v2.235.1

Bug Fixes

• apigatewayv2: use custom domain name instead of regional domain name when importing domain name via fromDomainNameAttributes (#36710) (29e5642)

---

Alpha modules (2.235.1-alpha.0)

v2.235.0

⚠ BREAKING CHANGES

• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

• aws-ecs: AWS::ECS::CapacityProvider: ManagedInstancesNetworkConfiguration.SecurityGroups property is now required.

• ecs: securityGroups is now required in ManagedInstancesCapacityProviderProps. CloudFormation has always required this field, so any code that omitted it would have failed at deployment time with a validation error. This change catches the error at compile time instead, improving the developer experience. If your code previously omitted securityGroups, you must now explicitly provide at least one security group.
• aws-cdk-lib: JobQueue.computeEnvironments contains an computeEnvironment: IComputeEnvironment → IComputeEnvironmentRef. BackupPlanRule.props contains a backupVault: IBackupVault → IBackupVaultRef. ApiDestination.fromApiDestinationAttributes() return type ApiDestination → IApiDestination. This should never have returned a class but always an interface, as is the standard for referencing factories. EventDestination.bus changed IEventBus →IEventBusRef; FlowLogDestination.bind() now returns and ICluster.executeCommandConfiguration contains a member changing type ILogGroup → ILogGroupRef.
• events: ApiDestination.fromApiDestinationAttributes() now returns an IApiDestination. It used to return an ApiDestination but this was a mistake, referencing methods always return a type by interface, not by class.EventDestination.bus used to be an IEventBus but is now an IEventBusRef; it needs to be type tested to assert it is actually an IEventBus if that is necessary.
• logs: the return types of FlowLogDestination.bind() and ICluster.executeCommandConfiguration now contain an ILogGroupRef instead of an ILogGroup, which guarantees less. These fields are for communication between constructs, and their values should not be used by application builders. If they do, they will need to add a cast or a type check.
• iot-actions: enableBatchConfig property is explicitly disabled by default. Even with this modification, the behavior of HttpAction remains unchanged from before, but only the Cfn template will be modified.

Features

• update L1 CloudFormation resource definitions (#36694) (861f437)
• apigatewayv2-integrations: add PutEvents support for EventBridge integration (#35766) (d879e4d), closes #35714 #35714
• ecs: add none log driver option for ECS containers (#35819) (5636820), closes #35795 #35795
• iot-actions: batching HTTP action messages (#36642) (fbc50ea)
• rds: add Read/Write IOPS metrics to DatabaseInstance and VolumeRead/Write IOPs metrics to DatabaseCluster (#35773) (d8e023d), closes #35327 #35327
• rds: support default auth scheme for RDS Proxy (#35635) (99f6c74), closes #35558
• spec2cdk: support for auto-generated grants in alpha modules (#36206) (776f837)
• synthetics: add syn-nodejs-3.0 runtime (#36652) (18f9fef), closes #36648
• synthetics: playwright 4.0 and 5.0 runtimes (#36590) (82cd9a6)

Bug Fixes

• aws-cdk-lib: reference interfaces for remaining services (#36359) (ed1f9de)
• core: make DetachedConstruct.node non-enumerable (#36672) (98d41ca), closes #36078 #36015
• ecs: make securityGroups required in ManagedInstancesCapacityProvider (#36685) (6734426)
• events: event Matcher class to be compatible with mergeEventPattern function (#36602) (e3f7dba), closes /github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-s3/lib/bucket.ts#L657-L657
• opensearchservice: use KMS Key ARN for cross-account encryption (#36020) (cccd94c), closes #36017
• stepfunctions: allow JSONata expressions for Map maxConcurrency (#36462) (2230c87), closes #36274
• RuntimeError: apiEndpoint is not configured on the imported HttpApi (revert of "chore(apigatewayv2): reference interfaces") (#36623) (fb17d39), closes aws/aws-cdk#36378

Miscellaneous Chores

• events: reference interfaces (#36535) (0bea5c9)
• logs: reference interfaces (#36566) (5b426b8)

---

Alpha modules (2.235.0-alpha.0)

⚠ BREAKING CHANGES

• bedrock-agentcore-alpha: The User Pool Client will be replaced and new Resource Server and Domain resources will be added for existing Gateway stacks using the default Cognito authorizer.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

Bug Fixes

• bedrock-agentcore-alpha: default Cognito User Pool for AgentCore Gateway is not set up for M2M authentication. (#36323) (5a5605a)

v2.234.1

Bug Fixes

• RuntimeError: apiEndpoint is not configured on the imported HttpApi (revert of "chore(apigatewayv2): reference interfaces") (#36623) (1c10d49), closes aws/aws-cdk#36378

