Merged
Conversation
#37283) ### Issue # (if applicable) Closes #<issue number here>. ### Reason for this change Previously, the function only logged a warning when encountering an event name that starts with an unknown uppercase prefix (e.g., a new service acronym). This made the issue easy to overlook and allowed inconsistent or incorrect pattern method names to be generated silently. By throwing an error instead of logging, we enforce strict handling of event naming conventions. This ensures that any newly introduced event with a service/acronym prefix is explicitly reviewed and added to the prefixes list, preventing incorrect method name(e.g., `kMSCMKDeletionPattern` instead of `kmsCMKDeletionPattern`) generation and improving long-term maintainability. ### Description of changes * Replaced the console.log warning with a thrown error when an unrecognized uppercase prefix is detected in the event name. * The function now fails fast if it encounters an event that appears to start with a service or feature acronym not included in the predefined prefixes list. * This guarantees that: * All known service prefixes are explicitly defined. * Newly introduced events with acronyms are caught during development/testing rather than slipping into production. * No changes to behavior for recognized prefixes or standard camelCase event names. ### Describe any new or updated permissions being added ### Description of how you validated changes ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…time (#37282) ### Issue # (if applicable) N/A ### Reason for this change This was previously missing from the runtime enum. The older version doesn't have types available on npm, so it's difficult and awkward to use. ### Description of changes This change just adds an enum value for the newer version of the runtime. See docs at: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Library_Nodejs.html#CloudWatch_Synthetics_runtimeversion-syn-nodejs-3.1 ### Describe any new or updated permissions being added N/A ### Description of how you validated changes The documentation was reviewed and the code was checked to be consistent with pre-existing enum values. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…update (#37288) Bumps the npm_and_yarn group with 1 update in the /packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-service-account-sdk-call.js.snapshot/asset.d388310e22224796eee0dd2d3da0207457c3e42855a921e3b1db956777d7c56a directory: [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser). Bumps the npm_and_yarn group with 1 update in the /packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/sdk-call-integ-test-docker-app/app directory: [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser). Updates `fast-xml-parser` from 5.4.2 to 5.5.6 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/NaturalIntelligence/fast-xml-parser/releases">fast-xml-parser's releases</a>.</em></p> <blockquote> <h2>fix entity expansion and incorrect replacement and performance</h2> <p><strong>Full Changelog</strong>: <a href="https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.5...v5.5.6">https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.5...v5.5.6</a></p> <h2>support onDangerousProperty</h2> <p><strong>Full Changelog</strong>: <a href="https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.3...v5.5.5">https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.3...v5.5.5</a></p> <h2>update dependecies to fix typings</h2> <p><strong>Full Changelog</strong>: <a href="https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.1...v5.5.2">https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.1...v5.5.2</a></p> <h2>integrate path-expression-matcher</h2> <ul> <li>support path-expression-matcher</li> <li>fix: stopNode should not be parsed</li> <li>performance improvement for stopNode checking</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md">fast-xml-parser's changelog</a>.</em></p> <blockquote> <p>Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.</p> <p>Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion</p> <p><strong>5.5.6 / 2026-03-16</strong></p> <ul> <li>update builder dependency</li> <li>fix incorrect regex to replace . in entity name</li> <li>fix check for entitiy expansion for lastEntities and html entities too</li> </ul> <p><strong>5.5.5 / 2026-03-13</strong></p> <ul> <li>sanitize dangerous tag or attribute name</li> <li>error on critical property name</li> <li>support onDangerousProperty option</li> </ul> <p><strong>5.5.4 / 2026-03-13</strong></p> <ul> <li>declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher</li> </ul> <p><strong>5.5.3 / 2026-03-11</strong></p> <ul> <li>upgrade builder</li> </ul> <p><strong>5.5.2 / 2026-03-11</strong></p> <ul> <li>update dependency to fix typings</li> </ul> <p><strong>5.5.1 / 2026-03-10</strong></p> <ul> <li>fix dependency</li> </ul> <p><strong>5.5.0 / 2026-03-10</strong></p> <ul> <li>support path-expression-matcher</li> <li>fix: stopNode should not be parsed</li> <li>performance improvement for stopNode checking</li> </ul> <p><strong>5.4.2 / 2026-03-03</strong></p> <ul> <li>support maxEntityCount option</li> </ul> <p><strong>5.4.1 / 2026-02-25</strong></p> <ul> <li>fix (<a href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/785">#785</a>) unpairedTag node should not have tag content</li> </ul> <p><strong>5.4.0 / 2026-02-25</strong></p> <ul> <li>migrate to fast-xml-builder</li> </ul> <p><strong>5.3.9 / 2026-02-25</strong></p> <ul> <li>support strictReservedNames</li> </ul> <p><strong>5.3.8 / 2026-02-25</strong></p> <ul> <li>support maxNestedTags</li> <li>handle non-array input for XML builder when preserveOrder is true (By <a href="https://github.com/Angelopvtac">Angelo Coetzee</a>)</li> <li>save use of js properies</li> </ul> <p><strong>5.3.7 / 2026-02-20</strong></p> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/870043e75e78545192bc70950c6286d36c7cdf23"><code>870043e</code></a> update release info</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/6df401ef2bb1d152313276add24cdfa860819751"><code>6df401e</code></a> update builder dependency</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01"><code>bd26122</code></a> check for entitiy expansion for lastEntities and html entities too</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/7e70dd8f758f3f494c4e14a281cea35b7d8d0d13"><code>7e70dd8</code></a> fix incorrect regex to replace . in entity name</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/e54155f53048e9d58e27f170d3ccff15176b6671"><code>e54155f</code></a> update package info</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/3308fd7a45d9d74e87c6b6c4ef0574abaa1f8b65"><code>3308fd7</code></a> handle critical properties</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/0500f6b4d66464fa70ecb58907804962c6b847f9"><code>0500f6b</code></a> refactor</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/ea07bb2e8435a88136c0e46d7ee8a345107b7582"><code>ea07bb2</code></a> declare Matcher & Expression as unknown</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/0a4dc92f979b5b03cfac2339ec7d81385edc14a8"><code>0a4dc92</code></a> upgrade builder</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/e0a14f7d15a293732e630ce1b7faa39924de2359"><code>e0a14f7</code></a> update dependency to fix typings</li> <li>Additional commits viewable in <a href="https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.4.2...v5.5.6">compare view</a></li> </ul> </details> <br /> Updates `fast-xml-parser` from 5.4.2 to 5.5.6 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/NaturalIntelligence/fast-xml-parser/releases">fast-xml-parser's releases</a>.</em></p> <blockquote> <h2>fix entity expansion and incorrect replacement and performance</h2> <p><strong>Full Changelog</strong>: <a href="https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.5...v5.5.6">https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.5...v5.5.6</a></p> <h2>support onDangerousProperty</h2> <p><strong>Full Changelog</strong>: <a href="https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.3...v5.5.5">https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.3...v5.5.5</a></p> <h2>update dependecies to fix typings</h2> <p><strong>Full Changelog</strong>: <a href="https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.1...v5.5.2">https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.1...v5.5.2</a></p> <h2>integrate path-expression-matcher</h2> <ul> <li>support path-expression-matcher</li> <li>fix: stopNode should not be parsed</li> <li>performance improvement for stopNode checking</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md">fast-xml-parser's changelog</a>.</em></p> <blockquote> <p>Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.</p> <p>Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion</p> <p><strong>5.5.6 / 2026-03-16</strong></p> <ul> <li>update builder dependency</li> <li>fix incorrect regex to replace . in entity name</li> <li>fix check for entitiy expansion for lastEntities and html entities too</li> </ul> <p><strong>5.5.5 / 2026-03-13</strong></p> <ul> <li>sanitize dangerous tag or attribute name</li> <li>error on critical property name</li> <li>support onDangerousProperty option</li> </ul> <p><strong>5.5.4 / 2026-03-13</strong></p> <ul> <li>declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher</li> </ul> <p><strong>5.5.3 / 2026-03-11</strong></p> <ul> <li>upgrade builder</li> </ul> <p><strong>5.5.2 / 2026-03-11</strong></p> <ul> <li>update dependency to fix typings</li> </ul> <p><strong>5.5.1 / 2026-03-10</strong></p> <ul> <li>fix dependency</li> </ul> <p><strong>5.5.0 / 2026-03-10</strong></p> <ul> <li>support path-expression-matcher</li> <li>fix: stopNode should not be parsed</li> <li>performance improvement for stopNode checking</li> </ul> <p><strong>5.4.2 / 2026-03-03</strong></p> <ul> <li>support maxEntityCount option</li> </ul> <p><strong>5.4.1 / 2026-02-25</strong></p> <ul> <li>fix (<a href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/785">#785</a>) unpairedTag node should not have tag content</li> </ul> <p><strong>5.4.0 / 2026-02-25</strong></p> <ul> <li>migrate to fast-xml-builder</li> </ul> <p><strong>5.3.9 / 2026-02-25</strong></p> <ul> <li>support strictReservedNames</li> </ul> <p><strong>5.3.8 / 2026-02-25</strong></p> <ul> <li>support maxNestedTags</li> <li>handle non-array input for XML builder when preserveOrder is true (By <a href="https://github.com/Angelopvtac">Angelo Coetzee</a>)</li> <li>save use of js properies</li> </ul> <p><strong>5.3.7 / 2026-02-20</strong></p> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/870043e75e78545192bc70950c6286d36c7cdf23"><code>870043e</code></a> update release info</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/6df401ef2bb1d152313276add24cdfa860819751"><code>6df401e</code></a> update builder dependency</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01"><code>bd26122</code></a> check for entitiy expansion for lastEntities and html entities too</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/7e70dd8f758f3f494c4e14a281cea35b7d8d0d13"><code>7e70dd8</code></a> fix incorrect regex to replace . in entity name</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/e54155f53048e9d58e27f170d3ccff15176b6671"><code>e54155f</code></a> update package info</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/3308fd7a45d9d74e87c6b6c4ef0574abaa1f8b65"><code>3308fd7</code></a> handle critical properties</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/0500f6b4d66464fa70ecb58907804962c6b847f9"><code>0500f6b</code></a> refactor</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/ea07bb2e8435a88136c0e46d7ee8a345107b7582"><code>ea07bb2</code></a> declare Matcher & Expression as unknown</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/0a4dc92f979b5b03cfac2339ec7d81385edc14a8"><code>0a4dc92</code></a> upgrade builder</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/e0a14f7d15a293732e630ce1b7faa39924de2359"><code>e0a14f7</code></a> update dependency to fix typings</li> <li>Additional commits viewable in <a href="https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.4.2...v5.5.6">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts). </details>
### Issue # (if applicable) Closes #26613. ### Reason for this change When creating an `eks.FargateCluster` (or any EKS cluster with `coreDnsComputeType: FARGATE`) in a VPC with only `PRIVATE_ISOLATED` subnets and private endpoint access enabled, the kubectl Lambda is placed in those isolated subnets. Since isolated subnets have no internet access by definition (no NAT Gateway, no Internet Gateway route), the Lambda cannot reach the EKS API, STS, or other AWS service endpoints. This causes the `CoreDnsComputeTypePatch` custom resource (and any other kubectl operation) to silently time out after 15 minutes, resulting in a confusing CloudFormation deployment failure. ### Description of changes Added a `ValidationError` at synth time in both `aws-eks` and `aws-eks-v2` modules that detects when the selected kubectl private subnets include `PRIVATE_ISOLATED` subnets. The check runs in the `Cluster` constructor, right after `kubectlPrivateSubnets` is assigned, by comparing the selected subnets against `vpc.isolatedSubnets`. The error message tells users exactly what is wrong and how to fix it: - Use `PRIVATE_WITH_EGRESS` subnets with a NAT Gateway - Or configure VPC endpoints for STS, EKS, and ECR - Links to the AWS private clusters documentation **Why a hard error instead of a warning:** `PRIVATE_ISOLATED` subnets are created by CDK with no egress route. If CDK created the VPC and the kubectl subnets are isolated, we know with certainty there is no egress and the deployment will fail. Failing fast at synth time is better than a 15-minute Lambda timeout. **Files changed:** - `packages/aws-cdk-lib/aws-eks/lib/cluster.ts` — validation after `kubectlPrivateSubnets` assignment - `packages/aws-cdk-lib/aws-eks-v2/lib/cluster.ts` — same validation after `kubectlSubnets` assignment - `packages/aws-cdk-lib/aws-eks/test/cluster.test.ts` — 2 new tests - `packages/aws-cdk-lib/aws-eks-v2/test/cluster.test.ts` — 2 new tests ### Describe any new or updated permissions being added No new or updated IAM permissions. This is a synth-time validation only. ### Description of how you validated changes - Added 4 unit tests (2 per module): - `throws when kubectl private subnets include isolated subnets` — verifies the `ValidationError` is thrown - `does not throw when kubectl private subnets are PRIVATE_WITH_EGRESS` — verifies