…25384)

The first attempt to fix this in #25190 didn't work because it didn't account for the fact that when exporting to multiple regions, we create multiple `ExportWriter`s that all use the same provider (and provider role).

This PR fixes that by adding the policy cross region ARNs directly to the custom resource provider (1 per stack) rather than the `ExportWriter` (multiple per stack). I also updated the test case to better account for this scenario.

fixes #25377

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.78.0/CHANGELOG.md)

This is a generated file that does not need to be present in the repo.

Also changed the ordering of services.
Previously this was ordered by UTF-16 code unit values. Now it's human friendly, in case anyone ever needs to look at it. This also helps with the transition to the new l1 generation.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…25435)

The current file says it was released on 2.59.0, but that is incorrect.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…#25428)

This PR replaces the hardcoded `aws` partition used in the IAM policy with `${Aws:Partition}` to ensure the correct partition is used during policy generation.

Closes #25407 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Newer Java versions will not accept `_` as an identifier. Rename a bunch of them in our public API away.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

It is currently very difficult to use the issue search functionality to figure out which PRs are ready for review from a core team member. Usually it is ~ 1/3 of open PRs that are in a reviewable state.

Some of the information we need is not available as a search filter in the issue search page (or it is difficult to create a correct filter). A PR is ready for review when:

  1. Not a draft
  2. Does not have any merge conflicts
  3. PR linter is not failing OR the user has requested an exemption
  4. A maintainer has not requested changes ...others may be added in the future

This PR adds functionality to add a label `pr/needs-review` to any PR that meets our criteria. This will allow us to easily use this to filter PRs.

**Note** I tested this locally using `act`, but there is no way to test this for real until it is merged.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Forgot to handle a case where the label does not exist on the pull request when trying to remove the label. Update to first check to make sure the label exists before removing it.

…to keep deprecated method in alpha version (#25454)

Revert PR of deprecating method AssociateAttributeGroup and AssociateStack since we would like to allow our v1 customer to continue to use deprecated method in v2 alpha version to offer them more time to switch to stable version. **We will remove these deprecated method in stable version**

This reverts commit [9222f21.](9222f21)

**Here is some context about this change:**
Recently, we found that we do not mark these two methods as deprecated in v1 cdk. Also, we cannot update v1 cdk now to send deprecation notification to them. Thus, v1 customer cannot receive any notification for the methods’ deprecation forever.
Therefore, if we directly remove these methods in v2, then v1 customers have to update their code to depreciate these two methods. We think that this migration’s customer experience is not good.

In order to offer a better customer experience to customers, we decide to keep deprecated method in alpha version. Thus, if v1 customs do not want to update their code to deprecate the methods when they want to migrate to v2, they can use our v2 alpha version temporarily

Also, there are some customer are still using these deprecated methods in alpha version, and we do not want to break their customer experience. They can update their code when they are moving to v2-stable version

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Adding this note to be explicitly clear

Closes #16250 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

The `sha` doesn't exist in some of the payloads, but should always exist in the event context.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…24510)

## Summary
Allow HTTPS outbound traffic for security groups attached to the Application Load Balancer if the Application Load Balancer is configured with an authentication configuration.

## Why is this PR needed?
Application Load Balancer authentication requires HTTPS outbound traffic.
However, the security group attached to the ApplicationLoadBalancer does not allow traffic to the outside, so the code as described in the documentation will not work by itself.
<img width="593" alt="image" src="https://user-images.githubusercontent.com/49480575/223705838-a047e14c-95f5-4c8e-9003-0bbdf6b9d281.png">

This issue is also documented.
https://aws.amazon.com/premiumsupport/knowledge-center/elb-configure-authentication-alb/?nc1=h_ls

## Related issues
Following opened issues were fixed by #21939, but related this PR.
Closes  #19035 #18944.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Adds a grantRead method with `ecr:DescribeRepositories` and `ecr:DescribeImages` permissions. 

The use case is for something like cdk-assets, which tries to look up the repository / image name as part of the publishing step (so it doesn't publish a duplicate). 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This PR fixes 2 integ tests from aws-eks.