---

Alpha modules (2.234.1-alpha.0)

v2.234.0

⚠ BREAKING CHANGES

• batch: unfortunately JobQueue exposes public readonly computeEnvironments: OrderedComputeEnvironment[]. The computeEnvironment member of that structure now fewer guarantees, and needs casting. This should not have been exposed, and we assume the use of the exposed property here is rare.
• backup: unfortunately BackupPlanRule exposes public readonly props: BackupPlanRuleProps. The backupVault member of that structure now guarantees less, and needs casting. This should never have been exposed, and we assume the use of the exposed property here is rare.
• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.AuthStatus attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.AuthUrl attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.CloudId attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.Domain attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.ServiceNow.AuthStatus attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: JiraCloud type removed, replaced by JiraCloudProviderConfiguration.
aws-securityhub: AWS::SecurityHub::ConnectorV2: ServiceNow type removed, replaced by ServiceNowProviderConfiguration.
aws-ssm: AWS::SSM::MaintenanceWindowTarget: Id attribute removed.

Features

• ecs: automatically create ec2InstanceProfile for ManagedInstancesCapacityProvider (#35796) (9218ea8)
• rds: add name property to option group (#36319) (708d0ac), closes #35720
• stepfunctions-tasks: allow EcsRunTask on fargate and ec2 to set capacity provider strategy (#35465) (63ca2ae), closes #20013 #30171 #7967
• synthetics: add puppeteer 12.0/13.0 runtime (#36562) (5b74dd4), closes #36501

Bug Fixes

• cloudwatch: skip MathExpression validation when prop is a token (#36487) (2845d47)
• core: App.of() returns incorrect values (#36475) (78034d3)
• core: arnForXxxx() helpers ignore environments from referenced resources (#36599) (4744c59)
• core: account for { Ref } incompatibility between schema and CFN (#36493) (3b06942)
• ec2: add proper handling for VPC endpoint service name prefix eu.amazonaws for new region eusc-de-east-1 for ECR & API Gateway services (#36471) (d5561e0)
• lambda: add token resolution validation to capacity providers (#36275) (c5fbd97)

Miscellaneous Chores

• backup: reference interfaces (#36415) (4418612)
• batch: reference interfaces (#36522) (fefc7be)

---

Alpha modules (2.234.0-alpha.0)

Features

• msk-alpha: support express broker for Kafka v3.9 (#36450) (afcc953)

Bug Fixes

• elasticache-alpha: deployment fails when serverlessCacheName or userGroupId is not specified (#36459) (b3f62f7), closes #36458
• elasticache-alpha: security group for ServerlessCache does not use default endpoint port (#35738) (79d91ad)

v2.233.0

⚠ BREAKING CHANGES

CHANGES TO L1 RESOURCES: L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

aws-ec2: AWS::EC2::EC2Fleet: DefaultTargetCapacityType property is now immutable.
aws-ec2: AWS::EC2::EC2Fleet: TargetCapacityUnitType property is now immutable.

Features

• update L1 CloudFormation resource definitions (#36390) (a6077a2)
• events-targets: support messageGroupId for standard SQS queues (#36068) (95d4ed5)
• update L1 CloudFormation resource definitions (#36367) (e551afe)
• codebuild: add support for macOS 15 runners (#35836) (1b8b4e3)
• route53-patterns: HttpsRedirect use Distribution as the default CloudFront distribution (under feature flag) (#34312) (e2987eb), closes #31546
• update L1 CloudFormation resource definitions (#36326) (cb82627)
• ec2: add Interface VPC Endpoints for ACM and ACM-PCA (#35890) (06e6b25)
• route53: support failover routing policy for record sets (#35909) (9395467), closes #35910

Bug Fixes

• aws-cdk-lib: make grants factory methods public (#36317) (7dde625)
• ci: checkout the pr head instead of the default main head (#36311) (a1cbcf9), closes /github.com/aws/aws-cdk/blob/main/.github/workflows/integration-test-deployment.yml#L39C11-L39C57
• cloudtrail: do not attach s3 bucket permission when orgId is not set for organization trail (#30778) (61ee074), closes #30490
• custom-resources: waiter state machine retry fails with ExecutionAlreadyExists (#35988) (36ea606), closes #35957
• ecs: removal of canContainersAccessInstanceRole instance role (#36362) (7395b41)
• pipelines: propagate CodeBuild fleet and certificate (#35673) (71cfd60), closes #35664
• region-info: standalone use of @aws-cdk/region-info throws an Cannot find module 'aws-cdk-lib/core/lib/errors' error (#36414) (01c7d2e), closes #36399
• ci fix for spec updater workflow (#36364) (a0b42cc)
• re-export of ResourceEnvironment is not an alias (#36370) (ba8e194)

---

Alpha modules (2.233.0-alpha.0)

⚠ BREAKING CHANGES

• bedrock-agentcore-alpha: Runtime constructs will no longer automatically include lifecycleConfiguration with default values when not explicitly specified by users.
• elasticache-alpha: The engine property in NoPasswordUserProps has been removed.

