Merge branch 'main' into rds-maria

CHANGELOG.v2.alpha.md

@@ -2,6 +2,20 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.182.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.181.1-alpha.0...v2.182.0-alpha.0) (2025-03-04)
+
+
+### Features
+
+* **pipes-alpha:** support for customer-managed KMS keys to encrypt pipe data ([#33546](https://github.com/aws/aws-cdk/issues/33546)) ([dd0d62f](https://github.com/aws/aws-cdk/commit/dd0d62f84da06e2cafbe7a8bac80899d86b6f153)), closes [#31453](https://github.com/aws/aws-cdk/issues/31453)
+
+
+### Bug Fixes
+
+* **cognito-identitypool-alpha:** prevent stacks from not deploying correctly ([#33609](https://github.com/aws/aws-cdk/issues/33609)) ([e220bc8](https://github.com/aws/aws-cdk/commit/e220bc8ca9b75bcbb4bb7447703f32737b47fc77)), closes [#33510](https://github.com/aws/aws-cdk/issues/33510)
+* **eks-v2-alpha:** can't delete fargate cluster ([#33573](https://github.com/aws/aws-cdk/issues/33573)) ([4ada313](https://github.com/aws/aws-cdk/commit/4ada3132e73e8f6b299548003d46e68f9db353a5)), closes [#33347](https://github.com/aws/aws-cdk/issues/33347)
+* **scheduler-targets:** update kinesis firehose imports ([#33615](https://github.com/aws/aws-cdk/issues/33615)) ([1df1a78](https://github.com/aws/aws-cdk/commit/1df1a784ca4d4ed8c724f0a8840137724fb46ca9))
+
 ## [2.181.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.181.0-alpha.0...v2.181.1-alpha.0) (2025-02-27)
 
 