no error for valid subnets - All 147 existing `aws-eks` tests pass - All 120 existing `aws-eks-v2` tests pass - No TypeScript diagnostics errors in any modified file ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # Closes #36988. ### Reason for this change S3 recently added a new `BlockedEncryptionTypes` field to server-side encryption rules ([docs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/blocking-unblocking-s3-c-encryption-gpb.html)). This field allows users to explicitly block or unblock SSE-C encryption on their bucket. Users should be able to set this field through CDK. This will become especially important when SSE-C starts being blocked by default in April ([blog post](https://aws.amazon.com/blogs/storage/advanced-notice-amazon-s3-to-disable-the-use-of-sse-c-encryption-by-default-for-all-new-buckets-and-select-existing-buckets-in-april-2026/)). ### Description of changes Added a `blockedEncryptionTypes` field to the L2 `s3.Bucket` construct. - If `blockedEncryptionTypes` is not set, behavior is same as before. No default `blockedEncryptionTypes` value will be chosen (this is important, we want to let S3 choose what default to apply). - If `blockedEncryptionTypes` is set and `encryptionType` is `BucketEncryption.UNENCRYPTED`, a server-side encryption configuration will be added with just `blockedEncryptionTypes` - **This happens even if `bucketKeyEnabled` is explicitly set**. Please confirm that this is behavior you want. I went with it because `bucketKeyEnabled` is already ignored when `encryptionType` is `BucketEncryption.UNENCRYPTED`. ### Describe any new or updated permissions being added N/A ### Description of how you validated changes Ran unit tests, added integ tests. - Verified that the `MySsecBlockedBucket` bucket has `SSE-C` blocked (and no default server-side encryption type explicitly set) - Verified that the `MyKmsBucket` bucket has no encryption types blocked ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable) Closes #36283. ### Reason for this change AWS supports post-quantum (PQ) security policies for ALB and NLB using hybrid ML-KEM key exchange. The CDK's SslPolicy enum lacks these policies, and the AWS Console already defaults to PQ policies while CDK still uses ELBSecurityPolicy-2016-08. ### Description of changes 1. Added 11 post-quantum security policy enum values to SslPolicy: Standard TLS Policies with PQ: - TLS13_13_PQ, TLS13_12_PQ, TLS13_12_RES_PQ, TLS13_12_EXT1_PQ, TLS13_12_EXT2_PQ, TLS13_10_PQ FIPS-Compliant Policies with PQ: - FIPS_TLS13_13_PQ, FIPS_TLS13_12_PQ, FIPS_TLS13_12_RES_PQ, FIPS_TLS13_12_EXT0_PQ, FIPS_TLS13_12_EXT1_PQ, FIPS_TLS13_12_EXT2_PQ, FIPS_TLS13_10_PQ All enum entries include `@see` links to the AWS ELB SSL policies documentation. 2. Added feature flag `@aws-cdk/aws-elasticloadbalancingv2:usePostQuantumTlsPolicy`: - **Disabled (default)**: No change to existing behavior - **Enabled**: HTTPS/TLS listeners automatically use `SslPolicy.TLS13_12_PQ` (`ELBSecurityPolicy-TLS13-1-2-PQ-2025-09`) 3. Updated listener implementations: - ALB and NLB listeners check the feature flag at construction time - Explicit `sslPolicy` always overrides the feature flag - HTTP/TCP listeners are unaffected > **Note for new CDK projects**: Projects created with `cdk init` will have the feature flag `@aws-cdk/aws-elasticloadbalancingv2:usePostQuantumTlsPolicy` enabled by default. This means HTTPS/TLS listeners without an explicit `sslPolicy` will use `ELBSecurityPolicy-TLS13-1-2-PQ-2025-09` instead of the CloudFormation default (`ELBSecurityPolicy-2016-08`). Existing projects are unaffected unless they explicitly opt in. ### Behavior Summary | Feature Flag | HTTPS/TLS Listeners (no explicit sslPolicy) | Explicit sslPolicy | HTTP/TCP Listeners | |---|---|---|---| | Disabled (default) | CloudFormation default (no explicit policy) | Always honored | No SSL policy | | Enabled | ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 | Always honored | No SSL policy | ### Description of how you validated changes - Unit tests for ALB and NLB listeners covering: flag disabled, flag enabled, explicit override, non-TLS unaffected - All policy names verified against [AWS documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/describe-ssl-policies.html) ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
Updated README to reflect changes in Mixins availability and imports. \---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ent patterns (#37284) ### Description of changes adding examples in the readme for the standalone events, and adding unit tests for the standalone events ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… table properties (#36811) ### Reason for this change This PR adds support for new S3 Tables Iceberg features to the L2 construct library, enabling users to configure partition specifications, sort orders, table properties, and schema field IDs when creating tables. These features are essential for optimizing query performance and data organization in Iceberg tables. ### Description of changes **Enhanced Table construct with new Iceberg metadata properties**: - Added `id` field to `SchemaFieldProperty` for schema field identification - Added `IcebergPartitionSpec` and `IcebergPartitionField` interfaces for partition configuration - Added `IcebergSortOrder` and `IcebergSortField` interfaces for sort order configuration - Added `tableProperties` support for custom Iceberg table properties - Updated `IcebergMetadataProperty` to include optional `icebergPartitionSpec`, `icebergSortOrder`, and `tableProperties` **Documentation**: - Added comprehensive examples for `IcebergPartitionField`, `IcebergPartitionSpec`, and `IcebergSortOrder` - Updated README with "Advanced Iceberg Table Configuration" section showing complete usage examples ### Description of how you validated changes - **Unit tests**: Added comprehensive test coverage for new features (192 tests passing) - **Integration test**: Created `integ.table-with-partition-sort.ts` to validate partition spec, sort order, and table properties - **Manual testing**: Successfully deployed and validated in Gamma environment where the CloudFormation resource type with new properties is available. Verified that partition spec, sort order, and table properties are correctly applied to the Iceberg table metadata. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
In the past, Construct Errors (`ValidationError`, `UnscopedValidationError`, `AssumptionError`) had a number of downsides:
- If the construct path was not set (even for an `UnscopedValidationError`) the path would be rendered as ` at path [undefined]`.
- For multiline error messages, parts of the error would be repeated.
- (When used as a library) Errors would include the JavaScript line of code throwing the error, but a production CDK build is minified so it would just be giant line of noise.
In this PR:
- Render both the call stack and the construct path visually distinct.
- Render the construct path visually using a tree.
- Only render the construct path if available (avoid rendering `undefined` for errors are not related to a construct)
- Don't render the actual contents of the source line, to avoid a huge minified line.
- In order to improve the readability of the stack trace, we render Just My Code (this is a Visual Code term): we hide stack traces belonging to library code, focusing only on user code.
- Make the S3 Bucket Name validation error scoped (instead of unscoped)
Examples (see 👀 for what to pay attention to)
## Scoped error (in CDK repo)
BEFORE
```
/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/aws-cdk-lib/aws-s3/lib/bucket.ts:2266
throw new UnscopedValidationError('InvalidBucketNameValue', `Invalid S3 bucket name (value: ${bucketName})${EOL}${errors.join(EOL)}`);
^
InvalidBucketNameValue: Invalid S3 bucket name (value: &*&*$)
Bucket name must only contain lowercase characters and the symbols, period (.) and dash (-) (offset: 0)
Bucket name must start with a lowercase character or number (offset: 0)
Bucket name must end with a lowercase character or number (offset: 4)
👀 at path [/SomeStack/TargetBucket]
👀 Bucket name must only contain lowercase characters and the symbols, period (.) and dash (-) (offset: 0)
👀 Bucket name must start with a lowercase character or number (offset: 0)
👀 Bucket name must end with a lowercase character or number (offset: 4)
at Bucket.validateBucketName (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/aws-cdk-lib/aws-s3/lib/bucket.ts:2266:13)
at new Bucket (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/aws-cdk-lib/aws-s3/lib/bucket.ts:2319:12)
at new Bucket (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/aws-cdk-lib/core/lib/prop-injectable.ts:40:7)
at Object.<anonymous> (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/aws-cdk-lib/core/test/integ.error.ts:10:22)
at Module._compile (node:internal/modules/cjs/loader:1761:14)
at Module.m._compile (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/node_modules/ts-node/src/index.ts:1618:23)
at Module._extensions..js (node:internal/modules/cjs/loader:1893:10)
at Object.require.extensions.<computed> [as .ts] (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/node_modules/ts-node/src/index.ts:1621:12)
at Module.load (node:internal/modules/cjs/loader:1481:32)
at Module._load (node:internal/modules/cjs/loader:1300:12)
```
AFTER
```
InvalidBucketNameValue: Invalid S3 bucket name (value: &*&*$)
Bucket name must only contain lowercase characters and the symbols, period (.) and dash (-) (offset: 0)
Bucket name must start with a lowercase character or number (offset: 0)
Bucket name must end with a lowercase character or number (offset: 4)
at validateBucketName (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/aws-cdk-lib/aws-s3/lib/bucket.ts:1003)
at new Bucket (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/aws-cdk-lib/aws-s3/lib/bucket.ts:1046)
at new Bucket (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/aws-cdk-lib/core/lib/prop-injectable.ts:31)
at <anonymous> (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/aws-cdk-lib/core/test/integ.error.ts:10)
👀 ...node internals, m._compile in ts-node, require.extensions.<computed> in ts-node...
👀 Relates to construct:
<.> (constructs.Construct)
└─ SomeStack (constructs.Construct)
└─ TargetBucket (constructs.Construct)
```
## Unscoped error (in CDK repo)
BEFORE
```
/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/aws-cdk-lib/core/test/integ.error.ts:24
throw new cdk.UnscopedValidationError('Blaaah', 'Some error');
^
Blaaah: Some error
👀 at path [undefined]
at Object.<anonymous> (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/aws-cdk-lib/core/test/integ.error.ts:24:7)
at Module._compile (node:internal/modules/cjs/loader:1761:14)
at Module.m._compile (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/node_modules/ts-node/src/index.ts:1618:23)
at Module._extensions..js (node:internal/modules/cjs/loader:1893:10)
at Object.require.extensions.<computed> [as .ts] (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/node_modules/ts-node/src/index.ts:1621:12)
at Module.load (node:internal/modules/cjs/loader:1481:32)
at Module._load (node:internal/modules/cjs/loader:1300:12)
at TracingChannel.traceSync (node:diagnostics_channel:328:14)
at wrapModuleLoad (node:internal/modules/cjs/loader:245:24)
at Module.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:154:5)
```
AFTER
```
Blaaah: Some error
at <anonymous> (/Users/huijbers/Workspaces/PublicCDK/aws-cdk4/packages/aws-cdk-lib/core/test/integ.error.ts:22)
👀 ...node internals, m._compile in ts-node, require.extensions.<computed> in ts-node...
```
## When using CDK as a library
AFTER
```
InvalidBucketNameValue: Invalid S3 bucket name (value: &*&*$)
Bucket name must only contain lowercase characters and the symbols, period (.) and dash (-) (offset: 0)
Bucket name must start with a lowercase character or number (offset: 0)
Bucket name must end with a lowercase character or number (offset: 4)
👀 ...new Bucket2 in aws-cdk-lib...
at new ApiStack (/Users/huijbers/Temp/testcustomer2/lib/api-stack.ts:2)
at <anonymous> (/Users/huijbers/Temp/testcustomer2/bin/repro.ts:3)
at <anonymous> (/Users/huijbers/Temp/testcustomer2/bin/repro.ts:4)
...node internals, transformer in tsx...
Relates to construct:
<.> (aws-cdk-lib.App)
└─ ReproApiStack (aws-cdk-lib.Stack)
└─ TargetBucket (aws-cdk-lib.aws_s3.Bucket)
```
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…rmance insight properties are set (#37287) ### Issue # (if applicable) Closes #37051 ### Reason for this change `DatabaseInstanceFromSnapshot` (and other `DatabaseInstanceNew` subclasses) ignores an explicit `enablePerformanceInsights: false` when other Performance Insights properties are also set. ### Description of changes Replace `||` with `??` in the PI enablement logic so that an explicit `false` is not overridden. Remove the redundant fallback on the CFn property assignment. ### Description of how you validated changes Added a unit test for `DatabaseInstanceFromSnapshot` with `enablePerformanceInsights: false`. All existing tests pass. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
We want to know about the synth errors that happened in the CDK app in the Toolkit. In order to do that, we are doing the following things:
We print the error code between special markers. We have chosen the guillemet to print the error codes: `«InvalidBucketName»`. It nicely braces the error, look visually appealing, and is uncommon enough that it is unlikely to appear in the output of a CDK app already accidentally.
The CLI will scan `stdout` and `stderr` for text between these markers. That approach is chosen because it will work regardless of whether the CDK app is executing via jsii or not (`uncaughtException` handlers will only work for direct Node programs, not jsii programs).
In order for this masterful scheme not to be foiled by a customer putting the following into their program:
```ts
console.log('«IveTrickedYouIntoCollectingCustomerContent»');
```
Whenever an error with an error code is constructed, we write the code to special file that is indicated by the `CDK_ERROR_FILE` environment variable (which will be set by the Toolkit). Only codes that appear in that file are eligible for scanning from `stderr`/`stdout`, so that we are not tricked into collecting customer content.
Why don't we just take the error code in that file as gospel? Because the exception could be caught and the program continued. That an Error object is produced doesn't mean it terminates the program.