Bug Fixes

• bedrock-agentcore-alpha: runtime construct incorrectly forces default lifecycleConfiguration values (#36379) (7954354), closes #36376
• elasticache-alpha: the default engine for NoPasswordUser contradict in the docs (#35920) (495fa37), closes #35847
• mixins-preview: improving delivery source and delivery destination creation (#36314) (86092ab)

v2.232.2

Bug Fixes

• re-export of ResourceEnvironment is not an alias (#36370) (6178d32)

---

Alpha modules (2.232.2-alpha.0)

v2.232.1

Bug Fixes

• core: TypeScript properties missing for types which extend internal interfaces (#36313) (3e7e17c), closes #36310

---

Alpha modules (2.232.1-alpha.0)

v2.232.0

Features

• update L1 CloudFormation resource definitions (#36299) (0945692)
• bedrock-agentcore: add fromImageUri method to AgentRuntimeArtifact (#36263) (ad25aba)
• lambda: add support for durable functions (#36282) (599a1d3)
• update L1 CloudFormation resource definitions (#36277) (c4fa99b)

Bug Fixes

• core: temp cleanup does not work with jest (#36238) (1f4a224), closes #36226

---

Alpha modules (2.232.0-alpha.0)

Bug Fixes

• bedrock-agentcore-alpha: use static construct ID for asset-based runtime artifacts (#36241) (e2bdddd), closes #35968
• mixins-preview: service exports are different then in aws-cdk-lib (#36201) (5858006), closes #36210
• mixins-preview: strongly-typed ConstructSelector interface (#36266) (1d2f473)

v2.231.0

Features

• lambda: support for capacity providers (#36255) (2e4c1cf)
• update L1 CloudFormation resource definitions (#36253) (8410b13)
• aws-cdk-lib: add arnFor<ResourceName> for 47 more resources (#36231) (5a8be4f)
• aws-cdk-lib: all L1s now have a isCfn<ResourceName> static helper to check if a value is this L1 resource (#36243) (dc9db9b)
• ec2: expose EC2 instance MetadataOptions (#35369) (4056e14), closes #35357

Bug Fixes

• dynamodb: unsupported actions added to table resource policy (#36228) (10de047), closes #32230

---

Alpha modules (2.231.0-alpha.0)

Features

• glue-alpha: support Glue Version 5.1 (#36223) (b956492)
• imagebuilder-alpha: add support for Image Construct (#36154) (eee3ae6), closes aws/aws-cdk-rfcs#789 aws/aws-cdk-rfcs#789

v2.230.0

Features

• apigateway: support response streaming with response transfer mode (#36155) (f431021), closes #36156
• update L1 CloudFormation resource definitions (f203b8e)
• update L1 CloudFormation resource definitions (#36193) (d074024)
• events: the L2 EventPattern interfaces can be used with CfnRule (#36191) (efc135e)
• update L1 CloudFormation resource definitions (#36180) (5cddd7e)

Bug Fixes

• ecs: wrong ARN generated in Cluster.grantTaskProtection method (#36207) (9b337df)
• ecs-patterns: target group ID changes without setting feature flag (#36199) (b7ca082), closes #36149
• scheduler: wrong ARN generated in ScheduleGroup.grant* methods (#36175) (eae8838)

---

Alpha modules (2.230.0-alpha.0)

Features

• bedrock-agentcore-alpha: update resources on grantInvokeXXX for runtime (#35864) (5dad62f)
• imagebuilder-alpha: add support for Image Pipeline Construct (#36153) (d8c324a), closes aws/aws-cdk-rfcs#789 aws/aws-cdk-rfcs#789
• imagebuilder-alpha: add support for Lifecycle Policy Construct (#36152) (7e31eb6), closes aws/aws-cdk-rfcs#789 aws/aws-cdk-rfcs#789
• mixins-preview: adds LogDelivery Mixins for 47 resources (#36158) (6607ce9)
• mixins-preview: vended log deliveries (#36138) (69442a8)
• mixins-preview: helpers to generate EventBridge event patterns for 26 services (#36121) (073185d)

Bug Fixes

• mixins-preview: AutoDeleteObjects mixin fails with cannot find file error (#36188) (3ef337d), closes aws-cdk/mixins-preview/lib/custom-resource-handlers/aws-s3/auto-delete-objects-provider.ts#L21
• mixins-preview: ResourcePolicy with this name already exists error when setting up LogDelivery (#36195) (f9aa31d)
• mixins-preview: cannot use string literal types for S3LogsDeliveryProps.permissionsVersion (#36197) (cc491df)