CHANGELOG.v2.md

@@ -2,6 +2,31 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.182.0](https://github.com/aws/aws-cdk/compare/v2.181.1...v2.182.0) (2025-03-04)
+
+
+### Features
+
+* **assertions:** added getResourceId method to Template ([#33521](https://github.com/aws/aws-cdk/issues/33521)) ([a96b0f1](https://github.com/aws/aws-cdk/commit/a96b0f1dca27b262fb2c72637ed9043830477c2c))
+* **autoscaling:** add new `HealthChecks` for multiple health check types, including EBS and VPC_LATTICE types ([#31286](https://github.com/aws/aws-cdk/issues/31286)) ([b3edd0d](https://github.com/aws/aws-cdk/commit/b3edd0da9d0f49070b94120051c48716a69102c3)), closes [#31289](https://github.com/aws/aws-cdk/issues/31289) [/github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-autoscaling/lib/auto-scaling-group.ts#L233](https://github.com/aws//github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-autoscaling/lib/auto-scaling-group.ts/issues/L233) [/github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-autoscaling/lib/auto-scaling-group.ts#L2232-L2258](https://github.com/aws//github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-autoscaling/lib/auto-scaling-group.ts/issues/L2232-L2258) [/github.com/aws/aws-cdk/pull/31286#discussion_r1740763781](https://github.com/aws//github.com/aws/aws-cdk/pull/31286/issues/discussion_r1740763781)
+* **ecs:** encrypting managed storage ([#33535](https://github.com/aws/aws-cdk/issues/33535)) ([07f0fe3](https://github.com/aws/aws-cdk/commit/07f0fe3a851cce328433ada9aac674ab9464b5ca)), closes [#33380](https://github.com/aws/aws-cdk/issues/33380)
+* **inspector:** add minimal L2 interface for Inspector assessment template and fromCfnAssessmentTemplate() ([#33614](https://github.com/aws/aws-cdk/issues/33614)) ([d51f70a](https://github.com/aws/aws-cdk/commit/d51f70ab40d237a3145d986e75c7ea2465afd6b4))
+* **opensearchservice:** nodeoptions for domain ([#32936](https://github.com/aws/aws-cdk/issues/32936)) ([1b6f0c3](https://github.com/aws/aws-cdk/commit/1b6f0c3d0eb4aedfc72c716ee18aa3ae4dbf16b8)), closes [#32553](https://github.com/aws/aws-cdk/issues/32553)
+* **rds:** `DatabaseCluster` support `replicationSourceIdentifier` ([#33471](https://github.com/aws/aws-cdk/issues/33471)) ([878ad54](https://github.com/aws/aws-cdk/commit/878ad546c2d4f330c777734a0c7919bd6ce46395)), closes [#33280](https://github.com/aws/aws-cdk/issues/33280)
+* update L1 CloudFormation resource definitions ([#33676](https://github.com/aws/aws-cdk/issues/33676)) ([92dba49](https://github.com/aws/aws-cdk/commit/92dba49571caec118001b9f13b82378bec2150f0))
+* upgrade @aws-cdk/cloud-assembly-schema to v40 ([#33620](https://github.com/aws/aws-cdk/issues/33620)) ([127059e](https://github.com/aws/aws-cdk/commit/127059e890c78fcfaf11a97a961395b2ceb2a339))
+
+
+### Bug Fixes
+
+* **apigateway:** move endpointConfiguration to RestApiBaseProps ([#33514](https://github.com/aws/aws-cdk/issues/33514)) ([e07a89c](https://github.com/aws/aws-cdk/commit/e07a89ccb053fe22bcb96456c75304ac7a3c7670)), closes [#33295](https://github.com/aws/aws-cdk/issues/33295)
+* **appsync:** appsync Event API integration assertion tests ([#33572](https://github.com/aws/aws-cdk/issues/33572)) ([6f966a6](https://github.com/aws/aws-cdk/commit/6f966a6dcc010fe6af7999e7b5f97a447287aed3))
+* **cloudwatch:** update regex expression that prevents CloudWatch:Mah:UnknownIdentifier warnings ([#33591](https://github.com/aws/aws-cdk/issues/33591)) ([#33592](https://github.com/aws/aws-cdk/issues/33592)) ([97744e7](https://github.com/aws/aws-cdk/commit/97744e746670bf067da40c8ff6a902a9c15b707e))
+* **iam:** adding organization id pattern verification ([#33555](https://github.com/aws/aws-cdk/issues/33555)) ([6df9bfe](https://github.com/aws/aws-cdk/commit/6df9bfe566a913c6c0538b2f380a83d06891a027)), closes [#32756](https://github.com/aws/aws-cdk/issues/32756)
+* **lambda-nodejs:** do not require a frozen lockfile for bun ([#32908](https://github.com/aws/aws-cdk/issues/32908)) ([a21190e](https://github.com/aws/aws-cdk/commit/a21190eb85bbc64820389ca5979a324932b9ab4b)), closes [#32906](https://github.com/aws/aws-cdk/issues/32906) [#32906](https://github.com/aws/aws-cdk/issues/32906)
+* **s3:** cannot deploy multiple replication source buckets (under feature flag) ([#33360](https://github.com/aws/aws-cdk/issues/33360)) ([d580853](https://github.com/aws/aws-cdk/commit/d580853c546b4ee2d49afb52be75b4eb036bd6cd)), closes [#33355](https://github.com/aws/aws-cdk/issues/33355)
+* **sns:** for SSE topics, add KMS permissions in grantPublish ([#32794](https://github.com/aws/aws-cdk/issues/32794)) ([f1c0926](https://github.com/aws/aws-cdk/commit/f1c092634a391b0b7aed0f75626dd6d0ffd56564)), closes [#18387](https://github.com/aws/aws-cdk/issues/18387) [#31012](https://github.com/aws/aws-cdk/issues/31012) [#24848](https://github.com/aws/aws-cdk/issues/24848) [#16271](https://github.com/aws/aws-cdk/issues/16271) [#29511](https://github.com/aws/aws-cdk/issues/29511) [/github.com/aws/aws-cdk/issues/16271#issuecomment-917221985](https://github.com/aws//github.com/aws/aws-cdk/issues/16271/issues/issuecomment-917221985)
+
 ## [2.181.1](https://github.com/aws/aws-cdk/compare/v2.181.0...v2.181.1) (2025-02-27)
 