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…7275) ### Reason for this change This PR adds request metrics configuration support to the S3 Tables TableBucket L2 construct, enabling users to enable or disable CloudWatch request metrics for their table buckets. Request metrics provide insight into Amazon S3 Tables requests, helping users monitor and optimize their table bucket usage. ### Description of changes Enhanced TableBucket construct with request metrics configuration: - Added RequestMetricsStatus enum with ENABLED and DISABLED values - Added requestMetricsStatus property to TableBucketProps (flat structure per CDK guidelines) - Pass metrics configuration through to CfnTableBucket L1 construct Documentation: - Updated README with "Enabling CloudWatch Request Metrics" section - Added RequestMetricsStatus to rosetta fixture ### Description of how you validated changes - Unit tests: added 3 new test cases for request metrics (enabled, disabled, and not specified). All 193 tests passing. - Integration test: created integ.table-bucket-metrics.ts to validate metrics configuration deployment - Rosetta: verified with yarn rosetta:extract - passes successfully ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…updates (#37300) Bumps the npm_and_yarn group with 1 update in the / directory: [flatted](https://github.com/WebReflection/flatted). Bumps the npm_and_yarn group with 1 update in the /packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-service-account-sdk-call.js.snapshot/asset.d388310e22224796eee0dd2d3da0207457c3e42855a921e3b1db956777d7c56a directory: [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser). Bumps the npm_and_yarn group with 1 update in the /packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/sdk-call-integ-test-docker-app/app directory: [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser). Updates `flatted` from 3.3.3 to 3.4.2 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/WebReflection/flatted/commit/3bf09091c3562e17a0647bc06710dd6097079cf7"><code>3bf0909</code></a> 3.4.2</li> <li><a href="https://github.com/WebReflection/flatted/commit/885ddcc33cf9657caf38c57c7be45ae1c5272802"><code>885ddcc</code></a> fix CWE-1321</li> <li><a href="https://github.com/WebReflection/flatted/commit/0bdba705d130f00892b1b8fcc80cf4cdea0631e3"><code>0bdba70</code></a> added flatted-view to the benchmark</li> <li><a href="https://github.com/WebReflection/flatted/commit/2a02dce7c641dec31194c67663f9b0b12e62da20"><code>2a02dce</code></a> 3.4.1</li> <li><a href="https://github.com/WebReflection/flatted/commit/fba4e8f2e113665da275b19cd0f695f3d98e9416"><code>fba4e8f</code></a> Merge pull request <a href="https://redirect.github.com/WebReflection/flatted/issues/89">#89</a> from WebReflection/python-fix</li> <li><a href="https://github.com/WebReflection/flatted/commit/5fe86485e6df7f7f34a07a2a85498bd3e17384e7"><code>5fe8648</code></a> added "when in Rome" also a test for PHP</li> <li><a href="https://github.com/WebReflection/flatted/commit/53517adbefe724fe472b2f9ebcdb01910d0ae3f0"><code>53517ad</code></a> some minor improvement</li> <li><a href="https://github.com/WebReflection/flatted/commit/b3e2a0c387bf446435fec45ad7f05299f012346f"><code>b3e2a0c</code></a> Fixing recursion issue in Python too</li> <li><a href="https://github.com/WebReflection/flatted/commit/c4b46dbcbf782326e54ea1b65d3ebb1dc7a23fad"><code>c4b46db</code></a> Add SECURITY.md for security policy and reporting</li> <li><a href="https://github.com/WebReflection/flatted/commit/f86d071e0f70de5a7d8200198824a3f07fc9c988"><code>f86d071</code></a> Create dependabot.yml for version updates</li> <li>Additional commits viewable in <a href="https://github.com/WebReflection/flatted/compare/v3.3.3...v3.4.2">compare view</a></li> </ul> </details> <br /> Updates `fast-xml-parser` from 5.5.6 to 5.5.8 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md">fast-xml-parser's changelog</a>.</em></p> <blockquote> <p>Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.</p> <p>Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion</p> <p><strong>5.5.8 / 2026-03-20</strong></p> <ul> <li>pass read only matcher in callback</li> </ul> <p><strong>5.5.7 / 2026-03-19</strong></p> <ul> <li>fix: entity expansion limits</li> <li>update strnum package to 2.2.0</li> </ul> <p><strong>5.5.6 / 2026-03-16</strong></p> <ul> <li>update builder dependency</li> <li>fix incorrect regex to replace . in entity name</li> <li>fix check for entitiy expansion for lastEntities and html entities too</li> </ul> <p><strong>5.5.5 / 2026-03-13</strong></p> <ul> <li>sanitize dangerous tag or attribute name</li> <li>error on critical property name</li> <li>support onDangerousProperty option</li> </ul> <p><strong>5.5.4 / 2026-03-13</strong></p> <ul> <li>declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher</li> </ul> <p><strong>5.5.3 / 2026-03-11</strong></p> <ul> <li>upgrade builder</li> </ul> <p><strong>5.5.2 / 2026-03-11</strong></p> <ul> <li>update dependency to fix typings</li> </ul> <p><strong>5.5.1 / 2026-03-10</strong></p> <ul> <li>fix dependency</li> </ul> <p><strong>5.5.0 / 2026-03-10</strong></p> <ul> <li>support path-expression-matcher</li> <li>fix: stopNode should not be parsed</li> <li>performance improvement for stopNode checking</li> </ul> <p><strong>5.4.2 / 2026-03-03</strong></p> <ul> <li>support maxEntityCount option</li> </ul> <p><strong>5.4.1 / 2026-02-25</strong></p> <ul> <li>fix (<a href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/785">#785</a>) unpairedTag node should not have tag content</li> </ul> <p><strong>5.4.0 / 2026-02-25</strong></p> <ul> <li>migrate to fast-xml-builder</li> </ul> <p><strong>5.3.9 / 2026-02-25</strong></p> <ul> <li>support strictReservedNames</li> </ul> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/a92a665e00c146a4ea3ff7760f3399e5ed51dfc5"><code>a92a665</code></a> pass read only matcher in call back</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/a21c44123cdf0f8fb5b56d33386ed3be4e180953"><code>a21c441</code></a> update package detail</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7"><code>239b64a</code></a> check for min value for entity exapantion options</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/61cb666d13044b483aa495a6c020789f22e670b4"><code>61cb666</code></a> restrict more properties to be unsafe</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/41abd66adc54cbc6ebea615a9f5396d8582afdb1"><code>41abd66</code></a> performance improvement of reading DOCTYPE</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/3dfcd20c8cffc310335510ff72a211be0672a8dd"><code>3dfcd20</code></a> refactor: performance improvement</li> <li>See full diff in <a href="https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.6...v5.5.8">compare view</a></li> </ul> </details> <br /> Updates `fast-xml-parser` from 5.5.6 to 5.5.8 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md">fast-xml-parser's changelog</a>.</em></p> <blockquote> <p>Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.</p> <p>Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion</p> <p><strong>5.5.8 / 2026-03-20</strong></p> <ul> <li>pass read only matcher in callback</li> </ul> <p><strong>5.5.7 / 2026-03-19</strong></p> <ul> <li>fix: entity expansion limits</li> <li>update strnum package to 2.2.0</li> </ul> <p><strong>5.5.6 / 2026-03-16</strong></p> <ul> <li>update builder dependency</li> <li>fix incorrect regex to replace . in entity name</li> <li>fix check for entitiy expansion for lastEntities and html entities too</li> </ul> <p><strong>5.5.5 / 2026-03-13</strong></p> <ul> <li>sanitize dangerous tag or attribute name</li> <li>error on critical property name</li> <li>support onDangerousProperty option</li> </ul> <p><strong>5.5.4 / 2026-03-13</strong></p> <ul> <li>declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher</li> </ul> <p><strong>5.5.3 / 2026-03-11</strong></p> <ul> <li>upgrade builder</li> </ul> <p><strong>5.5.2 / 2026-03-11</strong></p> <ul> <li>update dependency to fix typings</li> </ul> <p><strong>5.5.1 / 2026-03-10</strong></p> <ul> <li>fix dependency</li> </ul> <p><strong>5.5.0 / 2026-03-10</strong></p> <ul> <li>support path-expression-matcher</li> <li>fix: stopNode should not be parsed</li> <li>performance improvement for stopNode checking</li> </ul> <p><strong>5.4.2 / 2026-03-03</strong></p> <ul> <li>support maxEntityCount option</li> </ul> <p><strong>5.4.1 / 2026-02-25</strong></p> <ul> <li>fix (<a href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/785">#785</a>) unpairedTag node should not have tag content</li> </ul> <p><strong>5.4.0 / 2026-02-25</strong></p> <ul> <li>migrate to fast-xml-builder</li> </ul> <p><strong>5.3.9 / 2026-02-25</strong></p> <ul> <li>support strictReservedNames</li> </ul> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/a92a665e00c146a4ea3ff7760f3399e5ed51dfc5"><code>a92a665</code></a> pass read only matcher in call back</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/a21c44123cdf0f8fb5b56d33386ed3be4e180953"><code>a21c441</code></a> update package detail</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7"><code>239b64a</code></a> check for min value for entity exapantion options</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/61cb666d13044b483aa495a6c020789f22e670b4"><code>61cb666</code></a> restrict more properties to be unsafe</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/41abd66adc54cbc6ebea615a9f5396d8582afdb1"><code>41abd66</code></a> performance improvement of reading DOCTYPE</li> <li><a href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/3dfcd20c8cffc310335510ff72a211be0672a8dd"><code>3dfcd20</code></a> refactor: performance improvement</li> <li>See full diff in <a href="https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.5.6...v5.5.8">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts). </details>
…37285) Add `traceProperty` utility that records metadata with stack traces on CfnResource property setters when CDK_DEBUG=1 is enabled. Update spec2cdk code generation to emit getter/setter pairs (instead of plain fields) for mutable L1 properties, calling `traceProperty` in each setter to capture the call site. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…Group Property (#36434) ### Issue # (if applicable) None ### Reason for this change AWS Auto Scaling groups now support Instance Lifecycle Policy to control instance behavior during lifecycle events. - https://aws.amazon.com/about-aws/whats-new/2025/11/ec2-auto-scaling-instance-lifecycle-policy/ - https://docs.aws.amazon.com/autoscaling/ec2/APIReference/API_InstanceLifecyclePolicy.html ### Description of changes Add InstanceLifecyclePolicy interface with RetentionTriggers configuration ### Describe any new or updated permissions being added None ### Description of how you validated changes Added unit tests and integ tests ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ructs (#37269) ### Reason for this change Previously, if a stack has a mixin applied (using `with`), the stack's child constructs will not have its mixin metadata set. Stack used `applyTo` directly instead of `applyMixin` which adds the metadata via `addMetadata` in https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/core/lib/mixins/private/mixin-metadata.ts#L30. ### Description of changes Use withMixins, which calls the correct applyMixin function. Reflects the behaviour in `CfnElement` and `Resource`. ### Describe any new or updated permissions being added No new permissions are added. ### Description of how you validated changes No new permissions are added. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…de docker build context (#37350) ### Issue # (if applicable) References #31598 ### Reason for this change Splitting dependency updates out of #36930 ### Description of changes Update the following dependencies: - @aws-cdk/integ-runner: ^2.196.1 -> ^2.197.1 - @aws-cdk/cloud-assembly-api: ^2.1.1 -> ^2.2.0 - @aws-cdk/cloud-assembly-schema: ^52.1.0 -> ^53.0.0 - yarn.lock transitive dependency updates Fix the integration tests due to the update. Details below from our friend Kiro: > The PR that introduced the @aws-cdk/aws-eks:useNativeOidcProvider feature flag is #36589 > This PR added the EKS_USE_NATIVE_OIDC_PROVIDER flag with `recommendedValue: true`. Because it's a recommended flag, it was automatically included in the `@aws-cdk/integ-runner`'s auto-generated `recommended-feature-flags.json` when the integ-runner was built against a version of aws-cdk-lib containing this change. This is why `@aws-cdk/integ-runner@2.197.1` includes the flag but `@aws-cdk/integ-runner@2.196.1` does not — `v2.197.1` was the first integ-runner release built after PR #36589 was merged. ### Describe any new or updated permissions being added None ### Description of how you validated changes #36930 ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable) Fixes #31598 ### Reason for this change Add support for docker's `--build-context` flag in docker builds. This is useful for a few reasons outlined in the linked issue (and other similar issues), such as: - Sharing files from directories outside the Docker build directory - Using specific image versions as build contexts (`docker-image://alpine:latest`) - Referencing remote URLs as build contexts ### Description of changes Adds support for Docker's `--build-context` flag when building Docker image assets. This allows users to specify additional named build contexts that can be referenced in Dockerfiles via `COPY --from=<name>`. - Added `buildContexts` (optional `Record<string, string>`) to `DockerBuildOptions`, `DockerImageAssetOptions`, `DockerImageAssetInvalidationOptions`, and `DockerImageAssetSource` - Updated `DockerImage.fromBuild()` to pass `--build-context key=value` flags to the docker build command - Wired `buildContexts` through the full asset pipeline: `DockerImageAsset` → synthesizer → asset manifest → cloud assembly schema - Added token validation for `buildContexts` keys and values (same as `buildArgs`) - Added `buildContexts` to asset hash invalidation (controllable via `invalidation.buildContexts`) - Added `ASSET_RESOURCE_METADATA_DOCKER_BUILD_CONTEXTS_KEY` metadata constant - Updated the `aws-ecr-assets` README with documentation and usage example In terms of design decisions, this follows the same pattern as `buildArgs`. The necessary changes to the CLI have been released: aws/aws-cdk-cli#1128 ### Describe any new or updated permissions being added N/A ### Description of how you validated changes Integration test ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change
The local bundling path builds a single shell command string and executes it via `spawnSync("bash", ["-c", command])`. User-controlled bundling properties are interpolated into this string without sanitization. Using direct `spawnSync` with argument arrays is the idiomatic Node.js approach and avoids shell interpretation entirely.
### Description of changes
Replace shell-based command execution in the local bundling path with direct `spawnSync` calls using argument arrays.
- `PackageManager.runBinCommand()` returns `string[]` instead of a joined string. Docker-path callers use `.join(" ")`.
- New `BundlingStep` discriminated union type: `shell` (commandHooks), `spawn` (esbuild/tsc/install), `fs` (file operations).
- `createLocalBundlingSteps()` builds the step sequence for local bundling using `toCliArgsArray()` and `getTsconfigCompilerOptionsArray()` (no shell quoting needed).
- `tryBundle()` executes steps sequentially by type.
- Docker bundling path's command is escaped, the default command relies on bash already existing so we can escape it with the bash syntax.
- `commandHooks` remain shell-executed (user-provided by contract).
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
- All 125 existing aws-lambda-nodejs tests pass (6 suites).
- Updated `Local bundling` test to assert direct spawn calls.
- Added 6 new tests: esbuild options via spawn, nodeModules with fs operations, commandHooks via shell, preCompilation with tsc spawn, shell metacharacter handling, and pnpm workspace/cleanup.
- Full `lerna run build --scope=aws-cdk-lib` passes.
