…s and extra naming validation (#37526)

### Reason for this change

Allow cross-region references on an imported MediaPackageV2 channel and extra runtime validation on manifest naming.

Docs: https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-medialive-channel-mediapackageoutputdestinationsettings.html (MediaPackageRegionName)

### Description of changes

Overview of change:

1. Add region attribute on mediapackagev2 resources
2. add "from***Arn()" functions for imports
3. Added validation to unique manifest names

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

Added new unit tests

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…roup across 1 directory (#37573)

Bumps the npm_and_yarn group with 1 update in the / directory: [basic-ftp](https://github.com/patrickjuchli/basic-ftp).

Updates `basic-ftp` from 5.2.1 to 5.2.2

Release notes, sourced from [basic-ftp's releases](https://github.com/patrickjuchli/basic-ftp/releases):

> ## 5.2.2
>
> - Fixed: Improve control character rejection, fixes https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-6v7q-wjvx-w8wg.

Changelog, sourced from [basic-ftp's changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md):

> ## 5.2.2
>
> - Fixed: Improve control character rejection, fixes https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-6v7q-wjvx-w8wg.

Commits:

- [`e9d09d6`](https://github.com/patrickjuchli/basic-ftp/commit/e9d09d6815b300b73e1297cdcf91786a979ef212) Bump version
- [`20327d3`](https://github.com/patrickjuchli/basic-ftp/commit/20327d35126e57e5fdbaae79a4b65222fbadc53c) Move prevention of control character injection to more central place
- See full diff in [compare view](https://github.com/patrickjuchli/basic-ftp/compare/v5.2.1...v5.2.2)
… in Docker fails in an unclear way (#37572)

Since I'm going to be making changes here in the near future and the code of this library has accreted a lot over time and probably has many subtle edge cases, I'm starting by establishing an exhaustive testing suite.

One additional validation added in the course of this work: if the handler entry point is not under the project root, bundling inside a Docker container fails (because the entry point will not be under a mounted path), with an inscrutable error message. Catch that case early on as a misconfiguration, and report on it.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Bumps [actions/github-script](https://github.com/actions/github-script) from 8 to 9.

Release notes, sourced from [actions/github-script's releases](https://github.com/actions/github-script/releases):

> ## v9.0.0
>
> **New features:**
>
> - **`getOctokit` factory function** — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See [Creating additional clients with `getOctokit`](https://github.com/actions/github-script#creating-additional-clients-with-getoctokit) for details and examples.
> - **Orchestration ID in user-agent** — The `ACTIONS_ORCHESTRATION_ID` environment variable is automatically appended to the user-agent string for request tracing.
>
> **Breaking changes:**
>
> - **`require('@actions/github')` no longer works in scripts.** The upgrade to `@actions/github` v9 (ESM-only) means `require('@actions/github')` will fail at runtime. If you previously used patterns like `const { getOctokit } = require('@actions/github')` to create secondary clients, use the new injected `getOctokit` function instead — it's available directly in the script context with no imports needed.
> - `getOctokit` is now an injected function parameter. Scripts that declare `const getOctokit = ...` or `let getOctokit = ...` will get a `SyntaxError` because JavaScript does not allow `const`/`let` redeclaration of function parameters. Use the injected `getOctokit` directly, or use `var getOctokit = ...` if you need to redeclare it.
> - If your script accesses other `@actions/github` internals beyond the standard `github`/`octokit` client, you may need to update those references for v9 compatibility.
>
> ## What's Changed
>
> - Add ACTIONS_ORCHESTRATION_ID to user-agent string by [`@Copilot`](https://github.com/Copilot) in [actions/github-script#695](https://redirect.github.com/actions/github-script/pull/695)
> - ci: use deployment: false for integration test environments by [`@salmanmkc`](https://github.com/salmanmkc) in [actions/github-script#712](https://redirect.github.com/actions/github-script/pull/712)
> - feat!: add getOctokit to script context, upgrade `@actions/github` v9, `@octokit/core` v7, and related packages by [`@salmanmkc`](https://github.com/salmanmkc) in [actions/github-script#700](https://redirect.github.com/actions/github-script/pull/700)
>
> ## New Contributors
>
> - [`@Copilot`](https://github.com/Copilot) made their first contribution in [actions/github-script#695](https://redirect.github.com/actions/github-script/pull/695)
>
> **Full Changelog**: https://github.com/actions/github-script/compare/v8.0.0...v9.0.0

Commits:

- [`3a2844b`](https://github.com/actions/github-script/commit/3a2844b7e9c422d3c10d287c895573f7108da1b3) Merge pull request [#700](https://redirect.github.com/actions/github-script/issues/700) from actions/salmanmkc/expose-getoctokit + prepare re...
- [`ca10bbd`](https://github.com/actions/github-script/commit/ca10bbdd1a7739de09e99a200c7a59f5d73a4079) fix: use `@octokit/core/`types import for v7 compatibility
- [`86e48e2`](https://github.com/actions/github-script/commit/86e48e20ac85c970ed1f96e718fd068173948b7b) merge: incorporate main branch changes
- [`c108472`](https://github.com/actions/github-script/commit/c1084728b5b935ec4ddc1e4cee877b01797b3ff9) chore: rebuild dist for v9 upgrade and getOctokit factory
- [`afff112`](https://github.com/actions/github-script/commit/afff112e4f8b57c718168af75b89ce00bc8d091d) Merge pull request [#712](https://redirect.github.com/actions/github-script/issues/712) from actions/salmanmkc/deployment-false + fix user-ag...
- [`ff8117e`](https://github.com/actions/github-script/commit/ff8117e5b78c415f814f39ad6998f424fee7b817) ci: fix user-agent test to handle orchestration ID
- [`81c6b78`](https://github.com/actions/github-script/commit/81c6b7876079abe10ff715951c9fc7b3e1ab389d) ci: use deployment: false to suppress deployment noise from integration tests
- [`3953caf`](https://github.com/actions/github-script/commit/3953caf8858d318f37b6cc53a9f5708859b5a7b7) docs: update README examples from [`@v8`](https://github.com/v8) to [`@v9`](https://github.com/v9), add getOctokit docs and v9 brea...
- [`c17d55b`](https://github.com/actions/github-script/commit/c17d55b90dcdb3d554d0027a6c180a7adc2daf78) ci: add getOctokit integration test job
- [`a047196`](https://github.com/actions/github-script/commit/a047196d9a02fe92098771cafbb98c2f1814e408) test: add getOctokit integration tests via callAsyncFunction
- Additional commits viewable in [compare view](https://github.com/actions/github-script/compare/v8...v9)
…37581)

Bumps [step-security/changed-files](https://github.com/step-security/changed-files) from 47.0.1 to 47.0.5.

Release notes, sourced from [step-security/changed-files's releases](https://github.com/step-security/changed-files/releases):

> ## v47.0.5
>
> ## What's Changed
>
> - fix: Security updates by [`@github-actions`](https://github.com/github-actions)[bot] in [step-security/changed-files#197](https://redirect.github.com/step-security/changed-files/pull/197)
> - fix: Security updates by [`@github-actions`](https://github.com/github-actions)[bot] in [step-security/changed-files#198](https://redirect.github.com/step-security/changed-files/pull/198)
> - chore: Cherry-picked changes from upstream by [`@github-actions`](https://github.com/github-actions)[bot] in [step-security/changed-files#199](https://redirect.github.com/step-security/changed-files/pull/199)
> - fix: Security updates by [`@github-actions`](https://github.com/github-actions)[bot] in [step-security/changed-files#201](https://redirect.github.com/step-security/changed-files/pull/201)
> - fix: Security updates by [`@github-actions`](https://github.com/github-actions)[bot] in [step-security/changed-files#202](https://redirect.github.com/step-security/changed-files/pull/202)
> - fix: Security updates by [`@github-actions`](https://github.com/github-actions)[bot] in [step-security/changed-files#203](https://redirect.github.com/step-security/changed-files/pull/203)
> - fix: Security updates by [`@github-actions`](https://github.com/github-actions)[bot] in [step-security/changed-files#204](https://redirect.github.com/step-security/changed-files/pull/204)
> - fix: Security updates by [`@github-actions`](https://github.com/github-actions)[bot] in [step-security/changed-files#205](https://redirect.github.com/step-security/changed-files/pull/205)
>
> **Full Changelog**: https://github.com/step-security/changed-files/compare/v47...v47.0.5

Commits:

- [`2e07db7`](https://github.com/step-security/changed-files/commit/2e07db73e5ccdb319b9a6c7766bd46d39d304bad) Merge pull request [#205](https://redirect.github.com/step-security/changed-files/issues/205) from step-security/yarn-audit-fix
- [`9d26a83`](https://github.com/step-security/changed-files/commit/9d26a830912994c7cf804cbfb68f2afdc8f5d085) fix: apply audit fixes
- [`acfdd74`](https://github.com/step-security/changed-files/commit/acfdd742516d84be2bb63c1d4245efed8d3a810c) Merge pull request [#204](https://redirect.github.com/step-security/changed-files/issues/204) from step-security/yarn-audit-fix
- [`e85e3f8`](https://github.com/step-security/changed-files/commit/e85e3f8f4d162e6d4af0f47b0038656eb5fe37f1) fix: apply audit fixes
- [`e332b00`](https://github.com/step-security/changed-files/commit/e332b00b6ae113f0e8246a758e000a65604e6dd4) Merge pull request [#203](https://redirect.github.com/step-security/changed-files/issues/203) from step-security/yarn-audit-fix
- [`0488bac`](https://github.com/step-security/changed-files/commit/0488bac681d486a60dd8505c779267dcfb244971) fix: apply audit fixes
- [`05b2e46`](https://github.com/step-security/changed-files/commit/05b2e465d65623f86c43ce9e759dfc64ed95cb3b) Merge pull request [#202](https://redirect.github.com/step-security/changed-files/issues/202) from step-security/yarn-audit-fix
- [`57a2c40`](https://github.com/step-security/changed-files/commit/57a2c4034e34cf4c67958c2498f6e6d79e1b0308) fix: apply audit fixes
- [`0bb80d0`](https://github.com/step-security/changed-files/commit/0bb80d002900be09bbf3301afc9bffe88a097239) Merge pull request [#201](https://redirect.github.com/step-security/changed-files/issues/201) from step-security/yarn-audit-fix
- [`37a098f`](https://github.com/step-security/changed-files/commit/37a098fda4d87232853c12b988435e02e82e2de2) fix: apply audit fixes
- Additional commits viewable in [compare view](https://github.com/step-security/changed-files/compare/60967b822d3001fa82242f8d6b4ed46bc3600a68...2e07db73e5ccdb319b9a6c7766bd46d39d304bad)
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
**L1 CloudFormation resource definition changes:**
```
├[~] service aws-appstream
│ └ resources
│ └[~] resource AWS::AppStream::Fleet
│ └ properties
│ └[+] DisableIMDSV1: boolean
├[~] service aws-arcregionswitch
│ └ resources
│ └[~] resource AWS::ARCRegionSwitch::Plan
│ └ - arnTemplate: arn:${Partition}:arc-region-switch::${Account}:plan/${ResourceId}
│ + arnTemplate: arn:${Partition}:arc-region-switch:${Region}:${Account}:plan/${ResourceId}
├[+] service aws-bcmpricingcalculator
│ ├ capitalized: BcmPricingCalculator
│ │ cloudFormationNamespace: AWS::BcmPricingCalculator
│ │ name: aws-bcmpricingcalculator
│ │ shortName: bcmpricingcalculator
│ └ resources
│ └ resource AWS::BcmPricingCalculator::BillScenario
│ ├ name: BillScenario
│ │ cloudFormationType: AWS::BcmPricingCalculator::BillScenario
│ │ documentation: Resource Type definition for AWS::BcmPricingCalculator::BillScenario
│ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ arnTemplate: arn:${Partition}:bcm-pricing-calculator::${Account}:bill-scenario/${BillScenarioId}
│ │ primaryIdentifier: ["Arn"]
│ ├ properties
│ │ ├ Name: string
│ │ ├ ExpiresAt: string
│ │ ├ CostCategoryGroupSharingPreferenceArn: string
│ │ ├ GroupSharingPreference: string<OPEN|PRIORITIZED|RESTRICTED>
│ │ └ Tags: Array<tag>
│ ├ attributes
│ │ ├ Arn: string
│ │ ├ Id: string
│ │ ├ BillInterval: BillInterval
│ │ ├ Status: string<READY|LOCKED|FAILED>
│ │ ├ CreatedAt: string
│ │ └ FailureMessage: string
│ └ types
│ └ type BillInterval
│ ├ name: BillInterval
│ └ properties
│ ├ Start: string
│ └ End: string
├[~] service aws-bedrock
│ └ resources
│ ├[+] resource AWS::Bedrock::DataAutomationLibrary
│ │ ├ name: DataAutomationLibrary
│ │ │ cloudFormationType: AWS::Bedrock::DataAutomationLibrary
│ │ │ documentation: Resource Type definition for AWS::Bedrock::DataAutomationLibrary
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ │ arnTemplate: arn:${Partition}:bedrock:${Region}:${Account}:data-automation-library/${DataAutomationLibraryId}
│ │ │ primaryIdentifier: ["LibraryArn"]
│ │ ├ properties
│ │ │ ├ EncryptionConfiguration: EncryptionConfiguration (immutable)
│ │ │ ├ LibraryDescription: string
│ │ │ ├ LibraryName: string (required, immutable)
│ │ │ └ Tags: Array<tag>
│ │ ├ attributes
│ │ │ ├ CreationTime: string
│ │ │ ├ EntityTypes: Array<EntityTypeInfo>
│ │ │ ├ LibraryArn: string
│ │ │ └ Status: string<ACTIVE|DELETING>
│ │ └ types
│ │ ├ type EncryptionConfiguration
│ │ │ ├ documentation: KMS Encryption Configuration
│ │ │ │ name: EncryptionConfiguration
│ │ │ └ properties
│ │ │ ├ KmsKeyId: string (required)
│ │ │ └ KmsEncryptionContext: Map<string, string>
│ │ └ type EntityTypeInfo
│ │ ├ documentation: Information about an entity type in the DataAutomationLibrary
│ │ │ name: EntityTypeInfo
│ │ └ properties
│ │ ├ EntityType: string<VOCABULARY> (required)
│ │ └ EntityMetadata: string
│ ├[+] resource AWS::Bedrock::EnforcedGuardrailConfiguration
│ │ ├ name: EnforcedGuardrailConfiguration
│ │ │ cloudFormationType: AWS::Bedrock::EnforcedGuardrailConfiguration
│ │ │ documentation: Definition of AWS::Bedrock::EnforcedGuardrailConfiguration Resource Type
│ │ │ primaryIdentifier: ["ConfigId"]
│ │ ├ properties
│ │ │ ├ GuardrailIdentifier: string (required)
│ │ │ ├ GuardrailVersion: string (required)
│ │ │ ├ SelectiveContentGuarding: SelectiveContentGuarding
│ │ │ └ ModelEnforcement: ModelEnforcement
│ │ ├ attributes
│ │ │ ├ ConfigId: string
│ │ │ ├ GuardrailArn: string
│ │ │ ├ GuardrailId: string
│ │ │ ├ CreatedAt: string
│ │ │ ├ CreatedBy: string
│ │ │ ├ UpdatedAt: string
│ │ │ ├ UpdatedBy: string
│ │ │ └ Owner: string<ACCOUNT>
│ │ └ types
│ │ ├ type ModelEnforcement
│ │ │ ├ documentation: Model-specific information for the enforced guardrail configuration. If not present, the configuration is enforced on all models
│ │ │ │ name: ModelEnforcement
│ │ │ └ properties
│ │ │ ├ IncludedModels: Array<string> (required)
│ │ │ └ ExcludedModels: Array<string> (required)
│ │ └ type SelectiveContentGuarding
│ │ ├ documentation: Selective content guarding controls for enforced guardrails
│ │ │ name: SelectiveContentGuarding
│ │ └ properties
│ │ ├ System: string<SELECTIVE|COMPREHENSIVE>
│ │ └ Messages: string<SELECTIVE|COMPREHENSIVE>
│ └[+] resource AWS::Bedrock::ResourcePolicy
│ ├ name: ResourcePolicy
│ │ cloudFormationType: AWS::Bedrock::ResourcePolicy
│ │ documentation: Definition of AWS::Bedrock::ResourcePolicy Resource Type
│ │ scrutinizable: ResourcePolicyResource
│ │ primaryIdentifier: ["ResourceArn"]
│ └ properties
│ ├ ResourceArn: string (required, immutable)
│ └ PolicyDocument: json (required)
├[~] service aws-bedrockagentcore
│ └ resources
│ ├[+] resource AWS::BedrockAgentCore::ApiKeyCredentialProvider
│ │ ├ name: ApiKeyCredentialProvider
│ │ │ cloudFormationType: AWS::BedrockAgentCore::ApiKeyCredentialProvider
│ │ │ documentation: Resource Type definition for AWS::BedrockAgentCore::ApiKeyCredentialProvider
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ │ primaryIdentifier: ["CredentialProviderArn"]
│ │ ├ properties
│ │ │ ├ Name: string (required, immutable)
│ │ │ ├ ApiKey: string
│ │ │ └ Tags: Array<tag>
│ │ ├ attributes
│ │ │ ├ CredentialProviderArn: string
│ │ │ ├ ApiKeySecretArn: ApiKeySecretArn
│ │ │ ├ CreatedTime: string
│ │ │ └ LastUpdatedTime: string
│ │ └ types
│ │ └ type ApiKeySecretArn
│ │ ├ documentation: Contains information about the API key secret in AWS Secrets Manager
│ │ │ name: ApiKeySecretArn
│ │ └ properties
│ │ └ SecretArn: string (required)
│ ├[~] resource AWS::BedrockAgentCore::Memory
│ │ └ types
│ │ └[~] type EpisodicReflectionConfigurationInput
│ │ └ properties
│ │ └ Namespaces: - Array<string> (required)
│ │ + Array<string>
│ ├[+] resource AWS::BedrockAgentCore::OAuth2CredentialProvider
│ │ ├ name: OAuth2CredentialProvider
│ │ │ cloudFormationType: AWS::BedrockAgentCore::OAuth2CredentialProvider
│ │ │ documentation: Resource Type definition for AWS::BedrockAgentCore::OAuth2CredentialProvider
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ │ primaryIdentifier: ["CredentialProviderArn"]
│ │ ├ properties
│ │ │ ├ Name: string (required, immutable)
│ │ │ ├ CredentialProviderVendor: string<GoogleOauth2|GithubOauth2|SlackOauth2|SalesforceOauth2|MicrosoftOauth2|CustomOauth2|AtlassianOauth2|LinkedinOauth2|XOauth2|OktaOauth2|OneLoginOauth2|PingOneOauth2|FacebookOauth2|YandexOauth2|RedditOauth2|ZoomOauth2|TwitchOauth2|SpotifyOauth2|DropboxOauth2|NotionOauth2|HubspotOauth2|CyberArkOauth2|FusionAuthOauth2|Auth0Oauth2|CognitoOauth2> (required, immutable)
│ │ │ ├ Oauth2ProviderConfigInput: Oauth2ProviderConfigInput
│ │ │ └ Tags: Array<tag>
│ │ ├ attributes
│ │ │ ├ CredentialProviderArn: string
│ │ │ ├ ClientSecretArn: ClientSecretArn
│ │ │ ├ CallbackUrl: string
│ │ │ ├ Oauth2ProviderConfigOutput: Oauth2ProviderConfigOutput
│ │ │ ├ CreatedTime: string
│ │ │ └ LastUpdatedTime: string
│ │ └ types
│ │ ├ type AtlassianOauth2ProviderConfigInput
│ │ │ ├ documentation: Input configuration for an Atlassian OAuth2 provider
│ │ │ │ name: AtlassianOauth2ProviderConfigInput
│ │ │ └ properties
│ │ │ ├ ClientId: string (required)
│ │ │ └ ClientSecret: string (required)
│ │ ├ type ClientSecretArn
│ │ │ ├ documentation: Contains information about a secret in AWS Secrets Manager
│ │ │ │ name: ClientSecretArn
│ │ │ └ properties
│ │ │ └ SecretArn: string (required)
│ │ ├ type CustomOauth2ProviderConfigInput
│ │ │ ├ documentation: Input configuration for a custom OAuth2 provider
│ │ │ │ name: CustomOauth2ProviderConfigInput
│ │ │ └ properties
│ │ │ ├ OauthDiscovery: Oauth2Discovery (required)
│ │ │ ├ ClientId: string (required)
│ │ │ └ ClientSecret: string (required)
│ │ ├ type GithubOauth2ProviderConfigInput
│ │ │ ├ documentation: Input configuration for a GitHub OAuth2 provider
│ │ │ │ name: GithubOauth2ProviderConfigInput
│ │ │ └ properties
│ │ │ ├ ClientId: string (required)
│ │ │ └ ClientSecret: string (required)
│ │ ├ type GoogleOauth2ProviderConfigInput
│ │ │ ├ documentation: Input configuration for a Google OAuth2 provider
│ │ │ │ name: GoogleOauth2ProviderConfigInput
│ │ │ └ properties
│ │ │ ├ ClientId: string (required)
│ │ │ └ ClientSecret: string (required)
│ │ ├ type IncludedOauth2ProviderConfigInput
│ │ │ ├ documentation: Input configuration for a supported non-custom OAuth2 provider
│ │ │ │ name: IncludedOauth2ProviderConfigInput
│ │ │ └ properties
│ │ │ ├ ClientId: string (required)
│ │ │ ├ ClientSecret: string (required)
│ │ │ ├ Issuer: string
│ │ │ ├ AuthorizationEndpoint: string
│ │ │ └ TokenEndpoint: string
│ │ ├ type LinkedinOauth2ProviderConfigInput
│ │ │ ├ documentation: Input configuration for a LinkedIn OAuth2 provider
│ │ │ │ name: LinkedinOauth2ProviderConfigInput
│ │ │ └ properties
│ │ │ ├ ClientId: string (required)
│ │ │ └ ClientSecret: string (required)
│ │ ├ type MicrosoftOauth2ProviderConfigInput
│ │ │ ├ documentation: Input configuration for a Microsoft OAuth2 provider
│ │ │ │ name: MicrosoftOauth2ProviderConfigInput
│ │ │ └ properties
│ │ │ ├ ClientId: string (required)
│ │ │ ├ ClientSecret: string (required)
│ │ │ └ TenantId: string
│ │ ├ type Oauth2AuthorizationServerMetadata
│ │ │ ├ documentation: Authorization server metadata for the OAuth2 provider
│ │ │ │ name: Oauth2AuthorizationServerMetadata
│ │ │ └ properties
│ │ │ ├ Issuer: string (required)
│ │ │ ├ AuthorizationEndpoint: string (required)
│ │ │ ├ TokenEndpoint: string (required)
│ │ │ └ ResponseTypes: Array<string>
│ │ ├ type Oauth2Discovery
│ │ │ ├ documentation: Discovery information for an OAuth2 provider
│ │ │ │ name: Oauth2Discovery
│ │ │ └ properties
│ │ │ ├ DiscoveryUrl: string
│ │ │ └ AuthorizationServerMetadata: Oauth2AuthorizationServerMetadata
│ │ ├ type Oauth2ProviderConfigInput
│ │ │ ├ documentation: Input configuration for an OAuth2 provider
│ │ │ │ name: Oauth2ProviderConfigInput
│ │ │ └ properties
│ │ │ ├ CustomOauth2ProviderConfig: CustomOauth2ProviderConfigInput
│ │ │ ├ GoogleOauth2ProviderConfig: GoogleOauth2ProviderConfigInput
│ │ │ ├ GithubOauth2ProviderConfig: GithubOauth2ProviderConfigInput
│ │ │ ├ SlackOauth2ProviderConfig: SlackOauth2ProviderConfigInput
│ │ │ ├ SalesforceOauth2ProviderConfig: SalesforceOauth2ProviderConfigInput
│ │ │ ├ MicrosoftOauth2ProviderConfig: MicrosoftOauth2ProviderConfigInput
│ │ │ ├ AtlassianOauth2ProviderConfig: AtlassianOauth2ProviderConfigInput
│ │ │ ├ LinkedinOauth2ProviderConfig: LinkedinOauth2ProviderConfigInput
│ │ │ └ IncludedOauth2ProviderConfig: IncludedOauth2ProviderConfigInput
│ │ ├ type Oauth2ProviderConfigOutput
│ │ │ ├ documentation: Output configuration for an OAuth2 provider
│ │ │ │ name: Oauth2ProviderConfigOutput
│ │ │ └ properties
│ │ │ ├ OauthDiscovery: Oauth2Discovery
│ │ │ └ ClientId: string
│ │ ├ type SalesforceOauth2ProviderConfigInput
│ │ │ ├ documentation: Input configuration for a Salesforce OAuth2 provider
│ │ │ │ name: SalesforceOauth2ProviderConfigInput
│ │ │ └ properties
│ │ │ ├ ClientId: string (required)
│ │ │ └ ClientSecret: string (required)
│ │ └ type SlackOauth2ProviderConfigInput
│ │ ├ documentation: Input configuration for a Slack OAuth2 provider
│ │ │ name: SlackOauth2ProviderConfigInput
│ │ └ properties
│ │ ├ ClientId: string (required)
│ │ └ ClientSecret: string (required)
│ └[~] resource AWS::BedrockAgentCore::Runtime
│ ├ properties
│ │ ├[+] FilesystemConfigurations: Array<FilesystemConfiguration>
│ │ └ ProtocolConfiguration: - string<MCP|HTTP|A2A>
│ │ + string<MCP|HTTP|A2A|AGUI>
│ └ types
│ ├[~] type CodeConfiguration
│ │ └ properties
│ │ └ Runtime: - string<PYTHON_3_10|PYTHON_3_11|PYTHON_3_12|PYTHON_3_13> (required)
│ │ + string<PYTHON_3_10|PYTHON_3_11|PYTHON_3_12|PYTHON_3_13|PYTHON_3_14> (required)
│ ├[+] type FilesystemConfiguration
│ │ ├ documentation: Filesystem configuration for the runtime
│ │ │ name: FilesystemConfiguration
│ │ └ properties
│ │ └ SessionStorage: SessionStorageConfiguration
│ └[+] type SessionStorageConfiguration
│ ├ documentation: Configuration for session storage
│ │ name: SessionStorageConfiguration
│ └ properties
│ └ MountPath: string (required)
├[+] service aws-braket
│ ├ capitalized: Braket
│ │ cloudFormationNamespace: AWS::Braket
│ │ name: aws-braket
│ │ shortName: braket
│ └ resources
│ └ resource AWS::Braket::SpendingLimit
│ ├ name: SpendingLimit
│ │ cloudFormationType: AWS::Braket::SpendingLimit
│ │ documentation: Creates a spending limit for a specified quantum device. Spending limits help you control costs by setting maximum amounts that can be spent on quantum computing tasks within a specified time period.
│ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ arnTemplate: arn:${Partition}:braket:${Region}:${Account}:spending-limit/${RandomId}
│ │ primaryIdentifier: ["SpendingLimitArn"]
│ ├ properties
│ │ ├ DeviceArn: string (required, immutable)
│ │ ├ SpendingLimit: string (required)
│ │ ├ TimePeriod: TimePeriod
│ │ └ Tags: Array<tag>
│ ├ attributes
│ │ ├ SpendingLimitArn: string
│ │ ├ QueuedSpend: string
│ │ ├ TotalSpend: string
│ │ ├ CreatedAt: string
│ │ └ UpdatedAt: string
│ └ types
│ └ type TimePeriod
│ ├ documentation: Defines a time range for spending limits, specifying when the limit is active.
│ │ name: TimePeriod
│ └ properties
│ ├ StartAt: string (required)
│ └ EndAt: string (required)
├[~] service aws-connectcampaignsv2
│ └ resources
│ └[~] resource AWS::ConnectCampaignsV2::Campaign
│ ├ properties
│ │ └[+] EntryLimitsConfig: EntryLimitsConfig
│ └ types
│ └[+] type EntryLimitsConfig
│ ├ documentation: Entry limits config for a campaign
│ │ name: EntryLimitsConfig
│ └ properties
│ ├ MaxEntryCount: integer (required)
│ └ MinEntryInterval: string (required)
├[~] service aws-deadline
│ └ resources
│ └[~] resource AWS::Deadline::Fleet
│ └ types
│ ├[+] type CustomerManagedAutoScalingConfiguration
│ │ ├ name: CustomerManagedAutoScalingConfiguration
│ │ └ properties
│ │ ├ StandbyWorkerCount: integer
│ │ ├ WorkerIdleDurationSeconds: integer
│ │ └ ScaleOutWorkersPerMinute: integer
│ ├[~] type CustomerManagedFleetConfiguration
│ │ └ properties
│ │ └[+] AutoScalingConfiguration: CustomerManagedAutoScalingConfiguration
│ ├[+] type ServiceManagedEc2AutoScalingConfiguration
│ │ ├ name: ServiceManagedEc2AutoScalingConfiguration
│ │ └ properties
│ │ ├ StandbyWorkerCount: integer
│ │ ├ WorkerIdleDurationSeconds: integer
│ │ └ ScaleOutWorkersPerMinute: integer
│ └[~] type ServiceManagedEc2FleetConfiguration
│ └ properties
│ └[+] AutoScalingConfiguration: ServiceManagedEc2AutoScalingConfiguration
├[~] service aws-ecs
│ └ resources
│ └[~] resource AWS::ECS::TaskDefinition
│ └ types
│ ├[+] type S3FilesVolumeConfiguration
│ │ ├ name: S3FilesVolumeConfiguration
│ │ └ properties
│ │ ├ FileSystemArn: string (required)
│ │ ├ AccessPointArn: string
│ │ ├ RootDirectory: string
│ │ └ TransitEncryptionPort: integer
│ └[~] type Volume
│ └ properties
│ └[+] S3FilesVolumeConfiguration: S3FilesVolumeConfiguration
├[~] service aws-elasticloadbalancing
│ └ resources
│ └[~] resource AWS::ElasticLoadBalancing::LoadBalancer
│ └ types
│ └[~] type SourceSecurityGroup
│ └ properties
│ ├ GroupName: (documentation changed)
│ └ OwnerAlias: (documentation changed)
├[~] service aws-emr
│ └ resources
│ └[~] resource AWS::EMR::Cluster
│ ├ properties
│ │ ├ Configurations: - Array<EMRConfiguration> ⇐ Array<Configuration> (immutable)
│ │ │ + Array<Configuration> (immutable)
│ │ └[-] MonitoringConfiguration: MonitoringConfiguration (immutable)
│ └ types
│ ├[-] type CloudWatchLogConfiguration
│ │ ├ name: CloudWatchLogConfiguration
│ │ └ properties
│ │ ├ Enabled: boolean (required)
│ │ ├ LogStreamNamePrefix: string
│ │ ├ LogGroupName: string
│ │ ├ LogTypes: json
│ │ └ EncryptionKeyArn: string
│ ├[-] type EMRConfiguration
│ │ ├ name: EMRConfiguration
│ │ └ properties
│ │ ├ Classification: string
│ │ ├ ConfigurationProperties: Map<string, string>
│ │ └ Configurations: Array<EMRConfiguration>
│ ├[~] type InstanceGroupConfig
│ │ └ properties
│ │ └ Configurations: - Array<EMRConfiguration> ⇐ Array<Configuration> (immutable)
│ │ + Array<Configuration> (immutable)
│ ├[~] type InstanceTypeConfig
│ │ └ properties
│ │ └ Configurations: - Array<EMRConfiguration> ⇐ Array<Configuration> (immutable)
│ │ + Array<Configuration> (immutable)
│ └[-] type MonitoringConfiguration
│ ├ name: MonitoringConfiguration
│ └ properties
│ └ CloudWatchLogConfiguration: CloudWatchLogConfiguration
├[~] service aws-fsx
│ └ resources
│ └[~] resource AWS::FSx::S3AccessPointAttachment
│ └ attributes
│ └[+] Lifecycle: string<AVAILABLE|CREATING|DELETING|FAILED|MISCONFIGURED|UPDATING>
├[~] service aws-iotwireless
│ └ resources
│ └[~] resource AWS::IoTWireless::WirelessDeviceImportTask
│ └ - arnTemplate: arn:${Partition}:iotwireless:${Region}:${Account}:WirelessDeviceImportTask/${WirelessDeviceImportTaskId}
│ + arnTemplate: arn:${Partition}:iotwireless:${Region}:${Account}:ImportTask/${ImportTaskId}
├[~] service aws-lambda
│ └ resources
│ └[~] resource AWS::Lambda::Function
│ └ types
│ └[~] type Code
│ └ properties
│ └[+] S3ObjectStorageMode: string<COPY|REFERENCE>
├[~] service aws-logs
│ └ resources
│ └[~] resource AWS::Logs::QueryDefinition
│ ├ properties
│ │ └[+] Parameters: Array<QueryParameter>
│ └ types
│ └[+] type QueryParameter
│ ├ documentation: This structure defines a query parameter for a saved CloudWatch Logs Insights query definition. Query parameters are supported only for Logs Insights QL queries. They are placeholder variables that you can reference in a query string using the {{parameterName}} syntax. Each parameter can include a default value and a description.
│ │ name: QueryParameter
│ └ properties
│ ├ Name: string (required)
│ ├ DefaultValue: string
│ └ Description: string
├[~] service aws-networkfirewall
│ └ resources
│ └[~] resource AWS::NetworkFirewall::RuleGroup
│ └ - arnTemplate: arn:${Partition}:network-firewall:${Region}:${Account}:stateful-rulegroup/${Name}
│ + arnTemplate: arn:${Partition}:network-firewall:${Region}:${Account}:stateless-rulegroup/${Name}
├[~] service aws-novaact
│ └ resources
│ └[~] resource AWS::NovaAct::WorkflowDefinition
│ └ - arnTemplate: undefined
│ + arnTemplate: arn:${Partition}:nova-act:${Region}:${Account}:workflow-definition/${WorkflowDefinitionName}
├[~] service aws-pinpoint
│ └ resources
│ ├[~] resource AWS::Pinpoint::EmailTemplate
│ │ └ - arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/EMAIL
│ │ + arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/VOICE
│ ├[~] resource AWS::Pinpoint::InAppTemplate
│ │ └ - arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/EMAIL
│ │ + arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/VOICE
│ ├[~] resource AWS::Pinpoint::PushTemplate
│ │ └ - arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/PUSH
│ │ + arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/VOICE
│ └[~] resource AWS::Pinpoint::SmsTemplate
│ └ - arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/SMS
│ + arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/VOICE
├[~] service aws-s3express
│ └ resources
│ └[~] resource AWS::S3Express::DirectoryBucket
│ ├ properties
│ │ └[+] MetricsConfigurations: Array<MetricsConfiguration>
│ └ types
│ └[+] type MetricsConfiguration
│ ├ documentation: Specifies a metrics configuration for the CloudWatch request metrics from an Amazon S3 Express bucket.
│ │ name: MetricsConfiguration
│ └ properties
│ ├ Id: string
│ ├ Prefix: string
│ └ AccessPointArn: string
├[+] service aws-s3files
│ ├ capitalized: S3Files
│ │ cloudFormationNamespace: AWS::S3Files
│ │ name: aws-s3files
│ │ shortName: s3files
│ └ resources
│ ├ resource AWS::S3Files::AccessPoint
│ │ ├ name: AccessPoint
│ │ │ cloudFormationType: AWS::S3Files::AccessPoint
│ │ │ documentation: Resource Type definition for AWS::S3Files::AccessPoint
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ │ primaryIdentifier: ["AccessPointId"]
│ │ ├ properties
│ │ │ ├ ClientToken: string (immutable)
│ │ │ ├ Tags: Array<AccessPointTag>
│ │ │ ├ FileSystemId: string (required, immutable)
│ │ │ ├ PosixUser: PosixUser (immutable)
│ │ │ └ RootDirectory: RootDirectory (immutable)
│ │ ├ attributes
│ │ │ ├ AccessPointId: string
│ │ │ ├ AccessPointArn: string
│ │ │ ├ Status: string<available|creating|updating|deleting|deleted|error>
│ │ │ └ OwnerId: string
│ │ └ types
│ │ ├ type AccessPointTag
│ │ │ ├ name: AccessPointTag
│ │ │ └ properties
│ │ │ ├ Key: string
│ │ │ └ Value: string
│ │ ├ type CreationPermissions
│ │ │ ├ name: CreationPermissions
│ │ │ └ properties
│ │ │ ├ OwnerUid: string (required, immutable)
│ │ │ ├ OwnerGid: string (required, immutable)
│ │ │ └ Permissions: string (required, immutable)
│ │ ├ type PosixUser
│ │ │ ├ name: PosixUser
│ │ │ └ properties
│ │ │ ├ Uid: string (required, immutable)
│ │ │ ├ Gid: string (required, immutable)
│ │ │ └ SecondaryGids: Array<string> (immutable)
│ │ └ type RootDirectory
│ │ ├ name: RootDirectory
│ │ └ properties
│ │ ├ Path: string (immutable)
│ │ └ CreationPermissions: CreationPermissions (immutable)
│ ├ resource AWS::S3Files::FileSystem
│ │ ├ name: FileSystem
│ │ │ cloudFormationType: AWS::S3Files::FileSystem
│ │ │ documentation: Resource Type definition for AWS::S3Files::FileSystem
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ │ arnTemplate: arn:${Partition}:s3files:${Region}:${Account}:file-system/${FileSystemId}
│ │ │ primaryIdentifier: ["FileSystemArn"]
│ │ ├ properties
│ │ │ ├ Tags: Array<tag>
│ │ │ ├ KmsKeyId: string (immutable)
│ │ │ ├ Bucket: string (required, immutable)
│ │ │ ├ Prefix: string (immutable)
│ │ │ ├ ClientToken: string (immutable)
│ │ │ ├ RoleArn: string (required, immutable)
│ │ │ ├ SynchronizationConfiguration: SynchronizationConfiguration
│ │ │ └ AcceptBucketWarning: boolean (immutable)
│ │ ├ attributes
│ │ │ ├ CreationTime: string
│ │ │ ├ FileSystemArn: string
│ │ │ ├ FileSystemId: string
│ │ │ ├ Status: string<creating|available|updating|deleting|deleted|error>
│ │ │ ├ StatusMessage: string
│ │ │ ├ OwnerId: string
│ │ │ └ SynchronizationConfiguration.LatestVersionNumber: integer
│ │ └ types
│ │ ├ type ExpirationDataRule
│ │ │ ├ name: ExpirationDataRule
│ │ │ └ properties
│ │ │ └ DaysAfterLastAccess: integer (required)
│ │ ├ type ImportDataRule
│ │ │ ├ name: ImportDataRule
│ │ │ └ properties
│ │ │ ├ Prefix: string (required)
│ │ │ ├ Trigger: string<ON_DIRECTORY_FIRST_ACCESS|ON_FILE_ACCESS> (required)
│ │ │ └ SizeLessThan: integer (required)
│ │ └ type SynchronizationConfiguration
│ │ ├ name: SynchronizationConfiguration
│ │ └ properties
│ │ ├ LatestVersionNumber: integer
│ │ ├ ImportDataRules: Array<ImportDataRule> (required)
│ │ └ ExpirationDataRules: Array<ExpirationDataRule> (required)
│ ├ resource AWS::S3Files::FileSystemPolicy
│ │ ├ name: FileSystemPolicy
│ │ │ cloudFormationType: AWS::S3Files::FileSystemPolicy
│ │ │ documentation: Resource Type definition for AWS::S3Files::FileSystemPolicy
│ │ │ scrutinizable: ResourcePolicyResource
│ │ │ primaryIdentifier: ["FileSystemId"]
│ │ └ properties
│ │ ├ FileSystemId: string (required, immutable)
│ │ └ Policy: json (required)
│ └ resource AWS::S3Files::MountTarget
│ ├ name: MountTarget
│ │ cloudFormationType: AWS::S3Files::MountTarget
│ │ documentation: Resource Type definition for AWS::S3Files::MountTarget
│ │ primaryIdentifier: ["MountTargetId"]
│ ├ properties
│ │ ├ Ipv4Address: string (immutable)
│ │ ├ Ipv6Address: string (immutable)
│ │ ├ IpAddressType: string<IPV4_ONLY|IPV6_ONLY|DUAL_STACK> (immutable)
│ │ ├ FileSystemId: string (required, immutable)
│ │ ├ SecurityGroups: Array<string>
│ │ └ SubnetId: string (required, immutable)
│ └ attributes
│ ├ MountTargetId: string
│ ├ AvailabilityZoneId: string
│ ├ OwnerId: string
│ ├ NetworkInterfaceId: string
│ ├ VpcId: string
│ ├ Status: string<available|creating|updating|deleting|deleted|error>
│ └ StatusMessage: string
└[~] service aws-s3tables
└ resources
├[~] resource AWS::S3Tables::Table
│ └ types
│ ├[~] type IcebergMetadata
│ │ └ properties
│ │ ├ IcebergSchema: - IcebergSchema (required)
│ │ │ + IcebergSchema
│ │ └[+] IcebergSchemaV2: IcebergSchemaV2
│ ├[+] type IcebergSchemaV2
│ │ ├ documentation: Contains details about the schema version 2 (V2) for an Iceberg table that supports Apache Iceberg Nested Types (struct, list, map). Primitive types are also supported.
│ │ │ name: IcebergSchemaV2
│ │ └ properties
│ │ ├ SchemaV2FieldList: Array<SchemaV2Field> (required)
│ │ ├ SchemaV2FieldType: string<struct> (required)
│ │ ├ SchemaId: integer
│ │ └ IdentifierFieldIds: Array<integer>
│ └[+] type SchemaV2Field
│ ├ documentation: Contains details about a schema field for an Iceberg table that supports nested types (struct, list, map)
│ │ name: SchemaV2Field
│ └ properties
│ ├ Type: string | json (required)
│ ├ Required: boolean (required)
│ ├ Doc: string
│ ├ Id: integer (required)
│ └ Name: string (required)
└[~] resource AWS::S3Tables::TableBucket
├ properties
│ └[+] ReplicationConfiguration: ReplicationConfiguration
└ types
├[+] type ReplicationConfiguration
│ ├ documentation: Specifies replication configuration for the table bucket
│ │ name: ReplicationConfiguration
│ └ properties
│ ├ Role: string (required)
│ └ Rules: Array<ReplicationRule> (required)
├[+] type ReplicationDestination
│ ├ documentation: A replication destination
│ │ name: ReplicationDestination
│ └ properties
│ └ DestinationTableBucketARN: string (required)
└[+] type ReplicationRule
├ documentation: A replication rule for the table bucket
│ name: ReplicationRule
└ properties
└ Destinations: Array<ReplicationDestination> (required)
```
**CHANGES TO L1 RESOURCES:** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:
aws-emr: AWS::EMR::Cluster: MonitoringConfiguration property removed.
aws-emr: AWS::EMR::Cluster: CloudWatchLogConfiguration type removed.
aws-emr: AWS::EMR::Cluster: EMRConfiguration type removed.
aws-emr: AWS::EMR::Cluster: MonitoringConfiguration type removed.
### Issue # (if applicable)
Closes #36653.
### Reason for this change
When specifying a `securityGroup` in `KubectlProviderOptions`, the value was being ignored. The cluster's security group was always applied to the kubectl handler (Lambda) instead of the user-specified one.
The root cause was twofold:
1. `cluster.ts` was not passing `securityGroup` through to the `KubectlProvider` constructor
2. `kubectl-provider.ts` always fell back to `props.cluster.clusterSecurityGroup` regardless of whether `props.securityGroup` was set
### Description of changes
**`kubectl-provider.ts`**
- Fixed the security group resolution logic with the following priority order:
  1. `securityGroups` (new array property) — highest priority
  2. `securityGroup` (existing single property) — backwards compatible fallback
  3. `clusterSecurityGroup` — default (preserves existing behavior)
- Added new `securityGroups?: ec2.ISecurityGroup[]` property to `KubectlProviderOptions` to support specifying multiple security groups (consistent with `lambda.Function` which accepts an array)
- Emits a warning via `Annotations.of(this).addWarningV2` when both `securityGroup` and `securityGroups` are specified simultaneously

**`cluster.ts`**
- Pass `securityGroup` and `securityGroups` from `_kubectlProviderOptions` to the `KubectlProvider` constructor

> **Question for maintainers:**
> `securityGroup` and `securityGroups` use `ec2.ISecurityGroup` rather
> than `ec2.ISecurityGroupRef`, which triggers an awslint warning
> suppressed with `[disable-awslint:prefer-ref-interface]`.
> The reason is that the underlying `lambda.Function` expects
> `ISecurityGroup[]`, so converting from `ISecurityGroupRef` would add
> unnecessary complexity. The existing `securityGroup` property also
> uses `ISecurityGroup` for consistency.
> Is this approach acceptable, or would you prefer a different solution?

### Describe any new or updated permissions being added
No new IAM permissions are required.
### Description of how you validated changes
- Added 5 unit tests in `cluster.test.ts` covering:
  - `securityGroups` only (multiple security groups applied correctly)
  - `securityGroup` only (backwards compatibility)
  - Both specified (warning issued, `securityGroups` takes priority)
  - Neither specified (default `clusterSecurityGroup` used — existing behavior preserved)
  - Empty `securityGroups` array treated as unspecified
- Added an integration test (`integ.eks-kubectl-security-groups.ts`) with a single stack containing one VPC and three EKS clusters, each demonstrating a different security group configuration
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
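The security group resolution order from the change above, modelled as an added example that is not the aws-cdk source. Every type and function name is hypothetical, and issuing no warning when `securityGroups` is an empty array is an assumption; `resolveBeforeFix` keeps the reported behaviour so the two can be compared.

```typescript
// Added example: stand-alone model of the resolution order in the PR text.
// All names are hypothetical; none of this is an aws-cdk API.
interface SecurityGroupLike {
  readonly securityGroupId: string;
}

interface KubectlSgOptions {
  readonly securityGroups?: SecurityGroupLike[]; // new array property
  readonly securityGroup?: SecurityGroupLike;    // existing single property
}

type SgSource = 'securityGroups' | 'securityGroup' | 'clusterSecurityGroup';

interface SgResolution {
  readonly groupIds: string[];
  readonly source: SgSource;
  readonly warnings: string[];
}

// Before the fix, as the PR describes it: the caller's choice is ignored and
// the kubectl handler always receives the cluster security group.
function resolveBeforeFix(_options: KubectlSgOptions, cluster: SecurityGroupLike): SgResolution {
  return { groupIds: [cluster.securityGroupId], source: 'clusterSecurityGroup', warnings: [] };
}

// After the fix: securityGroups > securityGroup > clusterSecurityGroup.
function resolveAfterFix(options: KubectlSgOptions, cluster: SecurityGroupLike): SgResolution {
  const warnings: string[] = [];
  const list = options.securityGroups ?? [];
  const hasList = list.length > 0; // an empty array counts as "not specified"

  if (hasList && options.securityGroup !== undefined) {
    warnings.push('securityGroup and securityGroups are both set; securityGroups takes priority');
  }
  if (hasList) {
    return { groupIds: list.map((g) => g.securityGroupId), source: 'securityGroups', warnings };
  }
  if (options.securityGroup !== undefined) {
    return { groupIds: [options.securityGroup.securityGroupId], source: 'securityGroup', warnings };
  }
  return { groupIds: [cluster.securityGroupId], source: 'clusterSecurityGroup', warnings };
}

// Review helper: true when the handler would run with security groups the
// caller did not ask for, which is the symptom reported in the issue.
function ignoresRequestedGroup(options: KubectlSgOptions, resolved: SgResolution): boolean {
  const requested = (options.securityGroups ?? []).map((g) => g.securityGroupId);
  if (requested.length === 0 && options.securityGroup !== undefined) {
    requested.push(options.securityGroup.securityGroupId);
  }
  if (requested.length === 0) return false; // nothing requested, the default is expected
  return resolved.groupIds.join(',') !== requested.join(',');
}
```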
…ret access (#37333)
### Reason for this change
pull_request_review trigger has no access to repository secrets for PRs, breaking team membership checks and OIDC auth in the auto integ test workflow.
### Description of changes
Split into two-stage workflow_run pattern (matching pr-linter-review-trigger.yml → pr-linter.yml):
- **Stage 1** (integration-test-deployment-auto-trigger.yml): Unprivileged pull_request_review trigger. Runs snapshot check, saves PR metadata as artifacts.
- **Stage 2** (integration-test-deployment-auto.yml): Privileged workflow_run trigger. Downloads artifacts, validates team membership, runs integ tests. Reports results to PR via Checks API for future use as required status check.
### Describe any new or updated permissions being added
- actions: read — download cross-workflow artifacts
- checks: write — report test results to PR via Checks API
### Description of how you validated changes
- Local act dry-runs for event matching and if conditions
- Fork end-to-end tests on [ozelalisen/aws-cdk PR #8](ozelalisen#8):
  - [Stage 1 run](https://github.com/ozelalisen/aws-cdk/actions/runs/23439487096) — artifact handoff
  - [Stage 2 run](https://github.com/ozelalisen/aws-cdk/actions/runs/23439590531) — team check + Checks API
  - [Check run on PR](https://github.com/ozelalisen/aws-cdk/runs/68186566846) — "Integration Tests (Auto)" passed
  - [Non-member test](https://github.com/ozelalisen/aws-cdk/actions/runs/23429560707) — deployment correctly skipped
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
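The Stage 2 gate of the two-stage pattern above, as an added example that is not the repository's workflow code. It goes slightly beyond the description by treating the Stage 1 artifact as untrusted input; the artifact fields, the `Approval` shape and the idea that Stage 2 obtains the head SHA and approvals itself are assumptions of this sketch.

```typescript
// Added example. Stage 1 runs without secrets on pull request content, so
// Stage 2 validates its artifact before any privileged step. All field and
// function names are assumptions made for this sketch.
interface HandoffArtifact {
  readonly prNumber: number;
  readonly headSha: string;
}

interface Approval {
  readonly login: string;     // reviewer, looked up by Stage 2 itself
  readonly commitSha: string; // commit the approval was given on
}

interface GateDecision {
  readonly deploy: boolean;
  readonly reason: string;
}

const FULL_SHA = /^[0-9a-f]{40}$/;

function skipDeployment(reason: string): GateDecision {
  return { deploy: false, reason };
}

// Strict parse: anything that is not exactly the expected shape is rejected,
// so the values are safe to pass on to later steps.
function parseHandoff(raw: string): HandoffArtifact | undefined {
  let data: unknown;
  try {
    data = JSON.parse(raw);
  } catch (_err) {
    return undefined;
  }
  if (typeof data !== 'object' || data === null) return undefined;
  const rec = data as Record<string, unknown>;
  const prNumber = rec['prNumber'];
  const headSha = rec['headSha'];
  if (typeof prNumber !== 'number' || !isFinite(prNumber)) return undefined;
  if (prNumber < 1 || Math.floor(prNumber) !== prNumber) return undefined;
  if (typeof headSha !== 'string' || !FULL_SHA.test(headSha)) return undefined;
  return { prNumber, headSha };
}

function decideDeployment(
  rawArtifact: string,
  trustedHeadSha: string, // obtained by Stage 2, never read from the artifact
  approvals: Approval[],  // fetched by Stage 2 with its own credentials
  teamMembers: string[],
): GateDecision {
  const handoff = parseHandoff(rawArtifact);
  if (handoff === undefined) return skipDeployment('artifact rejected: malformed metadata');
  if (handoff.headSha !== trustedHeadSha) {
    return skipDeployment('artifact rejected: head SHA does not match the trusted value');
  }
  const team = teamMembers.map((m) => m.toLowerCase());
  // Only an approval given on the exact commit under test counts.
  const approvedByTeam = approvals.some(
    (a) => a.commitSha === handoff.headSha && team.indexOf(a.login.toLowerCase()) !== -1,
  );
  if (!approvedByTeam) return skipDeployment('no team member approved this commit');
  return { deploy: true, reason: 'team member approved PR #' + handoff.prNumber };
}
```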
### Issue # (if applicable)
N/A
### Reason for this change
Currently, when a guard rule fails, the security guardian report only shows the rule name and a pass/fail indicator. After this change, each failure annotation will include a human-readable description of what's wrong and how to fix it.
### Description of changes
1. Updated summary message to include instructions on how to suppress rules as this is an experimental feature
2. Add custom error messages to each guard rule
3. Updated Junit XML post processing to include the custom error messages in annotations
4. Updated unit-tests
### Describe any new or updated permissions being added
N/A
### Description of how you validated changes
`yarn test` succeeded
Validated with an incorrect template using `yarn security-guardian --enhance_xml=true` -
```
Static:
<testcase name="sqs-encryption-enabled.guard" time="0">
<failure message="[Type: Static] SQS queue must have encryption enabled. Set 'KmsMasterKeyId' to a KMS key ARN or 'SqsManagedSseEnabled' to true.">
Check was not compliant as property [Properties.KmsMasterKeyId] is missing. Value traversed to [Path=/Resources/SourceQueue6E809DF0[L:2,C:25] Value={"Type":"AWS::SQS::Queue","UpdateReplacePolicy":"Delete","DeletionPolicy":"Delete"}].
Check was not compliant as property [Properties.SqsManagedSseEnabled] to compare from is missing. Value traversed to [Path=/Resources/SourceQueue6E809DF0[L:2,C:25] Value={"Type":"AWS::SQS::Queue","UpdateReplacePolicy":"Delete","DeletionPolicy":"Delete"}].</failure>
</testcase>
Resolved:
<testcase name="kinesis-firehose-encryption-enabled.guard" time="0">
<failure message="[Type: Resolved] Kinesis Firehose delivery stream must have encryption enabled. Set 'DeliveryStreamEncryptionConfigurationInput.KeyType' to 'AWS_OWNED_CMK' or 'CUSTOMER_MANAGED_CMK'.">
Check was not compliant as property [DeliveryStreamEncryptionConfigurationInput] is missing. Value traversed to [Path=/Resources/DeliveryStream58CF96DB/Properties[L:149,C:20] Value={"DeliveryStreamType":"DirectPut","ExtendedS3DestinationConfiguration":{"BucketARN":"arn:aws:s3:::Bucket83908E77","BufferingHints":{"IntervalInSeconds":30,"SizeInMBs":5},"RoleARN":"arn:aws:iam::123456789012:role/DeliveryStreamS3DestinationRoleD96B8345"}}].
Check was not compliant as property [DeliveryStreamEncryptionConfigurationInput.KeyType] is missing. Value traversed to [Path=/Resources/DeliveryStream58CF96DB/Properties[L:149,C:20] Value={"DeliveryStreamType":"DirectPut","ExtendedS3DestinationConfiguration":{"BucketARN":"arn:aws:s3:::Bucket83908E77","BufferingHints":{"IntervalInSeconds":30,"SizeInMBs":5},"RoleARN":"arn:aws:iam::123456789012:role/DeliveryStreamS3DestinationRoleD96B8345"}}].
Check was not compliant as property [DeliveryStreamEncryptionConfigurationInput.KeyType] to compare from is missing. Value traversed to [Path=/Resources/DeliveryStream58CF96DB/Properties[L:149,C:20] Value={"DeliveryStreamType":"DirectPut","ExtendedS3DestinationConfiguration":{"BucketARN":"arn:aws:s3:::Bucket83908E77","BufferingHints":{"IntervalInSeconds":30,"SizeInMBs":5},"RoleARN":"arn:aws:iam::123456789012:role/DeliveryStreamS3DestinationRoleD96B8345"}}].</failure>
</testcase>
```
Example PR with updated security guardian - https://github.com/gudipati/aws-cdk/pull/1/changes#diff-f21e6d7f4ef5955cb4419b155fb577b7d2f41071077c48356c0063b5d49eb85f
### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
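One way to do the JUnit post-processing described above, as an added example that is not the project's script. It assumes one `<testcase name="<rule file>">` per guard rule, as in the quoted output; the sample XML and the passing rule name are constructed, and the custom message is the one shown in the Static output.

```typescript
// Added example: inject custom guard messages into JUnit XML, then list the
// failing resources. Function names and the sample input are assumptions.
type TemplateType = 'Static' | 'Resolved';

interface GuardFailure {
  readonly rule: string;
  readonly message: string;
  readonly resources: string[]; // logical IDs taken from "Path=/Resources/<id>"
}

function escapeXmlAttribute(value: string): string {
  return value
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

function unescapeXmlAttribute(value: string): string {
  return value
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" stays a literal "&lt;"
}

// Rewrites the <failure> start tag of every test case whose rule has a custom
// message. Rules without one, and passing test cases, are left untouched.
function enhanceJunitXml(
  xml: string,
  customMessages: Record<string, string>,
  templateType: TemplateType,
): string {
  const failureTag = /(<testcase\b[^>]*\bname="([^"]*)"[^>]*>\s*)<failure\b[^>]*?(\/?)>/g;
  return xml.replace(failureTag, (match: string, prefix: string, rule: string, selfClose: string) => {
    if (!Object.prototype.hasOwnProperty.call(customMessages, rule)) return match;
    const text = '[Type: ' + templateType + '] ' + customMessages[rule];
    return prefix + '<failure message="' + escapeXmlAttribute(text) + '"' + selfClose + '>';
  });
}

// Reads the XML back for triage: rule, message and affected resources.
function listFailures(xml: string): GuardFailure[] {
  const failures: GuardFailure[] = [];
  const block =
    /<testcase\b[^>]*\bname="([^"]*)"[^>]*>\s*<failure\b[^>]*\bmessage="([^"]*)"[^>]*>([\s\S]*?)<\/failure>/g;
  let m: RegExpExecArray | null;
  while ((m = block.exec(xml)) !== null) {
    const resources: string[] = [];
    const path = /Path=\/Resources\/([A-Za-z0-9]+)/g;
    let p: RegExpExecArray | null;
    while ((p = path.exec(m[3])) !== null) {
      if (resources.indexOf(p[1]) === -1) resources.push(p[1]); // one entry per resource
    }
    failures.push({ rule: m[1], message: unescapeXmlAttribute(m[2]), resources });
  }
  return failures;
}

// Constructed sample: one failing and one passing rule before enhancement.
const SAMPLE_JUNIT = [
  '<testsuite name="constructed-template.json">',
  '<testcase name="sqs-encryption-enabled.guard" time="0">',
  '<failure message="sqs-encryption-enabled.guard">',
  'Check was not compliant as property [Properties.KmsMasterKeyId] is missing. ' +
    'Value traversed to [Path=/Resources/SourceQueue6E809DF0[L:2,C:25] Value={"Type":"AWS::SQS::Queue"}].',
  'Check was not compliant as property [Properties.SqsManagedSseEnabled] to compare from is missing. ' +
    'Value traversed to [Path=/Resources/SourceQueue6E809DF0[L:2,C:25] Value={"Type":"AWS::SQS::Queue"}].',
  '</failure>',
  '</testcase>',
  '<testcase name="example-passing-rule.guard" time="0"/>',
  '</testsuite>',
].join('\n');
```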
…and_yarn group across 1 directory (#37591)
Bumps the npm_and_yarn group with 1 update in the / directory: [follow-redirects](https://github.com/follow-redirects/follow-redirects).
Updates `follow-redirects` from 1.15.11 to 1.16.0
Commits:
- [`0c23a22`](https://github.com/follow-redirects/follow-redirects/commit/0c23a223067201c368035e82954c11eb2578a33b) Release version 1.16.0 of the npm package.
- [`844c4d3`](https://github.com/follow-redirects/follow-redirects/commit/844c4d302ac963d29bdb5dc1754ec7df3d70d7f9) Add sensitiveHeaders option.
- [`5e8b8d0`](https://github.com/follow-redirects/follow-redirects/commit/5e8b8d024e2c76f804a284258e585ecb49a575be) ci: add Node.js 24.x to the CI matrix
- [`7953e22`](https://github.com/follow-redirects/follow-redirects/commit/7953e2255aa0b93602eed3804f3bc5e6923a03af) ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
- [`86dc1f8`](https://github.com/follow-redirects/follow-redirects/commit/86dc1f86e4b56bcd642c78384d51f10f123aea75) Sanitizing input.
- See full diff in [compare view](https://github.com/follow-redirects/follow-redirects/compare/v1.15.11...v1.16.0)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
### Reason for this change
S3Files is a new feature being developed with S3 and EFS to allow customers to access their S3 buckets as highly performant file systems. This PR introduces the L1 generated constructs and adds an integration to the L2 Lambda constructs to allow it to be mounted by the Function.
### Description of changes
L1 constructs generated via the added schemas in temporary-schema + a new function for Lambda.FileSystem:
```ts
FileSystem.fromS3FilesAccessPoint(ap: IAccessPointRef, mountPath: string): FileSystem
```
This function enables Lambda to mount an S3 Files file system. It uses AccessPointReflection to automatically
resolve the file system, mount targets, security groups, and IAM policies from the construct tree — so the
user only needs to pass the access point and mount path.
A new AccessPointReflection class in aws-s3files walks the construct tree to find:
- The CfnFileSystem associated with the access point
- All CfnMountTarget resources for that file system (added as DependsOn)
- Security groups from mount targets (wired into Connections for ingress)
### Describe any new or updated permissions being added
Lambda gives itself permission to mount and write to the file system:
- s3files:ClientMount on the access point ARN
- s3files:ClientMount + s3files:ClientWrite on the file system ARN
### Description of how you validated changes
Unit tests (11 passing): AccessPointReflection (10 tests including cross-stack, mixed token matching,
deduplication) + Lambda s3files integration (1 test).
Deployed to an account onboarded for the feature with:
```ts
// Fragment from inside a Stack; bucket, s3filesRole, vpc and sg are defined elsewhere.
const fileSystem = new s3files.CfnFileSystem(this, 'FileSystem', {
  bucket: bucket.bucketArn,
  roleArn: s3filesRole.roleArn,
});
// One mount target per private subnet, all using the same security group.
vpc.privateSubnets.forEach((subnet, i) =>
  new s3files.CfnMountTarget(this, `MountTarget${i}`, {
    fileSystemId: fileSystem.attrFileSystemId,
    subnetId: subnet.subnetId,
    securityGroups: [sg.securityGroupId],
  }),
);
const accessPoint = new s3files.CfnAccessPoint(this, 'AccessPoint', {
  fileSystemId: fileSystem.ref,
  posixUser: { uid: '1000', gid: '1000' },
  rootDirectory: {
    path: '/lambda',
    // The RootDirectory type in the schema listed above names this property CreationPermissions.
    creationPermissions: { ownerUid: '1000', ownerGid: '1000', permissions: '755' },
  },
});
// The function must be in the VPC to reach the mount targets.
new lambda.Function(this, 'MyFunction', {
  runtime: lambda.Runtime.NODEJS_20_X,
  handler: 'index.handler',
  code: lambda.Code.fromAsset('lambda'),
  vpc,
  filesystem: lambda.FileSystem.fromS3FilesAccessPoint(accessPoint, '/mnt/s3files'),
});
```
Was able to invoke the lambda which writes a file to the fs. Verified the synthesized template includes
DependsOn for mount targets on the Lambda resource.
### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
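The construct-tree lookup and the permissions listed above, as an added example on a dependency-free model; it is not the aws-s3files `AccessPointReflection` source. The node shape, every name, the sample tree and its ARNs are constructed, and failing when no mount target is found is an assumption of this sketch.

```typescript
// Added example: model of the lookup described in the PR text. The node shape
// and all names are assumptions; the ARNs in the sample are constructed.
type ModelKind = 'Scope' | 'FileSystem' | 'MountTarget' | 'AccessPoint';

interface ModelConstruct {
  readonly id: string;
  readonly kind: ModelKind;
  readonly fileSystemId?: string;     // set on FileSystem, MountTarget, AccessPoint
  readonly arn?: string;              // set on FileSystem and AccessPoint
  readonly securityGroups?: string[]; // set on MountTarget
  readonly children?: ModelConstruct[];
}

interface IamStatementLike {
  readonly actions: string[];
  readonly resource: string;
}

interface ReflectionResult {
  readonly fileSystemNodeId: string;
  readonly dependsOn: string[];        // mount targets the function must wait for
  readonly securityGroupIds: string[]; // deduplicated, for ingress wiring
  readonly statements: IamStatementLike[];
}

// Depth-first walk over the whole tree, so resources declared in a sibling
// scope (for example another stack) are found as well.
function collectConstructs(node: ModelConstruct, out: ModelConstruct[]): ModelConstruct[] {
  out.push(node);
  const children = node.children ?? [];
  for (let i = 0; i < children.length; i++) collectConstructs(children[i], out);
  return out;
}

function reflectAccessPoint(root: ModelConstruct, accessPointId: string): ReflectionResult {
  const all = collectConstructs(root, []);
  const ap = all.filter((n) => n.kind === 'AccessPoint' && n.id === accessPointId)[0];
  if (ap === undefined || ap.arn === undefined || ap.fileSystemId === undefined) {
    throw new Error('access point not found or incomplete: ' + accessPointId);
  }
  const apArn = ap.arn;
  const wantedFs = ap.fileSystemId;

  const fileSystem = all.filter((n) => n.kind === 'FileSystem' && n.fileSystemId === wantedFs)[0];
  if (fileSystem === undefined || fileSystem.arn === undefined) {
    throw new Error('no file system found for access point ' + accessPointId);
  }
  const fsArn = fileSystem.arn;

  // Only mount targets of this file system; others in the tree are ignored.
  const targets = all.filter((n) => n.kind === 'MountTarget' && n.fileSystemId === wantedFs);
  if (targets.length === 0) throw new Error('file system has no mount targets');

  const securityGroupIds: string[] = [];
  targets.forEach((t) => (t.securityGroups ?? []).forEach((sg) => {
    if (securityGroupIds.indexOf(sg) === -1) securityGroupIds.push(sg);
  }));

  return {
    fileSystemNodeId: fileSystem.id,
    dependsOn: targets.map((t) => t.id),
    securityGroupIds,
    // Scoped to the two ARNs the PR lists, never to "*".
    statements: [
      { actions: ['s3files:ClientMount'], resource: apArn },
      { actions: ['s3files:ClientMount', 's3files:ClientWrite'], resource: fsArn },
    ],
  };
}

// Constructed sample: two stacks, each with its own file system.
const SAMPLE_FS_ARN = 'arn:aws:s3files:us-east-1:111122223333:file-system/fs-constructed-1';
const SAMPLE_AP_ARN = 'arn:aws:s3files:us-east-1:111122223333:<access-point-placeholder>';
const SAMPLE_TREE: ModelConstruct = {
  id: 'App', kind: 'Scope', children: [
    { id: 'StorageStack', kind: 'Scope', children: [
      { id: 'FileSystem', kind: 'FileSystem', fileSystemId: 'fs-constructed-1', arn: SAMPLE_FS_ARN },
      { id: 'MountTarget0', kind: 'MountTarget', fileSystemId: 'fs-constructed-1', securityGroups: ['sg-a'] },
      { id: 'MountTarget1', kind: 'MountTarget', fileSystemId: 'fs-constructed-1', securityGroups: ['sg-a', 'sg-b'] },
      { id: 'AccessPoint', kind: 'AccessPoint', fileSystemId: 'fs-constructed-1', arn: SAMPLE_AP_ARN },
    ] },
    { id: 'OtherStack', kind: 'Scope', children: [
      { id: 'OtherFileSystem', kind: 'FileSystem', fileSystemId: 'fs-constructed-2', arn: 'arn:aws:s3files:us-east-1:111122223333:file-system/fs-constructed-2' },
      { id: 'OtherMountTarget', kind: 'MountTarget', fileSystemId: 'fs-constructed-2', securityGroups: ['sg-z'] },
    ] },
  ],
};
```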
Contributor
Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).
Contributor
Merge Queue Status
This pull request spent 15 seconds in the queue, including 2 seconds running CI. Required conditions to merge
Contributor
Comments on closed issues and PRs are hard for our team to see.
See CHANGELOG