 ## [2.181.0](https://github.com/aws/aws-cdk/compare/v2.180.0...v2.181.0) (2025-02-25)

packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json

@@ -112,6 +112,14 @@
       ]
      }
     },
+    "FieldIndexPolicies": [
+     {
+      "Fields": [
+       "Operation",
+       "RequestId"
+      ]
+     }
+    ],
     "RetentionInDays": 731
    },
    "UpdateReplacePolicy": "Retain",

packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.ts

@@ -1,7 +1,7 @@
 import { Bucket } from 'aws-cdk-lib/aws-s3';
 import { App, Stack, StackProps } from 'aws-cdk-lib';
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
-import { LogGroup, DataProtectionPolicy, DataIdentifier, CustomDataIdentifier } from 'aws-cdk-lib/aws-logs';
+import { LogGroup, DataProtectionPolicy, DataIdentifier, CustomDataIdentifier, FieldIndexPolicy } from 'aws-cdk-lib/aws-logs';
 
 class LogGroupIntegStack extends Stack {
   constructor(scope: App, id: string, props?: StackProps) {
@@ -19,8 +19,13 @@ class LogGroupIntegStack extends Stack {
       s3BucketAuditDestination: bucket,
     });
 
+    const fieldIndexPolicy = new FieldIndexPolicy({
+      fields: ['Operation', 'RequestId'],
+    });
+
     new LogGroup(this, 'LogGroupLambda', {
       dataProtectionPolicy: dataProtectionPolicy,
+      fieldIndexPolicies: [fieldIndexPolicy],
     });
   }
 }