- Locally created a stack comparing the docker and local asset output
### Checklist
- [x] My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES
---
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change Properties like `isWebsite`, `disallowPublicAccess`, and `bucketWebsiteDomainName` on the `Bucket` class are computed eagerly from constructor props and cached as plain fields. This means the values are frozen at construction time and won't reflect any mutations made to the underlying `CfnBucket` resource afterwards. It also means each of these properties has its own bespoke derivation logic scattered across the constructor, making it harder to reason about where the source of truth lives. ### Description of changes This introduces `BucketReflection`, a new class that reads bucket configuration directly from the L1 `CfnBucket` resource at access time rather than caching prop-derived values. By reading from the L1, the reflection getters provide a single source of truth that stays consistent regardless of whether the bucket was created as an L2 construct, imported, or built directly as a `CfnBucket`. The `Bucket` class is refactored to delegate `bucketWebsiteDomainName`, `isWebsite`, and `disallowPublicAccess` through `BucketReflection` getters. The `disallowPublicAccess` setter is now a no-op since the value is derived from the `CfnBucket` resource via reflection. `BucketReflection` is deliberately kept as a non-exported internal class while we iterate on the API shape. Once the pattern stabilizes, it can be promoted to a public API. Beyond the initial three properties, `BucketReflection` also exposes `policy` and `encryptionKey` getters that search the construct tree for the associated `CfnBucketPolicy` and `CfnKey` resources. The previous private helper functions (`tryFindBucketPolicyForBucket`, `tryFindKmsKeyforBucket`, `tryFindBucketConstruct`) in `lib/private/reflections.ts` are consolidated into `BucketReflection` and the file is deleted. Internal consumers in `default-traits.ts` are updated to use `BucketReflection` instead. `BucketReflection.of()` gracefully handles custom `IBucketRef` implementations that don't have an underlying `CfnBucket` in the construct tree. The `bucket` getter throws lazily on access when no L1 is found, while `policy` falls back to searching from the original `IBucketRef`, and `encryptionKey`/`disallowPublicAccess` return safe defaults. This ensures the class works across L1, L2, and custom bucket implementations. To support safe property traversal on L1 resources — where any nested value might be an unresolved CDK token — this adds a `resolvedGet` utility to `core/lib/helpers-internal`. It walks a dot-separated property path and returns a caller-specified fallback whenever it encounters an `IResolvable`, rather than silently returning a token object that would be misinterpreted as a truthy value. This distinction between "not configured" (`undefined`) and "configured but unreadable" (fallback) is important for reflection getters that need to make boolean decisions based on L1 property values. ### Describe any new or updated permissions being added No new permissions. ### Description of how you validated changes Existing tests in `bucket-reflection.test.ts` (renamed from `reflections.test.ts`) are updated to use the `BucketReflection` public API instead of the deleted private helpers. Additional tests verify behavior with custom `IBucketRef` implementations that lack a `CfnBucket`: the `bucket` getter throws, `policy` still finds associated policies, and `encryptionKey` returns undefined. New unit tests for `resolvedGet` cover simple paths, numeric indexing, missing segments, null segments, and resolvable token handling at root, intermediate, and leaf positions. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…Front Functions (under feature flag) (#35941) ### Issue # (if applicable) None ### Reason for this change Cloudfront function supports for 2 JavaScript runtimes(1.0 & 2.0). Runtime 2.0 is backward compatible with 1.0 and its use is generally recommended, but CDK uses 1.0 by default for backward compatibility reasons. ### Description of changes - define @aws-cdk/aws-cloudfront:defaultFunctionRuntimeV2_0 feature flag - use 2.0 runtime by default when the feature flag is enabled ### Describe any new or updated permissions being added None ### Description of how you validated changes Add both unit and integ tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…update (#37354) Bumps the npm_and_yarn group with 1 update in the / directory: [yaml](https://github.com/eemeli/yaml). Bumps the npm_and_yarn group with 1 update in the /packages/@aws-cdk/aws-imagebuilder-alpha directory: [yaml](https://github.com/eemeli/yaml). Bumps the npm_and_yarn group with 1 update in the /packages/aws-cdk-lib directory: [yaml](https://github.com/eemeli/yaml). Updates `yaml` from 1.10.2 to 1.10.3 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/eemeli/yaml/commit/cfe8f0437054ff5fbfe6499894f55b3316a54959"><code>cfe8f04</code></a> 1.10.3</li> <li><a href="https://github.com/eemeli/yaml/commit/7abcf45dd63f0bc626890ad9a8cdeb397f92be73"><code>7abcf45</code></a> fix: Catch stack overflow during CST composition</li> <li><a href="https://github.com/eemeli/yaml/commit/a0252f8b056f49875d1b79edb8709cff7d7d0dc6"><code>a0252f8</code></a> chore: Add rules avoiding processing of tests/json-test-suite</li> <li><a href="https://github.com/eemeli/yaml/commit/a5e83b05f7124c31b4784b613f0c669959a5ed48"><code>a5e83b0</code></a> style: Apply updates Prettier rules</li> <li><a href="https://github.com/eemeli/yaml/commit/b8ddca0a5d4794a3c60f252d3513e6ff7068fdf0"><code>b8ddca0</code></a> chore: Refresh lockfile</li> <li><a href="https://github.com/eemeli/yaml/commit/395f892ec9a26b9038c8db388b675c3281ab8cd3"><code>395f892</code></a> ci: Use a different (working) submodule checkout</li> <li><a href="https://github.com/eemeli/yaml/commit/6fd272052751775e48196024d4bed639cc1e0350"><code>6fd2720</code></a> test-events: Add {} and [] indicators to flow maps & sequences</li> <li>See full diff in <a href="https://github.com/eemeli/yaml/compare/v1.10.2...v1.10.3">compare view</a></li> </ul> </details> <br /> Updates `yaml` from 1.10.2 to 1.10.3 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/eemeli/yaml/commit/cfe8f0437054ff5fbfe6499894f55b3316a54959"><code>cfe8f04</code></a> 1.10.3</li> <li><a href="https://github.com/eemeli/yaml/commit/7abcf45dd63f0bc626890ad9a8cdeb397f92be73"><code>7abcf45</code></a> fix: Catch stack overflow during CST composition</li> <li><a href="https://github.com/eemeli/yaml/commit/a0252f8b056f49875d1b79edb8709cff7d7d0dc6"><code>a0252f8</code></a> chore: Add rules avoiding processing of tests/json-test-suite</li> <li><a href="https://github.com/eemeli/yaml/commit/a5e83b05f7124c31b4784b613f0c669959a5ed48"><code>a5e83b0</code></a> style: Apply updates Prettier rules</li> <li><a href="https://github.com/eemeli/yaml/commit/b8ddca0a5d4794a3c60f252d3513e6ff7068fdf0"><code>b8ddca0</code></a> chore: Refresh lockfile</li> <li><a href="https://github.com/eemeli/yaml/commit/395f892ec9a26b9038c8db388b675c3281ab8cd3"><code>395f892</code></a> ci: Use a different (working) submodule checkout</li> <li><a href="https://github.com/eemeli/yaml/commit/6fd272052751775e48196024d4bed639cc1e0350"><code>6fd2720</code></a> test-events: Add {} and [] indicators to flow maps & sequences</li> <li>See full diff in <a href="https://github.com/eemeli/yaml/compare/v1.10.2...v1.10.3">compare view</a></li> </ul> </details> <br /> Updates `yaml` from 1.10.2 to 1.10.3 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/eemeli/yaml/commit/cfe8f0437054ff5fbfe6499894f55b3316a54959"><code>cfe8f04</code></a> 1.10.3</li> <li><a href="https://github.com/eemeli/yaml/commit/7abcf45dd63f0bc626890ad9a8cdeb397f92be73"><code>7abcf45</code></a> fix: Catch stack overflow during CST composition</li> <li><a href="https://github.com/eemeli/yaml/commit/a0252f8b056f49875d1b79edb8709cff7d7d0dc6"><code>a0252f8</code></a> chore: Add rules avoiding processing of tests/json-test-suite</li> <li><a href="https://github.com/eemeli/yaml/commit/a5e83b05f7124c31b4784b613f0c669959a5ed48"><code>a5e83b0</code></a> style: Apply updates Prettier rules</li> <li><a href="https://github.com/eemeli/yaml/commit/b8ddca0a5d4794a3c60f252d3513e6ff7068fdf0"><code>b8ddca0</code></a> chore: Refresh lockfile</li> <li><a href="https://github.com/eemeli/yaml/commit/395f892ec9a26b9038c8db388b675c3281ab8cd3"><code>395f892</code></a> ci: Use a different (working) submodule checkout</li> <li><a href="https://github.com/eemeli/yaml/commit/6fd272052751775e48196024d4bed639cc1e0350"><code>6fd2720</code></a> test-events: Add {} and [] indicators to flow maps & sequences</li> <li>See full diff in <a href="https://github.com/eemeli/yaml/compare/v1.10.2...v1.10.3">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts). </details>
…structs (#37277) ### Issue # (if applicable) Related to #33054. ### Reason for this change The L1 constructs (`CfnTableBucket`, `CfnTable`) implement `ITaggableV2`, so `Tags.of()` already propagates tags to the underlying CloudFormation resources. However, the L2 constructs (`TableBucket`, `Table`) don't formally implement `ITaggableV2`, which means: - `TagManager.of(tableBucket)` returns `undefined` on the L2 construct - The L2 constructs aren't discoverable as taggable by code that checks for `ITaggableV2` ### Description of changes Implement `ITaggableV2` on both `TableBucket` and `Table` L2 constructs by delegating `cdkTagManager` to the underlying L1 resource's tag manager (same pattern as `VpcOrigin` in `aws-cloudfront`). - `TableBucket` implements `ITaggableV2` with `cdkTagManager` delegated to `CfnTableBucket` - `Table` implements `ITaggableV2` with `cdkTagManager` delegated to `CfnTable` - Unit tests for construct-level and stack-level tag propagation (4 new tests) - README updated with tagging usage examples - Rosetta fixture updated with `Tags` import ### Describe any new or updated permissions being added N/A ### Description of how you validated changes 1. Built `@aws-cdk/aws-s3tables-alpha` — 0 errors, 0 warnings 2. Unit tests — 193 passed (4 new), coverage: 94.46% statements, 90.21% branches 3. Lint — ESLint + awslint + pkglint clean 4. Rosetta — README code samples compile 5. Integration test snapshots — 6/6 UNCHANGED ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change The warning message displayed by `addPermission()` when called on a Lambda Function with mismatched environments contains a typo: "this is is intentional" (duplicated "is"). ### Description of changes Fix `this is is intentional` → `this is intentional` in: - `packages/aws-cdk-lib/aws-lambda/lib/function-base.ts` (source) - `packages/aws-cdk-lib/aws-lambda/test/function.test.ts` (test assertion) ### Description of how you validated changes Updated the corresponding test assertion to match the corrected message. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
**L1 CloudFormation resource definition changes:**
```
├[~] service aws-apigateway
│ └ resources
│ └[~] resource AWS::ApiGateway::RestApi
│ ├ - vendedLogs: undefined
│ │ + vendedLogs: [{"permissionsVersion":"V2","logType":"EXECUTION_LOGS","destinations":[{"destinationType":"S3","outputFormats":["json","plain","w3c","parquet"]},{"destinationType":"CWL","outputFormats":["plain","json"]},{"destinationType":"FH","outputFormats":["json","plain","raw"]}],"mandatoryFields":["resource_arn","event_timestamp","stage","payload"]},{"permissionsVersion":"V2","logType":"ACCESS_LOGS","destinations":[{"destinationType":"S3","outputFormats":["json","plain","w3c","parquet"]},{"destinationType":"CWL","outputFormats":["plain","json"]},{"destinationType":"FH","outputFormats":["json","plain","raw"]}],"mandatoryFields":["resource_arn","event_timestamp","stage","payload"]}]
│ └ vendedLogs
│ ├[+] logType: EXECUTION_LOGS
│ │ ├permissionsVersion: V2
│ │ ├destinations: [S3, CWL, FH]
│ │ └mandatoryFields: [resource_arn, event_timestamp, stage, payload]
│ └[+] logType: ACCESS_LOGS
│ ├permissionsVersion: V2
│ ├destinations: [S3, CWL, FH]
│ └mandatoryFields: [resource_arn, event_timestamp, stage, payload]
├[~] service aws-batch
│ └ resources
│ ├[+] resource AWS::Batch::QuotaShare
│ │ ├ name: QuotaShare
│ │ │ cloudFormationType: AWS::Batch::QuotaShare
│ │ │ documentation: Resource Type definition for AWS::Batch::QuotaShare
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"map"}
│ │ │ primaryIdentifier: ["QuotaShareArn"]
│ │ ├ properties
│ │ │ ├ QuotaShareName: string (required, immutable)
│ │ │ ├ JobQueue: string (required, immutable)
│ │ │ ├ CapacityLimits: Array<QuotaShareCapacityLimit> (required)
│ │ │ ├ ResourceSharingConfiguration: QuotaShareResourceSharingConfiguration (required)
│ │ │ ├ PreemptionConfiguration: QuotaSharePreemptionConfiguration (required)
│ │ │ ├ State: string<ENABLED|DISABLED>
│ │ │ └ Tags: Map<string, string>
│ │ ├ attributes
│ │ │ └ QuotaShareArn: string
│ │ └ types
│ │ ├ type QuotaShareCapacityLimit
│ │ │ ├ name: QuotaShareCapacityLimit
│ │ │ └ properties
│ │ │ ├ MaxCapacity: integer (required)
│ │ │ └ CapacityUnit: string (required)
│ │ ├ type QuotaSharePreemptionConfiguration
│ │ │ ├ name: QuotaSharePreemptionConfiguration
│ │ │ └ properties
│ │ │ └ InSharePreemption: string<ENABLED|DISABLED> (required)
│ │ └ type QuotaShareResourceSharingConfiguration
│ │ ├ name: QuotaShareResourceSharingConfiguration
│ │ └ properties
│ │ ├ Strategy: string<RESERVE|LEND|LEND_AND_BORROW> (required)
│ │ └ BorrowLimit: integer
│ └[~] resource AWS::Batch::SchedulingPolicy
│ ├ properties
│ │ └[+] QuotaSharePolicy: QuotaSharePolicy
│ └ types
│ └[+] type QuotaSharePolicy
│ ├ documentation: Quota Share Policy for the Job Queue.
