Permalink
Comparing changes
Choose two branches to see what’s changed or to start a new pull request.
If you need to, you can also or
learn more about diff comparisons.
Open a pull request
Create a new pull request by comparing changes across two branches. If you need to, you can also .
Learn more about diff comparisons here.
...
- 9 commits
- 1,137 files changed
- 7 contributors
Commits on Apr 30, 2025
-
chore(merge-back): 2.193.0 (#34313)
See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.193.0/CHANGELOG.md)
-
feat(events): throw
ValidationErrorsinstead of untyped Errors (#34316) ### Issue # (if applicable) Relates to #32569 ### Reason for this change Untyped Errors are not recommended. ### Description of changes `ValidationErrors` everywhere ### Describe any new or updated permissions being added None ### Description of how you validated changes Existing tests. Exemptions granted as this is a refactor of existing code. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
-
docs(s3): update link for s3 event notification filter (#34280)
The event notification filtering documentation links were outdated. This PR updates the links to event notification filtering in the relevant methods docstrings. Closes #34277 ### Reason for this change The event notification filtering documentation links were outdated. ### Description of changes Changes only to the URL in docstrings. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Commits on May 1, 2025
-
chore: update Contributors File (#34320)
Automated changes by [create-pull-request](https://github.com/peter-evans/create-pull-request) GitHub action
-
feat: update L1 CloudFormation resource definitions (#34278)
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-apigateway │ └ resources │ ├[~] resource AWS::ApiGateway::Account │ │ └ - documentation: The `AWS::ApiGateway::Account` resource specifies the IAM role that Amazon API Gateway uses to write API logs to Amazon CloudWatch Logs. To avoid overwriting other roles, you should only have one `AWS::ApiGateway::Account` resource per region per account. │ │ + documentation: The `AWS::ApiGateway::Account` resource specifies the IAM role that Amazon API Gateway uses to write API logs to Amazon CloudWatch Logs. To avoid overwriting other roles, you should only have one `AWS::ApiGateway::Account` resource per region per account. │ │ When you delete a stack containing this resource, API Gateway can still assume the provided IAM role to write API logs to CloudWatch Logs. To deny API Gateway access to write API logs to CloudWatch logs, update the permissions policies or change the IAM role to deny access. │ └[~] resource AWS::ApiGateway::GatewayResponse │ └ - documentation: The `AWS::ApiGateway::GatewayResponse` resource creates a gateway response for your API. For more information, see [API Gateway Responses](https://docs.aws.amazon.com/apigateway/latest/developerguide/customize-gateway-responses.html#api-gateway-gatewayResponse-definition) in the *API Gateway Developer Guide* . │ + documentation: The `AWS::ApiGateway::GatewayResponse` resource creates a gateway response for your API. When you delete a stack containing this resource, your custom gateway responses are reset. For more information, see [API Gateway Responses](https://docs.aws.amazon.com/apigateway/latest/developerguide/customize-gateway-responses.html#api-gateway-gatewayResponse-definition) in the *API Gateway Developer Guide* . ├[~] service aws-appsync │ └ resources │ └[~] resource AWS::AppSync::ChannelNamespace │ ├ properties │ │ └[+] HandlerConfigs: HandlerConfigs │ └ types │ ├[+] type HandlerConfig │ │ ├ name: HandlerConfig │ │ └ properties │ │ ├ Behavior: string (required) │ │ └ Integration: Integration (required) │ ├[+] type HandlerConfigs │ │ ├ name: HandlerConfigs │ │ └ properties │ │ ├ OnPublish: HandlerConfig │ │ └ OnSubscribe: HandlerConfig │ ├[+] type Integration │ │ ├ name: Integration │ │ └ properties │ │ ├ DataSourceName: string (required) │ │ └ LambdaConfig: LambdaConfig │ └[+] type LambdaConfig │ ├ name: LambdaConfig │ └ properties │ └ InvokeType: string (required) ├[~] service aws-aps │ └ resources │ └[~] resource AWS::APS::Workspace │ ├ properties │ │ └ WorkspaceConfiguration: (documentation changed) │ └ types │ ├[~] type Label │ │ ├ - documentation: Series label │ │ │ + documentation: A label is a name:value pair used to add context to ingested metrics. This structure defines the name and value for one label that is used in a label set. You can set ingestion limits on time series that match defined label sets, to help prevent a workspace from being overwhelmed with unexpected spikes in time series ingestion. │ │ └ properties │ │ ├ Name: (documentation changed) │ │ └ Value: (documentation changed) │ ├[~] type LimitsPerLabelSet │ │ ├ - documentation: Label set and its associated limits │ │ │ + documentation: This defines a label set for the workspace, and defines the ingestion limit for active time series that match that label set. Each label name in a label set must be unique. │ │ └ properties │ │ ├ LabelSet: (documentation changed) │ │ └ Limits: (documentation changed) │ ├[~] type LimitsPerLabelSetEntry │ │ ├ - documentation: Limits that can be applied to a label set │ │ │ + documentation: This structure contains the limits that apply to time series that match one label set. │ │ └ properties │ │ └ MaxSeries: (documentation changed) │ └[~] type WorkspaceConfiguration │ ├ - documentation: Workspace configuration │ │ + documentation: Use this structure to define label sets and the ingestion limits for time series that match label sets, and to specify the retention period of the workspace. │ └ properties │ ├ LimitsPerLabelSets: (documentation changed) │ └ RetentionPeriodInDays: (documentation changed) ├[~] service aws-autoscaling │ └ resources │ └[~] resource AWS::AutoScaling::AutoScalingGroup │ └ attributes │ └[+] AutoScalingGroupARN: string ├[~] service aws-batch │ └ resources │ └[~] resource AWS::Batch::ComputeEnvironment │ └ types │ └[~] type UpdatePolicy │ └ properties │ └ TerminateJobsOnUpdate: (documentation changed) ├[~] service aws-bedrock │ └ resources │ └[~] resource AWS::Bedrock::KnowledgeBase │ └ types │ ├[~] type MongoDbAtlasConfiguration │ │ └ properties │ │ └ TextIndexName: (documentation changed) │ └[~] type RdsFieldMapping │ └ properties │ └ CustomMetadataField: (documentation changed) ├[~] service aws-ce │ └ resources │ ├[~] resource AWS::CE::AnomalyMonitor │ │ └ - tagInformation: undefined │ │ + tagInformation: {"tagPropertyName":"ResourceTags","variant":"standard"} │ └[~] resource AWS::CE::AnomalySubscription │ └ - tagInformation: undefined │ + tagInformation: {"tagPropertyName":"ResourceTags","variant":"standard"} ├[~] service aws-cloudfront │ └ resources │ ├[+] resource AWS::CloudFront::ConnectionGroup │ │ ├ name: ConnectionGroup │ │ │ cloudFormationType: AWS::CloudFront::ConnectionGroup │ │ │ documentation: Resource Type definition for AWS::CloudFront::ConnectionGroup │ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ ├ properties │ │ │ ├ Name: string (required, immutable) │ │ │ ├ Tags: Array<tag> │ │ │ ├ Ipv6Enabled: boolean │ │ │ ├ AnycastIpListId: string │ │ │ └ Enabled: boolean │ │ └ attributes │ │ ├ Id: string │ │ ├ Arn: string │ │ ├ CreatedTime: string │ │ ├ LastModifiedTime: string │ │ ├ RoutingEndpoint: string │ │ ├ Status: string │ │ ├ IsDefault: boolean │ │ └ ETag: string │ ├[~] resource AWS::CloudFront::Distribution │ │ ├ - tagInformation: undefined │ │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ └ types │ │ ├[+] type Definition │ │ │ ├ name: Definition │ │ │ └ properties │ │ │ └ StringSchema: StringSchema │ │ ├[~] type DistributionConfig │ │ │ └ properties │ │ │ ├[+] ConnectionMode: string │ │ │ └[+] TenantConfig: TenantConfig │ │ ├[+] type ParameterDefinition │ │ │ ├ name: ParameterDefinition │ │ │ └ properties │ │ │ ├ Name: string (required) │ │ │ └ Definition: Definition (required) │ │ ├[+] type StringSchema │ │ │ ├ name: StringSchema │ │ │ └ properties │ │ │ ├ Comment: string │ │ │ ├ DefaultValue: string │ │ │ └ Required: boolean (required) │ │ └[+] type TenantConfig │ │ ├ name: TenantConfig │ │ └ properties │ │ └ ParameterDefinitions: Array<ParameterDefinition> │ └[+] resource AWS::CloudFront::DistributionTenant │ ├ name: DistributionTenant │ │ cloudFormationType: AWS::CloudFront::DistributionTenant │ │ documentation: Resource Type definition for