packages/@aws-cdk/aws-scheduler-targets-alpha/README.md

@@ -222,7 +222,9 @@ called every hour by EventBridge Scheduler.
 ```ts
 import * as inspector from 'aws-cdk-lib/aws-inspector';
 
-declare const assessmentTemplate: inspector.CfnAssessmentTemplate;
+declare const cfnAssessmentTemplate: inspector.CfnAssessmentTemplate;
+
+const assessmentTemplate = inspector.AssessmentTemplate.fromCfnAssessmentTemplate(this, 'MyAssessmentTemplate', cfnAssessmentTemplate);
 
 new Schedule(this, 'Schedule', {
   schedule: ScheduleExpression.rate(Duration.minutes(60)),
@@ -316,7 +318,7 @@ new Schedule(this, 'Schedule', {
 
 ## Invoke a wider set of AWS API
 
-Use the `Universal` target to invoke AWS API. See https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html
+Use the `Universal` target to invoke AWS API. See <https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html>
 
 The code snippet below creates an event rule with AWS API as the target which is
 called at midnight every day by EventBridge Scheduler.

packages/@aws-cdk/aws-scheduler-targets-alpha/lib/inspector-start-assessment-run.ts

@@ -1,22 +1,24 @@
 import { IScheduleTarget } from '@aws-cdk/aws-scheduler-alpha';
 import { IRole, PolicyStatement } from 'aws-cdk-lib/aws-iam';
-import { CfnAssessmentTemplate } from 'aws-cdk-lib/aws-inspector';
+import { IAssessmentTemplate } from 'aws-cdk-lib/aws-inspector';
 import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target';
 
 /**
  * Use an Amazon Inspector as a target for AWS EventBridge Scheduler.
  */
 export class InspectorStartAssessmentRun extends ScheduleTargetBase implements IScheduleTarget {
   constructor(
-    template: CfnAssessmentTemplate,
+    template: IAssessmentTemplate,
     props: ScheduleTargetBaseProps = {},
   ) {
-    super(props, template.attrArn);
+    super(props, template.assessmentTemplateArn);
   }
 
   protected addTargetActionToRole(role: IRole): void {
     role.addToPrincipalPolicy(new PolicyStatement({
       actions: ['inspector:StartAssessmentRun'],
+      // The wildcard is intentional here as Amazon Inspector does not support specifying a resource ARN in the Resource element of an IAM policy statement.
+      // See https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector.html#amazoninspector-resources-for-iam-policies.
       resources: ['*'],
     }));
   }

packages/@aws-cdk/aws-scheduler-targets-alpha/test/inspector-start-assessment-run.test.ts

@@ -2,26 +2,27 @@ import { ScheduleExpression, Schedule, Group } from '@aws-cdk/aws-scheduler-alph
 import { App, Duration, Stack } from 'aws-cdk-lib';
 import { Template } from 'aws-cdk-lib/assertions';
 import { AccountRootPrincipal, Role } from 'aws-cdk-lib/aws-iam';
-import { CfnAssessmentTarget, CfnAssessmentTemplate } from 'aws-cdk-lib/aws-inspector';
+import { AssessmentTemplate, CfnAssessmentTarget, CfnAssessmentTemplate, IAssessmentTemplate } from 'aws-cdk-lib/aws-inspector';
 import * as sqs from 'aws-cdk-lib/aws-sqs';
 import { InspectorStartAssessmentRun } from '../lib';
 
 describe('schedule target', () => {
   let app: App;
   let stack: Stack;
-  let template: CfnAssessmentTemplate;
+  let template: IAssessmentTemplate;
   const expr = ScheduleExpression.at(new Date(Date.UTC(1969, 10, 20, 0, 0, 0)));
   const roleId = 'SchedulerRoleForTarget78b2d848BF7444';
 
   beforeEach(() => {
     app = new App({ context: { '@aws-cdk/aws-iam:minimizePolicies': true } });
     stack = new Stack(app, 'Stack', { env: { region: 'us-east-1', account: '123456789012' } });
     const assessmentTarget = new CfnAssessmentTarget(stack, 'MyAssessmentTarget');
-    template = new CfnAssessmentTemplate(stack, 'MyTemplate', {
+    const cfnAssessmentTemplate = new CfnAssessmentTemplate(stack, 'MyTemplate', {
       assessmentTargetArn: assessmentTarget.attrArn,
       durationInSeconds: 3600,
       rulesPackageArns: ['arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gEjTy7T7'],
     });
+    template = AssessmentTemplate.fromCfnAssessmentTemplate(stack, 'AssessmentTemplate', cfnAssessmentTemplate);
   });
 
   test('creates IAM role and IAM policy for inspector assessment template in the same account', () => {
@@ -278,11 +279,12 @@ describe('schedule target', () => {
       },
     });
     const assessmentTarget = new CfnAssessmentTarget(stack2, 'AnotherTarget');
-    const anotherTemplate = new CfnAssessmentTemplate(stack2, 'AnotherTemplate', {
+    const cfnAssessmentTemplate = new CfnAssessmentTemplate(stack2, 'AnotherTemplate', {
       assessmentTargetArn: assessmentTarget.attrArn,
       durationInSeconds: 3600,
       rulesPackageArns: ['arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gEjTy7T7'],
     });
+    const anotherTemplate = AssessmentTemplate.fromCfnAssessmentTemplate(stack2, 'AnotherAssessmentTemplate', cfnAssessmentTemplate);
 
     const inspectorTarget = new InspectorStartAssessmentRun(anotherTemplate);
 
@@ -363,11 +365,12 @@ describe('schedule target', () => {
       },
     });
