Merge branch 'main' into rds-aurora-mysql-versions

Author: Tietew

Diff for: .gitattributes

@@ -17,3 +17,6 @@ packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.buck
 packages/@aws-cdk-testing/framework-integ/test/**/*.snapshot/**/asset*.zip filter=lfs diff=lfs merge=lfs -text
 packages/@aws-cdk/*-alpha/test/**/*.snapshot/**/asset*.zip filter=lfs diff=lfs merge=lfs -text
 packages/@aws-cdk/*-alpha/test/*.snapshot/asset.*/bootstrap filter=lfs diff=lfs merge=lfs -text
+packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-large-file/asset*/large*  filter=lfs diff=lfs merge=lfs -text
+packages/@aws-cdk/*-alpha/test/*.snapshot/asset*.zip filter=lfs diff=lfs merge=lfs -text
+packages/@aws-cdk-testing/framework-integ/test/**/*.snapshot/asset*.zip filter=lfs diff=lfs merge=lfs -text

Diff for: .github/ISSUE_TEMPLATE/region.yml

@@ -83,4 +83,5 @@ body:
         * [ ] Add region and ARN in [ADOT_LAMBDA_LAYER_PYTHON_SDK_ARNS](https://github.com/aws/aws-cdk/blob/v2.65.0/packages/@aws-cdk/region-info/build-tools/fact-tables.ts#L768) for most recent version in `x86_64` and `arm64`.
         * [ ] Add region and ARN in [ADOT_LAMBDA_LAYER_GENERIC_ARNS](https://github.com/aws/aws-cdk/blob/v2.65.0/packages/@aws-cdk/region-info/build-tools/fact-tables.ts#L847) for most recent version in `x86_64` and `arm64`.
         * [ ] Add region in [AWS_REGIONS_AND_RULES](https://github.com/aws/aws-cdk/blob/v2.65.0/packages/@aws-cdk/region-info/lib/aws-entities.ts).
+        * [ ] Add partition info if the region is also a new partition in [PARTITION_MAP](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/region-info/build-tools/fact-tables.ts#L88)
         * [ ] Run integ tests and update snapshots

Diff for: .github/workflows/codecov.yml

@@ -13,6 +13,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       id-token: write
+      contents: read
+      pages: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4

Diff for: .github/workflows/enum-auto-updater.yml

@@ -1,6 +1,8 @@
 name: CDK Enums Auto Updater
 on:
   workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * 1'
 
 jobs:
   update-l2-enums:
@@ -23,6 +25,40 @@ jobs:
       - name: Install dependencies
         run: cd tools/@aws-cdk/enum-updater && yarn install --frozen-lockfile && yarn build
 
+      - name: Update enum static mapping
+        run: |
+          cd tools/@aws-cdk/enum-updater
+          ./bin/update-static-enum-mapping
+
+      - name: Check for changes
+        id: static-mapping-check
+        run: |
+          if [[ -n "$(git status --porcelain ./lib/static-enum-mapping.json)" ]]; then
+            echo "changes=true" >> $GITHUB_OUTPUT
+          else
+            echo "changes=false" >> $GITHUB_OUTPUT
+          fi
+      
+      - name: Create PR for static mapping changes
+        if: steps.static-mapping-check.outputs.changes == 'true'
+        run: |
+          git config --global user.name 'aws-cdk-automation'
+          git config --global user.email '[email protected]'
+
+          # Create a new branch for the module
+          branchName="enum-update/static-mapping-update"
+          git checkout -b "$branchName"
+
+          git add .  # Add all files changed
+          git commit -m "chore: update enum static mapping"
+          git push origin "$branchName"
+
+          gh pr create --title "chore: update enum static mapping" \
+           --body "This PR updates the CDK enum mapping file." \
+           --base main \
+           --head "$branchName"
+           --label "contribution/core,pr-linter/exempt-integ-test,pr-linter/exempt-readme,pr-linter/exempt-test"
+
       - name: Identify Missing Values and Apply Code Changes
         run: |
           cd tools/@aws-cdk/enum-updater
@@ -40,9 +76,6 @@ jobs:
       - name: Commit & Push changes
         if: steps.git-check.outputs.changes == 'true'
         run: |
-          git config --global user.name 'aws-cdk-automation'
-          git config --global user.email '[email protected]'
-          
           # Iterate through each module directory that has changes
           for module in $(git diff --name-only | grep -E '^packages/(@aws-cdk|aws-cdk-lib)/.*' | sed -E 's|^packages/(@aws-cdk\|aws-cdk-lib)/([^/]+).*|\2|' | sort -u); do
             moduleName=$(basename $module)

