chore(release): 2.164.0 #31881
Merged
### Issue # (if applicable)

Closes #31779.

### Reason for this change

CloudFormation supports creating AWS IoT scheduled audits, but AWS CDK does not.

### Description of changes

- Define `ScheduledAudit` construct

CloudFormation does not support two audit checks. Therefore I have not implemented these checks in the `AuditCheck` enum.

- INTERMEDIATE_CA_REVOKED_FOR_ACTIVE_DEVICE_CERTIFICATES_CHECK
- IOT_POLICY_POTENTIAL_MIS_CONFIGURATION_CHECK

If we try to deploy these checks, the deployment will fail.

```sh
Resource handler returned message: "Request contains an invalid Audit Check Name. (Service: Iot, Status Code: 400, Request ID: 3fb58c68-2845-4cc0-882c-7d9b5495ff2a)" (RequestToken: dcb09acd-609f-dfe5-7b63-6eb208052949, HandlerErrorCode: InvalidRequest)
```

### Description of how you validated changes

Added both unit and integ tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

I found some typos by chance and fixed them :)

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…rifications (#31840)

### Description of changes

Update the README to have the service be called *Amazon Data Firehose* instead of *Kinesis Data Firehose* as it has been renamed earlier this year: https://aws.amazon.com/about-aws/whats-new/2024/02/amazon-data-firehose-formerly-kinesis-data-firehose/

Additionally some more edits to include clarifications.

### Description of how you validated changes

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…wsSDK (#31839)

### Issue # (if applicable)

Closes #31789

### Reason for this change

Comments had grammatical mistakes.

### Description of changes

Rephrased the sentence and added more clarification.

### Description of how you validated changes

No

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…#31805)

### Reason for this change

The `request-cli-integ-test` pipeline is currently broken after a dependabot commit ([af89640](af89640)) which upgraded the version of the `actions-comment-pull-request` action to the latest changes, which had breaking changes.

### Description of changes

Updated the parameters passed to the action to correspond to the new naming convention as defined in the [changelog](https://github.com/thollander/actions-comment-pull-request/releases/tag/v3.0.0).

### Description of how you validated changes

I cannot test this myself, but the changes are straightforward.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

Closes #31653

### Reason for this change

With Role.customizeRoles enabled, dynamodb.Table.addGlobalSecondaryIndex causes an error. This is a critical blocker for customers who require the use of customizeRoles.

### Description of changes

#### Intended behaviour

When `customizeRoles` is used, the `iam-policy-report.txt` report will contain a list of IAM roles and associated permissions that would have been created. This report is generated so that it attempts to resolve any references and replace them with a more user-friendly value. The following are some examples of the values that will appear in the report:

```json
"Resource": {
  "Fn::GetAtt": [
    "SomeResource",
    "Arn"
  ]
}
```

The policy report will instead get:

```json
"(Path/To/SomeResource.Arn)"
```

#### Current issues

There are two main issues here:

1. Policy synthesizer (which is used for customizeRoles to generate the report) is created with `App` scope. This caused the failure in the original issue, `Resolution error: PolicySynthesizer at 'PolicySynthesizer' should be created in the scope of a Stack, but no Stack found.`, because token resolution requires a Stack scope, not an App scope.
2. The policy synthesizer was using `DefaultTokenResolver`. The default token resolution class does not generate the same format of output values for the policy report, i.e. a concatenated token value such as `${Token[Token.X]}/index/*` would be converted to `(PhysicalId).Arn` instead of `"(Path/To/SomeResource.Arn)"`.
3. Pseudo parameters like `AWS::NoValue` would be rendered as `Tokens` in the policy report, which is not ideal. Update it to make it output `NOVALUE`.

This PR addresses the above two issues.

### Description of how you validated changes

New and existing tests pass.

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…legacy bucket names (#31852)

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

PR #31813

### Description of changes

- update s3 README to mention support for uppercase letters in legacy bucket names

### Description of how you validated changes

preview of the README file

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ge (#31811)

### Issue # (if applicable)

N/A

### Reason for this change

To ensure customers are using the module securely, we want to encourage them to follow the best practice of the principle of least privilege. That is, customers are only providing as much access as necessary to complete the task, and no privileges greater than that.

### Description of changes

* Updated the README to include sentences around the privilege and access granting sections encouraging only giving the least amount of privileges necessary.
* Updated the README example to remove wildcard privilege.

### Description of how you validated changes

`yarn rosetta:extract` passes.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…Preview (#31854)

### Description of changes

Updated the README stability banner as we move Cognito Identity Pools into developer preview, taking the next step towards being fully stabilized.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

Closes #31711

### Reason for this change

When we set mapPublicIpOnLaunch=false for public subnets, NAT instances do not get public IP addresses assigned, resulting in non-working NAT instances.

Disabling mapPublicIpOnLaunch is recommended as an AWS Config rule (and by cdk-nag as well): https://docs.aws.amazon.com/config/latest/developerguide/subnet-auto-assign-public-ip-disabled.html

### Description of changes

Support `associatePublicIpAddress`

### Description of how you validated changes

New unit and integ tests.

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

Closes #31815.

### Reason for this change

To use email based MFA.

### Description of changes

Add email option to [MfaSecondFactor](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.MfaSecondFactor.html).

### Description of how you validated changes

Add unit tests and integ test.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Add Anthropic's Claude 3.5 Sonnet V2 model.

- https://aws.amazon.com/blogs/aws/upgraded-claude-3-5-sonnet-from-anthropic-available-now-computer-use-public-beta-and-claude-3-5-haiku-coming-soon-in-amazon-bedrock/
- The upgraded [Claude 3.5 Sonnet](https://aws.amazon.com/bedrock/claude/) is available today in [Amazon Bedrock](https://aws.amazon.com/bedrock/) in the US West (Oregon).

```sh
% AWS_REGION=us-west-2 AWS_PROFILE=pahud aws bedrock list-foundation-models | jq -r '.modelSummaries[] | select(.modelId | startswith("anthropic.claude-3-5")) | .modelId'
anthropic.claude-3-5-sonnet-20241022-v2:0
anthropic.claude-3-5-sonnet-20240620-v1:0:18k
anthropic.claude-3-5-sonnet-20240620-v1:0:51k
anthropic.claude-3-5-sonnet-20240620-v1:0:200k
anthropic.claude-3-5-sonnet-20240620-v1:0
```

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…rget throws synth error (#31837)

### Issue # (if applicable)

Closes #29284.

### Reason for this change

Removed the same env check between the Schedule and the Lambda target to allow use of an imported Lambda function as target.

### Description of changes

Removed the check that forces the Schedule and the Lambda function to be in the same account and region.

### Description of how you validated changes

- Unit test added to ensure no synth error when using an imported Lambda function.
- Integ test added to ensure the imported function works. The test ensures the lambda is executed and did what it is supposed to do (i.e. added a tag to itself).

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

None

### Reason for this change

There is some improper JSDoc formatting.

### Description of changes

I have corrected multiple instances of improper JSDoc formatting.

```diff
 /**
- * description
- *
- * @default - xxx
- */
+ * description
+ *
+ * @default - xxx
+ */
```

### Description of how you validated changes

None

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue #29618

### Reason for this change

We aim to speed up deployment times in our development environment by using the hotswap feature. However, our services have dependencies on each other, and the current hotswap behavior is too disruptive.

### Description of changes

We modified the hotswap implementation for ECS services to pass the `minimumHealthyPercent` and `maximumHealthyPercent` configurable parameters. These parameters are exposed to the CLI and can be passed as `--hotswap-ecs-minimum-healthy-percent <number>` and `--hotswap-ecs-maximum-healthy-percent <number>`.

The implementation is careful to maintain the existing behaviour. That is, if none of the new flags is used, the current `minimumHealthyPercent = 0` and `maximumHealthyPercent = undefined` values are used.

### Description of how you validated changes

We added a unit test validating that the correct values are passed to the task definition. We also executed using the locally built version of cdk, validating that the behavior is as expected: the parameters are respected during hotswap deployments, and the existing API is maintained.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…rification (#31861)

### Description of changes

Clarify in README that a LogGroup and LogStream with **default settings** will be created.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…key causes EventBridge FailedInvocations (#31836)

### Issue # (if applicable)

Closes #10996.

### Reason for this change

When a Kinesis Stream is encrypted with a customer managed KMS key, CDK will generate a KMS key for the Kinesis Stream.

```
stream = new kinesis.Stream(stack, 'MyStream', {
  encryption: kinesis.StreamEncryption.KMS,
});
```

If it is used as an events target, CDK will provide permissions to the role of the target so it can write to the Kinesis stream:

```
{
  Action: ['kinesis:PutRecord', 'kinesis:PutRecords'],
  Effect: 'Allow',
  Resource: streamArn,
}
```

If the Kinesis stream is not encrypted with a customer managed KMS key, these permissions will be sufficient. However, since the Kinesis stream is encrypted with the customer managed KMS key, the invocation will fail because events doesn't have the permissions to the KMS key.

Actually there's already a `grantWrite()` method to grant sufficient permissions in this case. When a customer managed KMS key is used, it will generate extra policies for the key. We should use it.

https://github.com/aws/aws-cdk/blob/366b4927c50168113dd4057f6255ab6c76278135/packages/aws-cdk-lib/aws-kinesis/lib/stream.ts#L355

Difference: these permissions will be added to the event

```
{
  Action: ['kinesis:ListShards (new permission)', 'kinesis:PutRecord', 'kinesis:PutRecords'],
  Effect: 'Allow',
  Resource: streamArn,
}
```

these permissions will be added to the event if the target Kinesis stream is using a customer managed KMS key

```
{
  Action: ['kms:Encrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*'],
  Effect: 'Allow',
  Resource: streamKeyArn,
},
```

### Description of changes

Use the existing `grantWrite()` method instead of manipulating IAM policies directly.

### Description of how you validated changes

unit tests/integration tests

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

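The permission gap described in the #31836 message above, as an added example that is not aws-cdk code: a small policy evaluator that reports what an events target role still lacks to write to a Kinesis stream, comparing the hand-built statement quoted in the PR with the statements `grantWrite()` attaches. The `StreamConfig` shape, the helper names and the stream/key ARNs are constructed for this example; the requirement that a producer to a CMK-encrypted stream hold `kms:GenerateDataKey` on the key is the documented Kinesis behaviour the PR is fixing against.

```typescript
// Added example, not aws-cdk code: models the permission gap behind PR #31836.
// Writing to a Kinesis stream needs kinesis:PutRecord(s) on the stream ARN and,
// for a stream encrypted with a customer managed KMS key, kms:GenerateDataKey on that key.

interface PolicyStatement {
  Effect: 'Allow' | 'Deny';
  Action: string[];
  Resource: string | string[];
}

// streamKeyArn is undefined when the stream is not encrypted with a customer managed key.
interface StreamConfig { streamArn: string; streamKeyArn?: string }

// Turn an IAM pattern such as "kms:GenerateDataKey*" into an anchored, case-insensitive RegExp.
function patternToRegExp(pattern: string): RegExp {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$', 'i');
}

// Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants.
function allows(statements: PolicyStatement[], action: string, resource: string): boolean {
  let allowed = false;
  for (const s of statements) {
    const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
    const actionHit = s.Action.some((a) => patternToRegExp(a).test(action));
    const resourceHit = resources.some((r) => patternToRegExp(r).test(resource));
    if (!actionHit || !resourceHit) continue;
    if (s.Effect === 'Deny') return false;
    allowed = true;
  }
  return allowed;
}

// The statement the events target used to attach by hand (from the PR description).
function legacyTargetPolicy(stream: StreamConfig): PolicyStatement[] {
  return [{ Effect: 'Allow', Action: ['kinesis:PutRecord', 'kinesis:PutRecords'], Resource: stream.streamArn }];
}

// What Stream.grantWrite() attaches: ListShards + Put* on the stream, plus the KMS
// statement on the key when the stream uses a customer managed key.
function grantWritePolicy(stream: StreamConfig): PolicyStatement[] {
  const statements: PolicyStatement[] = [
    { Effect: 'Allow', Action: ['kinesis:ListShards', 'kinesis:PutRecord', 'kinesis:PutRecords'], Resource: stream.streamArn },
  ];
  if (stream.streamKeyArn) {
    statements.push({ Effect: 'Allow', Action: ['kms:Encrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*'], Resource: stream.streamKeyArn });
  }
  return statements;
}

// Lists the "action on resource" pairs a target role still lacks to deliver to the stream.
function missingWritePermissions(statements: PolicyStatement[], stream: StreamConfig): string[] {
  const required: Array<[string, string]> = [['kinesis:PutRecord', stream.streamArn], ['kinesis:PutRecords', stream.streamArn]];
  if (stream.streamKeyArn) required.push(['kms:GenerateDataKey', stream.streamKeyArn]);
  return required.filter(([a, r]) => !allows(statements, a, r)).map(([a, r]) => `${a} on ${r}`);
}

// Constructed sample: a CMK-encrypted stream in a fictitious account.
const encryptedStream: StreamConfig = {
  streamArn: 'arn:aws:kinesis:us-east-1:123456789012:stream/MyStream',
  streamKeyArn: 'arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000',
};
console.log('legacy target policy lacks:', missingWritePermissions(legacyTargetPolicy(encryptedStream), encryptedStream));
console.log('grantWrite policy lacks:', missingWritePermissions(grantWritePolicy(encryptedStream), encryptedStream));
```

Run against the sample, the legacy statement reports the missing `kms:GenerateDataKey` grant on the key while the `grantWrite()` statements report nothing missing; the same check over an unencrypted stream passes for both.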
…icies in TableV2 and feature flag (#31513)

### Issue # (if applicable)

Closes #30705

### Reason for this change

Resource policies were shared across all replicas in a region.

### Description of changes

Changed the logic to only apply resource policy to the local replica region, or to specific replicas only when defined.

### Description of how you validated changes

yes

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…rces/destinations are supported in the CDK (#31868)

### Description of changes

update README to explicitly clarify which sources/destinations are supported in the CDK

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ld projects (#31859)

### Issue # (if applicable)

Closes #31614

### Reason for this change

Updates the default curated Docker image used for CodeBuild projects to the latest version. The existing default image version is deprecated.

### Description of changes

Updated image constants in the CodeBuild project logic.

### Description of how you validated changes

Updated and ran CodeBuild unit tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ap stack (#31876)

If the bootstrap stack can't be found, it can't be validated. We used to fail closed, but that just means that cross-account publishing is broken. Instead, we have to fail open.

This is not the only protection mechanism we have, so the local check is more of a bonus.

Fixes #31866.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…rces (#31878)

The cross-account asset uploading detection check required that the `deploy-role` could call `DescribeStackResources` -- which it can't.

Instead, rely on parsing the `Outputs` of `DescribeStacks`. This is equivalent for the built-in stack, and relies on stack customizers to have removed the Output or put a dummy value there that does not look like a stack name (like `''`, `'-'` or `'*'`). It's not *as* good, but probably good enough.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

aws-cdk-automation added the auto-approve and pr/no-squash (This PR should be merged instead of squash-merging it) labels on Oct 24, 2024.

aws-cdk-automation had a problem deploying to test-pipeline, October 24, 2024 13:01, with GitHub Actions: Failure.

mrgrain had a problem deploying to test-pipeline, October 24, 2024 13:09, with GitHub Actions: Failure.
AWS CodeBuild CI Report

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

Comments on closed issues and PRs are hard for our team to see.
This was referenced Oct 28, 2024
See CHANGELOG