     const assessmentTarget = new CfnAssessmentTarget(stack2, 'AnotherTarget');
-    const anotherTemplate = new CfnAssessmentTemplate(stack2, 'AnotherTemplate', {
+    const cfnAssessmentTemplate = new CfnAssessmentTemplate(stack2, 'AnotherTemplate', {
       assessmentTargetArn: assessmentTarget.attrArn,
       durationInSeconds: 3600,
       rulesPackageArns: ['arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gEjTy7T7'],
     });
+    const anotherTemplate = AssessmentTemplate.fromCfnAssessmentTemplate(stack2, 'AnotherAssessmentTemplate', cfnAssessmentTemplate);
     const importedRole = Role.fromRoleArn(stack, 'ImportedRole', 'arn:aws:iam::123456789012:role/someRole');
 
     const inspectorTarget = new InspectorStartAssessmentRun(anotherTemplate, {

packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.inspector-start-assessment-run.ts

@@ -1,7 +1,7 @@
 import * as scheduler from '@aws-cdk/aws-scheduler-alpha';
 import { ExpectedResult, IntegTest } from '@aws-cdk/integ-tests-alpha';
 import * as cdk from 'aws-cdk-lib';
-import { CfnAssessmentTarget, CfnAssessmentTemplate } from 'aws-cdk-lib/aws-inspector';
+import { AssessmentTemplate, CfnAssessmentTarget, CfnAssessmentTemplate } from 'aws-cdk-lib/aws-inspector';
 import { InspectorStartAssessmentRun } from '../lib';
 
 /*
@@ -17,12 +17,12 @@ const app = new cdk.App();
 const stack = new cdk.Stack(app, 'aws-cdk-scheduler-targets-inspector-start-assessment-run');
 
 const assessmentTarget = new CfnAssessmentTarget(stack, 'MyAssessmentTarget');
-const assessmentTemplate = new CfnAssessmentTemplate(stack, 'MyAssessmentTemplate', {
+const cfnAssessmentTemplate = new CfnAssessmentTemplate(stack, 'MyAssessmentTemplate', {
   assessmentTargetArn: assessmentTarget.attrArn,
   durationInSeconds: 3600,
-  // https://docs.aws.amazon.com/inspector/v1/userguide/inspector_rules-arns.html#us-east-1
   rulesPackageArns: ['arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gEjTy7T7'],
 });
+const assessmentTemplate = AssessmentTemplate.fromCfnAssessmentTemplate(stack, 'AssessmentTemplate', cfnAssessmentTemplate);
 
 new scheduler.Schedule(stack, 'Schedule', {
   schedule: scheduler.ScheduleExpression.rate(cdk.Duration.minutes(10)),
@@ -36,10 +36,10 @@ const integrationTest = new IntegTest(app, 'integrationtest-inspector-start-asse
 
 // Verifies that the assessment run by the scheduler
 integrationTest.assertions.awsApiCall('Inspector', 'listAssessmentRuns', {
-  AssessmentTemplateArns: [assessmentTemplate.attrArn],
+  AssessmentTemplateArns: [assessmentTemplate.assessmentTemplateArn],
 }).assertAtPath(
   'assessmentRunArns.0',
-  ExpectedResult.stringLikeRegexp(assessmentTemplate.attrArn),
+  ExpectedResult.stringLikeRegexp(assessmentTemplate.assessmentTemplateArn),
 ).waitForAssertions({
   interval: cdk.Duration.seconds(30),
   totalTimeout: cdk.Duration.minutes(10),

packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/cluster-resource-handler/cluster.ts

@@ -218,6 +218,18 @@ export class ClusterResourceHandler extends ResourceHandler {
       }
 
       if (updates.updateAuthMode) {
+        // update-authmode will fail if we try to update to the same mode,
+        // so skip in this case.
+        try {
+          const cluster = (await this.eks.describeCluster({ name: this.clusterName })).cluster;
+          if (cluster?.accessConfig?.authenticationMode === this.newProps.accessConfig?.authenticationMode) {
+            console.log(`cluster already at ${cluster?.accessConfig?.authenticationMode}, skipping authMode update`);
+            return;
+          }
+        } catch (e: any) {
+          throw e;
+        }
+
         // the update path must be
         // `undefined or CONFIG_MAP` -> `API_AND_CONFIG_MAP` -> `API`
         // and it's one way path.
@@ -247,17 +259,6 @@ export class ClusterResourceHandler extends ResourceHandler {
           this.newProps.accessConfig?.authenticationMode === 'API') {
           throw new Error('Cannot update from CONFIG_MAP to API');
         }
-        // update-authmode will fail if we try to update to the same mode,
-        // so skip in this case.
-        try {
-          const cluster = (await this.eks.describeCluster({ name: this.clusterName })).cluster;
-          if (cluster?.accessConfig?.authenticationMode === this.newProps.accessConfig?.authenticationMode) {
-            console.log(`cluster already at ${cluster?.accessConfig?.authenticationMode}, skipping authMode update`);
-            return;
-          }
-        } catch (e: any) {
-          throw e;
-        }
         config.accessConfig = this.newProps.accessConfig;
       }
 

packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-handler-mocks.ts

@@ -90,6 +90,7 @@ export const client: EksClient = {
         arn: 'arn:cluster-arn',
         certificateAuthority: { data: 'certificateAuthority-data' },
         endpoint: 'http://endpoint',
+        accessConfig: { authenticationMode: 'CONFIG_MAP' },
         status: simulateResponse.describeClusterResponseMockStatus || 'ACTIVE',
       },
     };