See [CHANGELOG](https://github.com/aws/aws-cdk/blob/bump/1.147.0/CHANGELOG.md)

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/1.147.0/CHANGELOG.md)

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.15.0/CHANGELOG.md)

Co-authored-by: AWS CDK Team <aws-cdk@amazon.com>

)

This PR modify the default value jsdoc of health check configuration in `aws-elasticloadbalancingv2`.

CloudFormation apply the default value about health check configuration. So the result is not `No health check`.

For more information of default values of each properties, see [this docs](https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-targetgroup.html#aws-resource-elasticloadbalancingv2-targetgroup-properties).

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ntAccessPolicy (#19082)

Closes #19058

Most likely this was an oversight in CloudFormation docs. Submitted a PR for CF docs here: awsdocs/aws-cloudformation-user-guide#1165

Here are the API docs showing the proper parameters for LifecyclePolicies: https://docs.aws.amazon.com/efs/latest/ug/API_PutLifecycleConfiguration.html

<img width="418" alt="image" src="https://user-images.githubusercontent.com/31543/155045177-308d0608-bc11-4150-8d5f-b7da7f8f5b01.png">
<img width="1226" alt="Screen Shot 2022-02-21 at 5 14 50 PM" src="https://user-images.githubusercontent.com/31543/155045111-31e9d9b5-99b1-404f-bee7-61dd3e2751f2.png">
<img width="679" alt="Screen Shot 2022-02-21 at 5 14 57 PM" src="https://user-images.githubusercontent.com/31543/155045114-a56c68f7-60f4-4a6c-946a-1231cdf84448.png">

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This method does not exist.  This mention in the docs is leftover from an abandoned approach in #8600 and should have been reverted.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

The read replica instance always uses the same engine as the source instance
but some CF validations require the engine to be explicitely passed when some
properties are specified.

Pass the `engine` property to the CF resource if `domain` is specified.

Closes #18786


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…9175)

Closes #17241

Tested by:
```typescript
// 1. Create original cluster with unencrypted storage
new DatabaseCluster(stack, 'Database', {
  engine: DatabaseClusterEngine.AURORA,
  instanceProps: { vpc },
});

// 2. Take snapshot of cluster (mySnapshot)

// 3. Create cluster from snapshot with encrypted storage
new DatabaseClusterFromSnapshot(stack, 'Database', {
  engine: DatabaseClusterEngine.AURORA,
  instanceProps: { vpc },
  snapshotIdentifier: 'mySnapshot',
  storageEncryptionKey: new kms.Key(stack, 'Key'),
});

// 4. Verify new cluster has encrypted storage
```

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Co-authored-by: AWS CDK Team <aws-cdk@amazon.com>

…9204)

Update some `README` documentation based on feedback.
Move library to developer preview with no anticipation of breaking changes.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Using the regular stack identifier in cli commands is deprecated in v1, and removed in v2. If you supply the `.id` of a stack to any cdk commands (`synth`, `deploy`), then v1 will print out a deprecation warning. And, v2 will not work at all. Because of this, it is confusing to users that `cdk synth` prints out the regular stack identifier. It is best to print out the hierarchical identifier in all cases. 

At minimum, this partially fixes #18599. This will fix the scenario where the CLI prints out 
```
Supply a stack id (StageOneF5E336C2, StageTwo81B557F6) to display its template.
```
when those ids will not actually work, and the hierarchical ids, `Stage/One` and `Stage/Two`, should be printed instead.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Co-authored-by: AWS CDK Team <aws-cdk@amazon.com>

Co-authored-by: AWS CDK Team <aws-cdk@amazon.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

…tch size for SQS (#18971)

https://docs.aws.amazon.com/lambda/latest/dg/with-sqs.html#services-sqs-params
> For standard queues, the maximum is 10,000. For FIFO queues, the maximum is 10.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This PR adds an L2 construct for the S3 Object Lambda.

To avoid a circular dependency, the construct lives outside of the aws-s3 package.

Fixes #13675

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…o bundle assets (#16192)

`DockerImage.fromBuild` was being called for bundling regardless of whether the stack needed bundling or not. With this change, we will check if the stack needs bundling before proceeding to build the docker image.