│ │ name: QuotaSharePolicy
│ └ properties
│ └ IdleResourceAssignmentStrategy: string<FIFO>
├[~] service aws-bedrockagentcore
│ └ resources
│ ├[~] resource AWS::BedrockAgentCore::Gateway
│ │ ├ properties
│ │ │ └[+] PolicyEngineConfiguration: GatewayPolicyEngineConfiguration
│ │ └ types
│ │ └[+] type GatewayPolicyEngineConfiguration
│ │ ├ documentation: The configuration for a policy engine associated with a gateway. A policy engine is a collection of policies that evaluates and authorizes agent tool calls. When associated with a gateway, the policy engine intercepts all agent requests and determines whether to allow or deny each action based on the defined policies.
│ │ │ name: GatewayPolicyEngineConfiguration
│ │ └ properties
│ │ ├ Arn: string (required)
│ │ └ Mode: string<LOG_ONLY|ENFORCE> (required)
│ └[~] resource AWS::BedrockAgentCore::Memory
│ ├ properties
│ │ └[+] StreamDeliveryResources: StreamDeliveryResources
│ └ types
│ ├[+] type ContentConfiguration
│ │ ├ name: ContentConfiguration
│ │ └ properties
│ │ ├ Type: string<MEMORY_RECORDS> (required)
│ │ └ Level: string<METADATA_ONLY|FULL_CONTENT>
│ ├[+] type KinesisResource
│ │ ├ name: KinesisResource
│ │ └ properties
│ │ ├ DataStreamArn: string (required)
│ │ └ ContentConfigurations: Array<ContentConfiguration> (required)
│ ├[+] type StreamDeliveryResource
│ │ ├ name: StreamDeliveryResource
│ │ └ properties
│ │ └ Kinesis: KinesisResource
│ └[+] type StreamDeliveryResources
│ ├ name: StreamDeliveryResources
│ └ properties
│ └ Resources: Array<StreamDeliveryResource> (required)
├[~] service aws-cleanrooms
│ └ resources
│ └[~] resource AWS::CleanRooms::ConfiguredTable
│ └ types
│ └[~] type AthenaTableReference
│ └ properties
│ └[+] CatalogName: string
├[~] service aws-cleanroomsml
│ └ resources
│ ├[+] resource AWS::CleanRoomsML::ConfiguredModelAlgorithm
│ │ ├ name: ConfiguredModelAlgorithm
│ │ │ cloudFormationType: AWS::CleanRoomsML::ConfiguredModelAlgorithm
│ │ │ documentation: Definition of AWS::CleanRoomsML::ConfiguredModelAlgorithm Resource Type
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ │ arnTemplate: arn:${Partition}:cleanrooms-ml:${Region}:${Account}:configured-model-algorithm/${ResourceId}
│ │ │ primaryIdentifier: ["ConfiguredModelAlgorithmArn"]
│ │ ├ properties
│ │ │ ├ Name: string (required, immutable)
│ │ │ ├ Description: string (immutable)
│ │ │ ├ RoleArn: string (required, immutable)
│ │ │ ├ TrainingContainerConfig: ContainerConfig (immutable)
│ │ │ ├ InferenceContainerConfig: InferenceContainerConfig (immutable)
│ │ │ ├ KmsKeyArn: string (immutable)
│ │ │ └ Tags: Array<tag>
│ │ ├ attributes
│ │ │ └ ConfiguredModelAlgorithmArn: string
│ │ └ types
│ │ ├ type ContainerConfig
│ │ │ ├ name: ContainerConfig
│ │ │ └ properties
│ │ │ ├ ImageUri: string (required)
│ │ │ ├ Entrypoint: Array<string>
│ │ │ ├ Arguments: Array<string>
│ │ │ └ MetricDefinitions: Array<MetricDefinition>
│ │ ├ type InferenceContainerConfig
│ │ │ ├ name: InferenceContainerConfig
│ │ │ └ properties
│ │ │ └ ImageUri: string (required)
│ │ └ type MetricDefinition
│ │ ├ name: MetricDefinition
│ │ └ properties
│ │ ├ Name: string (required)
│ │ └ Regex: string (required)
│ └[+] resource AWS::CleanRoomsML::ConfiguredModelAlgorithmAssociation
│ ├ name: ConfiguredModelAlgorithmAssociation
│ │ cloudFormationType: AWS::CleanRoomsML::ConfiguredModelAlgorithmAssociation
│ │ documentation: Definition of AWS::CleanRoomsML::ConfiguredModelAlgorithmAssociation Resource Type
│ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ primaryIdentifier: ["ConfiguredModelAlgorithmAssociationArn"]
│ ├ properties
│ │ ├ MembershipIdentifier: string (required, immutable)
│ │ ├ ConfiguredModelAlgorithmArn: string (required, immutable)
│ │ ├ Name: string (required, immutable)
│ │ ├ Description: string (immutable)
│ │ ├ PrivacyConfiguration: PrivacyConfiguration (immutable)
│ │ └ Tags: Array<tag>
│ ├ attributes
│ │ ├ ConfiguredModelAlgorithmAssociationArn: string
│ │ └ CollaborationIdentifier: string
│ └ types
│ ├ type CustomEntityConfig
│ │ ├ name: CustomEntityConfig
│ │ └ properties
│ │ └ CustomDataIdentifiers: Array<string> (required)
│ ├ type LogRedactionConfiguration
│ │ ├ name: LogRedactionConfiguration
│ │ └ properties
│ │ ├ EntitiesToRedact: Array<string<ALL_PERSONALLY_IDENTIFIABLE_INFORMATION|NUMBERS|CUSTOM>> (required)
│ │ └ CustomEntityConfig: CustomEntityConfig
│ ├ type LogsConfigurationPolicy
│ │ ├ name: LogsConfigurationPolicy
│ │ └ properties
│ │ ├ AllowedAccountIds: Array<string> (required)
│ │ ├ FilterPattern: string
│ │ ├ LogType: string<ALL|ERROR_SUMMARY>
│ │ └ LogRedactionConfiguration: LogRedactionConfiguration
│ ├ type MetricsConfigurationPolicy
│ │ ├ name: MetricsConfigurationPolicy
│ │ └ properties
│ │ └ NoiseLevel: string<HIGH|MEDIUM|LOW|NONE> (required)
│ ├ type PrivacyConfiguration
│ │ ├ name: PrivacyConfiguration
│ │ └ properties
│ │ └ Policies: PrivacyConfigurationPolicies (required)
│ ├ type PrivacyConfigurationPolicies
│ │ ├ name: PrivacyConfigurationPolicies
│ │ └ properties
│ │ ├ TrainedModels: TrainedModelsConfigurationPolicy
│ │ ├ TrainedModelExports: TrainedModelExportsConfigurationPolicy
│ │ └ TrainedModelInferenceJobs: TrainedModelInferenceJobsConfigurationPolicy
│ ├ type TrainedModelArtifactMaxSize
│ │ ├ name: TrainedModelArtifactMaxSize
│ │ └ properties
│ │ ├ Unit: string<GB> (required)
│ │ └ Value: number (required)
│ ├ type TrainedModelExportsConfigurationPolicy
│ │ ├ name: TrainedModelExportsConfigurationPolicy
│ │ └ properties
│ │ ├ MaxSize: TrainedModelExportsMaxSize (required)
│ │ └ FilesToExport: Array<string<MODEL|OUTPUT>> (required)
│ ├ type TrainedModelExportsMaxSize
│ │ ├ name: TrainedModelExportsMaxSize
│ │ └ properties
│ │ ├ Unit: string<GB> (required)
│ │ └ Value: number (required)
│ ├ type TrainedModelInferenceJobsConfigurationPolicy
│ │ ├ name: TrainedModelInferenceJobsConfigurationPolicy
│ │ └ properties
│ │ ├ ContainerLogs: Array<LogsConfigurationPolicy>
│ │ └ MaxOutputSize: TrainedModelInferenceMaxOutputSize
│ ├ type TrainedModelInferenceMaxOutputSize
│ │ ├ name: TrainedModelInferenceMaxOutputSize
│ │ └ properties
│ │ ├ Unit: string<GB> (required)
│ │ └ Value: number (required)
│ └ type TrainedModelsConfigurationPolicy
│ ├ name: TrainedModelsConfigurationPolicy
│ └ properties
│ ├ ContainerLogs: Array<LogsConfigurationPolicy>
│ ├ ContainerMetrics: MetricsConfigurationPolicy
│ └ MaxArtifactSize: TrainedModelArtifactMaxSize
├[~] service aws-cloudwatch
│ └ resources
│ └[~] resource AWS::CloudWatch::InsightRule
│ ├ - tagInformation: {"tagPropertyName":"Tags","variant":"map"}
│ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ └ properties
│ └ Tags: - json ⇐ Array<tag>
│ + Array<tag>
├[~] service aws-config
│ └ resources
│ └[~] resource AWS::Config::RemediationConfiguration
│ ├ - primaryIdentifier: ["Id"]
│ │ + primaryIdentifier: undefined
│ ├ properties
│ │ └ Parameters: - Map<string, RemediationParameterValue> ⇐ json
│ │ + json
│ ├ attributes
│ │ └[-] Id: string
│ └ types
│ └[~] type StaticValue
│ └ properties
│ └[-] Value: Array<string>
├[~] service aws-connect
│ └ resources
│ └[~] resource AWS::Connect::Queue
│ ├ properties
│ │ └[+] AdditionalEmailAddresses: Array<EmailAddress>
│ └ types
│ └[+] type EmailAddress
│ ├ documentation: An email address configuration for the queue
│ │ name: EmailAddress
│ └ properties
│ └ EmailAddressArn: string (required)
├[~] service aws-deadline
│ └ resources
│ └[~] resource AWS::Deadline::Farm
│ └ properties
│ └[+] CostScaleFactor: number (default=1)
├[~] service aws-directoryservice
│ └ resources
│ └[~] resource AWS::DirectoryService::MicrosoftAD
│ └ - arnTemplate: arn:${Partition}:ds:${Region}:${Account}:${DirectoryId}
│ + arnTemplate: arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId}
├[~] service aws-dlm
│ └ resources
│ └[~] resource AWS::DLM::LifecyclePolicy
│ ├ properties
│ │ └ CrossRegionCopyTargets: - json
│ │ + Array<CrossRegionCopyTarget>
│ └ types
│ ├[+] type CrossRegionCopyTarget
│ │ ├ name: CrossRegionCopyTarget
│ │ └ properties
│ │ └ TargetRegion: string
│ ├[~] type Exclusions
│ │ └ properties
│ │ ├ ExcludeTags: - json
│ │ │ + Array<tag>
│ │ └ ExcludeVolumeTypes: - json
│ │ + Array<json>
│ └[~] type PolicyDetails
│ └ properties
│ └ CrossRegionCopyTargets: - json
│ + Array<CrossRegionCopyTarget>
├[~] service aws-ec2
│ └ resources
│ ├[~] resource AWS::EC2::EC2Fleet
│ │ └ types
│ │ └[~] type TargetCapacitySpecificationRequest
│ │ └ properties
│ │ └ DefaultTargetCapacityType: - string<on-demand|spot> (immutable)
│ │ + string<on-demand|spot|reserved-capacity> (immutable)
│ ├[~] resource AWS::EC2::InstanceConnectEndpoint
│ │ ├ attributes
│ │ │ ├[+] AvailabilityZone: string
│ │ │ ├[+] AvailabilityZoneId: string
│ │ │ ├[+] CreatedAt: string
│ │ │ ├[+] InstanceConnectEndpointArn: string
│ │ │ ├[+] NetworkInterfaceIds: Array<string>
│ │ │ ├[+] OwnerId: string
│ │ │ ├[+] PublicDnsNames: InstanceConnectEndpointPublicDnsNames
│ │ │ ├[+] State: string<create-in-progress|create-complete|create-failed|delete-in-progress|delete-complete|delete-failed|update-in-progress|update-complete|update-failed>
│ │ │ ├[+] StateMessage: string
│ │ │ └[+] VpcId: string
│ │ └ types
│ │ ├[+] type InstanceConnectEndpointDnsNames
│ │ │ ├ documentation: The DNS names of the endpoint.
│ │ │ │ name: InstanceConnectEndpointDnsNames
│ │ │ └ properties
│ │ │ ├ DnsName: string
│ │ │ └ FipsDnsName: string
│ │ └[+] type InstanceConnectEndpointPublicDnsNames
│ │ ├ documentation: The public DNS names of the endpoint, including IPv4-only and dualstack DNS names.
│ │ │ name: InstanceConnectEndpointPublicDnsNames
│ │ └ properties
│ │ ├ Ipv4: InstanceConnectEndpointDnsNames
│ │ └ Dualstack: InstanceConnectEndpointDnsNames
│ ├[+] resource AWS::EC2::IPAMPrefixListResolverTarget
│ │ ├ name: IPAMPrefixListResolverTarget
│ │ │ cloudFormationType: AWS::EC2::IPAMPrefixListResolverTarget
│ │ │ documentation: Resource Type definition for AWS::EC2::IPAMPrefixListResolverTarget
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ │ primaryIdentifier: ["IpamPrefixListResolverTargetId"]
│ │ ├ properties
│ │ │ ├ IpamPrefixListResolverId: string (required, immutable)
│ │ │ ├ PrefixListId: string (required, immutable)
│ │ │ ├ PrefixListRegion: string (required, immutable)
│ │ │ ├ DesiredVersion: integer
│ │ │ ├ TrackLatestVersion: boolean (required)
│ │ │ └ Tags: Array<tag>
│ │ └ attributes
│ │ ├ IpamPrefixListResolverTargetId: string
│ │ └ IpamPrefixListResolverTargetArn: string
│ └[~] resource AWS::EC2::TransitGatewayMeteringPolicyEntry
│ └ properties
│ ├ DestinationTransitGatewayAttachmentType: - string<vpc|vpn|direct-connect-gateway|peering|network-function|vpn-concentrator> (immutable)
│ │ + string<vpc|vpn|direct-connect-gateway|peering|network-function|vpn-concentrator|client-vpn> (immutable)
│ └ SourceTransitGatewayAttachmentType: - string<vpc|vpn|direct-connect-gateway|peering|network-function|vpn-concentrator> (immutable)
│ + string<vpc|vpn|direct-connect-gateway|peering|network-function|vpn-concentrator|client-vpn> (immutable)
├[~] service aws-eks
│ └ resources
│ └[~] resource AWS::EKS::Cluster
│ └ types
│ ├[~] type ControlPlaneScalingConfig
│ │ └ properties
│ │ └ Tier: - string<standard|tier-xl|tier-2xl|tier-4xl>
│ │ + string<standard|tier-xl|tier-2xl|tier-4xl|tier-8xl|tier-ultra>
│ └[~] type RemoteNetworkConfig
│ └ properties
│ └ RemoteNodeNetworks: - Array<RemoteNodeNetwork> (required)
│ + Array<RemoteNodeNetwork>
├[~] service aws-elasticache
│ └ resources
│ └[~] resource AWS::ElastiCache::ReplicationGroup
│ ├ properties
│ │ ├ AtRestEncryptionEnabled: - boolean (immutable)
│ │ │ + boolean (default=false, immutable)
│ │ ├ AutomaticFailoverEnabled: - boolean
│ │ │ + boolean (default=false)
│ │ ├ CacheSecurityGroupNames: - Array<string>
│ │ │ + Array<string> (deprecated=WARN)
│ │ ├ NumNodeGroups: - integer (immutable?)
