See [CHANGELOG](https://github.com/aws/aws-cdk/blob/bump/1.157.0/CHANGELOG.md)

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.25.0/CHANGELOG.md)

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/1.157.0/CHANGELOG.md)

Closes #20432

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…lambda-layer-awscli (#20462)

Bumps [awscli](https://github.com/aws/aws-cli) from 1.24.0 to 1.24.5.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/aws/aws-cli/blob/develop/CHANGELOG.rst">awscli's changelog</a>.</em></p>
<blockquote>
<h1>1.24.5</h1>
<ul>
<li>api-change:<code>comprehend</code>: Comprehend releases 14 new entity types for DetectPiiEntities and ContainsPiiEntities APIs.</li>
<li>api-change:<code>logs</code>: Doc-only update to publish the new valid values for log retention</li>
<li>enhancement:dependency: Bump upper bound of docutils to &lt;0.17</li>
</ul>
<h1>1.24.4</h1>
<ul>
<li>api-change:<code>gamesparks</code>: This release adds an optional DeploymentResult field in the responses of GetStageDeploymentIntegrationTests and ListStageDeploymentIntegrationTests APIs.</li>
<li>api-change:<code>lookoutmetrics</code>: In this release we added SnsFormat to SNSConfiguration to support human readable alert.</li>
</ul>
<h1>1.24.3</h1>
<ul>
<li>api-change:<code>quicksight</code>: API UpdatePublicSharingSettings enables IAM admins to enable/disable account level setting for public access of dashboards. When enabled, owners/co-owners for dashboards can enable public access on their dashboards. These dashboards can only be accessed through share link or embedding.</li>
<li>api-change:<code>greengrassv2</code>: This release adds the new DeleteDeployment API operation that you can use to delete deployment resources. This release also adds support for discontinued AWS-provided components, so AWS can communicate when a component has any issues that you should consider before you deploy it.</li>
<li>api-change:<code>transfer</code>: AWS Transfer Family now supports SetStat server configuration option, which provides the ability to ignore SetStat command issued by file transfer clients, enabling customers to upload files without any errors.</li>
<li>api-change:<code>batch</code>: Documentation updates for AWS Batch.</li>
<li>api-change:<code>appmesh</code>: This release updates the existing Create and Update APIs for meshes and virtual nodes by adding a new IP preference field. This new IP preference field can be used to control the IP versions being used with the mesh and allows for IPv6 support within App Mesh.</li>
<li>api-change:<code>iotevents-data</code>: Introducing new API for deleting detectors: BatchDeleteDetector.</li>
</ul>
<h1>1.24.2</h1>
<ul>
<li>api-change:<code>glue</code>: This release adds a new optional parameter called codeGenNodeConfiguration to CRUD job APIs that allows users to manage visual jobs via APIs. The updated CreateJob and UpdateJob will create jobs that can be viewed in Glue Studio as a visual graph. GetJob can be used to get codeGenNodeConfiguration.</li>
<li>api-change:<code>kms</code>: Add HMAC best practice tip, annual rotation of AWS managed keys.</li>
</ul>
<h1>1.24.1</h1>
<ul>
<li>api-change:<code>cloudfront</code>: Introduced a new error (TooLongCSPInResponseHeadersPolicy) that is returned when the value of the Content-Security-Policy header in a response headers policy exceeds the maximum allowed length.</li>
<li>api-change:<code>rekognition</code>: Documentation updates for Amazon Rekognition.</li>
<li>api-change:<code>resiliencehub</code>: In this release, we are introducing support for Amazon Elastic Container Service, Amazon Route 53, AWS Elastic Disaster Recovery, AWS Backup in addition to the existing supported Services.  This release also supports Terraform file input from S3 and scheduling daily assessments</li>
<li>api-change:<code>servicecatalog</code>: Updated the descriptions for the ListAcceptedPortfolioShares API description and the PortfolioShareType parameters.</li>
<li>api-change:<code>discovery</code>: Add Migration Evaluator Collector details to the GetDiscoverySummary API response</li>
<li>api-change:<code>sts</code>: Documentation updates for AWS Security Token Service.</li>
<li>api-change:<code>workspaces-web</code>: Amazon WorkSpaces Web now supports Administrator timeout control</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/aws/aws-cli/commit/6dc3193218e1f12d100ad5d137f6a8c97a39f08c"><code>6dc3193</code></a> Merge branch 'release-1.24.5'</li>
<li><a href="https://github.com/aws/aws-cli/commit/601d6b4bd993539468903a7c5333f7b52aa01382"><code>601d6b4</code></a> Bumping version to 1.24.5</li>
<li><a href="https://github.com/aws/aws-cli/commit/19cdbbff021cc0e154bf8a6094c37aef4486b115"><code>19cdbbf</code></a> Update changelog based on model updates</li>
<li><a href="https://github.com/aws/aws-cli/commit/610646918dedb1e8f5d3d2efaa4e8db31a155db2"><code>6106469</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/aws/aws-cli/issues/6977">#6977</a> from stealthycoin/bump-docutils</li>
<li><a href="https://github.com/aws/aws-cli/commit/1bc38dc3c01b8ca8557117a15b5c87f8d8f70206"><code>1bc38dc</code></a> Bump docutils upper bound to &lt;0.17</li>
<li><a href="https://github.com/aws/aws-cli/commit/469d03ccf1b01d46176ed7bc7ac624ca5a74dfb0"><code>469d03c</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/aws/aws-cli/issues/4135">#4135</a> from aamirmushtaq/cognito-documentation-fix</li>
<li><a href="https://github.com/aws/aws-cli/commit/9a0a6cc38661f782b881c6269ed8e5e35fa7faae"><code>9a0a6cc</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/aws/aws-cli/issues/6968">#6968</a> from elysahall/awsdocs-05-18-22</li>
<li><a href="https://github.com/aws/aws-cli/commit/a9bd9fac765c1ccf1b934285c2cffbee735862d4"><code>a9bd9fa</code></a> Fix whitespace in cognito-idp admin-update-user-attributes example</li>
<li><a href="https://github.com/aws/aws-cli/commit/2436eb8cde60da55b31e70f79f6d1747dbd2b263"><code>2436eb8</code></a> Merge branch 'release-1.24.4'</li>
<li><a href="https://github.com/aws/aws-cli/commit/c5063fce7f29b28b16546d1f7605dfcc0afe8220"><code>c5063fc</code></a> Merge branch 'release-1.24.4' into develop</li>
<li>Additional commits viewable in <a href="https://github.com/aws/aws-cli/compare/1.24.0...1.24.5">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=awscli&package-manager=pip&previous-version=1.24.0&new-version=1.24.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