Fixes #14747

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Closes #19133


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

#18796)

This PR adds documentation on how to correctly make cross stack
connections. If the connection is not made in the correct stack it can
lead to cyclic reference.

fixes #5047


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

CloudWatchLogs.filterLogEvents will always return a `nextToken` as long
as there are _any_ additional logs. This is regardless of any filter
used (i.e. `startTime`).

This PR updates the logic to only display the truncated message if
`CloudWatchLogs.filterLogEvents` returns 100 events (the `limit`) _and_ the
`nextToken`. If the limit is hit and there is a `nextToken` then we can
assume that the _current_ request for log events was truncated.

fixes #18805


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…igw sfn integration (#18892)

Implements #18891 

This PR adds the ability to include custom authorizer context in the Step Functions API Gateway integration.  This is useful if the custom authorizer sets custom context values, which can then be used downstream in the step function.  This adds a `authorizer: { ... }` key to the state input.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This PR allow IoT Events detector model to perform actions as [this documentation](https://docs.aws.amazon.com/iotevents/latest/developerguide/iotevents-supported-actions.html).
This PR is in roadmap of #17711.

![スクリーンショット 2022-02-08 22 43 33](https://user-images.githubusercontent.com/11013683/152999288-81721f15-fefb-4108-b34b-aab3f88a7ab8.png)

With this fix, all the interfaces of the DetectorModel are now implemented! And next works is implementing expressions and actions.

The exapmle in readme became not simple, so also this PR has sorted explanation of readme.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

The `Version` object's documentation was pretty unclear,
and only needed to discourage users from using it.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…on (#19250)

closes #19223 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Document the values for Amazon ECR source


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…alid json (#19253)

The failure response from a StepFunctionsRestApi integration is not valid JSON, it is missing a comma.  This fixes the issue by adding a comma.  Fixes #19252

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Co-authored-by: AWS CDK Team <aws-cdk@amazon.com>

