Merge branch 'main' into oidc

Author: mergify[bot]

CHANGELOG.v2.alpha.md

@@ -2,6 +2,21 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.236.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.235.1-alpha.0...v2.236.0-alpha.0) (2026-01-23)
+
+
+### Features
+
+* **bedrock-agentcore-alpha:** added episodic memory strategy ([#36591](https://github.com/aws/aws-cdk/issues/36591)) ([21dcfc6](https://github.com/aws/aws-cdk/commit/21dcfc6807a3876e2275bdac6f1e4f7564a66100))
+* **bedrock-agentcore-alpha:** added gateway interceptors ([#36604](https://github.com/aws/aws-cdk/issues/36604)) ([ba8aa48](https://github.com/aws/aws-cdk/commit/ba8aa48a33b1e008194d6b6b13d10c41019f56b4))
+* **bedrock-agentcore-alpha:** make physical name properties optional for AgentCore resources ([#36354](https://github.com/aws/aws-cdk/issues/36354)) ([5137d81](https://github.com/aws/aws-cdk/commit/5137d811a92eb63f52d2bfa0713a660f5476839e)), closes [#36341](https://github.com/aws/aws-cdk/issues/36341)
+* **mixins-preview:** expose `BucketPolicyStatementsMixin` publicly ([#36771](https://github.com/aws/aws-cdk/issues/36771)) ([458156d](https://github.com/aws/aws-cdk/commit/458156dd43ced89c893687415d7c2a2fce141653))
+* **sagemaker:** add containerStartupHealthCheckTimeoutInSeconds support for EndpointConfig ([#35626](https://github.com/aws/aws-cdk/issues/35626)) ([47d707a](https://github.com/aws/aws-cdk/commit/47d707aac809fda8ec5302bf927380e8060d380a)), closes [#35566](https://github.com/aws/aws-cdk/issues/35566)
+
+### Bug Fixes
+
+* **eks-v2-alpha:** ensure kubectl provider access entry is depended upon by downstream resources ([#36734](https://github.com/aws/aws-cdk/issues/36734)) ([e104f45](https://github.com/aws/aws-cdk/commit/e104f45654177e87e2fb46510f77d02fcf20c499)), closes [#34898](https://github.com/aws/aws-cdk/issues/34898) [#34897](https://github.com/aws/aws-cdk/issues/34897)
+
 ## [2.235.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.235.0-alpha.0...v2.235.1-alpha.0) (2026-01-19)
 
