSuiteActionsOption
│             ├      name: QuickSuiteActionsOption
│             └ properties
│                └ AvailabilityStatus: string
├[~] service aws-redshift
│ └ resources
│    ├[~]  resource AWS::Redshift::ClusterSecurityGroup
│    │  └      - arnTemplate: arn:${Partition}:redshift:${Region}:${Account}:securitygroup:${SecurityGroupName}
│    │         + arnTemplate: arn:${Partition}:redshift:${Region}:${Account}:securitygroup:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ec2SecurityGroupId}
│    └[~]  resource AWS::Redshift::ClusterSecurityGroupIngress
│       └      - arnTemplate: arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ece2SecuritygroupId}
│              + arnTemplate: arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/cidrip/${IpRange}
├[~] service aws-refactorspaces
│ └ resources
│    ├[~]  resource AWS::RefactorSpaces::Application
│    │  └      - documentation: Creates an AWS Migration Hub Refactor Spaces application. The account that owns the environment also owns the applications created inside the environment, regardless of the account that creates the application. Refactor Spaces provisions an Amazon API Gateway, API Gateway VPC link, and Network Load Balancer for the application proxy inside your account.
│    │         In environments created with a [CreateEnvironment:NetworkFabricType](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/APIReference/API_CreateEnvironment.html#migrationhubrefactorspaces-CreateEnvironment-request-NetworkFabricType) of `NONE` you need to configure [VPC to VPC connectivity](https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/amazon-vpc-to-amazon-vpc-connectivity-options.html) between your service VPC and the application proxy VPC to route traffic through the application proxy to a service with a private URL endpoint. For more information, see [Create an application](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/getting-started-create-application.html) in the *Refactor Spaces User Guide* .
│    │         + documentation: > AWS Migration Hub will no longer be open to new customers starting November 7, 2025. To continue using the service, sign up prior to November 7, 2025. For capabilities similar to AWS Migration Hub , explore [AWS Migration Hub](https://docs.aws.amazon.com/https://aws.amazon.com/transform) . 
│    │         Creates an AWS Migration Hub Refactor Spaces application. The account that owns the environment also owns the applications created inside the environment, regardless of the account that creates the application. Refactor Spaces provisions an Amazon API Gateway, API Gateway VPC link, and Network Load Balancer for the application proxy inside your account.
│    │         In environments created with a [CreateEnvironment:NetworkFabricType](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/APIReference/API_CreateEnvironment.html#migrationhubrefactorspaces-CreateEnvironment-request-NetworkFabricType) of `NONE` you need to configure [VPC to VPC connectivity](https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/amazon-vpc-to-amazon-vpc-connectivity-options.html) between your service VPC and the application proxy VPC to route traffic through the application proxy to a service with a private URL endpoint. For more information, see [Create an application](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/userguide/getting-started-create-application.html) in the *Refactor Spaces User Guide* .
│    ├[~]  resource AWS::RefactorSpaces::Environment
│    │  └      - documentation: Creates an AWS Migration Hub Refactor Spaces environment. The caller owns the environment resource, and all Refactor Spaces applications, services, and routes created within the environment. They are referred to as the *environment owner* . The environment owner has cross-account visibility and control of Refactor Spaces resources that are added to the environment by other accounts that the environment is shared with.
│    │         When creating an environment with a [CreateEnvironment:NetworkFabricType](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/APIReference/API_CreateEnvironment.html#migrationhubrefactorspaces-CreateEnvironment-request-NetworkFabricType) of `TRANSIT_GATEWAY` , Refactor Spaces provisions a transit gateway to enable services in VPCs to communicate directly across accounts. If [CreateEnvironment:NetworkFabricType](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/APIReference/API_CreateEnvironment.html#migrationhubrefactorspaces-CreateEnvironment-request-NetworkFabricType) is `NONE` , Refactor Spaces does not create a transit gateway and you must use your network infrastructure to route traffic to services with private URL endpoints.
│    │         + documentation: > AWS Migration Hub will no longer be open to new customers starting November 7, 2025. To continue using the service, sign up prior to November 7, 2025. For capabilities similar to AWS Migration Hub , explore [AWS Migration Hub](https://docs.aws.amazon.com/https://aws.amazon.com/transform) . 
│    │         Creates an AWS Migration Hub Refactor Spaces environment. The caller owns the environment resource, and all Refactor Spaces applications, services, and routes created within the environment. They are referred to as the *environment owner* . The environment owner has cross-account visibility and control of Refactor Spaces resources that are added to the environment by other accounts that the environment is shared with.
│    │         When creating an environment with a [CreateEnvironment:NetworkFabricType](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/APIReference/API_CreateEnvironment.html#migrationhubrefactorspaces-CreateEnvironment-request-NetworkFabricType) of `TRANSIT_GATEWAY` , Refactor Spaces provisions a transit gateway to enable services in VPCs to communicate directly across accounts. If [CreateEnvironment:NetworkFabricType](https://docs.aws.amazon.com/migrationhub-refactor-spaces/latest/APIReference/API_CreateEnvironment.html#migrationhubrefactorspaces-CreateEnvironment-request-NetworkFabricType) is `NONE` , Refactor Spaces does not create a transit gateway and you must use your network infrastructure to route traffic to services with private URL endpoints.
│    └[~]  resource AWS::RefactorSpaces::Service
│       └      - documentation: Creates an AWS Migration Hub Refactor Spaces service. The account owner of the service is always the environment owner, regardless of which account in the environment creates the service. Services have either a URL endpoint in a virtual private cloud (VPC), or a Lambda function endpoint.
│              > If an AWS resource is launched in a service VPC, and you want it to be accessible to all of an environment’s services with VPCs and routes, apply the `RefactorSpacesSecurityGroup` to the resource. Alternatively, to add more cross-account constraints, apply your own security group.
│              + documentation: > AWS Migration Hub will no longer be open to new customers starting November 7, 2025. To continue using the service, sign up prior to November 7, 2025. For capabilities similar to AWS Migration Hub , explore [AWS Migration Hub](https://docs.aws.amazon.com/https://aws.amazon.com/transform) . 
│              Creates an AWS Migration Hub Refactor Spaces service. The account owner of the service is always the environment owner, regardless of which account in the environment creates the service. Services have either a URL endpoint in a virtual private cloud (VPC), or a Lambda function endpoint.
│              > If an AWS resource is launched in a service VPC, and you want it to be accessible to all of an environment’s services with VPCs and routes, apply the `RefactorSpacesSecurityGroup` to the resource. Alternatively, to add more cross-account constraints, apply your own security group.
└[~] service aws-s3objectlambda
  └ resources
     ├[~]  resource AWS::S3ObjectLambda::AccessPoint
     │  ├ properties
     │  │  └ ObjectLambdaConfiguration: (documentation changed)
     │  └ types
     │     ├[~] type Alias
     │     │ └      - documentation: The alias of an Object Lambda Access Point. For more information, see [How to use a bucket-style alias for your S3 bucket Object Lambda Access Point](https://docs.aws.amazon.com/AmazonS3/latest/userguide/olap-use.html#ol-access-points-alias) .
     │     │        + documentation: > Amazon S3 Object Lambda will no longer be open to new customers starting on 11/7/2025. If you would like to use the service, please sign up prior to 11/7/2025. For capabilities similar to S3 Object Lambda, learn more here - [Amazon S3 Object Lambda availability change](https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazons3-ol-change.html) . 
     │     │        The alias of an Object Lambda Access Point. For more information, see [How to use a bucket-style alias for your S3 bucket Object Lambda Access Point](https://docs.aws.amazon.com/AmazonS3/latest/userguide/olap-use.html#ol-access-points-alias) .
     │     ├[~] type ObjectLambdaConfiguration
     │     │ └      - documentation: A configuration used when creating an Object Lambda Access Point.
     │     │        + documentation: > Amazon S3 Object Lambda will no longer be open to new customers starting on 11/7/2025. If you would like to use the service, please sign up prior to 11/7/2025. For capabilities similar to S3 Object Lambda, learn more here - [Amazon S3 Object Lambda availability change](https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazons3-ol-change.html) . 
     │     │        A configuration used when creating an Object Lambda Access Point.
     │     └[~] type TransformationConfiguration
     │       └      - documentation: A configuration used when creating an Object Lambda Access Point transformation.
     │              + documentation: > Amazon S3 Object Lambda will no longer be open to new customers starting on 11/7/2025. If you would like to use the service, please sign up prior to 11/7/2025. For capabilities similar to S3 Object Lambda, learn more here - [Amazon S3 Object Lambda availability change](https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazons3-ol-change.html) . 
     │              A configuration used when creating an Object Lambda Access Point transformation.
     └[~]  resource AWS::S3ObjectLambda::AccessPointPolicy
        └ properties
           └ ObjectLambdaAccessPoint: (documentation changed)
```
… classes, deprecate `useOptimalInstanceClasses` (aws#35537)

### Issue # (if applicable)

Closes aws#35515

### Reason for this change
- https://aws.amazon.com/blogs/hpc/introducing-default-instance-categories-for-aws-batch/
- `optimal` behaviour change in early November 2025

### Description of changes
- EC2 Managed Compute Environment support default instance classes
- Deprecate `useOptimalInstanceClasses`

### Description of how you validated changes
Unit + Integ

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ws#35684)

### Issue # (if applicable)

Closes aws#35644 

### Reason for this change



Fix the Task Definition validations for Managed Instances based off the public documentation

Public Doc: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters-managed-instances.html#constraints-managed-instances


### Description of changes



### Describe any new or updated permissions being added



N/A

### Description of how you validated changes


Add unit tests for the validations

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

None

### Reason for this change

CloudFormation supports configuring enhanced shard-level monitoring for a Kinesis stream.

https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-kinesis-stream.html#cfn-kinesis-stream-desiredshardlevelmetrics

### Description of changes

- Define ShardLevelMetrics enum
- Add shardLevelMetrics to StreamProps

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Add both unit and integ tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/github/codeql-action/releases">github/codeql-action's releases</a>.</em></p>
<blockquote>
<h2>v3.30.8</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p>
<h2>3.30.8 - 10 Oct 2025</h2>
<p>No user facing changes.</p>
<p>See the full <a href="https://github.com/github/codeql-action/blob/v3.30.8/CHANGELOG.md">CHANGELOG.md</a> for more information.</p>
<h2>v3.30.7</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p>
<h2>3.30.7 - 06 Oct 2025</h2>
<p>No user facing changes.</p>
<p>See the full <a href="https://github.com/github/codeql-action/blob/v3.30.7/CHANGELOG.md">CHANGELOG.md</a> for more information.</p>
<h2>v3.30.6</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p>
<h2>3.30.6 - 02 Oct 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.23.2. <a href="https://redirect.github.com/github/codeql-action/pull/3168">#3168</a></li>
</ul>
<p>See the full <a href="https://github.com/github/codeql-action/blob/v3.30.6/CHANGELOG.md">CHANGELOG.md</a> for more information.</p>
<h2>v3.30.5</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p>
<h2>3.30.5 - 26 Sep 2025</h2>
<ul>
<li>We fixed a bug that was introduced in <code>3.30.4</code> with <code>upload-sarif</code> which resulted in files without a <code>.sarif</code> extension not getting uploaded. <a href="https://redirect.github.com/github/codeql-action/pull/3160">#3160</a></li>
</ul>
<p>See the full <a href="https://github.com/github/codeql-action/blob/v3.30.5/CHANGELOG.md">CHANGELOG.md</a> for more information.</p>
<h2>v3.30.4</h2>
<h1>CodeQL Action Changelog</h1>
<p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p>
<h2>3.30.4 - 25 Sep 2025</h2>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's changelog</a>.</em></p>
<blockquote>
<h2>3.29.4 - 23 Jul 2025</h2>
<p>No user facing changes.</p>
<h2>3.29.3 - 21 Jul 2025</h2>
<p>No user facing changes.</p>
<h2>3.29.2 - 30 Jun 2025</h2>
<ul>
<li>Experimental: When the <code>quality-queries</code> input for the <code>init</code> action is provided with an argument, separate <code>.quality.sarif</code> files are produced and uploaded for each language with the results of the specified queries. Do not use this in production as it is part of an internal experiment and subject to change at any time. <a href="https://redirect.github.com/github/codeql-action/pull/2935">#2935</a></li>
</ul>
<h2>3.29.1 - 27 Jun 2025</h2>
<ul>
<li>Fix bug in PR analysis where user-provided <code>include</code> query filter fails to exclude non-included queries. <a href="https://redirect.github.com/github/codeql-action/pull/2938">#2938</a></li>
<li>Update default CodeQL bundle version to 2.22.1. <a href="https://redirect.github.com/github/codeql-action/pull/2950">#2950</a></li>
</ul>
<h2>3.29.0 - 11 Jun 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.22.0. <a href="https://redirect.github.com/github/codeql-action/pull/2925">#2925</a></li>
<li>Bump minimum CodeQL bundle version to 2.16.6. <a href="https://redirect.github.com/github/codeql-action/pull/2912">#2912</a></li>
</ul>
<h2>3.28.21 - 28 July 2025</h2>
<p>No user facing changes.</p>
<h2>3.28.20 - 21 July 2025</h2>
<ul>
<li>Remove support for combining SARIF files from a single upload for GHES 3.18, see <a href="https://github.blog/changelog/2024-05-06-code-scanning-will-stop-combining-runs-from-a-single-upload/">the changelog post</a>. <a href="https://redirect.github.com/github/codeql-action/pull/2959">#2959</a></li>
</ul>
<h2>3.28.19 - 03 Jun 2025</h2>
<ul>
<li>The CodeQL Action no longer includes its own copy of the extractor for the <code>actions</code> language, which is currently in public preview.
The <code>actions</code> extractor has been included in the CodeQL CLI since v2.20.6. If your workflow has enabled the <code>actions</code> language <em>and</em> you have pinned
your <code>tools:</code> property to a specific version of the CodeQL CLI earlier than v2.20.6, you will need to update to at least CodeQL v2.20.6 or disable
<code>actions</code> analysis.</li>
<li>Update default CodeQL bundle version to 2.21.4. <a href="https://redirect.github.com/github/codeql-action/pull/2910">#2910</a></li>
</ul>
<h2>3.28.18 - 16 May 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.21.3. <a href="https://redirect.github.com/github/codeql-action/pull/2893">#2893</a></li>
<li>Skip validating SARIF produced by CodeQL for improved performance. <a href="https://redirect.github.com/github/codeql-action/pull/2894">#2894</a></li>
<li>The number of threads and amount of RAM used by CodeQL can now be set via the <code>CODEQL_THREADS</code> and <code>CODEQL_RAM</code> runner environment variables. If set, these environment variables override the <code>threads</code> and <code>ram</code> inputs respectively. <a href="https://redirect.github.com/github/codeql-action/pull/2891">#2891</a></li>
</ul>
<h2>3.28.17 - 02 May 2025</h2>
<ul>
<li>Update default CodeQL bundle version to 2.21.2. <a href="https://redirect.github.com/github/codeql-action/pull/2872">#2872</a></li>
</ul>
<h2>3.28.16 - 23 Apr 2025</h2>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/github/codeql-action/commit/a841c540b73bac7685691a2f930006ba52db3645"><code>a841c54</code></a> Scratch <code>uploadSpecifiedFiles</code> tests, make <code>uploadPayload</code> tests instead</li>
<li><a href="https://github.com/github/codeql-action/commit/aeb12f6eaaa7419b7170f27dc3e2b5710203ff2d"><code>aeb12f6</code></a> Merge branch 'main' into redsun82/skip-sarif-upload-tests</li>
<li><a href="https://github.com/github/codeql-action/commit/6fd4ceb7bbb8ec2746fd4d3a64b77787dffd9afc"><code>6fd4ceb</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3189">#3189</a> from github/henrymercer/download-codeql-rate-limit</li>
<li><a href="https://github.com/github/codeql-action/commit/196a3e577b477ffb129cb35c7ed3ba72e6e2dbe7"><code>196a3e5</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3188">#3188</a> from github/mbg/telemetry/partial-config</li>
<li><a href="https://github.com/github/codeql-action/commit/98abb870dcd6421594724ae220643e13baf90298"><code>98abb87</code></a> Add configuration error for rate limited CodeQL download</li>
<li><a href="https://github.com/github/codeql-action/commit/bdd2cdf891a0a89c6680bd54c9ba63c80e440f75"><code>bdd2cdf</code></a> Also include <code>language</code> in error status report for <code>start-proxy</code>, if available</li>
<li><a href="https://github.com/github/codeql-action/commit/fb148789ab863424b005147b4b018fe5691e5ccc"><code>fb14878</code></a> Include <code>languages</code> in <code>start-proxy</code> telemetry</li>
<li><a href="https://github.com/github/codeql-action/commit/2ff418f28a66dd71cd80701e95ec26db12875f15"><code>2ff418f</code></a> Parse <code>language</code> before calling <code>getCredentials</code></li>
<li>See full diff in <a href="https://github.com/github/codeql-action/compare/v3...v4">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=3&new-version=4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/actions/setup-node/releases">actions/setup-node's releases</a>.</em></p>
<blockquote>
<h2>v5.0.0</h2>
<h2>What's Changed</h2>
<h3>Breaking Changes</h3>
<ul>
<li>Enhance caching in setup-node with automatic package manager detection by <a href="https://github.com/priya-kinthali"><code>@​priya-kinthali</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1348">actions/setup-node#1348</a></li>
</ul>
<p>This update introduces automatic caching when a valid <code>packageManager</code> field is present in your <code>package.json</code>. This aims to improve workflow performance and make dependency management more seamless.
To disable this automatic caching, set <code>package-manager-cache: false</code></p>
<pre lang="yaml"><code>steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false
</code></pre>
<ul>
<li>Upgrade action to use node24 by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1325">actions/setup-node#1325</a></li>
</ul>
<p>Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. <a href="https://github.com/actions/runner/releases/tag/v2.327.1">See Release Notes</a></p>
<h3>Dependency Upgrades</h3>
<ul>
<li>Upgrade <code>@​octokit/request-error</code> and <code>@​actions/github</code> by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1227">actions/setup-node#1227</a></li>
<li>Upgrade uuid from 9.0.1 to 11.1.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1273">actions/setup-node#1273</a></li>
<li>Upgrade undici from 5.28.5 to 5.29.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1295">actions/setup-node#1295</a></li>
<li>Upgrade form-data to bring in fix for critical vulnerability by <a href="https://github.com/gowridurgad"><code>@​gowridurgad</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1332">actions/setup-node#1332</a></li>
<li>Upgrade actions/checkout from 4 to 5 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1345">actions/setup-node#1345</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/priya-kinthali"><code>@​priya-kinthali</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1348">actions/setup-node#1348</a></li>
<li><a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1325">actions/setup-node#1325</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-node/compare/v4...v5.0.0">https://github.com/actions/setup-node/compare/v4...v5.0.0</a></p>
<h2>v4.4.0</h2>
<h2>What's Changed</h2>
<h3>Bug fixes:</h3>
<ul>
<li>Make eslint-compact matcher compatible with Stylelint by <a href="https://github.com/FloEdelmann"><code>@​FloEdelmann</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/98">actions/setup-node#98</a></li>
<li>Add support for indented eslint output by <a href="https://github.com/fregante"><code>@​fregante</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1245">actions/setup-node#1245</a></li>
</ul>
<h3>Enhancement:</h3>
<ul>
<li>Support private mirrors by <a href="https://github.com/marco-ippolito"><code>@​marco-ippolito</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1240">actions/setup-node#1240</a></li>
</ul>
<h3>Dependency update:</h3>
<ul>
<li>Upgrade <code>@​action/cache</code> from 4.0.2 to 4.0.3 by <a href="https://github.com/aparnajyothi-y"><code>@​aparnajyothi-y</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1262">actions/setup-node#1262</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/FloEdelmann"><code>@​FloEdelmann</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/98">actions/setup-node#98</a></li>
<li><a href="https://github.com/fregante"><code>@​fregante</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1245">actions/setup-node#1245</a></li>
<li><a href="https://github.com/marco-ippolito"><code>@​marco-ippolito</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1240">actions/setup-node#1240</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-node/compare/v4...v4.4.0">https://github.com/actions/setup-node/compare/v4...v4.4.0</a></p>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/actions/setup-node/commit/a0853c24544627f65ddf259abe73b1d18a591444"><code>a0853c2</code></a> Bump actions/checkout from 4 to 5 (<a href="https://redirect.github.com/actions/setup-node/issues/1345">#1345</a>)</li>
<li><a href="https://github.com/actions/setup-node/commit/b7234cc9fe124f0f4932554b4e5284543083ae7b"><code>b7234cc</code></a> Upgrade action to use node24 (<a href="https://redirect.github.com/actions/setup-node/issues/1325">#1325</a>)</li>
<li><a href="https://github.com/actions/setup-node/commit/d7a11313b581b306c961b506cfc8971208bb03f6"><code>d7a1131</code></a> Enhance caching in setup-node with automatic package manager detection (<a href="https://redirect.github.com/actions/setup-node/issues/1348">#1348</a>)</li>
<li><a href="https://github.com/actions/setup-node/commit/5e2628c959b9ade56971c0afcebbe5332d44b398"><code>5e2628c</code></a> Bumps form-data (<a href="https://redirect.github.com/actions/setup-node/issues/1332">#1332</a>)</li>
<li><a href="https://github.com/actions/setup-node/commit/65beceff8e91358525397bdce9103d999507ab03"><code>65becef</code></a> Bump undici from 5.28.5 to 5.29.0 (<a href="https://redirect.github.com/actions/setup-node/issues/1295">#1295</a>)</li>
<li><a href="https://github.com/actions/setup-node/commit/7e24a656e1c7a0d6f3eaef8d8e84ae379a5b035b"><code>7e24a65</code></a> Bump uuid from 9.0.1 to 11.1.0 (<a href="https://redirect.github.com/actions/setup-node/issues/1273">#1273</a>)</li>
<li><a href="https://github.com/actions/setup-node/commit/08f58d1471bff7f3a07d167b4ad7df25d5fcfcb6"><code>08f58d1</code></a> Bump <code>@​octokit/request-error</code> and <code>@​actions/github</code> (<a href="https://redirect.github.com/actions/setup-node/issues/1227">#1227</a>)</li>
<li>See full diff in <a href="https://github.com/actions/setup-node/compare/v4...v5">compare view</a></li>
</ul>
</details>
<br />


### Description of changes

This blocks the merge of PRs if they request a deployment integ workflow test and it fails. PRs can request a deployment integ test via the label `request-deployment-integ-run`.

### Describe any new or updated permissions being added

No new permissions added.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This change has been made by @Abogical from the Mergify config editor.
### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

**This change is tracking aws/aws-cdk-private#278**

Lambda is introducing dual auth on function URLs (FURL), which requires an allow on both `lambda:InvokeFunction` and `lambda:InvokeFunctionUrl` (dual auth) for a function to be invoked through a FURL. Before, it only required an allow on `lambda:InvokeFunctionUrl`.

Please note that this is a breaking change on the Lambda side, so a few integration tests' snapshots will need to be overwritten.

### Description of changes

`aws-lambda.FunctionUrl()` with `FunctionUrlAuthType.NONE` will create a FURL resource and add dual auth to allow the same user experience as before. (This function only added an allow on `lambda:InvokeFunctionUrl` before.)

`aws-lambda.FunctionUrl.grantInvokeUrl(grantee)` will grant dual auth to the grantee, to ensure users will still be able to invoke their FURL.

Also, a new prop `invokedViaFunctionUrl` is introduced on `lambda:InvokeFunction`; the dual auth granted above will set `lambda:InvokeFunction: true`. When this prop is set to true, this permission will only allow the principal to invoke the Lambda function through the FURL. This additional permission will not allow the granted principal to invoke Lambda directly without the FURL. If users need this permission, they will still need to call `lambda.Function.grantInvoke(grantee)` directly.



### Describe any new or updated permissions being added

As mentioned above, `grantInvokeUrl` will add an additional permission `lambda:InvokeFunction` to allow FURL invoke without the need for code change after dual auth goes live.

Example
```
  testroleDefaultPolicy884631E2:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: lambda:InvokeFunction # new permission for dual auth
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - fn5FF616E3
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - fn5FF616E3
                        - Arn
                    - :*
            Condition:
              Bool:
                lambda:InvokedViaFunctionUrl: "true" # only valid for invoke through FURL
          - Action: lambda:InvokeFunctionUrl # existing permission
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - fn5FF616E3
                - Arn
        Version: "2012-10-17"
      PolicyName: testroleDefaultPolicy884631E2
      Roles:
        - Ref: testroleB50A37BE
```




### Description of how you validated changes

New test cases are added.
Integration test snapshots are updated.



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
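
An added example, not part of the PR or the CDK code base: a TypeScript check that audits a policy's statements for the dual-auth pairing described above. The `auditFurlGrants` helper, its status names and the sample policies are assumptions constructed here; it matches exact action names only (no wildcards) and compares resources structurally.

```typescript
// Added example: audit IAM statements for Lambda Function URL dual auth.
type Json = string | number | boolean | null | Json[] | { [k: string]: Json };
interface Statement {
  Effect: string;
  Action: string | string[];
  Resource: Json;
  Condition?: { [operator: string]: { [key: string]: Json } };
}
type Status = 'ok' | 'missing-invoke-function' | 'unscoped-invoke-function';
interface Finding { resource: string; status: Status }

const toList = (v: Json): Json[] => (Array.isArray(v) ? v : [v]);
const grants = (s: Statement, action: string): boolean =>
  (Array.isArray(s.Action) ? s.Action : [s.Action]).indexOf(action) !== -1;
const covers = (s: Statement, key: string): boolean =>
  toList(s.Resource).some((r) => JSON.stringify(r) === key);
// True when the statement only applies to invocations arriving through a FURL.
const viaUrlOnly = (s: Statement): boolean =>
  String(s.Condition?.['Bool']?.['lambda:InvokedViaFunctionUrl']) === 'true';

function auditFurlGrants(statements: Statement[]): Finding[] {
  const allows = statements.filter((s) => s.Effect === 'Allow');
  const findings: Finding[] = [];
  for (const urlStmt of allows.filter((s) => grants(s, 'lambda:InvokeFunctionUrl'))) {
    for (const resource of toList(urlStmt.Resource)) {
      const key = JSON.stringify(resource);
      const invoke = allows.filter((s) => grants(s, 'lambda:InvokeFunction') && covers(s, key));
      // No InvokeFunction at all: FURL calls fail once dual auth is enforced.
      // InvokeFunction without the condition: direct invocation is allowed too.
      const status: Status = invoke.length === 0 ? 'missing-invoke-function'
        : invoke.every(viaUrlOnly) ? 'ok' : 'unscoped-invoke-function';
      findings.push({ resource: key, status });
    }
  }
  return findings;
}

// Constructed sample input, modelled on the policy shown in the PR description.
const fnArn: Json = { 'Fn::GetAtt': ['fn5FF616E3', 'Arn'] };
const legacyPolicy: Statement[] = [
  { Effect: 'Allow', Action: 'lambda:InvokeFunctionUrl', Resource: fnArn },
];
const dualAuthPolicy: Statement[] = [
  { Effect: 'Allow', Action: 'lambda:InvokeFunction',
    Resource: [fnArn, { 'Fn::Join': ['', [fnArn, ':*']] }],
    Condition: { Bool: { 'lambda:InvokedViaFunctionUrl': 'true' } } },
  ...legacyPolicy,
];
console.log(auditFurlGrants(legacyPolicy), auditFurlGrants(dualAuthPolicy));
```

An `unscoped-invoke-function` result is not necessarily a defect: it is what a separate `grantInvoke` call produces, so treat it as a prompt to confirm that direct invocation is intended.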
### Reason for this change
https://aws.amazon.com/about-aws/whats-new/2025/10/amazon-ec2-c8i-and-c8i-flex-instances-generally-available/
https://aws.amazon.com/about-aws/whats-new/2025/10/general-purpose-amazon-ec2-m8a-instances/

### Description of changes
EC2: add m8a, c8i, and c8i-flex instance classes

### Description of how you validated changes
```console
$ aws ec2 describe-instance-types \
  --filters "Name=instance-type,Values=c8i*" \
  --query "InstanceTypes[].InstanceType" \
  --output table
-----------------------
|DescribeInstanceTypes|
+---------------------+
|  c8i-flex.8xlarge   |
|  c8i.8xlarge        |
...

$ aws ec2 describe-instance-types \
  --filters "Name=instance-type,Values=m8a.*" \
  --query "InstanceTypes[].InstanceType" \
  --output table
-----------------------
|DescribeInstanceTypes|
+---------------------+
|  m8a.medium         |
|  m8a.8xlarge        |
...
```

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@go-to-k go-to-k force-pushed the cp-env-vars branch 2 times, most recently from 6bdd925 to ff57186 Compare October 14, 2025 12:42
Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 14, 2025