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/actions/checkout/releases">actions/checkout's releases</a>.</em></p>
<blockquote>
<h2>v3.0.0</h2>
<ul>
<li>Update default runtime to node16</li>
</ul>
<h2>v2.4.0</h2>
<ul>
<li>Convert SSH URLs like <code>org-&lt;ORG_ID&gt;@github.com:</code> to <code>https://github.com/</code> - <a href="https://github-redirect.dependabot.com/actions/checkout/pull/621">pr</a></li>
</ul>
<h2>v2.3.5</h2>
<p>Update dependencies</p>
<h2>v2.3.4</h2>
<ul>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/379">Add missing <code>await</code>s</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/360">Swap to Environment Files</a></li>
</ul>
<h2>v2.3.3</h2>
<ul>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/345">Remove Unneeded commit information from build logs</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/326">Add Licensed to verify third party dependencies</a></li>
</ul>
<h2>v2.3.2</h2>
<p><a href="https://github-redirect.dependabot.com/actions/checkout/pull/320">Add Third Party License Information to Dist Files</a></p>
<h2>v2.3.1</h2>
<p><a href="https://github-redirect.dependabot.com/actions/checkout/pull/284">Fix default branch resolution for .wiki and when using SSH</a></p>
<h2>v2.3.0</h2>
<p><a href="https://github-redirect.dependabot.com/actions/checkout/pull/278">Fallback to the default branch</a></p>
<h2>v2.2.0</h2>
<p><a href="https://github-redirect.dependabot.com/actions/checkout/pull/258">Fetch all history for all tags and branches when fetch-depth=0</a></p>
<h2>v2.1.1</h2>
<p>Changes to support GHES (<a href="https://github-redirect.dependabot.com/actions/checkout/pull/236">here</a> and <a href="https://github-redirect.dependabot.com/actions/checkout/pull/248">here</a>)</p>
<h2>v2.1.0</h2>
<ul>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/191">Group output</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/199">Changes to support GHES alpha release</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/184">Persist core.sshCommand for submodules</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/163">Add support ssh</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/179">Convert submodule SSH URL to HTTPS, when not using SSH</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/157">Add submodule support</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/144">Follow proxy settings</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/141">Fix ref for pr closed event when a pr is merged</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/128">Fix issue checking detached when git less than 2.22</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2>v2.3.1</h2>
<ul>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/284">Fix default branch resolution for .wiki and when using SSH</a></li>
</ul>
<h2>v2.3.0</h2>
<ul>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/278">Fallback to the default branch</a></li>
</ul>
<h2>v2.2.0</h2>
<ul>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/258">Fetch all history for all tags and branches when fetch-depth=0</a></li>
</ul>
<h2>v2.1.1</h2>
<ul>
<li>Changes to support GHES (<a href="https://github-redirect.dependabot.com/actions/checkout/pull/236">here</a> and <a href="https://github-redirect.dependabot.com/actions/checkout/pull/248">here</a>)</li>
</ul>
<h2>v2.1.0</h2>
<ul>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/191">Group output</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/199">Changes to support GHES alpha release</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/184">Persist core.sshCommand for submodules</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/163">Add support ssh</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/179">Convert submodule SSH URL to HTTPS, when not using SSH</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/157">Add submodule support</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/144">Follow proxy settings</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/141">Fix ref for pr closed event when a pr is merged</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/128">Fix issue checking detached when git less than 2.22</a></li>
</ul>
<h2>v2.0.0</h2>
<ul>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/108">Do not pass cred on command line</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/107">Add input persist-credentials</a></li>
<li><a href="https://github-redirect.dependabot.com/actions/checkout/pull/104">Fallback to REST API to download repo</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/actions/checkout/commit/a12a3943b4bdde767164f792f33f40b04645d846"><code>a12a394</code></a> update readme for v3 (<a href="https://github-redirect.dependabot.com/actions/checkout/issues/708">#708</a>)</li>
<li><a href="https://github.com/actions/checkout/commit/8f9e05e482293f862823fcca12d9eddfb3723131"><code>8f9e05e</code></a> Update to node 16 (<a href="https://github-redirect.dependabot.com/actions/checkout/issues/689">#689</a>)</li>
<li><a href="https://github.com/actions/checkout/commit/230611dbd0eb52da1e1f4f7bc8bb0c3a339fc8b7"><code>230611d</code></a> Change secret name for PAT to not start with GITHUB_ (<a href="https://github-redirect.dependabot.com/actions/checkout/issues/623">#623</a>)</li>
<li>See full diff in <a href="https://github.com/actions/checkout/compare/v2...v3">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/checkout&package-manager=github_actions&previous-version=2&new-version=3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>

…k/lambda-layer-awscli (#19265)

