chore(release): 2.146.0 #30548
Merged
### Reason for this change

Add support for newly supported `8.0.mysql_aurora.3.07.0`.

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraMySQLReleaseNotes/AuroraMySQL.Updates.3070.html

### Description of changes

Add a new version as a new property to `AuroraMysqlEngineVersion` class.

### Description of how you validated changes

I used the AWS CLI to verify that the new version is available.

```bash
aws rds describe-db-engine-versions --engine aurora-mysql --query "DBEngineVersions[?EngineVersion=='8.0.mysql_aurora.3.07.0']"
[
    {
        "Engine": "aurora-mysql",
        "EngineVersion": "8.0.mysql_aurora.3.07.0",
        "DBParameterGroupFamily": "aurora-mysql8.0",
        "DBEngineDescription": "Aurora MySQL",
        "DBEngineVersionDescription": "Aurora MySQL 3.07.0 (compatible with MySQL 8.0.36)",
        "ValidUpgradeTarget": [],
        "ExportableLogTypes": [
            "audit",
            "error",
            "general",
            "slowquery"
        ],
        "SupportsLogExportsToCloudwatchLogs": true,
        "SupportsReadReplica": false,
        "SupportedEngineModes": [
            "provisioned"
        ],
        "SupportedFeatureNames": [
            "Bedrock"
        ],
        "Status": "available",
        "SupportsParallelQuery": true,
        "SupportsGlobalDatabases": true,
        "MajorEngineVersion": "8.0",
        "SupportsBabelfish": false,
        "SupportsLimitlessDatabase": false,
        "SupportsCertificateRotationWithoutRestart": true,
        "SupportedCACertificateIdentifiers": [
            "rds-ca-2019",
            "rds-ca-ecc384-g1",
            "rds-ca-rsa4096-g1",
            "rds-ca-rsa2048-g1"
        ],
        "SupportsLocalWriteForwarding": true,
        "SupportsIntegrations": true
    }
]
```

Hopefully this will be automated in the future.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-autoscaling │ └ resources │ └[~] resource AWS::AutoScaling::ScalingPolicy │ └ types │ ├[~] type CustomizedMetricSpecification │ │ └ properties │ │ ├ MetricName: - string (required) │ │ │ + string │ │ ├[+] Metrics: Array<TargetTrackingMetricDataQuery> │ │ ├ Namespace: - string (required) │ │ │ + string │ │ └ Statistic: - string (required) │ │ + string │ ├[+] type TargetTrackingMetricDataQuery │ │ ├ name: TargetTrackingMetricDataQuery │ │ └ properties │ │ ├Label: string │ │ ├MetricStat: TargetTrackingMetricStat │ │ ├Id: string (required) │ │ ├ReturnData: boolean │ │ └Expression: string │ └[+] type TargetTrackingMetricStat │ ├ name: TargetTrackingMetricStat │ └ properties │ ├Metric: Metric (required) │ ├Stat: string (required) │ └Unit: string ├[~] service aws-connect │ └ resources │ └[~] resource AWS::Connect::Rule │ └ types │ ├[~] type Actions │ │ └ properties │ │ └[+] SubmitAutoEvaluationActions: Array<SubmitAutoEvaluationAction> │ └[+] type SubmitAutoEvaluationAction │ ├ documentation: The definition of submit auto evaluation action. 
│ │ name: SubmitAutoEvaluationAction │ └ properties │ └EvaluationFormArn: string (required) ├[~] service aws-ec2 │ └ resources │ └[~] resource AWS::EC2::TransitGatewayRoute ├[~] service aws-ecs │ └ resources │ └[~] resource AWS::ECS::Cluster │ └ types │ ├[~] type ClusterConfiguration │ │ └ properties │ │ └[+] ManagedStorageConfiguration: ManagedStorageConfiguration │ └[+] type ManagedStorageConfiguration │ ├ name: ManagedStorageConfiguration │ └ properties │ ├FargateEphemeralStorageKmsKeyId: string │ └KmsKeyId: string ├[~] service aws-pipes │ └ resources │ └[~] resource AWS::Pipes::Pipe │ └ types │ ├[+] type DimensionMapping │ │ ├ name: DimensionMapping │ │ └ properties │ │ ├DimensionValue: string (required) │ │ ├DimensionValueType: string (required) │ │ └DimensionName: string (required) │ ├[+] type MultiMeasureAttributeMapping │ │ ├ name: MultiMeasureAttributeMapping │ │ └ properties │ │ ├MeasureValue: string (required) │ │ ├MeasureValueType: string (required) │ │ └MultiMeasureAttributeName: string (required) │ ├[+] type MultiMeasureMapping │ │ ├ name: MultiMeasureMapping │ │ └ properties │ │ ├MultiMeasureName: string (required) │ │ └MultiMeasureAttributeMappings: Array<MultiMeasureAttributeMapping> (required) │ ├[~] type PipeTargetParameters │ │ └ properties │ │ └[+] TimestreamParameters: PipeTargetTimestreamParameters │ ├[+] type PipeTargetTimestreamParameters │ │ ├ name: PipeTargetTimestreamParameters │ │ └ properties │ │ ├TimeValue: string (required) │ │ ├EpochTimeUnit: string │ │ ├TimeFieldType: string │ │ ├TimestampFormat: string │ │ ├VersionValue: string (required) │ │ ├DimensionMappings: Array<DimensionMapping> (required) │ │ ├SingleMeasureMappings: Array<SingleMeasureMapping> │ │ └MultiMeasureMappings: Array<MultiMeasureMapping> │ └[+] type SingleMeasureMapping │ ├ name: SingleMeasureMapping │ └ properties │ ├MeasureValue: string (required) │ ├MeasureValueType: string (required) │ └MeasureName: string (required) ├[~] service aws-rolesanywhere │ └ 
resources │ └[~] resource AWS::RolesAnywhere::Profile │ ├ properties │ │ └[+] AttributeMappings: Array<AttributeMapping> │ └ types │ ├[+] type AttributeMapping │ │ ├ name: AttributeMapping │ │ └ properties │ │ ├MappingRules: Array<MappingRule> (required) │ │ └CertificateField: string (required) │ └[+] type MappingRule │ ├ name: MappingRule │ └ properties │ └Specifier: string (required) └[~] service aws-securitylake └ resources └[~] resource AWS::SecurityLake::DataLake └ properties └ MetaStoreManagerRoleArn: - string (immutable) + string ```
### Issue # (if applicable)

Closes #29049.

### Reason for this change

Allow the Topic construct to expose a method to grant subscription permissions to a grantable resource. It's useful when you want to allow entities, such as another AWS account or resources created later, to subscribe to the topic at their own pace, separating permission granting from the actual subscription process.

### Description of changes

Add grantSubscribe method to ITopic interface and TopicBase class.

### Description of how you validated changes

Add unit tests and integ tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

N/A

### Reason for this change

Cluster can be upgraded/created to Postgres 15.6 via the console/CLI but not CDK.

### Description of changes

Adds support for Postgres 15.6 Aurora cluster, 15.5 instances are already supported.

### Description of how you validated changes

N/A

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
)

### Issue # (if applicable)

N/A

### Reason for this change

AppRunner supported Dual Stack.

https://aws.amazon.com/about-aws/whats-new/2023/11/aws-app-runner-supports-ipv6-public-inbound-traffic/?nc1=h_ls

But current L2 Construct (alpha module) does not support it.

### Description of changes

Add ipAddressType property to the Service class

### Description of how you validated changes

Add unit tests and integ tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

Closes #20017 as well as #15523 and #28629

### Reason for this change

Due to the way function names are generated using token strings with either single- or double-digit numbers, longer function names can be truncated differently, leading to inconsistency in generated CloudFormation templates.

### Description of changes

To ensure backwards compatibility, if names are longer than 64 characters and use region tokens, if the token uses a single-digit region number, it takes the first **31** characters + the last 32 characters; if the token uses a double-digit region number or otherwise, it takes the first **32** characters + the last 32 characters. This ensures it will always take the same first chunk of the actual function's name.

### Description of how you validated changes

A new unit test was added to verify the consistency of function names in the template.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ith same name (#30439)

### Issue # (if applicable)

Closes #30262.

### Reason for this change

Route53 does not support subdomain delegation on Private Hosted Zones ([source](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-considerations.html#hosted-zone-private-considerations-delegating-subdomain)). `CrossAccountZoneDelegationRecord` should ignore Private Hosted Zones instead of throwing error.

### Description of changes

In `CrossAccountZoneDelegationRecord` handler, filter out Private Hosted Zones.

### Description of how you validated changes

Deployed a stack that uses the updated `CrossAccountZoneDelegationRecord` handler where the parent account has both public and private hosted zones with the same domain name.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change

There was an upstream bug in jsii aws/jsii-compiler#1070 that caused the build to fail. Updating the package manually to confirm the issue is resolved.

### Description of changes

Upgraded to the latest version of jsii that includes a fix for the build issue.

### Description of how you validated changes

Dependency upgrade. Existing tests cover this.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…esources (#30108)

### Reason for this change

This PR introduces node runtime region awareness into the custom resource provider framework by doing the following:

- Adding a `LATEST_NODE_RUNTIME_MAP` fact table used to maintain the latest node runtime available per AWS partition
- Introducing `determineLatestNodeRuntime` and `determineLatestNodeRuntimeName` functions which determine the latest Lambda node `Runtime` and the latest Lambda node `Runtime` name, respectively
- Updating the custom resource provider framework to utilize these two functions when code generating the runtime property for providers using node runtimes

### Description of changes

This PR can be segmented into the following code changes:

- A `LATEST_NODE_RUNTIME_MAP` fact table was added which maintains the latest Lambda node runtime available per AWS partition.
- Introduced `determineLatestNodeRuntime` and `determineLatestNodeRuntimeName` functions which determine the latest Lambda node `Runtime` and the latest Lambda node `Runtime` name, respectively.
- The existing runtime property being code generated via the custom resource provider framework has been altered to now use the appropriate runtime determiner function, i.e., `determineLatestNodeRuntimeName` for `CustomResourceProvider` or `determineLatestNodeRuntime` for `Function` or `SingletonFunction`. Any custom resource provider using a python runtime will not use either of these functions.
- To consolidate and manage importing of external modules a `ModuleImporter` class has been created. This class allows external modules to be registered as an import for a target module and prevents duplicate imports for modules that contain multiple framework components. This class also provides the ability to specify different import paths which allows all external modules to be consolidated into a single class rather than having duplicate external modules defined for different import paths. Lastly, this class determines whether or not external modules should be imported selectively or if all targets in the external module should be imported under an alias, i.e., `import { Function } from 'aws-lambda'` vs. `import * as lambda from 'aws-lambda'`
- A `CallableExpr` class was created to allow expression proxies to be created from a specified expression name. This allows the new runtime determiner functions and other module specific functions to be called from their specified module and built into a JavaScript object that will mirror the JavaScript operations done to it in an expression tree.

### Description of how you validated changes

Manually tested all individual custom resource handlers for create, update, and delete. I verified that the behavior seen was what was expected based off of the handler code.

All impacted integ tests were updated.

New unit tests were added to the custom resource handler framework to test that generated code correctly included `determineLatestNodeRuntime` for Lambda based handlers and `determineLatestNodeRuntimeName` for `CfnResource` based handlers.

Added new unit tests to test the functionality of `determineLatestNodeRuntime` and `determineLatestNodeRuntimeName` for region agnostic stacks, stacks in commercial region, stacks in China regions, stacks in ADC regions, and stacks in GovCloud regions.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Reason for this change

[Amazon OpenSearch Service now supports OpenSearch version 2.13](https://aws.amazon.com/about-aws/whats-new/2024/05/amazon-opensearch-supports-opensearch-version-2-13/)

### Description of changes

Adds support for OpenSearch engine version 2.13

### Description of how you validated changes

`yarn test`

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)

N/A

### Reason for this change

Adding new team member's GitHub account

### Description of changes

Added my GitHub username: `IanKonlog`

### Description of how you validated changes

N/A

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Background

Amazon EKS originally uses `ConfigMap` as its access management and in aws-eks we use AwsAuth to leverage the kubectl from kubectl-lambda-layer to create the AwsAuth configmap for that. The ConfigMap has been very difficult to maintain due to its lack of support of EKS API but thanks to the AwsAuth class, it's been very smooth in CDK.

In AWS reInvent 2023 we [announced](https://aws.amazon.com/blogs/containers/a-deep-dive-into-simplified-amazon-eks-access-management-controls/) the access API support that simplifies the management as a replacement of the traditional ConfigMap. In CloudFormation we have the [AccessConfig](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-cluster.html#cfn-eks-cluster-accessconfig) with [AuthenticationMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-cluster-accessconfig.html#cfn-eks-cluster-accessconfig-authenticationmode) and `BootstrapClusterCreatorAdminPermissions` now.

The `AuthenticationMode` supports `CONFIG_MAP`, which is the default, `API_AND_CONFIG_MAP` and `CONFIG_MAP`. It allows users to switch the mode on cluster creation or update. When the mode has API support, users have to define the `AccessEntry` to map the access policies and the IAM principals.

This PR introduces the `AccessEntry` and `AccessPolicy` classes for that to simplify it with similar experience just as the [iam.ManagedPolicy](https://github.com/aws/aws-cdk/blob/3928eae1ee92a03ba9959288f05f59d6bd5edcba/packages/aws-cdk-lib/aws-iam/lib/managed-policy.ts#L104) class. This PR also introduces the `grantAccess()` method that allows a cluster to `grant` its access to a specific principal and abstracts away the complexity.

Overview of the API experience from this PR:

```ts
const cluster = new eks.Cluster(this, 'Cluster', {
  vpc,
  mastersRole: clusterAdminRole,
  version: eks.KubernetesVersion.V1_30,
  kubectlLayer: new KubectlV29Layer(this, 'KubectlLayer'),
  authenticationMode: eks.AuthenticationMode.API_AND_CONFIG_MAP,
});

// Cluster Admin role for this cluster
cluster.grantAccess('clusterAdminAccess', clusterAdminRole.roleArn, [
  eks.AccessPolicy.fromAccessPolicyName('AmazonEKSClusterAdminPolicy', {
    accessScopeType: eks.AccessScopeType.CLUSTER,
  }),
]);

// EKS Admin role for specified namespaces of this cluster
cluster.grantAccess('eksAdminRoleAccess', eksAdminRole.roleArn, [
  eks.AccessPolicy.fromAccessPolicyName('AmazonEKSAdminPolicy', {
    accessScopeType: eks.AccessScopeType.NAMESPACE,
    namespaces: ['foo', 'bar'],
  }),
]);

// EKS Admin Viewer role for specified namespaces of this cluster
cluster.grantAccess('eksAdminViewRoleAccess', eksAdminViewRole.roleArn, [
  eks.AccessPolicy.fromAccessPolicyName('AmazonEKSAdminViewPolicy', {
    accessScopeType: eks.AccessScopeType.NAMESPACE,
    namespaces: ['foo', 'bar'],
  }),
]);
```

### Issue # (if applicable)

Closes #28588

This PR introduces the `authenticationMode`, `AccessEntry` and `AccessPolicy` for both `Cluster` and `FargateCluster` construct.

- [x] bump `@aws-sdk/client-eks` to [v3.476.0](https://github.com/aws/aws-sdk-js-v3/releases/tag/v3.476.0) (the minimal version with EKS Cluster Access Management support)
- [x] make sure it deploys with the new AccessConfig support for a new cluster
- [x] make sure an existing cluster can update by adding this new prop
- [x] make sure it deploys with a new FargateCluster
- [x] make sure an existing FargateCluster can update by adding this new prop
- [x] make sure it works with CfnAccessEntry L1 resources
- [x] AccessEntry L2 construct support
- [x] AccessPolicy class
- [x] bootstrapClusterCreatorAdminPermissions
- [x] unit tests
- [x] integ tests
- [x] update README
- [x] add PR notes

### Notes

1. Switching authentication modes on an existing cluster is a one-way operation like:

   undefined(CONFIG_MAP) -> API_AND_CONFIG_MAP -> API

   You can switch from undefined or CONFIG_MAP to API_AND_CONFIG_MAP. You can then switch from API_AND_CONFIG_MAP to API. You cannot revert these operations in the opposite direction. Meaning you cannot switch back to CONFIG_MAP or API_AND_CONFIG_MAP from API. And you cannot switch back to CONFIG_MAP from API_AND_CONFIG_MAP. (see [here](https://aws.amazon.com/blogs/containers/a-deep-dive-into-simplified-amazon-eks-access-management-controls/))

   This PR adds relevant checks in the custom resource and adds a docstring in the `authenticationMode` prop.

2. Switching `bootstrapClusterCreatorAdminPermissions` would cause cluster replacement; we call this out in the README and construct prop docstring as a heads-up. This option is [available](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-cluster-accessconfig.html#cfn-eks-cluster-accessconfig-bootstrapclustercreatoradminpermissions) in CFN which triggers replacement on resource update as well. I have created #30107 for further improvement.

3. This feature does not support AWS China regions at this moment as the JS SDK version of lambda node18 runtime in China regions is `3.462.0` while this feature requires SDK [3.476.0](https://github.com/aws/aws-sdk-js-v3/releases/tag/v3.476.0) or above. It's `3.552.0` in us-east-1. Use [this example](https://docs.aws.amazon.com/lambda/latest/dg/lambda-nodejs.html#nodejs-sdk-included) to check the version.

### Reason for this change

### Description of changes

### Description of how you validated changes

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
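
The one-way authentication mode path and the replacement caveat from notes 1 and 2 above, written as a pre-deployment check over a planned sequence of access configurations. This is an added example, not code from the pull request or from aws-cdk; `AccessConfig`, `classifyUpdate` and `reviewPlan` are hypothetical names, and the handling of a direct `CONFIG_MAP` to `API` jump and of an undefined `bootstrapClusterCreatorAdminPermissions` are assumptions marked in the comments.

```typescript
// Added example: AccessConfig, classifyUpdate and reviewPlan are hypothetical
// names, not aws-cdk or CloudFormation APIs.
type AuthMode = 'CONFIG_MAP' | 'API_AND_CONFIG_MAP' | 'API';

interface AccessConfig {
  authenticationMode?: AuthMode; // undefined behaves as CONFIG_MAP
  bootstrapClusterCreatorAdminPermissions?: boolean;
}

type Verdict = 'no-change' | 'in-place' | 'replacement' | 'rejected';

interface Finding {
  verdict: Verdict;
  reason: string;
}

// Position of each mode on the one-way path CONFIG_MAP -> API_AND_CONFIG_MAP -> API.
const RANK: Record<AuthMode, number> = {
  CONFIG_MAP: 0,
  API_AND_CONFIG_MAP: 1,
  API: 2,
};

function effectiveMode(config: AccessConfig): AuthMode {
  return config.authenticationMode ?? 'CONFIG_MAP';
}

function classifyUpdate(before: AccessConfig, after: AccessConfig): Finding {
  const from = effectiveMode(before);
  const to = effectiveMode(after);

  // Moving back along the path is what the notes say cannot be done.
  if (RANK[to] < RANK[from]) {
    return { verdict: 'rejected', reason: `${from} -> ${to} reverses a one-way switch` };
  }
  // Assumption: any difference in the declared value counts as "switching",
  // including leaving it undefined on one side.
  if (before.bootstrapClusterCreatorAdminPermissions !== after.bootstrapClusterCreatorAdminPermissions) {
    return { verdict: 'replacement', reason: 'bootstrapClusterCreatorAdminPermissions changed' };
  }
  if (RANK[to] > RANK[from]) {
    // Assumption: a direct CONFIG_MAP -> API jump is treated as forward; the
    // notes only describe the two single steps.
    return { verdict: 'in-place', reason: `${from} -> ${to} moves forward` };
  }
  return { verdict: 'no-change', reason: `authentication mode stays ${from}` };
}

// Walk a planned sequence of configurations. A rejected step is not applied,
// so later steps are compared against the last accepted configuration.
function reviewPlan(steps: AccessConfig[]): Finding[] {
  const findings: Finding[] = [];
  let current: AccessConfig = steps[0] ?? {};
  for (const next of steps.slice(1)) {
    const finding = classifyUpdate(current, next);
    findings.push(finding);
    if (finding.verdict !== 'rejected') current = next;
  }
  return findings;
}

// Constructed plan: adopt the access API, finish the migration, try to roll
// back, then change the bootstrap flag.
const samplePlan: AccessConfig[] = [
  {},
  { authenticationMode: 'API_AND_CONFIG_MAP' },
  { authenticationMode: 'API' },
  { authenticationMode: 'CONFIG_MAP' },
  { authenticationMode: 'API', bootstrapClusterCreatorAdminPermissions: false },
];

console.log(reviewPlan(samplePlan).map((f) => `${f.verdict}: ${f.reason}`).join('\n'));
```

Running such a check against the previous and the new stack configuration surfaces a rollback attempt or an unintended cluster replacement before the deployment starts.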
…onstruct (#30266)

### Issue # (if applicable)

N/A

### Reason for this change

Missing property in the Construct.

https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-appsync-functionconfiguration.html#cfn-appsync-functionconfiguration-maxbatchsize

### Description of changes

Add `maxBatchSize` property to the `AppSyncFunction` Construct

### Description of how you validated changes

Add unit tests and integ tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
aws-cdk-automation added the auto-approve and pr/no-squash (This PR should be merged instead of squash-merging it) labels on Jun 13, 2024
aws-cdk-automation had a problem deploying to test-pipeline on June 13, 2024 17:19 with GitHub Actions: Failure
Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.
See CHANGELOG