Diff for: .github/workflows/security-guardian.yml

@@ -0,0 +1,67 @@
+name: Security Guardian
+on:
+  pull_request: {}
+
+jobs:
+  run-security-guardian:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Fetches full history
+
+      - name: Get list of changed .template.json files
+        id: filter_files
+        run: |
+          echo "Getting changed CloudFormation templates..."
+          mkdir -p changed_templates
+
+          git fetch origin main --depth=1
+
+          base_sha="${{ github.event.pull_request.base.sha }}"
+          head_sha="${{ github.event.pull_request.head.sha }}"
+          if [[ -z "$base_sha" ]]; then base_sha=$(git merge-base origin/main HEAD); fi
+          if [[ -z "$head_sha" ]]; then head_sha=HEAD; fi
+
+          git diff --name-status "$base_sha" "$head_sha" \
+            | grep -E '^(A|M)\s+.*\.template\.json$' \
+            | awk '{print $2}' > changed_files.txt || true
+
+          while IFS= read -r file; do
+            if [ -f "$file" ]; then
+              safe_name=$(echo "$file" | sed 's|/|_|g')
+              cp "$file" "changed_templates/$safe_name"
+            else
+              echo "::warning::Changed file not found in workspace: $file"
+            fi
+          done < changed_files.txt
+
+          if [ -s changed_files.txt ]; then
+            echo "files_changed=true" >> $GITHUB_OUTPUT
+          else
+            echo "files_changed=false" >> $GITHUB_OUTPUT
+          fi
+  
+      - name: Install cfn-guard
+        if: steps.filter_files.outputs.files_changed == 'true'
+        run: |
+          mkdir -p $HOME/.local/bin
+          curl -L -o cfn-guard.tar.gz https://github.com/aws-cloudformation/cloudformation-guard/releases/latest/download/cfn-guard-v3-x86_64-ubuntu-latest.tar.gz
+          tar -xzf cfn-guard.tar.gz
+          mv cfn-guard-v3-*/cfn-guard $HOME/.local/bin/cfn-guard
+          chmod +x $HOME/.local/bin/cfn-guard
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+  
+      - name: Install & Build security-guardian
+        if: steps.filter_files.outputs.files_changed == 'true'
+        run: yarn install --frozen-lockfile && cd tools/@aws-cdk/security-guardian && yarn build
+
+      - name: Run cfn-guard if templates changed
+        if: steps.filter_files.outputs.files_changed == 'true'
+        uses: ./tools/@aws-cdk/security-guardian
+        with:
+          data_directory: './changed_templates'
+          rule_set_path: './tools/@aws-cdk/security-guardian/rules/trust_scope_rules.guard'
+          show_summary: 'fail'
+          output_format: 'single-line-summary'

Diff for: CHANGELOG.v2.alpha.md

@@ -2,6 +2,20 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.189.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.189.0-alpha.0...v2.189.1-alpha.0) (2025-04-14)
+
+## [2.189.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.188.0-alpha.0...v2.189.0-alpha.0) (2025-04-09)
+
+
+### Features
+
+* **ec2-alpha:** implement mapPublicIpOnLaunch prop in SubnetV2 ([#34057](https://github.com/aws/aws-cdk/issues/34057)) ([836c5cf](https://github.com/aws/aws-cdk/commit/836c5cf3e4c627f817e4dc8ed2af28a5bba54792)), closes [#32159](https://github.com/aws/aws-cdk/issues/32159)
+
+
+### Bug Fixes
+
+* **amplify:** unable to re-run integ test due to missing `status` field in `customRule` ([#33973](https://github.com/aws/aws-cdk/issues/33973)) ([6638c08](https://github.com/aws/aws-cdk/commit/6638c08d56afe7ecc4f23cff4cf334b887001e5e)), closes [#33962](https://github.com/aws/aws-cdk/issues/33962)
+
 ## [2.188.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.187.0-alpha.0...v2.188.0-alpha.0) (2025-04-03)
 
 