Bumps [awscli](https://github.com/aws/aws-cli) from 1.22.63 to 1.22.68.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/aws/aws-cli/blob/develop/CHANGELOG.rst">awscli's changelog</a>.</em></p>
<blockquote>
<h1>1.22.68</h1>
<ul>
<li>api-change:<code>ec2</code>: Documentation updates for Amazon EC2.</li>
<li>api-change:<code>synthetics</code>: Allow custom handler function.</li>
<li>api-change:<code>transfer</code>: Add waiters for server online and offline.</li>
<li>api-change:<code>connect</code>: This release updates the *InstanceStorageConfig APIs so they support a new ResourceType: REAL_TIME_CONTACT_ANALYSIS_SEGMENTS. Use this resource type to enable streaming for real-time contact analysis and to associate the Kinesis stream where real-time contact analysis segments will be published.</li>
<li>api-change:<code>macie</code>: Amazon Macie Classic (macie) has been discontinued and is no longer available. A new Amazon Macie (macie2) is now available with significant design improvements and additional features.</li>
<li>api-change:<code>sts</code>: Documentation updates for AWS Security Token Service.</li>
<li>api-change:<code>devops-guru</code>: Amazon DevOps Guru now integrates with Amazon CodeGuru Profiler. You can view CodeGuru Profiler recommendations for your AWS Lambda function in DevOps Guru. This feature is enabled by default for new customers as of 3/4/2022. Existing customers can enable this feature with UpdateEventSourcesConfig.</li>
</ul>
<h1>1.22.67</h1>
<ul>
<li>api-change:<code>timestream-query</code>: Documentation only update for SDK and CLI</li>
<li>api-change:<code>greengrassv2</code>: Doc only update that clarifies Create Deployment section.</li>
<li>api-change:<code>kendra</code>: Amazon Kendra now suggests spell corrections for a query. For more information, see <a href="https://docs.aws.amazon.com/kendra/latest/dg/query-spell-check.html">https://docs.aws.amazon.com/kendra/latest/dg/query-spell-check.html</a></li>
<li>api-change:<code>fsx</code>: This release adds support for data repository associations to use root (&quot;/&quot;) as the file system path</li>
<li>api-change:<code>appflow</code>: Launching Amazon AppFlow Marketo as a destination connector SDK.</li>
</ul>
<h1>1.22.66</h1>
<ul>
<li>api-change:<code>athena</code>: This release adds support for S3 Object Ownership by allowing the S3 bucket owner full control canned ACL to be set when Athena writes query results to S3 buckets.</li>
<li>api-change:<code>ecr</code>: This release adds support for tracking images lastRecordedPullTime.</li>
<li>api-change:<code>keyspaces</code>: This release adds support for data definition language (DDL) operations</li>
<li>api-change:<code>gamelift</code>: Minor updates to address errors.</li>
<li>api-change:<code>cloudtrail</code>: Add bytesScanned field into responses of DescribeQuery and GetQueryResults.</li>
</ul>
<h1>1.22.65</h1>
<ul>
<li>api-change:<code>mgn</code>: Add support for GP3 and IO2 volume types. Add bootMode to LaunchConfiguration object (and as a parameter to UpdateLaunchConfigurationRequest).</li>
<li>api-change:<code>rds</code>: Documentation updates for Multi-AZ DB clusters.</li>
<li>api-change:<code>mediapackage</code>: This release adds Hybridcast as an available profile option for Dash Origin Endpoints.</li>
<li>api-change:<code>kafkaconnect</code>: Adds operation for custom plugin deletion (DeleteCustomPlugin) and adds new StateDescription field to DescribeCustomPlugin and DescribeConnector responses to return errors from asynchronous resource creation.</li>
</ul>
<h1>1.22.64</h1>
<ul>
<li>api-change:<code>ec2</code>: This release adds support for new AMI property 'lastLaunchedTime'</li>
<li>api-change:<code>fsx</code>: This release adds support for the following FSx for OpenZFS features: snapshot lifecycle transition messages, force flag for deleting file systems with child resources, LZ4 data compression, custom record sizes, and unsetting volume quotas and reservations.</li>
<li>api-change:<code>route53-recovery-cluster</code>: This release adds a new API option to enable overriding safety rules to allow routing control state updates.</li>
<li>api-change:<code>fis</code>: This release adds logging support for AWS Fault Injection Simulator experiments. Experiment templates can now be configured to send experiment activity logs to Amazon CloudWatch Logs or to an S3 bucket.</li>
<li>api-change:<code>servicecatalog-appregistry</code>: AppRegistry is deprecating Application and Attribute-Group Name update feature. In this release, we are marking the name attributes for Update APIs as deprecated to give a heads up to our customers.</li>
<li>api-change:<code>athena</code>: This release adds support for updating an existing named query.</li>
</ul>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/aws/aws-cli/commit/76ff8d93cf6c6c211e56cbe4cd67a42bf908cd61"><code>76ff8d9</code></a> Merge branch 'release-1.22.68'</li>
<li><a href="https://github.com/aws/aws-cli/commit/85ea7234d55e1772b83b3def385db92f6307100f"><code>85ea723</code></a> Bumping version to 1.22.68</li>
<li><a href="https://github.com/aws/aws-cli/commit/63be387ce79991b1011a89835578f2532314d1f1"><code>63be387</code></a> Update changelog based on model updates</li>
<li><a href="https://github.com/aws/aws-cli/commit/aeed38978ecfa75488424aac52b6bff06f85c123"><code>aeed389</code></a> Merge branch 'release-1.22.67'</li>
<li><a href="https://github.com/aws/aws-cli/commit/6f29be509619a95c9cba8eaaa42ffcc1c368fff1"><code>6f29be5</code></a> Merge branch 'release-1.22.67' into develop</li>
<li><a href="https://github.com/aws/aws-cli/commit/93cbb34a1128b1660b7a885c0ff71e45b7326cc9"><code>93cbb34</code></a> Bumping version to 1.22.67</li>
<li><a href="https://github.com/aws/aws-cli/commit/86e5e12c8d4020f4c138be2e6b7aa91cbb04a0fe"><code>86e5e12</code></a> Update changelog based on model updates</li>
<li><a href="https://github.com/aws/aws-cli/commit/2a336bb0415f85ffeff17bc1a871e15ba3b3b8ff"><code>2a336bb</code></a> New CLI Examples for cognito-idp, deploy (<a href="https://github-redirect.dependabot.com/aws/aws-cli/issues/6761">#6761</a>)</li>
<li><a href="https://github.com/aws/aws-cli/commit/1e708d03cc46942c54a1b0a7b7455902a25eb64a"><code>1e708d0</code></a> Update CLI examples for secretsmanager (<a href="https://github-redirect.dependabot.com/aws/aws-cli/issues/6760">#6760</a>)</li>
<li><a href="https://github.com/aws/aws-cli/commit/ab613f204f8294e251bc65dd41b7682b4fe1ad85"><code>ab613f2</code></a> Merge branch 'release-1.22.66'</li>
<li>Additional commits viewable in <a href="https://github.com/aws/aws-cli/compare/1.22.63...1.22.68">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=awscli&package-manager=pip&previous-version=1.22.63&new-version=1.22.68)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>