I found wrong indents in sample code and fix those.

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

The `DeployAssert` construct is really an implementation detail that is
only used when making assertions as part of integration tests. This PR
makes the construct private and creates a public interface
(`IDeployAssert`).

This PR also:

- Removes the scope swap since we no longer need to pass around
`DeployAssert`.
- Removes some unused code (ResultsCollector).

----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

The instructions in `CONTRIBUTING.md`, telling users to run `test.sh`,
started running the unit tests instead of the integ tests, since `npx`
now `cd`s to the `package.json` directory (instead of running in the
current directory).

Fix by using `npx` to look up the location of `jest`, but running
it in the current shell.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… iterations (#20244)

Adding enhancement to ProductStack to allow the specification of a VersioningStrategy.
VersioningStrategy `RetainPreviousVersions` added to save previously deployed ProductStacks templates in a local context directory. These productVersions can then be easily be deployed using the stored templates.

---
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

fixes #11221
----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

closes #20475.

----

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(This change has been split off from #20189 because that PR was growing
too big)

Collapse CodeBuild action Roles: each CodeBuild step used to create a
fresh Role to run the CodeBuild action. Change to use one Role for all
CodeBuild actions. This saves a lot of resources and policy space when
using many CodeBuild steps, and doesn't appreciably change the
security posture of the Pipeline (note: this is not about the
Execution Role of the CodeBuild projects, this is about the Role
assumed by the Pipeline to initiate execution of the Project).

Relates to #19276, #19939, #19835.


----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…20425)

Fixes (first half) of #20372. 
This implements the `objectSizeGreaterThan` property for a S3 lifecycle rule. 

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(This change has been split off from #20189 because that PR was growing
too big)

We add all Role policy statements to the Inline policy, which
has a maximums size of 10k. Especially when creating CDK Pipelines
that deploy to a lot of environments, the list of Role ARNs
the Pipeline should be allowed to assume exceeds this size.

Roles also have the ability to have Managed Policies attached
(10 by default, 20 with a quota increase), each of them can be 6k
in size. By spilling over from inline policies into Managed Policies
we can get a total of 70k of statements attached to reach Role.

This PR introduces `IComparablePrincipal` to be able to value-compare
two principals: since we want to merge first before we split (to get the
most bang for our buck), we now need to do statement merging during the
prepare phase, while we are still working on the object graph (instead
of the rendered CloudFormation template).
* That means statement merging had to be modified to work on
  PolicyStatement objects, which requires being able to compare
  Principal objects.

Closes #19276, closes #19939, closes #19835.


----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

#20492)

… destination bucket when used with accessControl

With the feature flag `@aws-cdk/aws-s3:grantWriteWithoutAcl` you no longer get `s3:PutObjectAcl` and `s3:PutObjectVersionAcl` permissions in the default role. These are however required when using the `accessControl` property.


----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

closes #18887

- Creates a new VpcConnector construct.
- Make the app runner service construct accept a `vpcConnector` property. When present, associate the service with the connector.

----

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [X] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [X] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ker images (#20439)

This PR adds support for specifying the desired build platform when building docker images (ie: build an arm64 image on an amd64/x86_64 host). Closes #12472 

This PR does NOT touch Lambda builders, only ECR assets. #16770 attempted to implement support for ECR and Lambda but was abandoned. Meanwhile #16858 implemented lambda platform support. This implements the ECR side

I have run `yarn integ`

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

We were trying to save time by re-using a previously synthed cloud
assembly if it existed, but we should not be doing this. When we perform
the deployment we could be using new settings (or context) that needs to
be applied to the synth.


----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… a different id

Automated action from aws/cdk-ops

Automated action from aws/cdk-ops