│ │ │ + integer (default=1, immutable?)
│ │ ├ SnapshotRetentionLimit: - integer
│ │ │ + integer (default=0)
│ │ └ TransitEncryptionEnabled: - boolean
│ │ + boolean (default=false)
│ ├ attributes
│ │ ├[+] ConfigurationEndPoint: Endpoint
│ │ ├[+] PrimaryEndPoint: Endpoint
│ │ ├[+] ReadEndPoint: ReadEndPoint
│ │ ├[-] ReadEndPoint.Addresses.List: Array<string>
│ │ ├[+] ReadEndPoint.AddressesList: Array<string>
│ │ ├[-] ReadEndPoint.Ports.List: Array<string>
│ │ ├[+] ReadEndPoint.PortsList: Array<string>
│ │ └[+] ReaderEndPoint: Endpoint
│ └ types
│ ├[+] type Endpoint
│ │ ├ name: Endpoint
│ │ └ properties
│ │ ├ Address: string
│ │ └ Port: string
│ └[+] type ReadEndPoint
│ ├ name: ReadEndPoint
│ └ properties
│ ├ Addresses: string
│ ├ AddressesList: Array<string>
│ ├ Ports: string
│ └ PortsList: Array<string>
├[+] service aws-elementalinference
│ ├ capitalized: ElementalInference
│ │ cloudFormationNamespace: AWS::ElementalInference
│ │ name: aws-elementalinference
│ │ shortName: elementalinference
│ └ resources
│ └ resource AWS::ElementalInference::Feed
│ ├ name: Feed
│ │ cloudFormationType: AWS::ElementalInference::Feed
│ │ documentation: Represents a feed that receives media for inference processing
│ │ tagInformation: {"tagPropertyName":"Tags","variant":"map"}
│ │ arnTemplate: arn:${Partition}:elemental-inference:${Region}:${Account}:feed/${Id}
│ │ primaryIdentifier: ["Id"]
│ ├ properties
│ │ ├ Name: string (required)
│ │ ├ Outputs: Array<GetOutput> (required)
│ │ └ Tags: Map<string, string>
│ ├ attributes
│ │ ├ Arn: string
│ │ ├ DataEndpoints: Array<string>
│ │ └ Id: string
│ └ types
│ ├ type ClippingConfig
│ │ ├ name: ClippingConfig
│ │ └ properties
│ │ └ CallbackMetadata: string
│ ├ type GetOutput
│ │ ├ name: GetOutput
│ │ └ properties
│ │ ├ Name: string (required)
│ │ ├ OutputConfig: OutputConfig (required)
│ │ ├ Status: string<ENABLED|DISABLED> (required)
│ │ └ Description: string
│ └ type OutputConfig
│ ├ name: OutputConfig
│ └ properties
│ ├ Cropping: json
│ └ Clipping: ClippingConfig
├[~] service aws-gameliftstreams
│ └ resources
│ └[~] resource AWS::GameLiftStreams::StreamGroup
│ └ types
│ ├[~] type LocationConfiguration
│ │ └ properties
│ │ └[+] VpcTransitConfiguration: VpcTransitConfiguration
│ └[+] type VpcTransitConfiguration
│ ├ name: VpcTransitConfiguration
│ └ properties
│ ├ VpcId: string (required)
│ └ Ipv4CidrBlocks: Array<string> (required)
├[~] service aws-glue
│ └ resources
│ ├[+] resource AWS::Glue::Catalog
│ │ ├ name: Catalog
│ │ │ cloudFormationType: AWS::Glue::Catalog
│ │ │ documentation: Creates a catalog in the Glue Data Catalog.
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ │ primaryIdentifier: ["ResourceArn"]
│ │ ├ properties
│ │ │ ├ Name: string (required, immutable)
│ │ │ ├ Description: string
│ │ │ ├ Parameters: Map<string, string>
│ │ │ ├ FederatedCatalog: FederatedCatalog
│ │ │ ├ TargetRedshiftCatalog: TargetRedshiftCatalog
│ │ │ ├ CatalogProperties: CatalogProperties
│ │ │ ├ CreateTableDefaultPermissions: Array<PrincipalPermissions>
│ │ │ ├ CreateDatabaseDefaultPermissions: Array<PrincipalPermissions>
│ │ │ ├ AllowFullTableExternalDataAccess: string<True|False>
│ │ │ ├ OverwriteChildResourcePermissionsWithDefault: string<Accept|Deny>
│ │ │ └ Tags: Array<tag>
│ │ ├ attributes
│ │ │ ├ CatalogId: string
│ │ │ ├ ResourceArn: string
│ │ │ ├ CreateTime: integer
│ │ │ ├ UpdateTime: integer
│ │ │ ├ CatalogProperties.DataLakeAccessProperties.ManagedWorkgroupName: string
│ │ │ ├ CatalogProperties.DataLakeAccessProperties.ManagedWorkgroupStatus: string
│ │ │ ├ CatalogProperties.DataLakeAccessProperties.RedshiftDatabaseName: string
│ │ │ └ CatalogProperties.CustomProperties: Map<string, string>
│ │ └ types
│ │ ├ type CatalogProperties
│ │ │ ├ documentation: A structure that specifies data lake access properties and other custom properties.
│ │ │ │ name: CatalogProperties
│ │ │ └ properties
│ │ │ ├ DataLakeAccessProperties: DataLakeAccessProperties
│ │ │ └ CustomProperties: Map<string, string>
│ │ ├ type DataLakeAccessProperties
│ │ │ ├ documentation: Data lake access properties for the catalog.
│ │ │ │ name: DataLakeAccessProperties
│ │ │ └ properties
│ │ │ ├ DataLakeAccess: boolean
│ │ │ ├ DataTransferRole: string
│ │ │ ├ KmsKey: string
│ │ │ ├ CatalogType: string
│ │ │ ├ ManagedWorkgroupName: string
│ │ │ ├ ManagedWorkgroupStatus: string
│ │ │ ├ RedshiftDatabaseName: string
│ │ │ └ AllowFullTableExternalDataAccess: string<True|False>
│ │ ├ type DataLakePrincipal
│ │ │ ├ documentation: The Lake Formation principal.
│ │ │ │ name: DataLakePrincipal
│ │ │ └ properties
│ │ │ └ DataLakePrincipalIdentifier: string
│ │ ├ type FederatedCatalog
│ │ │ ├ documentation: A FederatedCatalog structure that references an entity outside the Glue Data Catalog.
│ │ │ │ name: FederatedCatalog
│ │ │ └ properties
│ │ │ ├ Identifier: string
│ │ │ └ ConnectionName: string
│ │ ├ type PrincipalPermissions
│ │ │ ├ documentation: Permissions granted to a principal.
│ │ │ │ name: PrincipalPermissions
│ │ │ └ properties
│ │ │ ├ Principal: DataLakePrincipal
│ │ │ └ Permissions: Array<string<ALL|SELECT|ALTER|DROP|DELETE|INSERT|CREATE_DATABASE|CREATE_TABLE|DATA_LOCATION_ACCESS>>
│ │ └ type TargetRedshiftCatalog
│ │ ├ documentation: A structure that describes a target catalog for resource linking.
│ │ │ name: TargetRedshiftCatalog
│ │ └ properties
│ │ └ CatalogArn: string (required)
│ └[~] resource AWS::Glue::SecurityConfiguration
│ └ types
│ └[~] type EncryptionConfiguration
│ └ properties
│ └ S3Encryptions: - json ⇐ Array<S3Encryption>
│ + Array<S3Encryption>
├[~] service aws-lakeformation
│ └ resources
│ └[~] resource AWS::LakeFormation::DataLakeSettings
│ └ properties
│ ├ Admins: - json ⇐ Array<DataLakePrincipal>
│ │ + Array<DataLakePrincipal>
│ ├ CreateDatabaseDefaultPermissions: - json ⇐ Array<PrincipalPermissions>
│ │ + Array<PrincipalPermissions>
│ ├ CreateTableDefaultPermissions: - json ⇐ Array<PrincipalPermissions>
│ │ + Array<PrincipalPermissions>
│ ├ ExternalDataFilteringAllowList: - json ⇐ Array<DataLakePrincipal>
│ │ + Array<DataLakePrincipal>
│ └ ReadOnlyAdmins: - json
│ + Array<DataLakePrincipal>
├[~] service aws-logs
│ └ resources
│ └[~] resource AWS::Logs::ScheduledQuery
│ └ attributes
│ └ LastExecutionStatus: - string<InvalidQuery|Complete|Failed|Timeout>
│ + string<Pending|InvalidQuery|Complete|Failed|Timeout>
├[~] service aws-mediaconnect
│ └ resources
│ ├[~] resource AWS::MediaConnect::Flow
│ │ ├ - tagInformation: undefined
│ │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ ├ properties
│ │ │ ├[+] EncodingConfig: EncodingConfig
│ │ │ ├ FlowSize: - string<MEDIUM|LARGE>
│ │ │ │ + string<MEDIUM|LARGE|LARGE_4X>
│ │ │ └[+] Tags: Array<tag>
│ │ └ types
│ │ ├[+] type EncodingConfig
│ │ │ ├ name: EncodingConfig
│ │ │ └ properties
│ │ │ ├ EncodingProfile: string<DISTRIBUTION_H264_DEFAULT|CONTRIBUTION_H264_DEFAULT>
│ │ │ └ VideoMaxBitrate: integer
│ │ ├[~] type MediaStream
│ │ │ └ properties
│ │ │ └[+] Tags: Array<tag>
│ │ ├[+] type NdiSourceSettings
│ │ │ ├ name: NdiSourceSettings
│ │ │ └ properties
│ │ │ └ SourceName: string
│ │ ├[~] type Source
│ │ │ └ properties
│ │ │ ├[+] NdiSourceSettings: NdiSourceSettings
│ │ │ ├ Protocol: - string<zixi-push|rtp-fec|rtp|rist|fujitsu-qos|srt-listener|srt-caller|st2110-jpegxs|cdi>
│ │ │ │ + string<zixi-push|rtp-fec|rtp|rist|srt-listener|srt-caller|st2110-jpegxs|cdi|ndi-speed-hq>
│ │ │ └[+] Tags: Array<tag>
│ │ └[~] type VpcInterface
│ │ └ properties
│ │ └[+] Tags: Array<tag>
│ ├[~] resource AWS::MediaConnect::FlowEntitlement
│ │ ├ - tagInformation: undefined
│ │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ └ properties
│ │ ├ FlowArn: - string (required)
│ │ │ + string (required, immutable)
│ │ └[+] Tags: Array<tag>
│ ├[~] resource AWS::MediaConnect::FlowOutput
│ │ ├ - tagInformation: undefined
│ │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ └ properties
│ │ ├ FlowArn: - string (required)
│ │ │ + string (required, immutable)
│ │ ├ Protocol: - string<zixi-push|rtp-fec|rtp|zixi-pull|rist|fujitsu-qos|srt-listener|srt-caller|st2110-jpegxs|cdi|ndi-speed-hq>
│ │ │ + string<zixi-push|rtp-fec|rtp|zixi-pull|rist|srt-listener|srt-caller|st2110-jpegxs|cdi|ndi-speed-hq>
│ │ └[+] Tags: Array<tag>
│ └[~] resource AWS::MediaConnect::FlowSource
│ ├ - tagInformation: undefined
│ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ └ properties
│ ├ EntitlementArn: - string
│ │ + string (deprecated=WARN)
│ ├ FlowArn: - string
│ │ + string (required, immutable)
│ ├ Protocol: - string<zixi-push|rtp-fec|rtp|rist|srt-listener|srt-caller>
│ │ + string<zixi-push|rtp-fec|rtp|rist|srt-listener|srt-caller> (immutable)
│ ├ SenderControlPort: - integer
│ │ + integer (deprecated=WARN)
│ ├ SenderIpAddress: - string
│ │ + string (deprecated=WARN)
│ └[+] Tags: Array<tag>
├[~] service aws-medialive
│ └ resources
│ └[~] resource AWS::MediaLive::Channel
│ ├ properties
│ │ └[+] InferenceSettings: InferenceSettings
│ └ types
│ └[+] type InferenceSettings
│ ├ name: InferenceSettings
│ └ properties
│ └ FeedArn: string
├[~] service aws-networkfirewall
│ └ resources
│ └[~] resource AWS::NetworkFirewall::RuleGroup
│ └ - arnTemplate: arn:${Partition}:network-firewall:${Region}:${Account}:stateful-rulegroup/${Name}
│ + arnTemplate: arn:${Partition}:network-firewall:${Region}:${Account}:stateless-rulegroup/${Name}
├[~] service aws-observabilityadmin
│ └ resources
│ └[+] resource AWS::ObservabilityAdmin::TelemetryEnrichment
│ ├ name: TelemetryEnrichment
│ │ cloudFormationType: AWS::ObservabilityAdmin::TelemetryEnrichment
│ │ documentation: AWS::ObservabilityAdmin::TelemetryEnrichment cloudformation resource enables the resource tags for telemetry feature in CloudWatch to enrich infrastructure metrics with AWS resource tags. For more details: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/resource-tags-for-telemetry.html
│ │ primaryIdentifier: ["Scope"]
│ ├ properties
│ │ └ Scope: string<ACCOUNT> (immutable)
│ └ attributes
│ └ Status: string<RUNNING|STOPPED|IMPAIRED>
├[~] service aws-odb
│ └ resources
│ ├[~] resource AWS::ODB::CloudAutonomousVmCluster
│ │ ├ properties
│ │ │ └[+] IamRoles: Array<IamRole>
│ │ └ types
│ │ └[+] type IamRole
│ │ ├ documentation: An AWS Identity and Access Management (IAM) service role associated with the Autonomous VM cluster.