Kubernetes has got specific requirements to names of resources:
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/

Without checks user will learn about invalid name at `cdk deploy` stage.
That could leave EKS cluster in an inconsistent state.

fixes #18189


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

The `--no-notices` flag is only being considered for actually displaying the notices, but not in the refresh step, used to mask latency.

Also handling request timeout on the `Promise` level. If the promise doesn't resolve within the time limit, resolve with an empty array, no matter what.

Fixes #19201.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

The package name is `typescript`, the bin is `tsc`.

Closes #19242


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Fixes #18916
Fixes #9817

### Motivation 
CDK currently has poor and hidden support for using ARM build images for CodeBuild that do not match what you can do with the Console. Currently, CDK has under LinuxBuildImage two constants not mentioned in the documentation. The constants internally map to a hidden ArmBuildImage class, which provides support for the standard CodeBuild ARM build images. That is the extent of the support, making ARM a second class citizen compared to x86-64 Linux and Windows build images as, for example, you can't use custom aarch64 ECR images.

### Changes
This pull request addresses the missing support by:
- renaming the previously hidden class ArmBuildImage to LinuxArmBuildImage (in case there are Windows ARM Build Images in the future).
- exporting LinuxArmBuildImage so it can be used.
- adding the two ARM constants present in LinuxBuildImage also to LinuxArmBuildImage. The constants are also left under LinuxBuildImage to not break backwards compatibility.
- adding the method fromEcrRepository() to support custom ARM build images.
- making the LinuxArmBuildImage closer to the LinuxBuildImage and WindowsBuildImage (built with props instead of just image name).
- updating documentation to show examples of ARM and highlighting the LinuxBuildImage is for x86-64.

### Testing
The unit test for ARM image is still valid.
----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

As preparation for adding yarn canaries, and not just npm. 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…19178)

The role used in the aws-events-targets example and test code needs to be passed to the SfnStateMachine target, not to the StateMachine resource.

The role's trust policy trusts events.amazonaws.com so the state machine resource would be unable to use this role anyways. This PR modifies the example in README.md and the test code to have the StateMachine construct create its own role and pass the manually created role to SfnStateMachine where EventBridge will use it to start the state machine.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Co-authored-by: AWS CDK Team <aws-cdk@amazon.com>

)

The lack of isolated subnet groups in the dummy response causes VPC lookups to fail.

Fixes #19122.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…execute permission is created (#18716)

When multiple routes are defined for a single lambda integration, only one of
the routes gets permission to execute the function. This is because the
permissions are added when the integration is bound to the route, which happens
only once per integration.

Split the `_bindToRoute` workflow into two parts:

1. The actual bind, followed by the creation of an `HttpIntegration`. We keep
doing this only once per integration.
2. A post-bind step, that happens for every route. 

In the case of `HttpLambdaIntegration`, adding the permission has been moved to
the post bind step. All other integrations remain the same.