- `integ.eks-helm-assets` is failing because 2 helm charts are trying to install with the same release name and this is failing with race condition.  This PR replaces one of them with another helm chart from ACK to avoid that and ensures the integ test will succeed.
- `integ.eks-service-account-sdk-call` is missing `package.json` and `sdk-call.js` as described in #25178 and `docker build` is failing due to missing files. We restored them from [v2.72.1](https://github.com/aws/aws-cdk/tree/v2.72.1/packages/%40aws-cdk/aws-eks/test/sdk-call-integ-test-docker-app/app) with minor update on the test.

Now both integ tests can successfully run with no error.

Closes #25438 #25178 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…esting/framework-integ/test/aws-eks/test/integ.eks-service-account-sdk-call.js.snapshot/asset.39f60f1f096988b40a74890fd21e097d4494ae80186b9dea6319e81d6c5b71d2 (#25462)

Bumps [xml2js](https://github.com/Leonidas-from-XIV/node-xml2js) from 0.4.19 to 0.5.0.
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/9f730bb5001331b4398909db98c80220eb9577f7"><code>9f730bb</code></a> Update package.json with latest PR</li>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/50a492aef9729b8b9b291c5cb2746ec7dc1369db"><code>50a492a</code></a> Merge pull request <a href="https://redirect.github.com/Leonidas-from-XIV/node-xml2js/issues/603">#603</a> from autopulated/master</li>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/7bc3c5d74cf66429dfb804626f3099a17dea1691"><code>7bc3c5d</code></a> Merge pull request <a href="https://redirect.github.com/Leonidas-from-XIV/node-xml2js/issues/598">#598</a> from fnimick/master</li>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/f412a128b6d68c93d0cea44289484e5102b557f4"><code>f412a12</code></a> Merge pull request <a href="https://redirect.github.com/Leonidas-from-XIV/node-xml2js/issues/635">#635</a> from wisesimpson/patch-1</li>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/d318ce0ad8e44971d8334c21f91a68ebbdc80466"><code>d318ce0</code></a> Update README.md</li>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/581b19a62d88f8a3c068b5a45f4542c2d6a495a5"><code>581b19a</code></a> use Object.create(null) to create all parsed objects (prevent prototype repla...</li>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/a21295009e4cbc1f9847bdff0f9b933b5005e690"><code>a212950</code></a> Add documentation for <code>explicitCharkey</code> option</li>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/1832e0b6b2de30a5e326d1cf21708cd32305a538"><code>1832e0b</code></a> Merge pull request <a href="https://redirect.github.com/Leonidas-from-XIV/node-xml2js/issues/512">#512</a> from economia/master</li>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/198063c4d5e051e3c58349a05354b255ef8bd63c"><code>198063c</code></a> Merge pull request <a href="https://redirect.github.com/Leonidas-from-XIV/node-xml2js/issues/556">#556</a> from Omega-Ariston/fix-issue544</li>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/0d717852434131746d4efe147eecfcc1ebb7f4a8"><code>0d71785</code></a> Merge pull request <a href="https://redirect.github.com/Leonidas-from-XIV/node-xml2js/issues/562">#562</a> from Omega-Ariston/addDocExample</li>
<li>Additional commits viewable in <a href="https://github.com/Leonidas-from-XIV/node-xml2js/compare/0.4.19...0.5.0">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=xml2js&package-manager=npm_and_yarn&previous-version=0.4.19&new-version=0.5.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts).

</details>

)

Fixing some of the remaining issues with the new needs review workflow

- `aws-cdk-automation` does show up as MEMBER so need to filter it out
- If the PR linter failed then we never made it to the assessReview. Make sure we assess review even if the linter fails

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Sensitive data protection for CloudWatch Logs was launched at re:Invent 2022. This feature will enable that property under DataProtectionPolicy as a JSON object in the LogGroup construct.

