
chore(release): 2.181.0 #33581

Merged
merged 24 commits into from
Feb 25, 2025


aws-cdk-automation
Collaborator

@aws-cdk-automation aws-cdk-automation commented Feb 25, 2025

See CHANGELOG

mergify bot and others added 23 commits February 21, 2025 06:42
### Issue # (if applicable)

n/a

### Reason for this change

fix workflows failing with 
`error: failed to push some refs to 'https://github.com/aws/aws-cdk'`

### Description of changes

add `git checkout` to exit detached HEAD state before committing/pushing

### Describe any new or updated permissions being added

n/a

### Description of how you validated changes

Validated previously and confirmed workflow succeeded

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

N/A

### Reason for this change

To put these integration tests more in-line with the rest in the repository and ensure tests are comprehensive, added assertions to validate that the `IdentityPool` construct is deployed with the correct parameters.

### Description of changes

Added assertions against the Cognito calls for `DescribeIdentityPoolCommand` ([doc ref](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity/command/DescribeIdentityPoolCommand/)) and `GetIdentityPoolRolesCommand` ([doc ref](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity/command/GetIdentityPoolRolesCommand/)).

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

`yarn integ test/integ.identitypool.js` passes and the tests deploy.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…AddTags permission (#32536)

### Issue # (if applicable)

Closes #32294

### Reason for this change


- Missing permission
<img width="722" alt="Screenshot 2024-12-15 171605" src="https://github.com/user-attachments/assets/c5626c58-fef7-48bf-afd1-934978ce7baa" />

### Description of changes


- StepFunctions add `sagemaker:AddTags` permission

### Description of how you validated changes


Unit + Integration test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…k with token (#33516)

### Issue # (if applicable)

Closes #33504.

### Reason for this change

`monitoringInterval` prop in `DatabaseClusterProps` should accept a token.

### Description of changes

Skip validations if `monitoringInterval` is a token.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

Added a unit test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… window (#33448)

### Issue # (if applicable)

Closes #33447.

### Reason for this change

CloudFormation has added `applyImmediately` feature to RDS instances.
This allows modifications to be scheduled for the next scheduled maintenance window.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ModifyInstance.ApplyImmediately.html

### Description of changes

Added `applyImmediately` prop to `DatabaseInstanceNewProps` and `ClusterInstanceOptions`.
To schedule modifications, specify `applyImmediately: false` in instance props.

```ts
new rds.DatabaseInstance(this, 'Instance', {
  // ...
  applyImmediately: false,
});

new rds.DatabaseCluster(this, 'Cluster', {
  // ...
  writer: rds.ClusterInstance.serverlessV2('writer', {
    applyImmediately: false,
  }),
});
```

Note: Currently, `applyImmediately` is not supported in the cluster configurations.

### Describe any new or updated permissions being added

Nothing

### Description of how you validated changes

Unit tests and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

PR CI consistently failed due to notices showing up in the `cdk list` command, and notices are considered as stacks.

### Description of changes

Force notices flag to false

### Description of how you validated changes

CI passes

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ode (#33501)

### Issue # (if applicable)

Closes #33465

### Reason for this change

The error message when using grant methods like `grantPublish()` and `grantSubscribe()` on an Event API without IAM authorization mode needs improvement. Currently, users get a confusing error without clear guidance on how to fix it.

The error should clearly explain:
1. Why the operation failed (you tried to use a grant method on an Event API with missing IAM authorization mode)
2. How to fix it (add IAM authorization mode to the auth providers list)

### Description of changes

Rephrased the error message.

### Describe any new or updated permissions being added




### Description of how you validated changes



### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…33550)

### Issue # (if applicable)

N/A

### Reason for this change

A previous PR removed the `IdentityPoolRoleAttachmentProps` interface, so the linting exclusion is not necessary anymore.

### Description of changes

Removed unused linting exclusion from `aws-cognito-identitypool-alpha/awslint.json`.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

`yarn build && yarn test`

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…oken (#33541)

### Issue # (if applicable)

Closes #33513.

### Reason for this change



The `serviceTimeout` for `CustomResource` does not work with token.

The way the token is handled is wrong, and the `isUnresolved` method that the `Duration` type has should be used.

### Description of changes



Use the `props.serviceTimeout.isUnresolved()`.

Also add a doc that the token must be specified in `Duration.seconds()` since it is converted by `toSeconds` internally. (Because it is a token and unknown MINUTES value cannot be converted to SECONDS. This is due to the token mechanism.)

see:

https://github.com/go-to-k/aws-cdk/blob/75e52619cd09f363882ff62561a53cd5cd79ab30/packages/aws-cdk-lib/core/lib/custom-resource.ts#L169

https://github.com/go-to-k/aws-cdk/blob/75e52619cd09f363882ff62561a53cd5cd79ab30/packages/aws-cdk-lib/core/lib/duration.ts#L332

### Describe any new or updated permissions being added




### Description of how you validated changes



Unit tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

Messaging around stale PRs isn't clear; contributors don't always know what the next steps are if their PR is considered stale.

Also, response time for contributors is too short. IMO 7 days isn't enough to get back to our comments as we sometimes take a long time to review PRs. Open to discussion on what the window for response time should be.



### Description of changes



### Describe any new or updated permissions being added


- Update which labels should be skipped for stale PRs
- Update merge conflict warning to be more clear about next steps
- Update time given to contributors to respond




### Description of how you validated changes



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
….17, 15.11, 15.12, 16.8, 17.3, and 17.4 (#33559)

Add minor versions.

* [Amazon RDS for PostgreSQL supports minor versions 17.4, 16.8, 15.12, 14.17, 13.20](https://aws.amazon.com/about-aws/whats-new/2025/02/amazon-rds-postgresql-supports-minor-versions/)
* [Amazon RDS for PostgreSQL supports minor versions 17.3, 16.7, 15.11, 14.16, 13.19](https://aws.amazon.com/about-aws/whats-new/2025/02/amazon-rds-for-postgresql-new-minor-versions/)

16.7 is already added at #33509.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…to legacy versions (#33553)

### Issue # (if applicable)

N/A

### Reason for this change
* MSK now supports Kafka version 3.8 ([Ref](https://aws.amazon.com/about-aws/whats-new/2025/02/amazon-msk-apache-kafka-version-3-8/))
* Some versions are already deprecated ([Ref](https://docs.aws.amazon.com/msk/latest/developerguide/supported-kafka-versions.html))




### Description of changes
* Add Kafka version 3.8.x.
* Add deprecated labels to following versions:

| version | EOL |
|----------|-----|
| 2.6.0 | 2024-09-11 |
| 2.6.1 | 2024-09-11 |
| 2.6.2 | 2024-09-11 |
| 2.6.3 | 2024-09-11 |
| 2.7.0 | 2024-09-11 |
| 2.7.1 | 2024-09-11 |
| 2.7.2 | 2024-09-11 |
| 2.8.0 | 2024-09-11 |
| 2.8.1 | 2024-09-11 |
| 2.8.2-tiered | 2025-01-14 |
| 3.1.1 | 2024-09-11 |
| 3.2.0 | 2024-09-11 |
| 3.3.1 | 2024-09-11 |
| 3.3.2 | 2024-09-11 |



### Describe any new or updated permissions being added
Nothing.



### Description of how you validated changes
Update unit tests and integ tests.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…emReader (#33558)

### Issue # (if applicable)

Closes #33418.

### Reason for this change
CSVDelimiter in ItemReader is not supported in L2 Construct.

Ref: https://docs.aws.amazon.com/step-functions/latest/dg/input-output-itemreader.html#itemreader-field-contents


### Description of changes

Add `csvDelimiter` property.



### Describe any new or updated permissions being added
Nothing.



### Description of how you validated changes
Add a unit test and an integ test.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Address #32364 in aws-eks-v2-alpha.

For EKS Auto Mode, all required configs, including `computeConfig`, `kubernetesNetworkConfig`, and `blockStorage` are managed through the `defaultCapacityType` enum. When set to `DefaultCapacityType.AUTOMODE` (which is the default), these configurations are automatically enabled. The `Cluster` construct in aws-eks-v2-alpha enables EKS Auto Mode by default, managing compute resources through node pools instead of creating default capacity or nodegroups. Users can still opt-in to traditional nodegroup management by setting `defaultCapacityType` to `NODEGROUP` or `EC2`.


User Experience:

```ts
// Default usage - Auto Mode enabled by default
new eks.Cluster(this, 'hello-eks', {
  vpc,
  version: eks.KubernetesVersion.V1_32,
  kubectlProviderOptions: {
    kubectlLayer: new KubectlV32Layer(this, 'kubectl'),
  },
  // Auto Mode is enabled by default, no need to specify anything
});

// Explicit Auto Mode configuration
new eks.Cluster(this, 'hello-eks', {
  vpc,
  version: eks.KubernetesVersion.V1_32,
  kubectlProviderOptions: {
    kubectlLayer: new KubectlV32Layer(this, 'kubectl'),
  },
  defaultCapacityType: eks.DefaultCapacityType.AUTOMODE,  // Optional, this is default
  compute: {
    nodePools: ['system', 'general-purpose'],  // Optional, these are default values
    nodeRole: customRole,  // Optional, custom IAM role for nodes
  }
});
```

### Update Summary
- [x] EKS Auto Mode is the default mode for `Cluster` construct in V2. When enabled:
  - Automatically manages compute resources through node pools
  - Enables elastic load balancing in Kubernetes networking 
  - Enables block storage configuration
  - Will not create `defaultCapacity` as a `NODEGROUP` (major difference from aws-eks module)
- [x] Node pools are case-sensitive and must be "system" and/or "general-purpose"
- [x] Auto Mode can coexist with manually added node groups for hybrid deployments
- [x] Required IAM policies are automatically attached
- [x] Restore the `outputConfigCommand` support previously in `aws-eks` module
- [x] integration test
- [x] unit tests


### Description of how you validated changes

Deploy the autoMode-enabled cluster using the code above.

```sh
% kubectl create deployment nginx --image=nginx
% kubectl get events --sort-by='.lastTimestamp'
```
```
20m         Normal    Nominated                 pod/nginx-5869d7778c-52pzg        Pod should schedule on: nodeclaim/general-purpose-87brc
20m         Normal    Launched                  nodeclaim/general-purpose-87brc   Status condition transitioned, Type: Launched, Status: Unknown -> True, Reason: Launched
20m         Normal    DisruptionBlocked         nodeclaim/general-purpose-87brc   Nodeclaim does not have an associated node
19m         Normal    NodeHasSufficientPID      node/i-0322e9d8dd1b95a51          Node i-0322e9d8dd1b95a51 status is now: NodeHasSufficientPID
19m         Normal    NodeAllocatableEnforced   node/i-0322e9d8dd1b95a51          Updated Node Allocatable limit across pods
19m         Normal    NodeReady                 node/i-0322e9d8dd1b95a51          Node i-0322e9d8dd1b95a51 status is now: NodeReady
19m         Normal    Ready                     node/i-0322e9d8dd1b95a51          Status condition transitioned, Type: Ready, Status: False -> True, Reason: KubeletReady, Message: kubelet is posting ready status
19m         Normal    Synced                    node/i-0322e9d8dd1b95a51          Node synced successfully
19m         Normal    NodeHasNoDiskPressure     node/i-0322e9d8dd1b95a51          Node i-0322e9d8dd1b95a51 status is now: NodeHasNoDiskPressure
19m         Normal    NodeHasSufficientMemory   node/i-0322e9d8dd1b95a51          Node i-0322e9d8dd1b95a51 status is now: NodeHasSufficientMemory
19m         Warning   InvalidDiskCapacity       node/i-0322e9d8dd1b95a51          invalid capacity 0 on image filesystem
19m         Normal    Starting                  node/i-0322e9d8dd1b95a51          Starting kubelet.
19m         Normal    Registered                nodeclaim/general-purpose-87brc   Status condition transitioned, Type: Registered, Status: Unknown -> True, Reason: Registered
19m         Normal    Ready                     nodeclaim/general-purpose-87brc   Status condition transitioned, Type: Ready, Status: Unknown -> True, Reason: Ready
19m         Normal    Initialized               nodeclaim/general-purpose-87brc   Status condition transitioned, Type: Initialized, Status: Unknown -> True, Reason: Initialized
19m         Normal    RegisteredNode            node/i-0322e9d8dd1b95a51          Node i-0322e9d8dd1b95a51 event: Registered Node i-0322e9d8dd1b95a51 in Controller
19m         Normal    DisruptionBlocked         node/i-0322e9d8dd1b95a51          Node is nominated for a pending pod
19m         Normal    Scheduled                 pod/nginx-5869d7778c-52pzg        Successfully assigned default/nginx-5869d7778c-52pzg to i-0322e9d8dd1b95a51
19m         Warning   FailedCreatePodSandBox    pod/nginx-5869d7778c-52pzg        Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "9bd199c61bd9e93437b10a85af3ddc6965888e01bda96706e153b9e9852f67af": plugin type="aws-cni" name="aws-cni" failed (add): add cmd: Error received from AddNetwork gRPC call: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial tcp 127.0.0.1:50051: connect: connection refused"
19m         Normal    Pulling                   pod/nginx-5869d7778c-52pzg        Pulling image "nginx"
19m         Normal    Pulled                    pod/nginx-5869d7778c-52pzg        Successfully pulled image "nginx" in 2.307s (2.307s including waiting). Image size: 72188133 bytes.
19m         Normal    Created                   pod/nginx-5869d7778c-52pzg        Created container: nginx
19m         Normal    Started                   pod/nginx-5869d7778c-52pzg        Started container nginx
```

Verify the nodes and pods:

```sh
% kubectl get no
NAME                  STATUS   ROLES    AGE   VERSION
i-0322e9d8dd1b95a51   Ready    <none>   21m   v1.32.0-eks-2e66e76
% kubectl get po
NAME                     READY   STATUS    RESTARTS   AGE
nginx-5869d7778c-52pzg   1/1     Running   0          90m
```

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)


### References

eksctl YAML experience

```yaml
# cluster.yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: my-auto-cluster
  region: us-west-2

autoModeConfig:
  # defaults to false
  enabled: true
  # optional, defaults to [general-purpose, system]
  # suggested to leave unspecified
  nodePools: []string
  # optional, eksctl creates a new role if this is not supplied
  # and nodePools are present
  nodeRoleARN: string
```

Terraform experience:

```hcl
provider "aws" {
  region = "us-east-1"
}

module "eks" {
  source          = "terraform-aws-modules/eks/aws"
  cluster_name    = "eks-auto-mode-cluster"
  cluster_version = "1.27"

  vpc_id     = "<your-vpc-id>"
  subnet_ids = ["<subnet-id-1>", "<subnet-id-2>"]

  cluster_compute_config = {
    enabled    = true
    node_pools = ["general-purpose"] # Default pool for Auto Mode
  }

  bootstrap_self_managed_addons = true
}
```

Pulumi experience

```ts
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create EKS cluster with Auto Mode enabled
const cluster = new aws.eks.Cluster("example", {
    name: "example",
    version: "1.31",
    bootstrapSelfManagedAddons: false,  // Required: Must be false for Auto Mode
    computeConfig: {
        enabled: true,  // Enable Auto Mode compute
        nodePools: ["general-purpose"],
    },
    kubernetesNetworkConfig: {
        elasticLoadBalancing: {
            enabled: true,  // Required for Auto Mode
        },
    },
    storageConfig: {
        blockStorage: {
            enabled: true,  // Required for Auto Mode
        },
    },
});
```

### Links

- https://aws.amazon.com/about-aws/whats-new/2024/12/amazon-eks-auto-mode/
- https://aws.amazon.com/eks/auto-mode/
- https://aws.amazon.com/blogs/aws/streamline-kubernetes-cluster-management-with-new-amazon-eks-auto-mode/

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… invalid outputs (#32575)

### Issue #

Closes #27233.

### Reason for this change

Referencing a list attribute of a resource defined within a `NestedStack` synthesizes successfully but the nested stack will fail deployment with the error:

```
Template format error: Every Value member must be a string.
```

This prevents deploying resources into a `NestedStack` instance if a reference to one of that resource's list attributes exists within a cross-stack context. For example, deploying an `InterfaceVpcEndpoint` instance in a nested stack and attempting to reference its `vpcEndpointDnsEntries` property within a different stack will cause this error.

See new integration test at `packages/@aws-cdk-testing/framework-integ/test/core/test/integ.nested-stack-references.ts` for minimal reproduction.

### Description of changes

A similar strategy to `exportStringListValue` is used to serialize the reference's values into a string and expose that value as the output from the nested stack. The reference to the serialized value is then made exportable as normally needed to hoist it to the top-level parent stack. The final reference that imports the value is then re-written to also deserialize the imported string back to the original list.

The return types of some internal methods were modified to handle the fact that core/lib/private/refs.ts's `getExportable` no longer *necessarily* returns a Reference.  This was needed because an exportable may now be a value derived from a reference instead of only a direct reference.

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

* Added unit test to verify low-level operation
* Added integration test to verify high-level behavior and deploy-ability
  * Executed integration test within a personal account to verify success

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
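
The deployment failure and the serialize/deserialize fix described in the commit message above, modelled as an added sketch (not code from the PR or from aws-cdk-lib). The `Expr` model, the helper names, the `'||'` delimiter and the sample DNS entries are assumptions constructed for illustration.

```typescript
// Added sketch: a minimal model of CloudFormation intrinsics, not aws-cdk-lib code.
type Value = string | string[];
type Expr =
  | { kind: 'lit'; value: Value }
  | { kind: 'attr'; resource: string; attribute: string } // models Fn::GetAtt
  | { kind: 'join'; delimiter: string; list: Expr }        // models Fn::Join
  | { kind: 'split'; delimiter: string; source: Expr };    // models Fn::Split

// Deploy-time attribute values, keyed "LogicalId.Attribute".
type Attributes = { [key: string]: Value | undefined };

// Assumption for this sketch: the delimiter used to pack the list into one string.
const DELIMITER = '||';

function evaluate(expr: Expr, attrs: Attributes): Value {
  switch (expr.kind) {
    case 'lit':
      return expr.value;
    case 'attr': {
      const key = `${expr.resource}.${expr.attribute}`;
      const value = attrs[key];
      if (value === undefined) throw new Error(`unknown attribute ${key}`);
      return value;
    }
    case 'join': {
      const list = evaluate(expr.list, attrs);
      if (!Array.isArray(list)) throw new Error('join expects a list');
      return list.join(expr.delimiter);
    }
    case 'split': {
      const source = evaluate(expr.source, attrs);
      if (Array.isArray(source)) throw new Error('split expects a string');
      return source.split(expr.delimiter);
    }
  }
}

// A stack output must resolve to a single string; a list is rejected with the
// error quoted in the commit message.
function deployOutput(output: Expr, attrs: Attributes): string {
  const value = evaluate(output, attrs);
  if (Array.isArray(value)) {
    throw new Error('Template format error: Every Value member must be a string.');
  }
  return value;
}

interface CrossStackRef {
  nestedOutput: Expr;                     // value of the nested stack's output
  consume: (outputValue: string) => Expr; // expression used by the referencing stack
}

// Before the fix: the list attribute is exported as-is.
function directRef(attr: Expr): CrossStackRef {
  return { nestedOutput: attr, consume: (v) => ({ kind: 'lit', value: v }) };
}

// After the fix: join inside the nested stack, split again where it is imported.
function serializedRef(attr: Expr): CrossStackRef {
  return {
    nestedOutput: { kind: 'join', delimiter: DELIMITER, list: attr },
    consume: (v) => ({ kind: 'split', delimiter: DELIMITER, source: { kind: 'lit', value: v } }),
  };
}

function resolveAcrossStacks(ref: CrossStackRef, attrs: Attributes): Value {
  const outputValue = deployOutput(ref.nestedOutput, attrs); // nested stack deploys first
  return evaluate(ref.consume(outputValue), {});              // consumer only sees the output
}

// Caveat of any delimiter-based packing: elements containing the delimiter, and
// the empty list, do not survive the round trip.
function roundTrips(list: string[]): boolean {
  const back = resolveAcrossStacks(serializedRef({ kind: 'lit', value: list }), {});
  return Array.isArray(back) && back.length === list.length && back.every((s, i) => s === list[i]);
}

// Constructed sample: a list-valued attribute of a resource in the nested stack.
const SAMPLE_ATTRS: Attributes = {
  'Endpoint.DnsEntries': [
    'Z0000000EXAMPLE:vpce-0abc.example.internal',
    'Z0000000EXAMPLE:vpce-0abc-a.example.internal',
  ],
};
const DNS_ENTRIES: Expr = { kind: 'attr', resource: 'Endpoint', attribute: 'DnsEntries' };

function demo(): { direct: string; serialized: Value } {
  let direct = 'deployed';
  try {
    resolveAcrossStacks(directRef(DNS_ENTRIES), SAMPLE_ATTRS);
  } catch (err) {
    direct = (err as Error).message;
  }
  return { direct, serialized: resolveAcrossStacks(serializedRef(DNS_ENTRIES), SAMPLE_ATTRS) };
}

console.log(demo());
```

In this model a list element that itself contains the delimiter, or an empty list, comes back changed, so `roundTrips` is the check to run against any value that may be packed this way.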
### ❗Important❗

This change is to fix behavior that was always wrong, starting in this [commit](#32097) released in CDK v2.172.0. In doing so, the order of your aspect execution may change. If you are inadvertently depending on an aspect ordering that was previously wrong (tagging was previously not prioritized as a mutating aspect), you could need to change your CDK code. We are not treating this as a breaking change because the previous order was always wrong.

### Reason for this change

Priority was not applied in #32333

### Description of changes

Fix missing priority

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… feature plans (#33565)

### Issue #

Closes #33393


### Reason for this change

This is to solve the issue, but also to help fix errors introduced by [#32367](#32367)

When Feature Flags was introduced, a bad assumption was made. This assumption is in the comments on [#32367](#32367)

```
If the advanced security mode is enabled with Essentials or Plus feature plan, CloudFormation will fail with following error:

Resource handler returned message: "The following features need to be disabled for the ESSENTIALS pricing tier configured: Threat Protection (Service: CognitoIdentityProvider, Status Code: 400, Request ID: xx)"

We cannot validate advancedSecurityMode is off when featurePlan is not specified (defaults to Essentials) because existing user pools are set to Lite feature plan for backward compatibility and CDK cannot determine what the actual feature plan is.
```

Unfortunately, this is not what this error means, and oddly the readme entry they added actually has the correct text. 
This text indicates the author thought that in order to use Threat Protection / advanced security mode, you needed to be on LITE mode, but this doesn't make sense; that's the lowest tier.

As confirmed by the issue this PR is closing #33393, you actually need to be on PLUS tier to be able to use Threat Protection.

Also the text "Advanced Security Mode is deprecated in favor of user pool feature plans" which is in multiple places is not correct. All feature plans are, is a flag indicating a price plan. Each price plan enables more features as you go up. 

This means Advanced Security Mode isn't actually gone, all they did was rename it to Threat Protection. In fact, CFN has not changed the Advanced Security Mode key name in their interpreter language. Which is the correct call since this would be a very large breaking change if they did. 
This is confirmed by the docs for CFN https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html#cfn-cognito-userpool-userpooladdons-advancedsecuritymode
and the docs for L1 
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.CfnUserPool.UserPoolAddOnsProperty.html

So deprecating Advanced Security Mode is okay, only because a name change to Threat Protection would make more sense. 


### Description of changes

I've added props for Threat protection. There are 2 keys that can be edited, the mode of the standard user and the mode of a custom user, thus 

`standardThreatProtectionMode`, `customThreatProtectionMode`

I've allowed advancedSecurityMode to be usable with the deprecation flag, but updated the guidance to talk about threat protection. 
Also I have disallowed using advancedSecurityMode and either ThreatProtectionMode key at the same time 

```
    if (
      props.advancedSecurityMode &&
      (props.standardThreatProtectionMode || props.customThreatProtectionMode)
    ) {
      throw new ValidationError('you cannot set Threat Protection and Advanced Security Mode at the same time. Advanced Security Mode is deprecated and should be replaced with Threat Protection instead.', this);
    }
```

And when I was testing this, I tested an empty cognito user pool, and I got this CFN error 

```
Resource handler returned message: "1 validation error detected: Value null at 'userPoolAddOns.advancedSecurityMode' failed to satisfy constraint: Member must not be null 
```

Unsure if this is new behavior from CFN, but this is indicating to me that there needs to be a default setting. 

So since advancedSecurityMode can't actually be anything but OFF without featurePlan being PLUS, and you can only get to PLUS by specifying the featurePlan key (no key = ESSENTIALS  by default, or LITE for backwards compatibility), I am setting a new default value

```
    const standardThreatProtectionMode = props.standardThreatProtectionMode ?
      props.standardThreatProtectionMode :
      StandardThreatProtectionMode.NO_ENFORCEMENT;

    // ...

    const chosenSecurityMode = props.advancedSecurityMode ? props.advancedSecurityMode : standardThreatProtectionMode;
```

Basically if advancedSecurityMode is not specified, then it falls to standardThreatProtectionMode, where if this is not specified, it's set to `StandardThreatProtectionMode.NO_ENFORCEMENT`. (OFF)

I updated the enum keys to match the UI when using `StandardThreatProtectionMode` or `CustomThreatProtectionMode`

```
export enum StandardThreatProtectionMode {
  /** Cognito automatically takes preventative actions in response to different levels of risk that you configure for your user pool */
  FULL_FUNCTION = 'ENFORCED',
  /** Cognito gathers metrics on detected risks, but doesn't take automatic action */
  AUDIT_ONLY = 'AUDIT',
  /** Cognito doesn't gather metrics on detected risks or automatically take preventative actions */
  NO_ENFORCEMENT = 'OFF',
}
```

The keys will make more sense to someone who is creating a user pool with CDK, but still map to the required CFN values since CFN is keeping the current behavior.


### Description of how you validated changes

I updated the tests created from the previous PR and I added some more to help.

```
test('advanced security defaults when no option provided', () => {
  // GIVEN
  const stack = new Stack();

  // WHEN
  new UserPool(stack, 'Pool', {});

  // THEN
  Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPool', {
    UserPoolAddOns: {
      AdvancedSecurityAdditionalFlows: {},
      AdvancedSecurityMode: 'OFF',
    },
  });
});

test.each([
  [FeaturePlan.ESSENTIALS, AdvancedSecurityMode.AUDIT],
  [FeaturePlan.ESSENTIALS, AdvancedSecurityMode.ENFORCED],
  [FeaturePlan.LITE, AdvancedSecurityMode.AUDIT],
  [FeaturePlan.LITE, AdvancedSecurityMode.ENFORCED],
])('throws when feature plan is %s and advanced security mode is %s', (featurePlan, advancedSecurityMode) => {
  // GIVEN
  const stack = new Stack();

  // WHEN
  expect(() => {
    new UserPool(stack, 'Pool', { featurePlan, advancedSecurityMode });
  }).toThrow('you cannot enable Advanced Security when feature plan is not Plus.');
});

test.each([
  [FeaturePlan.ESSENTIALS, StandardThreatProtectionMode.AUDIT_ONLY],
  [FeaturePlan.ESSENTIALS, StandardThreatProtectionMode.FULL_FUNCTION],
  [FeaturePlan.LITE, StandardThreatProtectionMode.AUDIT_ONLY],
  [FeaturePlan.LITE, StandardThreatProtectionMode.FULL_FUNCTION],
])('throws when feature plan is %s and standard threat protection mode is %s', (featurePlan, standardThreatProtectionMode) => {
  // GIVEN
  const stack = new Stack();

  // WHEN
  expect(() => {
    new UserPool(stack, 'Pool', { featurePlan, standardThreatProtectionMode });
  }).toThrow('you cannot enable Threat Protection when feature plan is not Plus.');
});

test.each([
  [FeaturePlan.ESSENTIALS, CustomThreatProtectionMode.AUDIT_ONLY],
  [FeaturePlan.ESSENTIALS, CustomThreatProtectionMode.FULL_FUNCTION],
  [FeaturePlan.LITE, CustomThreatProtectionMode.AUDIT_ONLY],
  [FeaturePlan.LITE, CustomThreatProtectionMode.FULL_FUNCTION],
])('throws when feature plan is %s and custom threat protection mode is %s', (featurePlan, customThreatProtectionMode) => {
  // GIVEN
  const stack = new Stack();

  // WHEN
  expect(() => {
    new UserPool(stack, 'Pool', { featurePlan, customThreatProtectionMode });
  }).toThrow('you cannot enable Threat Protection when feature plan is not Plus.');
});

test('throws when deprecated property AdvancedSecurityMode and StandardThreatProtectionMode are specified at the same time.', () => {
  // GIVEN
  const stack = new Stack();

  // WHEN
  expect(() => {
    new UserPool(stack, 'Pool', {
      featurePlan: FeaturePlan.PLUS,
      advancedSecurityMode: AdvancedSecurityMode.AUDIT,
      standardThreatProtectionMode: StandardThreatProtectionMode.AUDIT_ONLY,
    });
  }).toThrow('you cannot set Threat Protection and Advanced Security Mode at the same time. Advanced Security Mode is deprecated and should be replaced with Threat Protection instead.');
});

test('throws when deprecated property AdvancedSecurityMode and CustomThreatProtectionMode are specified at the same time.', () => {
  // GIVEN
  const stack = new Stack();

  // WHEN
  expect(() => {
    new UserPool(stack, 'Pool', {
      featurePlan: FeaturePlan.PLUS,
      advancedSecurityMode: AdvancedSecurityMode.AUDIT,
      customThreatProtectionMode: CustomThreatProtectionMode.AUDIT_ONLY,
    });
  }).toThrow('you cannot set Threat Protection and Advanced Security Mode at the same time. Advanced Security Mode is deprecated and should be replaced with Threat Protection instead.');
});
```

I've updated a few integs but I also wrote my own for this. 

```
import { IntegTest } from '@aws-cdk/integ-tests-alpha';
import { App, RemovalPolicy, Stack } from 'aws-cdk-lib';
import { UserPool, FeaturePlan, StandardThreatProtectionMode, CustomThreatProtectionMode } from 'aws-cdk-lib/aws-cognito';

const app = new App();
const stack = new Stack(app, 'integ-user-pool-threat-protection');

new UserPool(stack, 'userpool-standard-threat-protection', {
  featurePlan: FeaturePlan.PLUS,
  standardThreatProtectionMode: StandardThreatProtectionMode.FULL_FUNCTION,
  removalPolicy: RemovalPolicy.DESTROY,
});

new UserPool(stack, 'userpool-custom-threat-protection', {
  featurePlan: FeaturePlan.PLUS,
  customThreatProtectionMode: CustomThreatProtectionMode.FULL_FUNCTION,
  removalPolicy: RemovalPolicy.DESTROY,
});

new IntegTest(app, 'IntegTest', { testCases: [stack] });

```

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
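
The unit tests above pin the synthesized `UserPoolAddOns` shape and the rule that threat protection requires the Plus feature plan. The following is an added example, not part of the PR or the CDK code base, that applies the same rule to a synthesized template; `UserPoolTier` and `CustomAuthMode` are the CloudFormation property names assumed here, and the sample template is constructed.

```typescript
// Added example: audit a synthesized CloudFormation template for Cognito
// user pool threat-protection settings. The sample template is constructed.
type Mode = 'OFF' | 'AUDIT' | 'ENFORCED';
const MODES: Mode[] = ['OFF', 'AUDIT', 'ENFORCED'];

interface Finding {
  logicalId: string;
  severity: 'error' | 'warn';
  message: string;
}
interface CfnResource {
  Type: string;
  Properties?: { [key: string]: any };
}
interface CfnTemplate {
  Resources?: { [logicalId: string]: CfnResource };
}

// Returns the mode only when the value is a literal string; intrinsics such as
// { Ref: ... } cannot be evaluated statically and yield undefined.
function readMode(value: unknown): Mode | undefined {
  const i = MODES.indexOf(value as Mode);
  return i >= 0 ? MODES[i] : undefined;
}

function auditUserPools(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  const resources = template.Resources || {};
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (!res || res.Type !== 'AWS::Cognito::UserPool') continue;
    const props = res.Properties || {};
    const addOns = props['UserPoolAddOns'] || {};
    const flows = addOns['AdvancedSecurityAdditionalFlows'] || {};
    // Assumption: UserPoolTier carries the feature plan (LITE / ESSENTIALS / PLUS).
    const tierRaw: unknown = props['UserPoolTier'];
    const tier: string = typeof tierRaw === 'string' ? tierRaw : 'unspecified';

    const checks: Array<[string, unknown]> = [
      ['standard threat protection (AdvancedSecurityMode)', addOns['AdvancedSecurityMode']],
      ['custom-auth threat protection (CustomAuthMode)', flows['CustomAuthMode']],
    ];
    for (const [label, raw] of checks) {
      // An absent key is treated as OFF, matching the default asserted in the tests.
      const mode = raw === undefined ? 'OFF' : readMode(raw);
      if (mode === undefined) {
        findings.push({ logicalId, severity: 'warn',
          message: `${label} is not a literal value; resolve it before auditing` });
      } else if (mode !== 'OFF' && tier !== 'PLUS') {
        findings.push({ logicalId, severity: 'error',
          message: `${label} is ${mode} but UserPoolTier is ${tier}; Plus is required` });
      } else if (mode !== 'ENFORCED') {
        findings.push({ logicalId, severity: 'warn',
          message: `${label} is ${mode}; detected risk is not acted on` });
      }
    }
  }
  return findings;
}

// Constructed sample: four user pools and one unrelated resource.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    DefaultPool: { Type: 'AWS::Cognito::UserPool', Properties: {
      UserPoolAddOns: { AdvancedSecurityAdditionalFlows: {}, AdvancedSecurityMode: 'OFF' } } },
    PlusEnforced: { Type: 'AWS::Cognito::UserPool', Properties: {
      UserPoolTier: 'PLUS',
      UserPoolAddOns: {
        AdvancedSecurityAdditionalFlows: { CustomAuthMode: 'ENFORCED' },
        AdvancedSecurityMode: 'ENFORCED' } } },
    LiteAudit: { Type: 'AWS::Cognito::UserPool', Properties: {
      UserPoolTier: 'LITE',
      UserPoolAddOns: { AdvancedSecurityMode: 'AUDIT' } } },
    ParamDriven: { Type: 'AWS::Cognito::UserPool', Properties: {
      UserPoolTier: 'PLUS',
      UserPoolAddOns: { AdvancedSecurityMode: { Ref: 'ModeParam' } } } },
    Bucket: { Type: 'AWS::S3::Bucket' },
  },
};
```

Run `auditUserPools` on the parsed JSON of a synthesized template; an `error` finding marks a pool whose threat protection setting conflicts with its feature plan.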
### Issue # (if applicable)

None

### Reason for this change

Redshift supports specifying a [maintenance track name](https://docs.aws.amazon.com/redshift/latest/mgmt/managing-cluster-considerations.html#rs-mgmt-maintenance-tracks), but the L2 Cluster construct does not support this feature.

### Description of changes

- Define `MaintenanceTrackName` enum
- Add `maintenanceTrackName` prop to `ClusterProps`

### Describe any new or updated permissions being added

None

### Description of how you validated changes

Add both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[~] service aws-bedrock
│ └ resources
│    └[~]  resource AWS::Bedrock::Agent
│       ├ properties
│       │  ├[+] AgentCollaboration: string
│       │  ├[+] AgentCollaborators: Array<AgentCollaborator>
│       │  ├[+] CustomOrchestration: CustomOrchestration
│       │  ├[+] MemoryConfiguration: MemoryConfiguration
│       │  └[+] OrchestrationType: string
│       └ types
│          ├[+]  type AgentCollaborator
│          │  ├      documentation: An agent collaborator.
│          │  │      name: AgentCollaborator
│          │  └ properties
│          │     ├ AgentDescriptor: AgentDescriptor (required)
│          │     ├ CollaborationInstruction: string (required)
│          │     ├ CollaboratorName: string (required)
│          │     └ RelayConversationHistory: string
│          ├[+]  type AgentDescriptor
│          │  ├      documentation: An agent descriptor.
│          │  │      name: AgentDescriptor
│          │  └ properties
│          │     └ AliasArn: string
│          ├[+]  type CustomOrchestration
│          │  ├      documentation: Details of custom orchestration.
│          │  │      name: CustomOrchestration
│          │  └ properties
│          │     └ Executor: OrchestrationExecutor
│          ├[+]  type MemoryConfiguration
│          │  ├      documentation: Details of the memory configuration.
│          │  │      name: MemoryConfiguration
│          │  └ properties
│          │     ├ EnabledMemoryTypes: Array<string>
│          │     ├ StorageDays: number
│          │     └ SessionSummaryConfiguration: SessionSummaryConfiguration
│          ├[+]  type OrchestrationExecutor
│          │  ├      documentation: Contains details about the Lambda function containing the orchestration logic carried out upon invoking the custom orchestration.
│          │  │      name: OrchestrationExecutor
│          │  └ properties
│          │     └ Lambda: string (required)
│          ├[~] type PromptConfiguration
│          │ └ properties
│          │    └[+] FoundationModel: string
│          └[+]  type SessionSummaryConfiguration
│             ├      documentation: Configuration for SESSION_SUMMARY memory type enabled for the agent.
│             │      name: SessionSummaryConfiguration
│             └ properties
│                └ MaxRecentSessions: number
├[~] service aws-chatbot
│ └ resources
│    ├[~]  resource AWS::Chatbot::CustomAction
│    │  ├      - documentation: The `AWS::Chatbot::CustomAction` resource creates a custom action that can be invoked as an alias or as a button on a notification.
│    │  │      + documentation: > AWS Chatbot is now  . [Learn more](https://docs.aws.amazon.com//chatbot/latest/adminguide/service-rename.html)
│    │  │      > 
│    │  │      > `Type` attribute values remain unchanged.
│    │  ├ properties
│    │  │  └ AliasName: (documentation changed)
│    │  └ types
│    │     ├[~] type CustomActionAttachment
│    │     │ └      - documentation: Defines when a custom action button should be attached to a notification.
│    │     │        + documentation: > AWS Chatbot is now  . [Learn more](https://docs.aws.amazon.com//chatbot/latest/adminguide/service-rename.html)
│    │     │        > 
│    │     │        > `Type` attribute values remain unchanged. 
│    │     │        Defines when a custom action button should be attached to a notification.
│    │     ├[~] type CustomActionAttachmentCriteria
│    │     │ └      - documentation: A criteria for when a button should be shown based on values in the notification.
│    │     │        + documentation: > AWS Chatbot is now  . [Learn more](https://docs.aws.amazon.com//chatbot/latest/adminguide/service-rename.html)
│    │     │        > 
│    │     │        > `Type` attribute values remain unchanged. 
│    │     │        A criteria for when a button should be shown based on values in the notification.
│    │     └[~] type CustomActionDefinition
│    │       └      - documentation: The definition of the command to run when invoked as an alias or as an action button.
│    │              + documentation: > AWS Chatbot is now  . [Learn more](https://docs.aws.amazon.com//chatbot/latest/adminguide/service-rename.html)
│    │              > 
│    │              > `Type` attribute values remain unchanged. 
│    │              The definition of the command to run when invoked as an alias or as an action button.
│    ├[~]  resource AWS::Chatbot::MicrosoftTeamsChannelConfiguration
│    │  ├      - documentation: The `AWS::Chatbot::MicrosoftTeamsChannelConfiguration` resource configures a Microsoft Teams channel to allow users to use AWS Chatbot with AWS CloudFormation templates.
│    │  │      This resource requires some setup to be done in the AWS Chatbot console. To provide the required Microsoft Teams team and tenant IDs, you must perform the initial authorization flow with Microsoft Teams in the AWS Chatbot console, then copy and paste the IDs from the console. For more details, see [Configure a Microsoft Teams client](https://docs.aws.amazon.com/chatbot/latest/adminguide/teams-setup.html#teams-client-setup) in the *AWS Chatbot Administrator Guide* .
│    │  │      + documentation: > AWS Chatbot is now  . [Learn more](https://docs.aws.amazon.com//chatbot/latest/adminguide/service-rename.html)
│    │  │      > 
│    │  │      > `Type` attribute values remain unchanged. 
│    │  │      The `AWS::Chatbot::MicrosoftTeamsChannelConfiguration` resource configures a Microsoft Teams channel to allow users to use  with AWS CloudFormation templates.
│    │  │      This resource requires some setup to be done in the  in chat applications console. To provide the required Microsoft Teams team and tenant IDs, you must perform the initial authorization flow with Microsoft Teams in the  in chat applications console, then copy and paste the IDs from the console. For more details, see steps 1-3 in [Get started with Microsoft Teams](https://docs.aws.amazon.com/chatbot/latest/adminguide/teams-setup.html#teams-client-setup) in the *in chat applications Administrator Guide* .
│    │  └ properties
│    │     ├ CustomizationResourceArns: (documentation changed)
│    │     ├ IamRoleArn: (documentation changed)
│    │     ├ SnsTopicArns: (documentation changed)
│    │     ├ TeamId: (documentation changed)
│    │     ├ TeamsChannelId: (documentation changed)
│    │     └ TeamsTenantId: (documentation changed)
│    └[~]  resource AWS::Chatbot::SlackChannelConfiguration
│       ├      - documentation: The `AWS::Chatbot::SlackChannelConfiguration` resource configures a Slack channel to allow users to use AWS Chatbot with AWS CloudFormation templates.
│       │      This resource requires some setup to be done in the AWS Chatbot console. To provide the required Slack workspace ID, you must perform the initial authorization flow with Slack in the AWS Chatbot console, then copy and paste the workspace ID from the console. For more details, see [Configure a Slack client](https://docs.aws.amazon.com/chatbot/latest/adminguide/slack-setup.html#slack-client-setup) in the *AWS Chatbot User Guide* .
│       │      + documentation: > AWS Chatbot is now  . [Learn more](https://docs.aws.amazon.com//chatbot/latest/adminguide/service-rename.html)
│       │      > 
│       │      > `Type` attribute values remain unchanged. 
│       │      The `AWS::Chatbot::SlackChannelConfiguration` resource configures a Slack channel to allow users to use  with AWS CloudFormation templates.
│       │      This resource requires some setup to be done in the  in chat applications console. To provide the required Slack workspace ID, you must perform the initial authorization flow with Slack in the  in chat applications console, then copy and paste the workspace ID from the console. For more details, see steps 1-3 in [Tutorial: Get started with Slack](https://docs.aws.amazon.com/chatbot/latest/adminguide/slack-setup.html#slack-client-setup) in the *in chat applications User Guide* .
│       └ properties
│          ├ CustomizationResourceArns: (documentation changed)
│          ├ IamRoleArn: (documentation changed)
│          ├ SlackWorkspaceId: (documentation changed)
│          └ SnsTopicArns: (documentation changed)
├[~] service aws-cloudformation
│ └ resources
│    ├[~]  resource AWS::CloudFormation::GuardHook
│    │  └ properties
│    │     ├ StackFilters: (documentation changed)
│    │     └ TargetFilters: (documentation changed)
│    └[~]  resource AWS::CloudFormation::LambdaHook
│       └ properties
│          ├ StackFilters: (documentation changed)
│          └ TargetFilters: (documentation changed)
├[~] service aws-config
│ └ resources
│    └[~]  resource AWS::Config::ConfigRule
│       └ properties
│          └ Scope: (documentation changed)
├[~] service aws-dynamodb
│ └ resources
│    └[~]  resource AWS::DynamoDB::Table
│       └ properties
│          └ BillingMode: (documentation changed)
├[~] service aws-ecs
│ └ resources
│    ├[~]  resource AWS::ECS::Cluster
│    │  └ types
│    │     └[~] type ServiceConnectDefaults
│    │       └ properties
│    │          └ Namespace: (documentation changed)
│    ├[~]  resource AWS::ECS::Service
│    │  └ types
│    │     └[~] type AwsVpcConfiguration
│    │       └ properties
│    │          └ AssignPublicIp: (documentation changed)
│    ├[~]  resource AWS::ECS::TaskDefinition
│    │  └ properties
│    │     └ Cpu: (documentation changed)
│    └[~]  resource AWS::ECS::TaskSet
│       └ types
│          └[~] type AwsVpcConfiguration
│            └ properties
│               └ AssignPublicIp: (documentation changed)
├[~] service aws-eks
│ └ resources
│    └[~]  resource AWS::EKS::Nodegroup
│       ├      - documentation: Creates a managed node group for an Amazon EKS cluster.
│       │      You can only create a node group for your cluster that is equal to the current Kubernetes version for the cluster. All node groups are created with the latest AMI release version for the respective minor Kubernetes version of the cluster, unless you deploy a custom AMI using a launch template. For more information about using launch templates, see [Customizing managed nodes with launch templates](https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html) .
│       │      An Amazon EKS managed node group is an Amazon EC2 Auto Scaling group and associated Amazon EC2 instances that are managed by AWS for an Amazon EKS cluster. For more information, see [Managed node groups](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html) in the *Amazon EKS User Guide* .
│       │      > Windows AMI types are only supported for commercial AWS Regions that support Windows on Amazon EKS.
│       │      + documentation: Creates a managed node group for an Amazon EKS cluster.
│       │      You can only create a node group for your cluster that is equal to the current Kubernetes version for the cluster. All node groups are created with the latest AMI release version for the respective minor Kubernetes version of the cluster, unless you deploy a custom AMI using a launch template.
│       │      For later updates, you will only be able to update a node group using a launch template only if it was originally deployed with a launch template. Additionally, the launch template ID or name must match what was used when the node group was created. You can update the launch template version with necessary changes. For more information about using launch templates, see [Customizing managed nodes with launch templates](https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html) .
│       │      An Amazon EKS managed node group is an Amazon EC2 Auto Scaling group and associated Amazon EC2 instances that are managed by AWS for an Amazon EKS cluster. For more information, see [Managed node groups](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html) in the *Amazon EKS User Guide* .
│       │      > Windows AMI types are only supported for commercial AWS Regions that support Windows on Amazon EKS.
│       ├ properties
│       │  └ LaunchTemplate: (documentation changed)
│       └ types
│          └[~] type LaunchTemplateSpecification
│            └ properties
│               ├ Id: (documentation changed)
│               ├ Name: (documentation changed)
│               └ Version: (documentation changed)
├[~] service aws-iot
│ └ resources
│    └[~]  resource AWS::IoT::Logging
│       └      - documentation: Configure logging.
│              > If you already set the log function of AWS IoT Core , you can't deploy the AWS Cloud Development Kit (AWS CDK) to change the logging settings. You can change the logging settings by either:
│              > 
│              > - Importing a role into your AWS CloudFormation stack, such as with the [infrastructure as code generator (IaC generator)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/generate-IaC.html) .
│              > - [Deleting the existing role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html#roles-managingrole-deleting-console) .
│              + documentation: Configure logging.
│              > If you already set the log function of AWS IoT Core , you can't deploy the AWS Cloud Development Kit (AWS CDK) to change the logging settings. You can change the logging settings by either:
│              > 
│              > - Importing the existing logging resource into your AWS CloudFormation stack, such as with the [infrastructure as code generator (IaC generator)](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/generate-IaC.html) .
│              > - Calling `aws iot set-v2-logging-options --disable-all-logs` before creating a new CloudFormation stack. This command disables all AWS IoT logging. As a result, no AWS IoT logs will be delivered to Amazon CloudWatch until you re-enable logging.
├[~] service aws-mediapackagev2
│ └ resources
│    └[~]  resource AWS::MediaPackageV2::Channel
│       ├ properties
│       │  ├[+] InputSwitchConfiguration: InputSwitchConfiguration
│       │  └[+] OutputHeaderConfiguration: OutputHeaderConfiguration
│       └ types
│          ├[+]  type InputSwitchConfiguration
│          │  ├      documentation: <p>The configuration for input switching based on the media quality confidence score (MQCS) as provided from AWS Elemental MediaLive.</p>
│          │  │      name: InputSwitchConfiguration
│          │  └ properties
│          │     └ MQCSInputSwitching: boolean
│          └[+]  type OutputHeaderConfiguration
│             ├      documentation: <p>The settings for what common media server data (CMSD) headers AWS Elemental MediaPackage includes in responses to the CDN.</p>
│             │      name: OutputHeaderConfiguration
│             └ properties
│                └ PublishMQCS: boolean
├[~] service aws-networkfirewall
│ └ resources
│    └[~]  resource AWS::NetworkFirewall::RuleGroup
│       └ types
│          ├[~] type RulesSource
│          │ └ properties
│          │    └ StatefulRules: (documentation changed)
│          └[~] type StatefulRule
│            └      - documentation: A single Suricata rules specification, for use in a stateful rule group. Use this option to specify a simple Suricata rule with protocol, source and destination, ports, direction, and rule options. For information about the Suricata `Rules` format, see [Rules Format](https://docs.aws.amazon.com/https://suricata.readthedocs.io/en/suricata-6.0.9/rules/intro.html) .
│                   + documentation: A single Suricata rules specification, for use in a stateful rule group. Use this option to specify a simple Suricata rule with protocol, source and destination, ports, direction, and rule options. For information about the Suricata `Rules` format, see [Rules Format](https://docs.aws.amazon.com/https://suricata.readthedocs.io/en/suricata-7.0.3/rules/intro.html) .
├[~] service aws-opensearchserverless
│ └ resources
│    └[~]  resource AWS::OpenSearchServerless::SecurityConfig
│       ├ properties
│       │  └ IamIdentityCenterOptions: (documentation changed)
│       ├ attributes
│       │  ├ IamIdentityCenterOptions.ApplicationArn: (documentation changed)
│       │  ├ IamIdentityCenterOptions.ApplicationDescription: (documentation changed)
│       │  └ IamIdentityCenterOptions.ApplicationName: (documentation changed)
│       └ types
│          ├[~] type IamIdentityCenterConfigOptions
│          │ ├      - documentation: Describes IAM Identity Center options for an OpenSearch Serverless security configuration in the form of a key-value map
│          │ │      + documentation: Describes IAM Identity Center options for an OpenSearch Serverless security configuration in the form of a key-value map.
│          │ └ properties
│          │    ├ ApplicationArn: (documentation changed)
│          │    ├ ApplicationDescription: (documentation changed)
│          │    ├ ApplicationName: (documentation changed)
│          │    ├ GroupAttribute: (documentation changed)
│          │    ├ InstanceArn: (documentation changed)
│          │    └ UserAttribute: (documentation changed)
│          └[~] type SamlConfigOptions
│            └ properties
│               └ OpenSearchServerlessEntityId: (documentation changed)
├[~] service aws-organizations
│ └ resources
│    └[~]  resource AWS::Organizations::Policy
│       └ properties
│          └ Content: (documentation changed)
├[~] service aws-pcaconnectorscep
│ └ resources
│    └[~]  resource AWS::PCAConnectorSCEP::Challenge
│       └      - documentation: For general-purpose connectors. Creates a *challenge password* for the specified connector. The SCEP protocol uses a challenge password to authenticate a request before issuing a certificate from a certificate authority (CA). Your SCEP clients include the challenge password as part of their certificate request to Connector for SCEP. To retrieve the connector Amazon Resource Names (ARNs) for the connectors in your account, call [ListConnectors](https://docs.aws.amazon.com/C4SCEP_API/pca-connector-scep/latest/APIReference/API_ListConnectors.html) .
│              To create additional challenge passwords for the connector, call `CreateChallenge` again. We recommend frequently rotating your challenge passwords.
│              + documentation: For general-purpose connectors. Creates a *challenge password* for the specified connector. The SCEP protocol uses a challenge password to authenticate a request before issuing a certificate from a certificate authority (CA). Your SCEP clients include the challenge password as part of their certificate request to Connector for SCEP. To retrieve the connector Amazon Resource Names (ARNs) for the connectors in your account, call [ListConnectors](https://docs.aws.amazon.com/pca-connector-scep/latest/APIReference/API_ListConnectors.html) .
│              To create additional challenge passwords for the connector, call `CreateChallenge` again. We recommend frequently rotating your challenge passwords.
├[~] service aws-rds
│ └ resources
│    └[~]  resource AWS::RDS::DBInstance
│       └ properties
│          └ StorageType: (documentation changed)
├[~] service aws-ssm
│ └ resources
│    └[~]  resource AWS::SSM::PatchBaseline
│       └ properties
│          └ DefaultBaseline: (documentation changed)
├[~] service aws-transfer
│ └ resources
│    └[~]  resource AWS::Transfer::Server
│       └ attributes
│          ├ As2ServiceManagedEgressIpAddresses: (documentation changed)
│          └ State: (documentation changed)
└[~] service aws-wisdom
  └ resources
     └[~]  resource AWS::Wisdom::AIAgent
        └ types
           ├[~] type AIAgentConfiguration
           │ └ properties
           │    └[+] SessionSummarizationAIAgentConfiguration: SessionSummarizationAIAgentConfiguration
           ├[~] type AnswerRecommendationAIAgentConfiguration
           │ └ properties
           │    └[+] Locale: string
           ├[~] type ManualSearchAIAgentConfiguration
           │ └ properties
           │    └[+] Locale: string
           └[+]  type SessionSummarizationAIAgentConfiguration
              ├      name: SessionSummarizationAIAgentConfiguration
              └ properties
                 ├ SessionSummarizationAIPromptId: string
                 └ Locale: string
```
@aws-cdk-automation aws-cdk-automation requested a review from a team as a code owner February 25, 2025 22:29
@aws-cdk-automation aws-cdk-automation added auto-approve pr/no-squash This PR should be merged instead of squash-merging it labels Feb 25, 2025
@github-actions github-actions bot added the p2 label Feb 25, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team February 25, 2025 22:29
@aws-cdk-automation
Collaborator Author

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 7f767d5
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Feb 25, 2025
Contributor

mergify bot commented Feb 25, 2025

Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit f0f4a07 into v2-release Feb 25, 2025
8 checks passed
@mergify mergify bot deleted the bump/2.181.0 branch February 25, 2025 23:10

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 25, 2025