Fixes #18201.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

The output directory should always use posix paths since this directory
is being used within a linux docker container.

I did not add any tests because it looks like there is no way to mock the `path` platform detection.

fixes #18861


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…on (#19237)

The subnet selection was always overriden by the subnet selection of the
instance/cluster.

Avoid these kinds of errors by explicitely defining rotation options and
their defaults.

Closes #19233


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…19249)

This PR allow states in IoT Events detector model to set event on input and exit.
This PR is in roadmap of #17711.
<img width="530" alt="スクリーンショット 2022-03-05 13 40 57" src="https://user-images.githubusercontent.com/11013683/156868196-a37f5926-05e2-4d3b-a881-17520b465518.png">


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Add notes in the docs that `grantConnect()` does not work currently.

Reference: #11851

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Forgot to clean this up in #19237


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…structor (#15876)

Currently when creating an elasticsearch domain the access policies must be set in the constructor. This makes it impossible to create access policies that reference the domain. 

### Use Cases

See: https://aws.amazon.com/premiumsupport/knowledge-center/kinesis-firehose-cross-account-streaming/

### Proposed Solution

This PR extracts the access policy setting to a helper method which can be used if the `accessPolicies` and `useUnsignedBasicAuth` props are not set. The helper will error if access policies are already set to prevent creating duplicate custom resources.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…19306)

fixes #19291


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… elastic beanstalk environment endpoint target (#18804)

This PR fixes the extraction of the region name from a Elastic Beanstalk Environment URL generated with a custom CNAME_PREFIX.

The code is backward compatible with the regular URL

# Motivation

ElasticBeanstalkEnvironmentEndpointTarget is used to create an alias target for ElasticBeanstalk Environments that are already created and published for a certain region.

When creating an ElasticBeanstalk Environment is possible to configure a `cname_prefix` in order to have a "deterministic" url for the generated environment.

Normally the generated url looks like `mybeanstalkenvironment.xyz.eu-west-1.elasticbeanstalk.com`, however when the `cname_prefix` is specified the url loses the randomly generated hash and looks like `mycnameprefix.eu-west-1.elasticbeanstalk.com`.

In the custom `cname_prefix` scenario the `ElasticBeanstalkEnvironmentEndpointTarget` class fails with the following error:
```
jsii.errors.JSIIError: Elastic Beanstalk environment target is not supported for the "elasticbeanstalk" region.
```

I mentioned this problem also [here](#17992 (comment)), sorry for the double comment. This PR does not fix the original problem of that issue thread.

# How to reproduce
Consider this scenario:
```
# app1.py
# EB Enviroment
enviroment = elasticbeanstalk.CfnEnvironment(self, 'Enviroment', 
    environment_name='MySampleEnviroment',
    application_name=application.application_name or application_name,
    solution_stack_name=SOLUTION_STACK_NAME,
    option_settings=self.get_option_setting_properties(),
    version_label=app_version_props.ref,
    cname_prefix='myapp'
)
```

This generates an elastic beanstalk environment with url `myapp.eu-west-1.elasticbeanstalk.com` (supposing one it's deploying in eu-west-1).

Then a following cdk app tries to create a DNS record for it
```
# app2.py
route53.ARecord(self, f'{construct_label}AliasRecord',
    target=route53.RecordTarget.from_alias(
        targets.ElasticBeanstalkEnvironmentEndpointTarget(     
            'myapp.eu-west-1.elasticbeanstalk.com',
        ),
    ),
    zone=domain_configuration.hosted_zone,
)
```

At this point the command cdk diff returns the following error:
```
jsii.errors.JSIIError: Elastic Beanstalk environment target is not supported for the "elasticbeanstalk" region.
```

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…0220309

# Conflicts:
#	packages/@aws-cdk/aws-iotevents-actions/package.json
#	packages/@aws-cdk/aws-lambda-python/lib/layer.ts
#	packages/@aws-cdk/aws-opensearchservice/lib/opensearch-access-policy.ts
#	packages/@aws-cdk/aws-s3objectlambda/package.json

Automated action from aws/cdk-ops

One of the changes in #19216 is causing 3 unit tests in the CI environment of the pipeline to fail
(for reasons not exactly clear).
This changes unblocks them.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*