Use case: A data protection policy can help safeguard sensitive data that's ingested by the log group by auditing and masking the sensitive log data. When a user who does not have permission to view masked data views a log event that includes masked data, the sensitive data is replaced by asterisks.

closes #23399

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Construct Runtime Dependencies:

* [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Our automatic build concurrency calculation only uses number of available CPUs as a limiting heuristic. Also add a dimension to limit based on available memory, because my machine runs out of memory every time it builds.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

`_` identifiers cause a problem with Java compilation. Remove them.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

A package.json in a test app was accidentally removed as part of the
repo restructure. This is used as part of the yarn upgrade workflow and
if it is absent then the ncu command will apply to the `aws-cdk-lib` package.
https://github.com/aws/aws-cdk/blob/1f4c4fafe22bdd80c43e80e8a968428f3aa827e1/.github/workflows/yarn-upgrade.yml#L70

…imitive type (#25460)

We currently do not account for cases where a property type can have a complex type that matches one of our primitive types. For example, [AWS::IoT::TopicRule.LocationAction](https://github.com/aws/aws-cdk/blob/a0ad49df7b2536d800b4890ae0116e6ce26e6c55/packages/@aws-cdk/cfnspec/spec-source/specification/000_cfn/000_official/000_AWS_IoT.json#L1437-L1442) has a property `Timestamp` with a Type of [Timestamp](https://github.com/aws/aws-cdk/blob/a0ad49df7b2536d800b4890ae0116e6ce26e6c55/packages/@aws-cdk/cfnspec/spec-source/specification/000_cfn/000_official/000_AWS_IoT.json#L1727-L1742) When cfn2ts generates the TypeScript code it thinks that this is referring to the `PrimitiveType` `Timestamp` and coverts it to a `Date`.

After running `gen` with these changes the only differences in the cfnspecs were

`iot.generated.ts`
```diff
@@ -10134,7 +10134,7 @@ export namespace CfnTopicRule {
          *
          * @link http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iot-topicrule-locationaction.html#cfn-iot-topicrule-locationaction-timestamp
          */
-        readonly timestamp?: Date | cdk.IResolvable;
+        readonly timestamp?: CfnTopicRule.TimestampProperty | cdk.IResolvable;
         /**
          * The name of the tracker resource in Amazon Location in which the location is updated.
          *
@@ -10165,7 +10165,7 @@ function CfnTopicRule_LocationActionPropertyValidator(properties: any): cdk.Vali
     errors.collect(cdk.propertyValidator('longitude', cdk.validateString)(properties.longitude));
     errors.collect(cdk.propertyValidator('roleArn', cdk.requiredValidator)(properties.roleArn));
     errors.collect(cdk.propertyValidator('roleArn', cdk.validateString)(properties.roleArn));
-    errors.collect(cdk.propertyValidator('timestamp', cdk.validateDate)(properties.timestamp));
+    errors.collect(cdk.propertyValidator('timestamp', CfnTopicRule_TimestampPropertyValidator)(properties.timestamp));
     errors.collect(cdk.propertyValidator('trackerName', cdk.requiredValidator)(properties.trackerName));
     errors.collect(cdk.propertyValidator('trackerName', cdk.validateString)(properties.trackerName));
     return errors.wrap('supplied properties not correct for "LocationActionProperty"');
@@ -10187,7 +10187,7 @@ function cfnTopicRuleLocationActionPropertyToCloudFormation(properties: any): an
         Latitude: cdk.stringToCloudFormation(properties.latitude),
         Longitude: cdk.stringToCloudFormation(properties.longitude),
         RoleArn: cdk.stringToCloudFormation(properties.roleArn),
-        Timestamp: cdk.dateToCloudFormation(properties.timestamp),
+        Timestamp: cfnTopicRuleTimestampPropertyToCloudFormation(properties.timestamp),
         TrackerName: cdk.stringToCloudFormation(properties.trackerName),
     };
 }
@@ -10206,7 +10206,7 @@ function CfnTopicRuleLocationActionPropertyFromCloudFormation(properties: any):
     ret.addPropertyResult('latitude', 'Latitude', cfn_parse.FromCloudFormation.getString(properties.Latitude));
     ret.addPropertyResult('longitude', 'Longitude', cfn_parse.FromCloudFormation.getString(properties.Longitude));
     ret.addPropertyResult('roleArn', 'RoleArn', cfn_parse.FromCloudFormation.getString(properties.RoleArn));
-    ret.addPropertyResult('timestamp', 'Timestamp', properties.Timestamp != null ? cfn_parse.FromCloudFormation.getDate(properties.Timestamp) : undefined);
+    ret.addPropertyResult('timestamp', 'Timestamp', properties.Timestamp != null ? CfnTopicRuleTimestampPropertyFromCloudFormation(properties.Timestamp) : undefined);
     ret.addPropertyResult('trackerName', 'TrackerName', cfn_parse.FromCloudFormation.getString(properties.TrackerName));
     ret.addUnrecognizedPropertiesAsExtra(properties);
     return ret;
```