 ## [2.235.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.234.1-alpha.0...v2.235.0-alpha.0) (2026-01-15)

CHANGELOG.v2.md

@@ -2,6 +2,26 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.236.0](https://github.com/aws/aws-cdk/compare/v2.235.1...v2.236.0) (2026-01-23)
+
+
+### Features
+
+* update L1 CloudFormation resource definitions ([#36721](https://github.com/aws/aws-cdk/issues/36721)) ([7a4a443](https://github.com/aws/aws-cdk/commit/7a4a44329d7b71a12ba566885aa5fd730c0c2475))
+* **ecs:** add capacityOptionType (Spot support) to ManagedInstancesCapacityProvider L2 construct ([#36497](https://github.com/aws/aws-cdk/issues/36497)) ([e8ad85b](https://github.com/aws/aws-cdk/commit/e8ad85b3122e8c84e19adf0ffdfd71d79ba090f9)), closes [#35648](https://github.com/aws/aws-cdk/issues/35648)
+* **ecs:** add built-in Linear and Canary deployments  ([#35981](https://github.com/aws/aws-cdk/issues/35981)) ([67ac5e7](https://github.com/aws/aws-cdk/commit/67ac5e7685e6eb8993e49aa010e43d8002998498)), closes [#35986](https://github.com/aws/aws-cdk/issues/35986) [#35987](https://github.com/aws/aws-cdk/issues/35987)
+* **logs:** add support for deletion protection configuration ([#36583](https://github.com/aws/aws-cdk/issues/36583)) ([c4d1389](https://github.com/aws/aws-cdk/commit/c4d13895339ef44ffc4cd6f86d80014a8d33a3f6)), closes [#36554](https://github.com/aws/aws-cdk/issues/36554) [#36554](https://github.com/aws/aws-cdk/issues/36554)
+
+
+### Bug Fixes
+
+* **apigatewayv2:** use custom domain name instead of regional domain name when importing domain name via fromDomainNameAttributes ([#36710](https://github.com/aws/aws-cdk/issues/36710)) ([fe6eb0b](https://github.com/aws/aws-cdk/commit/fe6eb0b9130953d5ff35bd05b643253f9b6c3247))
+* **batch:**  undeprecate useOptimalInstanceClasses   property ([#36353](https://github.com/aws/aws-cdk/issues/36353)) ([3485d53](https://github.com/aws/aws-cdk/commit/3485d5399b6cfebc3461247643d4866242311152)), closes [#36291](https://github.com/aws/aws-cdk/issues/36291) [#36291](https://github.com/aws/aws-cdk/issues/36291)
+* **core:** resources allocate unnecessary string tokens upon instantiation ([#36692](https://github.com/aws/aws-cdk/issues/36692)) ([59d4928](https://github.com/aws/aws-cdk/commit/59d49286f656a5341e907d298f30decbc8959bcf))
+* **core:** tree.json unintentionally includes telemetry metadata ([#36748](https://github.com/aws/aws-cdk/issues/36748)) ([87fd86b](https://github.com/aws/aws-cdk/commit/87fd86be736b24ab18ea2ee7a2c96b724a67c903))
+* **scheduler:** scheduleName returns undefined when imported from ARN ([#36400](https://github.com/aws/aws-cdk/issues/36400)) ([752bd9b](https://github.com/aws/aws-cdk/commit/752bd9b7c31d027be6918cd7c8ebddb4b3d29e77)), closes [#36361](https://github.com/aws/aws-cdk/issues/36361)
+* recent change to IAlarmAction breaks too many implementors ([#36695](https://github.com/aws/aws-cdk/issues/36695)) ([0c5b0db](https://github.com/aws/aws-cdk/commit/0c5b0dbb08bd1bc965067e1fbe7b2ec7e82e697b))
+
 ## [2.235.1](https://github.com/aws/aws-cdk/compare/v2.235.0...v2.235.1) (2026-01-19)
 
 

CONTRIBUTING.md

@@ -988,37 +988,37 @@ finalized, will be added to the AWS CDK with a specific suffix: `BetaX`. APIs
 with the preview suffix will never be removed, instead they will be deprecated
 and replaced by either the stable version (without the suffix), or by a newer
 preview version. For example, assume we add the method
-`grantAwesomePowerBeta1`:
+`addSecondaryResourceBeta1()` to a class:
 
 ```ts
 /**
- * This method grants awesome powers
+ * This method adds a secondary resource to the main one
  */
-grantAwesomePowerBeta1();
+addSecondaryResourceBeta1(res: SomeResource);
 ```
 
 Times goes by, we get feedback that this method will actually be much better
-if it accepts a `Principal`. Since adding a required property is a breaking
-change, we will add `grantAwesomePowerBeta2()` and deprecate
-`grantAwesomePowerBeta1`:
+if it accepts an additional required `options` parameter. Since adding a required 
+parameter to a method is a breaking change, we will add `addSecondaryResourceBeta2()`
+and deprecate `addSecondaryResourceBeta1`:
 
 ```ts
 /**
-* This method grants awesome powers to the given principal
+* This method adds a secondary resource, with more options
 *
 * @param grantee The principal to grant powers to
 */
-grantAwesomePowerBeta2(grantee: iam.IGrantable)
+addSecondaryResourceBeta2(res: SomeResource, options: SecondaryResourceOptions);
 
 /**
-* This method grants awesome powers
-* @deprecated use grantAwesomePowerBeta2
+ * This method adds a secondary resource to the main one
+* @deprecated use addSecondaryResourceBeta1
 */
-grantAwesomePowerBeta1()
+addSecondaryResourceBeta1(res: SomeResource);
 ```
 
 When we decide it's time to graduate the API, the latest preview version will
-be deprecated and the final version - `grantAwesomePower` will be added.
+be deprecated and the final version - `addSecondaryResource` will be added.
 