Diff for: CHANGELOG.v2.md

@@ -2,6 +2,30 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.189.1](https://github.com/aws/aws-cdk/compare/v2.189.0...v2.189.1) (2025-04-14)
+
+
+### Bug Fixes
+
+* **core:** implicit Aspect applications do not override custom Aspect applications ([#34132](https://github.com/aws/aws-cdk/issues/34132)) ([b7f4bc7](https://github.com/aws/aws-cdk/commit/b7f4bc7aee1d99b70e4d9d3cedea53e910ee37ef))
+
+## [2.189.0](https://github.com/aws/aws-cdk/compare/v2.188.0...v2.189.0) (2025-04-09)
+
+
+### Features
+
+* **apigatewayv2:** dualstack HTTP and WebSocket API ([#34054](https://github.com/aws/aws-cdk/issues/34054)) ([eec900e](https://github.com/aws/aws-cdk/commit/eec900e90f38f34f896b22cf36cb225fc9c13cc8))
+* update L1 CloudFormation resource definitions ([#34064](https://github.com/aws/aws-cdk/issues/34064)) ([9cb2602](https://github.com/aws/aws-cdk/commit/9cb260266e92f45e40a19667e29ccf2decb3d2b8))
+* **bedrock:** support Amazon Nova Reel 1.1 ([#34070](https://github.com/aws/aws-cdk/issues/34070)) ([3da0c4d](https://github.com/aws/aws-cdk/commit/3da0c4d267dbb693ffc01b9fae69cebcb180cdec))
+* support L2 constructs for Amazon S3 Tables ([#33599](https://github.com/aws/aws-cdk/issues/33599)) ([2e95252](https://github.com/aws/aws-cdk/commit/2e95252fecbb1fec9874fd5af4b4bd6449d50471))
+* **pipelines:** add `V2` pipeline type support in L3 construct ([#34005](https://github.com/aws/aws-cdk/issues/34005)) ([994e952](https://github.com/aws/aws-cdk/commit/994e95289b589596179553a5b9d7201155bd9ed1)), closes [#33995](https://github.com/aws/aws-cdk/issues/33995)
+
+
+### Bug Fixes
+
+* **codepipeline:** replace account root principal with pipeline role in trust policy for cross-account actions (under feature flag) ([#34074](https://github.com/aws/aws-cdk/issues/34074)) ([2d901f4](https://github.com/aws/aws-cdk/commit/2d901f4e7bb982221e1a48a13666939140109d5a))
+* **custom-resources:** `AwsCustomResource` assumed role session name may contain invalid characters ([#34016](https://github.com/aws/aws-cdk/issues/34016)) ([32b6b4d](https://github.com/aws/aws-cdk/commit/32b6b4d7fa99723efb667239fbe455ede43b92c6)), closes [#23260](https://github.com/aws/aws-cdk/issues/23260) [#34011](https://github.com/aws/aws-cdk/issues/34011)
+
 ## [2.188.0](https://github.com/aws/aws-cdk/compare/v2.187.0...v2.188.0) (2025-04-03)
 
 

Diff for: CONTRIBUTING.md

@@ -222,8 +222,9 @@ The following tools need to be installed on your system prior to installing the
 - [Yarn >= 1.19.1, < 2](https://yarnpkg.com/lang/en/docs/install)
 - [.NET SDK >= 6.0.x](https://www.microsoft.com/net/download)
 - [Python >= 3.8.0, < 4.0](https://www.python.org/downloads/release/python-380/)
-- [Docker >= 19.03](https://docs.docker.com/get-docker/)
-  - the Docker daemon must also be running
+- Either [Docker >= 19.03](https://docs.docker.com/get-docker/), [Finch >= 0.3.0](https://runfinch.com/), or another Docker replacement
+  - If using a Docker replacement, the `CDK_DOCKER` environment variable must be set to the replacement command's name (e.g. `export CDK_DOCKER=finch`)
+  - The Docker or replacement daemon must be running
 - [git-lfs](https://docs.github.com/en/repositories/working-with-files/managing-large-files/installing-git-large-file-storage)
   - Without this, you'll get the message that the clone succeeded but the checkout failed when you initially clone the repo.
 

Diff for: packages/@aws-cdk-testing/framework-integ/test/aws-apigatewayv2/test/http/integ.api-dualstack.js.snapshot/DualStackHttpApiIntegDefaultTestDeployAssertCB101E5C.assets.json

@@ -0,0 +1,57 @@
+{
+ "Resources": {
+  "HttpApiF5A9A8A7": {
+   "Type": "AWS::ApiGatewayV2::Api",
+   "Properties": {
+    "IpAddressType": "dualstack",
+    "Name": "HttpApi",
+    "ProtocolType": "HTTP",
+    "RouteSelectionExpression": "${request.method} ${request.path}"
+   }
+  },
+  "HttpApiDefaultStage3EEB07D6": {
+   "Type": "AWS::ApiGatewayV2::Stage",
+   "Properties": {
+    "ApiId": {
+     "Ref": "HttpApiF5A9A8A7"
+    },
+    "AutoDeploy": true,
+    "StageName": "$default"
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}