`sagemaker.generated.ts`
```diff
@@ -2053,7 +2053,7 @@ export namespace CfnDataQualityJobDefinition {
          *
          * @link http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sagemaker-dataqualityjobdefinition-datasetformat.html#cfn-sagemaker-dataqualityjobdefinition-datasetformat-json
          */
-        readonly json?: any | cdk.IResolvable;
+        readonly json?: CfnDataQualityJobDefinition.JsonProperty | cdk.IResolvable;
         /**
          * `CfnDataQualityJobDefinition.DatasetFormatProperty.Parquet`
          *
@@ -2077,7 +2077,7 @@ function CfnDataQualityJobDefinition_DatasetFormatPropertyValidator(properties:
         errors.collect(new cdk.ValidationResult('Expected an object, but received: ' + JSON.stringify(properties)));
     }
     errors.collect(cdk.propertyValidator('csv', CfnDataQualityJobDefinition_CsvPropertyValidator)(properties.csv));
-    errors.collect(cdk.propertyValidator('json', cdk.validateObject)(properties.json));
+    errors.collect(cdk.propertyValidator('json', CfnDataQualityJobDefinition_JsonPropertyValidator)(properties.json));
     errors.collect(cdk.propertyValidator('parquet', cdk.validateBoolean)(properties.parquet));
     return errors.wrap('supplied properties not correct for "DatasetFormatProperty"');
 }
@@ -2095,7 +2095,7 @@ function cfnDataQualityJobDefinitionDatasetFormatPropertyToCloudFormation(proper
     CfnDataQualityJobDefinition_DatasetFormatPropertyValidator(properties).assertSuccess();
     return {
         Csv: cfnDataQualityJobDefinitionCsvPropertyToCloudFormation(properties.csv),
-        Json: cdk.objectToCloudFormation(properties.json),
+        Json: cfnDataQualityJobDefinitionJsonPropertyToCloudFormation(properties.json),
         Parquet: cdk.booleanToCloudFormation(properties.parquet),
     };
 }
@@ -2111,7 +2111,7 @@ function CfnDataQualityJobDefinitionDatasetFormatPropertyFromCloudFormation(prop
     }
     const ret = new cfn_parse.FromCloudFormationPropertyObject<CfnDataQualityJobDefinition.DatasetFormatProperty>();
     ret.addPropertyResult('csv', 'Csv', properties.Csv != null ? CfnDataQualityJobDefinitionCsvPropertyFromCloudFormation(properties.Csv) : undefined);
-    ret.addPropertyResult('json', 'Json', properties.Json != null ? cfn_parse.FromCloudFormation.getAny(properties.Json) : undefined);
+    ret.addPropertyResult('json', 'Json', properties.Json != null ? CfnDataQualityJobDefinitionJsonPropertyFromCloudFormation(properties.Json) : undefined);
     ret.addPropertyResult('parquet', 'Parquet', properties.Parquet != null ? cfn_parse.FromCloudFormation.getBoolean(properties.Parquet) : undefined);
     ret.addUnrecognizedPropertiesAsExtra(properties);
     return ret;
@@ -11470,7 +11470,7 @@ export namespace CfnModelBiasJobDefinition {
          *
          * @link http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sagemaker-modelbiasjobdefinition-datasetformat.html#cfn-sagemaker-modelbiasjobdefinition-datasetformat-json
          */
-        readonly json?: any | cdk.IResolvable;
+        readonly json?: CfnModelBiasJobDefinition.JsonProperty | cdk.IResolvable;
         /**
          * `CfnModelBiasJobDefinition.DatasetFormatProperty.Parquet`
          *
@@ -11494,7 +11494,7 @@ function CfnModelBiasJobDefinition_DatasetFormatPropertyValidator(properties: an