 ## Documentation
 

allowed-breaking-changes.txt

@@ -4142,3 +4142,12 @@ changed-type:aws-cdk-lib.aws_ses.EventDestination.bus
 # CloudFormation has always required SecurityGroups for ManagedInstancesCapacityProvider.
 # Making it required in TypeScript catches the error at compile time instead of deploy time.
 strengthened:aws-cdk-lib.aws_ecs.ManagedInstancesCapacityProviderProps
+
+# IEncryptedResource was too strongly typed for practical use.
+# We need to weaken it and align with other traits.
+# See: https://github.com/aws/aws-cdk/pull/36787
+incompatible-argument:aws-cdk-lib.aws_iam.GrantableResources.isEncryptedResource
+base-types:aws-cdk-lib.aws_iam.IEncryptedResource
+removed:aws-cdk-lib.aws_iam.IEncryptedResource.applyRemovalPolicy
+removed:aws-cdk-lib.aws_iam.IEncryptedResource.node
+removed:aws-cdk-lib.aws_iam.IEncryptedResource.stack

docs/DESIGN_GUIDELINES.md

@@ -1165,9 +1165,50 @@ export abstract class TopicBase extends Resource implements ITopic, IEncryptedRe
 }
 ```
 
-The `TopicGrants` class, and many others, are generated automatically. But if there
-is no auto-generated grants class for a resource, you can implement it manually,
-following the same patterns.
+The `TopicGrants` class, and many others, are generated automatically from the `grants.json`
+file present at the root of each individual module (`packages/aws-sns` for SNS constructs and 
+so on). The `grants.json` file has the following general structure:
+
+```json
+{
+  "resources": {
+    "Topic": {
+      "hasResourcePolicy": true,
+      "grants": {
+        "publish": {
+          "actions": ["sns:Publish"],
+          "keyActions": ["kms:Decrypt", "kms:GenerateDataKey*"],
+          "docSummary": "Grant topic publishing permissions to the given identity"
+        },
+        "subscribe": {
+          "actions": ["sns:Subscribe"],
+          "arnFormat": "${topicArn}/*"
+        }
+      }
+    }
+  }
+}
+```
+
+where:
+
+* `Topic` - the class to generate grants for. This will lead to a class named TopicGrants.
+* `hasResourcePolicy` - indicates whether the resource supports a resource policy. When true, all auto-generated methods in the Grants class will attempt to add statements to the resource policy when applicable. When false, the methods will only modify the principal's policy.
+* `publish` - the name of a grant.
+* `actions` - the actions to encompass in the grant.
+* `keyActions` - if the resource has an associated KMS key, also grant these permissions on the key. Notice that the resource must implement the `iam.IEncryptedResource` interface for this to work.
+* `docSummary` - the public documentation for the method.
+* `arnFormat` - In some cases, the policy applies to a specific ARN patterns, rather than just the ARN of the resource.
+
+In some cases, however, it might not be possible to specify the grant details using the `grants.json`
+file. This is usually the case when grants require additional logic, such as checking whether the
+resource is owned or unowned, or when the grant needs to modify the resource policy of the resource
+(if it has one). In these cases, you can implement the grants class manually.
+
+Historically, grant methods were implemented directly on the resource construct interface (e.g.
+`sns.ITopic.grantPublish(principal)`). For backward compatibility reasons, these methods are still
+present on the resource interfaces, but new grant implementations are only allowed through the Grants
+classes [_awslint:no-grants_].
 
 ### Metrics
 

packages/@aws-cdk-testing/framework-integ/package.json

@@ -30,7 +30,7 @@
   "license": "Apache-2.0",
   "devDependencies": {
     "@aws-cdk/cdk-build-tools": "0.0.0",
-    "@aws-cdk/integ-runner": "^2.193.4",
+    "@aws-cdk/integ-runner": "^2.193.5",
     "@aws-cdk/pkglint": "0.0.0",
     "@aws-sdk/client-acm": "3.632.0",
     "@aws-sdk/client-rds": "3.632.0",
@@ -50,7 +50,7 @@
     "@aws-cdk/lambda-layer-kubectl-v34": "^2.0.0",
     "@aws-cdk/region-info": "0.0.0",
     "aws-cdk-lib": "0.0.0",
-    "cdk8s": "2.70.42",
+    "cdk8s": "2.70.43",
     "cdk8s-plus-27": "2.9.5",
     "constructs": "^10.0.0"
   },

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.cross-account-pipeline-cfn-action.js.snapshot/CdkPipelineCfnActionStack.assets.json

@@ -198,7 +198,7 @@
    "Properties": {
     "Content": {
      "S3Bucket": "cdk-hnb659fds-assets-12345678-test-region",
-     "S3Key": "c82567645316e1499ecd064c937f1183bb4a74e95800ff64fab4d308451ba5f0.zip"
+     "S3Key": "0cfdecad2260a3a84ad0c2d08a77e03c9d25e26c7b52f26b1e1faf97aef92f18.zip"
     },
     "Description": "/opt/awscli/aws"
    }