AWS::CloudFront::DistributionTenant │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ ├ properties │ │ ├ DistributionId: string (required) │ │ ├ Name: string (required, immutable) │ │ ├ Tags: Array<tag> │ │ ├ Customizations: Customizations │ │ ├ Parameters: Array<Parameter> │ │ ├ ConnectionGroupId: string │ │ ├ Enabled: boolean │ │ ├ Domains: Array<string> (required) │ │ └ ManagedCertificateRequest: ManagedCertificateRequest (immutable) │ ├ attributes │ │ ├ Id: string │ │ ├ Arn: string │ │ ├ DomainResults: Array<DomainResult> │ │ ├ ETag: string │ │ ├ Status: string │ │ ├ CreatedTime: string │ │ └ LastModifiedTime: string │ └ types │ ├ type Certificate │ │ ├ name: Certificate │ │ └ properties │ │ └ Arn: string │ ├ type Customizations │ │ ├ name: Customizations │ │ └ properties │ │ ├ WebAcl: WebAclCustomization │ │ ├ Certificate: Certificate │ │ └ GeoRestrictions: GeoRestrictionCustomization │ ├ type DomainResult │ │ ├ name: DomainResult │ │ └ pro 8000 perties │ │ ├ Domain: string │ │ ├ Status: string │ │ └ Reason: string │ ├ type GeoRestrictionCustomization │ │ ├ name: GeoRestrictionCustomization │ │ └ properties │ │ ├ RestrictionType: string │ │ └ Locations: Array<string> │ ├ type ManagedCertificateRequest │ │ ├ name: ManagedCertificateRequest │ │ └ properties │ │ ├ ValidationTokenHost: string │ │ ├ PrimaryDomainName: string │ │ └ CertificateTransparencyLoggingPreference: string │ ├ type Parameter │ │ ├ name: Parameter │ │ └ properties │ │ ├ Name: string │ │ └ Value: string │ └ type WebAclCustomization │ ├ name: WebAclCustomization │ └ properties │ ├ Action: string │ └ Arn: string ├[~] service aws-codebuild │ └ resources │ ├[~] resource AWS::CodeBuild::Fleet │ │ ├ properties │ │ │ └ ComputeConfiguration: (documentation changed) │ │ └ types │ │ └[~] type ComputeConfiguration │ │ └ - documentation: Contains compute attributes. These attributes only need be specified when your project's or fleet's `computeType` is set to `ATTRIBUTE_BASED_COMPUTE` . │ │ + documentation: Contains compute attributes. These attributes only need be specified when your project's or fleet's `computeType` is set to `ATTRIBUTE_BASED_COMPUTE` or `CUSTOM_INSTANCE_TYPE` . │ └[~] resource AWS::CodeBuild::Project │ └ types │ ├[~] type ProjectCache │ │ └ properties │ │ └ CacheNamespace: (documentation changed) │ └[~] type ScopeConfiguration │ └ properties │ ├ Domain: (documentation changed) │ └ Scope: (documentation changed) ├[~] service aws-dlm │ └ resources │ └[~] resource AWS::DLM::LifecyclePolicy │ └ types │ └[~] type CreateRule │ └ properties │ └ CronExpression: (documentation changed) ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::EC2Fleet │ │ └ types │ │ └[~] type InstanceRequirementsRequest │ │ └ properties │ │ └ AcceleratorTypes: (documentation changed) │ ├[~] resource AWS::EC2::LaunchTemplate │ │ └ types │ │ └[~] type InstanceRequirements │ │ └ properties │ │ └ AcceleratorTypes: (documentation changed) │ └[~] resource AWS::EC2::SpotFleet │ └ types │ └[~] type InstanceRequirementsRequest │ └ properties │ └ AcceleratorTypes: (documentation changed) ├[~] service aws-ecr │ └ resources │ └[+] resource AWS::ECR::RegistryScanningConfiguration │ ├ name: RegistryScanningConfiguration │ │ cloudFormationType: AWS::ECR::RegistryScanningConfiguration │ │ documentation: The AWS::ECR::RegistryScanningConfiguration controls the scanning configuration for an Amazon Elastic Container Registry (Amazon Private ECR). For more information, see https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html │ ├ properties │ │ ├ Rules: Array<ScanningRule> (required) │ │ └ ScanType: string (required) │ ├ attributes │ │ └ RegistryId: string │ └ types │ ├ type RepositoryFilter │ │ ├ documentation: The details of a scanning repository filter. │ │ │ name: RepositoryFilter │ │ └ properties │ │ ├ Filter: string (required) │ │ └ FilterType: string (required) │ └ type ScanningRule │ ├ documentation: A rule representing the details of a scanning configuration. │ │ name: ScanningRule │ └ properties │ ├ RepositoryFilters: Array<RepositoryFilter> (required) │ └ ScanFrequency: string (required) ├[~] service aws-ecs │ └ resources │ ├[~] resource AWS::ECS::Service │ │ └ types │ │ └[~] type LogConfiguration │ │ └ properties │ │ └ Options: (documentation changed) │ └[~] resource AWS::ECS::TaskDefinition │ └ types │ └[~] type LogConfiguration │ └ properties │ └ Options: (documentation changed) ├[~] service aws-entityresolution │ └ resources │ └[~] resource AWS::EntityResolution::SchemaMapping │ └ types │ └[~] type SchemaInputAttribute │ ├ - documentation: A configuration object for defining input data fields in AWS Entity Resolution . The SchemaInputAttribute specifies how individual fields in your input data should be processed and matched. │ │ + documentation: A configuration object for defining input data fields in AWS Entity Resolution . The `SchemaInputAttribute` specifies how individual fields in your input data should be processed and matched. │ └ properties │ └ Type: (documentation changed) ├[~] service aws-events │ └ resources │ ├[~] resource AWS::Events::ApiDestination │ │ └ attributes │ │ └ ArnForPolicy: (documentation changed) │ ├[~] resource AWS::Events::Archive │ │ └ properties │ │ └ KmsKeyIdentifier: (documentation changed) │ └[~] resource AWS::Events::Connection │ ├ properties │ │ └ KmsKeyIdentifier: (documentation changed) │ └ attributes │ └ ArnForPolicy: (documentation changed) ├[~] service aws-lambda │ └ resources │ └[~] resource AWS::Lambda::Function │ └ types │ └[~] type DeadLetterConfig │ └ - documentation: The [dead-letter queue](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html#dlq) for failed asynchronous invocations. │ + documentation: The [dead-letter queue](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async-retain-records.html#invocation-dlq) for failed asynchronous invocations. ├[~] service aws-mediapackagev2 │ └ resources │ └[~] resource AWS::MediaPackageV2::OriginEndpoint │ └ types │ ├[~] type HlsManifestConfiguration │ │ └ properties │ │ └[+] UrlEncodeChildManifest: boolean │ └[~] type LowLatencyHlsManifestConfiguration │ └ properties │ └[+] UrlEncodeChildManifest: boolean ├[~] service aws-memorydb │ └ resources │ ├[~] resource AWS::MemoryDB::Cluster │ │ └ properties │ │ ├ IpDiscovery: (documentation changed) │ │ └ NetworkType: (documentation changed) │ ├[~] resource AWS::MemoryDB::MultiRegionCluster │ │ └ properties │ │ └ NumShards: (documentation changed) │ └[~] resource AWS::MemoryDB::SubnetGroup │ └ attributes │ └ SupportedNetworkTypes: (documentation changed) ├[~] service aws-omics │ └ resources │ └[~] resource AWS::Omics::Workflow │ ├ - documentation: Creates a private workflow.Private workflows depend on a variety of resources that you create and configure before creating the workflow: │ │ - *Input data* : Input data for the workflow, stored in an S3 bucket or a AWS HealthOmics sequence store. │ │ - *Workflow definition files* : Define your workflow in one or more workflow definition files, written in WDL, Nextflow, or CWL. The workflow definition specifies the inputs and outputs for runs that use the workflow. It also includes specifications for the runs and run tasks for your workflow, including compute and memory requirements. │ │ - *Parameter template files* : Define run parameters using a parameter template file (written in JSON). │ │ - *ECR container images* : Create one or more container images for the workflow. Store the images in a private ECR repository. │ │ - (Optional) *Sentieon licenses* : Request a Sentieon license if you plan to use Sentieon software in a private workflow. │ │ For more information, see [Creating private workflows in AWS HealthOmics](https://docs.aws.amazon.com/omics/latest/dev/workflows-setup.html) in the AWS HealthOmics User Guide. │ │ + documentation: Creates a private workflow.Private workflows depend on a variety of resources that you create and configure before creating the workflow: │ │ - *Input data* : Input data for the workflow, stored in an S3 bucket or a AWS HealthOmics sequence store. │ │ - *Workflow definition files* : Define your workflow in one or more workflow definition files, written in WDL, Nextflow, or CWL. The workflow definition specifies the inputs and outputs for runs that use the workflow. It also includes specifications for the runs and run tasks for your workflow, including compute and memory requirements. │ │ - *Parameter