         errors.collect(new cdk.ValidationResult('Expected an object, but received: ' + JSON.stringify(properties)));
     }
     errors.collect(cdk.propertyValidator('csv', CfnModelBiasJobDefinition_CsvPropertyValidator)(properties.csv));
-    errors.collect(cdk.propertyValidator('json', cdk.validateObject)(properties.json));
+    errors.collect(cdk.propertyValidator('json', CfnModelBiasJobDefinition_JsonPropertyValidator)(properties.json));
     errors.collect(cdk.propertyValidator('parquet', cdk.validateBoolean)(properties.parquet));
     return errors.wrap('supplied properties not correct for "DatasetFormatProperty"');
 }
@@ -11512,7 +11512,7 @@ function cfnModelBiasJobDefinitionDatasetFormatPropertyToCloudFormation(properti
     CfnModelBiasJobDefinition_DatasetFormatPropertyValidator(properties).assertSuccess();
     return {
         Csv: cfnModelBiasJobDefinitionCsvPropertyToCloudFormation(properties.csv),
-        Json: cdk.objectToCloudFormation(properties.json),
+        Json: cfnModelBiasJobDefinitionJsonPropertyToCloudFormation(properties.json),
         Parquet: cdk.booleanToCloudFormation(properties.parquet),
     };
 }
@@ -11528,7 +11528,7 @@ function CfnModelBiasJobDefinitionDatasetFormatPropertyFromCloudFormation(proper
     }
     const ret = new cfn_parse.FromCloudFormationPropertyObject<CfnModelBiasJobDefinition.DatasetFormatProperty>();
     ret.addPropertyResult('csv', 'Csv', properties.Csv != null ? CfnModelBiasJobDefinitionCsvPropertyFromCloudFormation(properties.Csv) : undefined);
-    ret.addPropertyResult('json', 'Json', properties.Json != null ? cfn_parse.FromCloudFormation.getAny(properties.Json) : undefined);
+    ret.addPropertyResult('json', 'Json', properties.Json != null ? CfnModelBiasJobDefinitionJsonPropertyFromCloudFormation(properties.Json) : undefined);
     ret.addPropertyResult('parquet', 'Parquet', properties.Parquet != null ? cfn_parse.FromCloudFormation.getBoolean(properties.Parquet) : undefined);
     ret.addUnrecognizedPropertiesAsExtra(properties);
     return ret;
@@ -15402,7 +15402,7 @@ export namespace CfnModelExplainabilityJobDefinition {
          *
          * @link http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sagemaker-modelexplainabilityjobdefinition-datasetformat.html#cfn-sagemaker-modelexplainabilityjobdefinition-datasetformat-json
          */
-        readonly json?: any | cdk.IResolvable;
+        readonly json?: CfnModelExplainabilityJobDefinition.JsonProperty | cdk.IResolvable;
         /**
          * `CfnModelExplainabilityJobDefinition.DatasetFormatProperty.Parquet`
          *
@@ -15426,7 +15426,7 @@ function CfnModelExplainabilityJobDefinition_DatasetFormatPropertyValidator(prop
         errors.collect(new cdk.ValidationResult('Expected an object, but received: ' + JSON.stringify(properties)));
     }
     errors.collect(cdk.propertyValidator('csv', CfnModelExplainabilityJobDefinition_CsvPropertyValidator)(properties.csv));
-    errors.collect(cdk.propertyValidator('json', cdk.validateObject)(properties.json));
+    errors.collect(cdk.propertyValidator('json', CfnModelExplainabilityJobDefinition_JsonPropertyValidator)(properties.json));
     errors.collect(cdk.propertyValidator('parquet', cdk.validateBoolean)(properties.parquet));
     return errors.wrap('supplied properties not correct for "DatasetFormatProperty"');
 }