│ │ │ name: IamRole
│ │ └ properties
│ │ ├ AwsIntegration: string
│ │ ├ IamRoleArn: string
│ │ └ Status: string
│ ├[~] resource AWS::ODB::CloudVmCluster
│ │ ├ properties
│ │ │ └[+] IamRoles: Array<IamRole>
│ │ └ types
│ │ └[+] type IamRole
│ │ ├ documentation: An AWS Identity and Access Management (IAM) service role associated with the VM cluster.
│ │ │ name: IamRole
│ │ └ properties
│ │ ├ AwsIntegration: string
│ │ ├ IamRoleArn: string
│ │ └ Status: string
│ ├[~] resource AWS::ODB::OdbNetwork
│ │ ├ properties
│ │ │ ├[+] CrossRegionS3RestoreSources: Array<string>
│ │ │ ├[+] KmsAccess: string<ENABLED|DISABLED>
│ │ │ ├[+] KmsPolicyDocument: string
│ │ │ ├[+] StsAccess: string<ENABLED|DISABLED>
│ │ │ └[+] StsPolicyDocument: string
│ │ └ types
│ │ ├[+] type CrossRegionS3RestoreSourcesAccess
│ │ │ ├ documentation: The configuration access for the cross-Region Amazon S3 database restore source for the ODB network.
│ │ │ │ name: CrossRegionS3RestoreSourcesAccess
│ │ │ └ properties
│ │ │ ├ Status: string<ENABLED|ENABLING|DISABLED|DISABLING>
│ │ │ ├ Ipv4Addresses: Array<string>
│ │ │ └ Region: string
│ │ ├[+] type KmsAccess
│ │ │ ├ documentation: The AWS Key Management Service (KMS) access configuration.
│ │ │ │ name: KmsAccess
│ │ │ └ properties
│ │ │ ├ Status: string<ENABLED|ENABLING|DISABLED|DISABLING>
│ │ │ ├ Ipv4Addresses: Array<string>
│ │ │ ├ DomainName: string
│ │ │ └ KmsPolicyDocument: string
│ │ ├[~] type ManagedServices
│ │ │ └ properties
│ │ │ ├[+] CrossRegionS3RestoreSourcesAccess: Array<CrossRegionS3RestoreSourcesAccess>
│ │ │ ├[+] KmsAccess: KmsAccess
│ │ │ └[+] StsAccess: StsAccess
│ │ └[+] type StsAccess
│ │ ├ documentation: The AWS Security Token Service (STS) access configuration.
│ │ │ name: StsAccess
│ │ └ properties
│ │ ├ Status: string<ENABLED|ENABLING|DISABLED|DISABLING>
│ │ ├ Ipv4Addresses: Array<string>
│ │ ├ DomainName: string
│ │ └ StsPolicyDocument: string
│ └[~] resource AWS::ODB::OdbPeeringConnection
│ └ properties
│ └[+] PeerNetworkRouteTableIds: Array<string> (immutable)
├[~] service aws-opensearchserverless
│ └ resources
│ └[~] resource AWS::OpenSearchServerless::Collection
│ ├ properties
│ │ └[+] VectorOptions: VectorOptions (immutable)
│ └ types
│ └[+] type VectorOptions
│ ├ documentation: Vector search configuration options for the collection
│ │ name: VectorOptions
│ └ properties
│ └ ServerlessVectorAcceleration: string<ENABLED|DISABLED|ALLOWED> (immutable)
├[~] service aws-opensearchservice
│ └ resources
│ └[~] resource AWS::OpenSearchService::Domain
│ ├ properties
│ │ └[+] DeploymentStrategyOptions: DeploymentStrategyOptions
│ └ types
│ └[+] type DeploymentStrategyOptions
│ ├ name: DeploymentStrategyOptions
│ └ properties
│ └ DeploymentStrategy: string<Default|CapacityOptimized>
├[~] service aws-ram
│ └ resources
│ └[~] resource AWS::RAM::Permission
│ └ - arnTemplate: arn:${Partition}:ram::${Account}:permission/${ResourcePath}
│ + arnTemplate: arn:${Partition}:ram:${Region}:${Account}:permission/${ResourcePath}
├[+] service aws-route53globalresolver
│ ├ capitalized: Route53GlobalResolver
│ │ cloudFormationNamespace: AWS::Route53GlobalResolver
│ │ name: aws-route53globalresolver
│ │ shortName: route53globalresolver
│ └ resources
│ ├ resource AWS::Route53GlobalResolver::AccessSource
│ │ ├ name: AccessSource
│ │ │ cloudFormationType: AWS::Route53GlobalResolver::AccessSource
│ │ │ documentation: Resource schema for AWS::Route53GlobalResolver::AccessSource
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ │ arnTemplate: arn:${Partition}:route53globalresolver::${Account}:access-source/${Id}
│ │ │ primaryIdentifier: ["AccessSourceId"]
│ │ ├ properties
│ │ │ ├ Cidr: string (required)
│ │ │ ├ IpAddressType: string<IPV4|IPV6>
│ │ │ ├ Name: string
│ │ │ ├ DnsViewId: string (required, immutable)
│ │ │ ├ Protocol: string<DO53|DOH|DOT> (required)
│ │ │ ├ ClientToken: string (immutable)
│ │ │ └ Tags: Array<tag>
│ │ └ attributes
│ │ ├ Arn: string
│ │ ├ AccessSourceId: string
│ │ ├ CreatedAt: string
│ │ ├ UpdatedAt: string
│ │ └ Status: string<CREATING|OPERATIONAL|UPDATING|DELETING>
│ ├ resource AWS::Route53GlobalResolver::AccessToken
│ │ ├ name: AccessToken
│ │ │ cloudFormationType: AWS::Route53GlobalResolver::AccessToken
│ │ │ documentation: Resource schema for AWS::Route53GlobalResolver::AccessToken
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ │ arnTemplate: arn:${Partition}:route53globalresolver::${Account}:access-token/${Id}
│ │ │ primaryIdentifier: ["AccessTokenId"]
│ │ ├ properties
│ │ │ ├ Name: string
│ │ │ ├ DnsViewId: string (required, immutable)
│ │ │ ├ ExpiresAt: string (immutable)
│ │ │ ├ ClientToken: string (immutable)
│ │ │ └ Tags: Array<tag>
│ │ └ attributes
│ │ ├ Arn: string
│ │ ├ AccessTokenId: string
│ │ ├ CreatedAt: string
│ │ ├ UpdatedAt: string
│ │ ├ Status: string<CREATING|OPERATIONAL|DELETING>
│ │ ├ Value: string
│ │ └ GlobalResolverId: string
│ ├ resource AWS::Route53GlobalResolver::DnsView
│ │ ├ name: DnsView
│ │ │ cloudFormationType: AWS::Route53GlobalResolver::DnsView
│ │ │ documentation: Resource schema for AWS::Route53GlobalResolver::DnsView
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ │ arnTemplate: arn:${Partition}:route53globalresolver::${Account}:dns-view/${Id}
│ │ │ primaryIdentifier: ["DnsViewId"]
│ │ ├ properties
│ │ │ ├ Name: string (required)
│ │ │ ├ Description: string
│ │ │ ├ GlobalResolverId: string (required, immutable)
│ │ │ ├ DnssecValidation: string<ENABLED|DISABLED>
│ │ │ ├ EdnsClientSubnet: string<ENABLED|DISABLED>
│ │ │ ├ FirewallRulesFailOpen: string<ENABLED|DISABLED>
│ │ │ ├ ClientToken: string (immutable)
│ │ │ └ Tags: Array<tag>
│ │ └ attributes
│ │ ├ Arn: string
│ │ ├ DnsViewId: string
│ │ ├ CreatedAt: string
│ │ ├ UpdatedAt: string
│ │ └ Status: string<CREATING|OPERATIONAL|UPDATING|ENABLING|DISABLING|DISABLED|DELETING>
│ ├ resource AWS::Route53GlobalResolver::FirewallDomainList
│ │ ├ name: FirewallDomainList
│ │ │ cloudFormationType: AWS::Route53GlobalResolver::FirewallDomainList
│ │ │ documentation: Resource schema for AWS::Route53GlobalResolver::FirewallDomainList
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ │ arnTemplate: arn:${Partition}:route53globalresolver::${Account}:firewall-domain-list/${Id}
│ │ │ primaryIdentifier: ["FirewallDomainListId"]
│ │ ├ properties
│ │ │ ├ Name: string (required, immutable)
│ │ │ ├ Description: string (immutable)
│ │ │ ├ GlobalResolverId: string (required, immutable)
│ │ │ ├ Domains: Array<string>
│ │ │ ├ DomainFileUrl: string
│ │ │ ├ ClientToken: string (immutable)
│ │ │ └ Tags: Array<tag>
│ │ └ attributes
│ │ ├ Arn: string
│ │ ├ FirewallDomainListId: string
│ │ ├ DomainCount: integer
│ │ ├ CreatedAt: string
│ │ ├ UpdatedAt: string
│ │ ├ Status: string<CREATING|OPERATIONAL|UPDATING|DELETING>
│ │ └ StatusMessage: string
│ ├ resource AWS::Route53GlobalResolver::FirewallRule
│ │ ├ name: FirewallRule
│ │ │ cloudFormationType: AWS::Route53GlobalResolver::FirewallRule
│ │ │ documentation: Resource schema for AWS::Route53GlobalResolver::FirewallRule
│ │ │ primaryIdentifier: ["FirewallRuleId"]
│ │ ├ properties
│ │ │ ├ Name: string (required)
│ │ │ ├ Description: string
│ │ │ ├ Action: string<ALLOW|ALERT|BLOCK> (required)
│ │ │ ├ BlockResponse: string<NODATA|NXDOMAIN|OVERRIDE>
│ │ │ ├ BlockOverrideDnsType: string<CNAME>
│ │ │ ├ BlockOverrideDomain: string
│ │ │ ├ BlockOverrideTtl: integer
│ │ │ ├ ConfidenceThreshold: string<LOW|MEDIUM|HIGH>
│ │ │ ├ DnsAdvancedProtection: string<DGA|DNS_TUNNELING|DICTIONARY_DGA>
│ │ │ ├ FirewallDomainListId: string (immutable)
│ │ │ ├ Priority: integer
│ │ │ ├ DnsViewId: string (required, immutable)
│ │ │ ├ QType: string (immutable)
│ │ │ └ ClientToken: string (immutable)
│ │ └ attributes
│ │ ├ FirewallRuleId: string
│ │ ├ CreatedAt: string
│ │ ├ UpdatedAt: string
│ │ ├ Status: string<CREATING|OPERATIONAL|UPDATING|DELETING>
│ │ └ QueryType: string
│ ├ resource AWS::Route53GlobalResolver::GlobalResolver
│ │ ├ name: GlobalResolver
│ │ │ cloudFormationType: AWS::Route53GlobalResolver::GlobalResolver
│ │ │ documentation: Resource schema for AWS::Route53GlobalResolver::GlobalResolver
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ │ arnTemplate: arn:${Partition}:route53globalresolver::${Account}:global-resolver/${Id}
│ │ │ vendedLogs: [{"permissionsVersion":"V2","logType":"GLOBAL_RESOLVER_LOGS","destinations":[{"destinationType":"S3","outputFormats":["json","plain","w3c","parquet"]},{"destinationType":"CWL","outputFormats":["plain","json"]},{"destinationType":"FH","outputFormats":["json","plain","raw"]}],"mandatoryFields":["action_id","activity_id","category_uid","class_uid","cloud","metadata","severity_id","src_endpoint","time","type_uid"],"optionalFields":["action_name","activity_name","answers","category_name","class_name","connection_info","duration","end_time","enrichments","message","query","query_time","rcode","rcode_id","response_time","severity","start_time","status","status_id","type_name"]}]
│ │ │ primaryIdentifier: ["GlobalResolverId"]
│ │ ├ properties
│ │ │ ├ Name: string (required)
│ │ │ ├ Description: string
│ │ │ ├ Regions: Array<string> (required, immutable)
│ │ │ ├ ObservabilityRegion: string
│ │ │ ├ IpAddressType: string<IPV4|DUAL_STACK>
│ │ │ ├ ClientToken: string (immutable)
│ │ │ └ Tags: Array<tag>
│ │ └ attributes
│ │ ├ Arn: string
│ │ ├ GlobalResolverId: string
│ │ ├ DnsName: string
│ │ ├ IPv4Addresses: Array<string>
│ │ ├ IPv6Addresses: Array<string>
│ │ ├ CreatedAt: string
│ │ ├ UpdatedAt: string
│ │ └ Status: string<CREATING|OPERATIONAL|UPDATING|DELETING>
│ └ resource AWS::Route53GlobalResolver::HostedZoneAssociation
│ ├ name: HostedZoneAssociation
│ │ cloudFormationType: AWS::Route53GlobalResolver::HostedZoneAssociation
│ │ documentation: Resource schema for AWS::Route53GlobalResolver::HostedZoneAssociation
│ │ primaryIdentifier: ["HostedZoneAssociationId"]
│ ├ properties
│ │ ├ Name: string (required)
│ │ ├ HostedZoneId: string (required, immutable)
│ │ └ ResourceArn: string (required, immutable)
│ └ attributes
│ ├ HostedZoneAssociationId: string
│ ├ HostedZoneName: string
│ ├ CreatedAt: string
│ ├ UpdatedAt: string
│ └ Status: string<CREATING|OPERATIONAL|DELETING>
├[~] service aws-s3
│ └ resources
│ └[~] resource AWS::S3::Bucket
│ ├ - vendedLogs: [{"permissionsVersion":"V2","logType":"S3_SERVER_ACCESS_LOGS","destinations":[{"destinationType":"S3","outputFormats":["json","parquet"]},{"destinationType":"CWL","outputFormats":["json"]},{"destinationType":"FH","outputFormats":["json"]}],"mandatoryFields":["schema_version_id","bucket_arn","request_time","bucket_owner_id","remote_ip","requester","request_id","operation","key_name","request_uri","http_status","error_code","bytes_sent","object_size","total_duration","turn_around_duration","referer","user_agent","version_id","host_id","signature_version","cipher_suite","authentication_type","host_header","tls_version","access_point_arn","acl_required","source_region"],"optionalFields":["bucket_name"]}]
│ │ + vendedLogs: [{"permissionsVersion":"V2","logType":"S3_SERVER_ACCESS_LOGS","destinations":[{"destinationType":"S3","outputFormats":["json","parquet"]},{"destinationType":"CWL","outputFormats":["json"]},{"destinationType":"FH","outputFormats":["json"]}],"mandatoryFields":["schema_version_id","bucket_arn","request_time","bucket_owner_id","remote_ip","requester","request_id","operation","key_name","request_uri","http_status","error_code","bytes_sent_size","object_size","total_duration","turn_around_duration","referer","user_agent","version_id","host_id","signature_version","cipher_suite","authentication_type","host_header","tls_version","access_point_arn","acl_required","source_region"],"optionalFields":["bucket_name"]}]
│ ├ properties
│ │ ├[+] BucketNamePrefix: string (immutable)
│ │ └[+] BucketNamespace: string<global|account-regional> (immutable)
│ └ vendedLogs
│ └[~] logType: S3_SERVER_ACCESS_LOGS
│ └mandatoryFields:
│ ├- [schema_version_id, bucket_arn, request_time, bucket_owner_id, remote_ip, requester, request_id, operation, key_name, request_uri, http_status, error_code, bytes_sent, object_size, total_duration, turn_around_duration, referer, user_agent, version_id, host_id, signature_version, cipher_suite, authentication_type, host_header, tls_version, access_point_arn, acl_required, source_region]
│ └+ [schema_version_id, bucket_arn, request_time, bucket_owner_id, remote_ip, requester, request_id, operation, key_name, request_uri, http_status, error_code, bytes_sent_size, object_size, total_duration, turn_around_duration, referer, user_agent, version_id, host_id, signature_version, cipher_suite, authentication_type, host_header, tls_version, access_point_arn, acl_required, source_region]
├[~] service aws-servicecatalog
│ └ resources
│ └[~] resource AWS::ServiceCatalog::StackSetConstraint
│ └ attributes
│ └ Id: (documentation changed)
├[~] service aws-servicediscovery
│ └ resources
│ └[~] resource AWS::ServiceDiscovery::Service
│ └ properties
│ └ ServiceAttributes: - json
│ + Map<string, string> ⇐ json
├[~] service aws-verifiedpermissions
│ └ resources
│ └[~] resource AWS::VerifiedPermissions::PolicyStore
│ └ types
│ └[~] type SchemaDefinition
│ └ properties
│ └[-] CedarFormat: string
├[~] service aws-wisdom
│ └ resources
│ └[~] resource AWS::Wisdom::Assistant
│ ├ - vendedLogs: [{"permissionsVersion":"V2","logType":"EVENT_LOGS","destinations":[{"destinationType":"S3","outputFormats":["json","plain","w3c","parquet"]},{"destinationType":"CWL","outputFormats":["plain","json"]},{"destinationType":"FH","outputFormats":["json","plain","raw"]}],"optionalFields":["assistant_id","event_timestamp","event_type","session_id","session_name","recommendation_id","recommendation","is_recommendation_useful","relevance_score","recommendation_title","recommendation_sources","intent_id","intent","intent_clicked","utterance","prompt","response","session_event_id","session_event_ids","issue_probability","is_valid_trigger","prompt_type","completion","model_id","connect_user_arn","conversation_session_data","session_message_id","parsed_response","answer_id","generation_id","ai_agent_id","ai_agent_name","ai_guardrail_id","name","ai_guardrail","content","action","action_reason","outputs","assessments","usage","guardrail_coverage","ai_agent_version"]}]
│ │ + vendedLogs: [{"permissionsVersion":"V2","logType":"EVENT_LOGS","destinations":[{"destinationType":"S3","outputFormats":["json","plain","w3c","parquet"]},{"destinationType":"CWL","outputFormats":["plain","json"]},{"destinationType":"FH","outputFormats":["json","plain","raw"]}],"optionalFields":["assistant_id","event_timestamp","event_type","session_id","session_name","recommendation_id","recommendation","is_recommendation_useful","relevance_score","recommendation_title","recommendation_sources","intent_id","intent","intent_clicked","utterance","prompt","response","session_event_id","session_event_ids","issue_probability","is_valid_trigger","prompt_type","completion","model_id","connect_user_arn","conversation_session_data","session_message_id","parsed_response","answer_id","generation_id","ai_agent_id","ai_agent_name","ai_guardrail_id","name","ai_guardrail","content","action","action_reason","outputs","assessments","usage","guardrail_coverage","ai_agent_version","guardrail_blocked","participant","values","orchestration_id","ai_agent_orchestration_use_case","orchestration_iteration","orchestration_error"]}]
│ └ vendedLogs
│ └[~] logType: EVENT_LOGS
│ └optionalFields:
│ ├- [assistant_id, event_timestamp, event_type, session_id, session_name, recommendation_id, recommendation, is_recommendation_useful, relevance_score, recommendation_title, recommendation_sources, intent_id, intent, intent_clicked, utterance, prompt, response, session_event_id, session_event_ids, issue_probability, is_valid_trigger, prompt_type, completion, model_id, connect_user_arn, conversation_session_data, session_message_id, parsed_response, answer_id, generation_id, ai_agent_id, ai_agent_name, ai_guardrail_id, name, ai_guardrail, content, action, action_reason, outputs, assessments, usage, guardrail_coverage, ai_agent_version]
│ └+ [assistant_id, event_timestamp, event_type, session_id, session_name, recommendation_id, recommendation, is_recommendation_useful, relevance_score, recommendation_title, recommendation_sources, intent_id, intent, intent_clicked, utterance, prompt, response, session_event_id, session_event_ids, issue_probability, is_valid_trigger, prompt_type, completion, model_id, connect_user_arn, conversation_session_data, session_message_id, parsed_response, answer_id, generation_id, ai_agent_id, ai_agent_name, ai_guardrail_id, name, ai_guardrail, content, action, action_reason, outputs, assessments, usage, guardrail_coverage, ai_agent_version, guardrail_blocked, participant, values, orchestration_id, ai_agent_orchestration_use_case, orchestration_iteration, orchestration_error]
├[~] service aws-workspacesinstances
│ └ resources
│ └[~] resource AWS::WorkspacesInstances::WorkspaceInstance
│ └ types
│ ├[-] type InstanceMarketOptionsRequest
│ │ ├ name: InstanceMarketOptionsRequest
│ │ └ properties
│ │ ├ MarketType: string<spot|capacity-block>
│ │ └ SpotOptions: SpotMarketOptions
│ ├[~] type ManagedInstance
│ │ └ properties
│ │ └[-] InstanceMarketOptions: InstanceMarketOptionsRequest
│ └[-] type SpotMarketOptions
│ ├ name: SpotMarketOptions
│ └ properties
│ ├ InstanceInterruptionBehavior: string<hibernate|stop>
│ ├ MaxPrice: string
│ ├ SpotInstanceType: string<one-time|persistent>
│ └ ValidUntilUtc: string
└[~] service aws-xray
└ resources
└[~] resource AWS::XRay::SamplingRule
└ types
├[+] type SamplingRateBoost
│ ├ name: SamplingRateBoost
│ └ properties
│ ├ MaxRate: number (required)
│ └ CooldownWindowMinutes: integer (required)
├[~] type SamplingRule
│ └ properties
│ └[+] SamplingRateBoost: SamplingRateBoost
└[~] type SamplingRuleUpdate
└ properties
└[+] SamplingRateBoost: SamplingRateBoost
```
…group across 1 directory (#37369) Bumps the npm_and_yarn group with 1 update in the / directory: [handlebars](https://github.com/handlebars-lang/handlebars.js). Updates `handlebars` from 4.7.8 to 4.7.9 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/handlebars-lang/handlebars.js/releases">handlebars's releases</a>.</em></p> <blockquote> <h2>v4.7.9</h2> <ul> <li>fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2</li> <li>fix type "RuntimeOptions" also accepting string partials - eab1d14</li> <li>feat(types): set <code>hash</code> to be a <code>Record<string, any></code> - de4414d</li> <li>fix non-contiguous program indices - 4512766</li> <li>refactor: rename i to startPartIndex - e497a35</li> <li>security: fix security issues - 68d8df5 <ul> <li><a href="https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q">https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q</a></li> <li><a href="https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r">https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r</a></li> <li><a href="https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6">https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6</a></li> <li><a href="https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf">https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf</a></li> <li><a href="https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff">https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff</a></li> <li><a href="https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9">https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9</a></li> <li><a href="https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-7rx3-28cr-v5wh">https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-7rx3-28cr-v5wh</a></li> <li><a href="https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2">https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2</a></li> </ul> </li> </ul> <p><a href="https://github.com/handlebars-lang/handlebars.js/compare/v4.7.8...v4.7.9">Commits</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md">handlebars's changelog</a>.</em></p> <blockquote> <h2>v4.7.9 - March 26th, 2026</h2> <ul> <li>fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2</li> <li>fix type "RuntimeOptions" also accepting string partials - eab1d14</li> <li>feat(types): set <code>hash</code> to be a <code>Record<string, any></code> - de4414d</li> <li>fix non-contiguous program indices - 4512766</li> <li>refactor: rename i to startPartIndex - e497a35</li> <li>security: fix security issues - 68d8df5</li> </ul> <p><a href="https://github.com/handlebars-lang/handlebars.js/compare/v4.7.8...v4.7.9">Commits</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/handlebars-lang/handlebars.js/commit/dce542c9a660048d31f0981ac8a45c08b919bddb"><code>dce542c</code></a> v4.7.9</li> <li><a href="https://github.com/handlebars-lang/handlebars.js/commit/8a41389ba5b2624b6f43a5463d8e2533b843a562"><code>8a41389</code></a> Update release notes</li> <li><a href="https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"><code>68d8df5</code></a> Fix security issues</li> <li><a href="https://github.com/handlebars-lang/handlebars.js/commit/b2a083136b11e1da9f0f47a11f749a9830a49328"><code>b2a0831</code></a> Fix browser tests</li> <li><a href="https://github.com/handlebars-lang/handlebars.js/commit/9f98c1629834abf8de5a127caff8a2eab03d2c12"><code>9f98c16</code></a> Fix release script</li> <li><a href="https://github.com/handlebars-lang/handlebars.js/commit/45443b4290475dfb7cec32a85d344f12ab345eb9"><code>45443b4</code></a> Revert "Improve partial indenting performance"</li> <li><a href="https://github.com/handlebars-lang/handlebars.js/commit/8841a5f6d35096aee95d68e1e49636a4cb5c661e"><code>8841a5f</code></a> Fix CI errors with linting</li> <li><a href="https://github.com/handlebars-lang/handlebars.js/commit/e0137c26f2202593bca7cc25184e733e87d54709"><code>e0137c2</code></a> fix: enable shell mode for spawn to resolve Windows EINVAL issue</li> <li><a href="https://github.com/handlebars-lang/handlebars.js/commit/e914d6037ffb0dd371f7e4823cdb019732ae66d7"><code>e914d60</code></a> Improve rendering performance</li> <li><a href="https://github.com/handlebars-lang/handlebars.js/commit/7de4b41c344a5d702edca93d1841b59642fa32bd"><code>7de4b41</code></a> Upgrade GitHub Actions checkout and setup-node on 4.x branch</li> <li>Additional commits viewable in <a href="https://github.com/handlebars-lang/handlebars.js/compare/v4.7.8...v4.7.9">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts). </details>
aws-cdk-automation
added
the
pr/no-squash
aws-cdk-automation
temporarily deployed
to
automation
GitHub Actions
Inactive
aws-cdk-automation
temporarily deployed
to
automation
GitHub Actions
Inactive
aws-cdk-automation
temporarily deployed
to
automation
GitHub Actions
Inactive
aws-cdk-automation
temporarily deployed
to
automation
GitHub Actions
Inactive
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
aws-cdk-automation
temporarily deployed
to
automation
GitHub Actions
Inactive
aws-cdk-automation
temporarily deployed
to
automation
GitHub Actions
Inactive
aws-cdk-automation
temporarily deployed
to
automation
GitHub Actions
Inactive
aws-cdk-automation
temporarily deployed
to
automation
GitHub Actions
Inactive
aws-cdk-automation
requested a deployment
to
test-pipeline
GitHub Actions
Waiting
aws-cdk-automation
requested a deployment
to
test-pipeline
GitHub Actions
Waiting
aws-cdk-automation
requested a deployment
to
test-pipeline
GitHub Actions
Waiting
Contributor
|
Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork). |
Contributor
Merge Queue Status
This pull request spent 6 seconds in the queue, with no time running CI. Required conditions to merge
|
Contributor
|
Comments on closed issues and PRs are hard for our team to see. |
aws-cdk-automation
added
the
pr/needs-community-review
aws-cdk-automation
temporarily deployed
to
automation
GitHub Actions
Inactive
aws-cdk-automation
temporarily deployed
to
automation
GitHub Actions
Inactive
aws-cdk-automation
requested a deployment
to
test-pipeline
GitHub Actions
Waiting
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
16 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See CHANGELOG