template files* : Define run parameters using a parameter template file (written in JSON). │ │ - *ECR container images* : Create one or more container images for the workflow. Store the images in a private ECR repository. │ │ - (Optional) *Sentieon licenses* : Request a Sentieon license if you plan to use Sentieon software in a private workflow. │ │ For more information, see [Creating or updating a private workflow in AWS HealthOmics](https://docs.aws.amazon.com/omics/latest/dev/creating-private-workflows.html) in the AWS HealthOmics User Guide. │ └ properties │ └ StorageCapacity: (documentation changed) ├[~] service aws-qbusiness │ └ resources │ └[~] resource AWS::QBusiness::DataSource │ └ types │ └[~] type HookConfiguration │ └ properties │ └ LambdaArn: (documentation changed) ├[~] service aws-quicksight │ └ resources │ └[~] resource AWS::QuickSight::Dashboard │ └ types │ └[~] type ExportToCSVOption │ └ - documentation: Export to .csv option. │ + documentation: Enable/disable visual-level downloads option. ├[~] service aws-rds │ └ resources │ └[~] resource AWS::RDS::DBInstance │ ├ properties │ │ └[+] DatabaseInsightsMode: string │ └ attributes │ └ DatabaseInsightsMode: (documentation changed) ├[~] service aws-redshift │ └ resources │ ├[~] resource AWS::Redshift::ClusterSubnetGroup │ │ └ - tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ │ + tagInformation: undefined │ └[~] resource AWS::Redshift::EventSubscription │ └ - tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ + tagInformation: undefined ├[~] service aws-redshiftserverless │ └ resources │ └[~] resource AWS::RedshiftServerless::Workgroup │ └ attributes │ ├[+] Workgroup.BaseCapacity: integer │ └[+] Workgroup.MaxCapacity: integer ├[~] service aws-route53resolver │ └ resources │ └[~] resource AWS::Route53Resolver::ResolverRule │ └ properties │ └[+] DelegationRecord: string ├[~] service aws-s3 │ └ resources │ └[~] resource AWS::S3::Bucket │ └ properties │ └ MetadataTableConfiguration: (documentation changed) ├[~] service aws-sagemaker │ └ resources │ └[~] resource AWS::SageMaker::Cluster │ └ types │ └[~] type ClusterInstanceGroup │ └ properties │ └ OverrideVpcConfig: (documentation changed) ├[~] service aws-vpclattice │ └ resources │ ├[~] resource AWS::VpcLattice::Listener │ │ └ types │ │ └[~] type FixedResponse │ │ └ properties │ │ └ StatusCode: (documentation changed) │ └[~] resource AWS::VpcLattice::Rule │ └ types │ └[~] type FixedResponse │ └ properties │ └ StatusCode: (documentation changed) └[~] service aws-wisdom └ resources └[~] resource AWS::Wisdom::AIPrompt └ properties └ ModelId: (documentation changed) ```
-
chore: refactored security guardian tool and security-guardian action…
…. Enables local run. (#34158) ### Issue # (if applicable) None Closes #<issue number here>. NA ### Reason for this change With this change, developers can locally run security guardian against committed files to detect changed .template.json and run the 2 part scanner 1. cfn-guard to detect inline 2. custom scanner to detect intrinsics Please note that this will detect templates where the developer has explicitly provided broadened scope permissions like new AccountPrincipal(); We will use this as an opportunity to review if that is really needed or can be scoped down. ```bash > cd tools/@aws-cdk/security-guardian >yarn security-guardian ``` ### Description of changes ### Describe any new or updated permissions being added ### Description of how you validated changes ### Checklist - [ x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
-
chore(region-info): register ap-east-2 region (#34284)
### Issue # (if applicable) Closes #34224. ### Reason for this change Add new region ap-east-2 (Taipei) ### Description of changes Made changes according to the checklist for new region Partition for this new region is 'aws' ### Describe any new or updated permissions being added NA ### Description of how you validated changes ``` yarn build yarn test ``` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
-
chore(release): 2.194.0 (#34335)
See [CHANGELOG](https://github.com/aws/aws-cdk/blob/bump/2.194.0/CHANGELOG.md)
Loading
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff v2.193.0...v2.194.0