@@ -15444,7 +15444,7 @@ function cfnModelExplainabilityJobDefinitionDatasetFormatPropertyToCloudFormatio
     CfnModelExplainabilityJobDefinition_DatasetFormatPropertyValidator(properties).assertSuccess();
     return {
         Csv: cfnModelExplainabilityJobDefinitionCsvPropertyToCloudFormation(properties.csv),
-        Json: cdk.objectToCloudFormation(properties.json),
+        Json: cfnModelExplainabilityJobDefinitionJsonPropertyToCloudFormation(properties.json),
         Parquet: cdk.booleanToCloudFormation(properties.parquet),
     };
 }
@@ -15460,7 +15460,7 @@ function CfnModelExplainabilityJobDefinitionDatasetFormatPropertyFromCloudFormat
     }
     const ret = new cfn_parse.FromCloudFormationPropertyObject<CfnModelExplainabilityJobDefinition.DatasetFormatProperty>();
     ret.addPropertyResult('csv', 'Csv', properties.Csv != null ? CfnModelExplainabilityJobDefinitionCsvPropertyFromCloudFormation(properties.Csv) : undefined);
-    ret.addPropertyResult('json', 'Json', properties.Json != null ? cfn_parse.FromCloudFormation.getAny(properties.Json) : undefined);
+    ret.addPropertyResult('json', 'Json', properties.Json != null ? CfnModelExplainabilityJobDefinitionJsonPropertyFromCloudFormation(properties.Json) : undefined);
     ret.addPropertyResult('parquet', 'Parquet', properties.Parquet != null ? cfn_parse.FromCloudFormation.getBoolean(properties.Parquet) : undefined);
     ret.addUnrecognizedPropertiesAsExtra(properties);
     return ret;
@@ -20808,7 +20808,7 @@ export namespace CfnModelQualityJobDefinition {
          *
          * @link http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sagemaker-modelqualityjobdefinition-datasetformat.html#cfn-sagemaker-modelqualityjobdefinition-datasetformat-json
          */
-        readonly json?: any | cdk.IResolvable;
+        readonly json?: CfnModelQualityJobDefinition.JsonProperty | cdk.IResolvable;
         /**
          * `CfnModelQualityJobDefinition.DatasetFormatProperty.Parquet`
          *
@@ -20832,7 +20832,7 @@ function CfnModelQualityJobDefinition_DatasetFormatPropertyValidator(properties:
         errors.collect(new cdk.ValidationResult('Expected an object, but received: ' + JSON.stringify(properties)));
     }
     errors.collect(cdk.propertyValidator('csv', CfnModelQualityJobDefinition_CsvPropertyValidator)(properties.csv));
-    errors.collect(cdk.propertyValidator('json', cdk.validateObject)(properties.json));
+    errors.collect(cdk.propertyValidator('json', CfnModelQualityJobDefinition_JsonPropertyValidator)(properties.json));
     errors.collect(cdk.propertyValidator('parquet', cdk.validateBoolean)(properties.parquet));
     return errors.wrap('supplied properties not correct for "DatasetFormatProperty"');
 }
@@ -20850,7 +20850,7 @@ function cfnModelQualityJobDefinitionDatasetFormatPropertyToCloudFormation(prope
     CfnModelQualityJobDefinition_DatasetFormatPropertyValidator(properties).assertSuccess();
     return {
         Csv: cfnModelQualityJobDefinitionCsvPropertyToCloudFormation(properties.csv),
-        Json: cdk.objectToCloudFormation(properties.json),
+        Json: cfnModelQualityJobDefinitionJsonPropertyToCloudFormation(properties.json),
         Parquet: cdk.booleanToCloudFormation(properties.parquet),
     };
 }
@@ -20866,7 +20866,7 @@ function CfnModelQualityJobDefinitionDatasetFormatPropertyFromCloudFormation(pro
     }
     const ret = new cfn_parse.FromCloudFormationPropertyObject<CfnModelQualityJobDefinition.DatasetFormatProperty>();
     ret.addPropertyResult('csv', 'Csv', properties.Csv != null ? CfnModelQualityJobDefinitionCsvPropertyFromCloudFormation(properties.Csv) : undefined);
-    ret.addPropertyResult('json', 'Json', properties.Json != null ? cfn_parse.FromCloudFormation.getAny(properties.Json) : undefined);
+    ret.addPropertyResult('json', 'Json', properties.Json != null ? CfnModelQualityJobDefinitionJsonPropertyFromCloudFormation(properties.Json) : undefined);
     ret.addPropertyResult('parquet', 'Parquet', properties.Parquet != null ? cfn_parse.FromCloudFormation.getBoolean(properties.Parquet) : undefined);
     ret.addUnrecognizedPropertiesAsExtra(properties);
     return ret;
@@ -22693,7 +22693,7 @@ export namespace CfnMonitoringSchedule {
          *
          * @link http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sagemaker-monitoringschedule-datasetformat.html#cfn-sagemaker-monitoringschedule-datasetformat-json
          */
-        readonly json?: any | cdk.IResolvable;
+        readonly json?: CfnMonitoringSchedule.JsonProperty | cdk.IResolvable;
         /**
          * `CfnMonitoringSchedule.DatasetFormatProperty.Parquet`
          *
@@ -22717,7 +22717,7 @@ function CfnMonitoringSchedule_DatasetFormatPropertyValidator(properties: any):
         errors.collect(new cdk.ValidationResult('Expected an object, but received: ' + JSON.stringify(properties)));
     }
     errors.collect(cdk.propertyValidator('csv', CfnMonitoringSchedule_CsvPropertyValidator)(properties.csv));
-    errors.collect(cdk.propertyValidator('json', cdk.validateObject)(properties.json));
+    errors.collect(cdk.propertyValidator('json', CfnMonitoringSchedule_JsonPropertyValidator)(properties.json));
     errors.collect(cdk.propertyValidator('parquet', cdk.validateBoolean)(properties.parquet));
     return errors.wrap('supplied properties not correct for "DatasetFormatProperty"');
 }
@@ -22735,7 +22735,7 @@ function cfnMonitoringScheduleDatasetFormatPropertyToCloudFormation(properties:
     CfnMonitoringSchedule_DatasetFormatPropertyValidator(properties).assertSuccess();
     return {
         Csv: cfnMonitoringScheduleCsvPropertyToCloudFormation(properties.csv),
-        Json: cdk.objectToCloudFormation(properties.json),
+        Json: cfnMonitoringScheduleJsonPropertyToCloudFormation(properties.json),
         Parquet: cdk.booleanToCloudFormation(properties.parquet),
     };
 }
@@ -22751,7 +22751,7 @@ function CfnMonitoringScheduleDatasetFormatPropertyFromCloudFormation(properties
     }
     const ret = new cfn_parse.FromCloudFormationPropertyObject<CfnMonitoringSchedule.DatasetFormatProperty>();
     ret.addPropertyResult('csv', 'Csv', properties.Csv != null ? CfnMonitoringScheduleCsvPropertyFromCloudFormation(properties.Csv) : undefined);
-    ret.addPropertyResult('json', 'Json', properties.Json != null ? cfn_parse.FromCloudFormation.getAny(properties.Json) : undefined);
+    ret.addPropertyResult('json', 'Json', properties.Json != null ? CfnMonitoringScheduleJsonPropertyFromCloudFormation(properties.Json) : undefined);
     ret.addPropertyResult('parquet', 'Parquet', properties.Parquet != null ? cfn_parse.FromCloudFormation.getBoolean(properties.Parquet) : undefined);
     ret.addUnrecognizedPropertiesAsExtra(properties);
     return ret;
```

Closes #22732

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…d with `[Object object]` (#25466)

We were using `Tokenization.resolve()`, which uses a generic token resolver that does `${token1}${token2}` instead of creating an `Fn::Split` object. The only reason that token existed was to mutate the L1 object after synthesis so subclasses could fill in the `executionRole`. The `executionRole` was meant to be optional for EC2 jobs and required for Fargate jobs. Setting the `loggingConfig` being defined would force it to be defined it for EC2 Jobs. However, the `loggingConfig` was always defined, because it was set to a `Lazy` (which could result in `undefined`, but that doesn't matter: it was defined during synthesis). So the `executionRole` was always being set:

```
    this.executionRole = props.executionRole ?? (this.logDriverConfig ? createExecutionRole(this, 'ExecutionRole') : undefined);
```

This PR makes it clear that the `executionRole` is created by default.

Closes #25250

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.

…esting/framework-integ/test/aws-eks/test/integ.eks-service-account-sdk-call.js.snapshot/asset.46684d71d35b87acf17090e483a3db7ff3e198145b41450ffaa234ff8ffdebed (#25487)

Bumps [xml2js](https://github.com/Leonidas-from-XIV/node-xml2js) from 0.4.19 to 0.5.0.
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/9f730bb5001331b4398909db98c80220eb9577f7"><code>9f730bb</code></a> Update package.json with latest PR</li>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/50a492aef9729b8b9b291c5cb2746ec7dc1369db"><code>50a492a</code></a> Merge pull request <a href="https://redirect.github.com/Leonidas-from-XIV/node-xml2js/issues/603">#603</a> from autopulated/master</li>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/7bc3c5d74cf66429dfb804626f3099a17dea1691"><code>7bc3c5d</code></a> Merge pull request <a href="https://redirect.github.com/Leonidas-from-XIV/node-xml2js/issues/598">#598</a> from fnimick/master</li>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/f412a128b6d68c93d0cea44289484e5102b557f4"><code>f412a12</code></a> Merge pull request <a href="https://redirect.github.com/Leonidas-from-XIV/node-xml2js/issues/635">#635</a> from wisesimpson/patch-1</li>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/d318ce0ad8e44971d8334c21f91a68ebbdc80466"><code>d318ce0</code></a> Update README.md</li>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/581b19a62d88f8a3c068b5a45f4542c2d6a495a5"><code>581b19a</code></a> use Object.create(null) to create all parsed objects (prevent prototype repla...</li>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/a21295009e4cbc1f9847bdff0f9b933b5005e690"><code>a212950</code></a> Add documentation for <code>explicitCharkey</code> option</li>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/1832e0b6b2de30a5e326d1cf21708cd32305a538"><code>1832e0b</code></a> Merge pull request <a href="https://redirect.github.com/Leonidas-from-XIV/node-xml2js/issues/512">#512</a> from economia/master</li>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/198063c4d5e051e3c58349a05354b255ef8bd63c"><code>198063c</code></a> Merge pull request <a href="https://redirect.github.com/Leonidas-from-XIV/node-xml2js/issues/556">#556</a> from Omega-Ariston/fix-issue544</li>
<li><a href="https://github.com/Leonidas-from-XIV/node-xml2js/commit/0d717852434131746d4efe147eecfcc1ebb7f4a8"><code>0d71785</code></a> Merge pull request <a href="https://redirect.github.com/Leonidas-from-XIV/node-xml2js/issues/562">#562</a> from Omega-Ariston/addDocExample</li>
<li>Additional commits viewable in <a href="https://github.com/Leonidas-from-XIV/node-xml2js/compare/0.4.19...0.5.0">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=xml2js&package-manager=npm_and_yarn&previous-version=0.4.19&new-version=0.5.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts).

</details>

chore(eks): test app should only exist in framework-integ

Manually running the bump-cfnspec.sh script and creating the PR because there are breaking changes that cause the automated build to fail.

- Keeping S3, Neptune, Xray on 1.117 due to breaking changes

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

There recently was some confusion on how CDK calculates service principal names. Will it add region-specific suffixes, will it not?

It depends on a feature flag; document that now.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Closes #<[25503](#25503)>

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

The aws-eks README is using `version: eks.KubernetesVersion.V1_26` but the layer version is still v25.

This PR updates the versions to make them all v26 for consistency.

Closes #<issue number here>.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

I figure that approved PRs should also lose the `needs-review` label, since they will still exist in the open PR list for a while and pollute the pool of actual prs needing review. I could've bundled this in to `maintainerRequestsChanges` but I figured it makes more sense to be explicit about the different rules we have for the `needs-review` label.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*