feat(s3): autoDeleteObjects log group allows retention period and removal policy definitions #2

kishiel · 2024-04-02T20:22:17Z

Issue aws#24815

Reason for this change

S3 bucket autoDeleteObjects leaves behind a log group for each bucket that uses the feature. This results in a lot of cruft, especially in test accounts, which should be configurable by the bucket owner. The account limit for log groups is 10,000 and I've got test accounts that have hit this limit several times.

Description of changes

Creates a log group rather than relying on the underlying custom-resource to create it automatically (a side effect of using CfnResource for AWS::Lambda::Function)
Sets a default retention period of 90 days on the log group (I picked a number)
Sets a default removal policy of delete on the log group (I don't think anyone wants these after they delete a bucket)
Denies the custom-resource Lambda role permission to create a log group (prevents log group recreation on delete)
Adds log group name as an optional to the interface of the custom-resource. This is plumbed into the loggingConfig and results in an undefined entry if not provided.

Description of how you validated changes

Unit tests in addition to some simple functional tests.

When making a bucket with autoDeleteObjects enabled I wanted to confirm that the log group for the lambda was, in fact, gone after I deleted the stack. This is how I found that I needed to modify the permission of the Lambda role to deny log group creation.

I also confirmed that the custom-resources which do not provide a log group name still produce a log group and logs within.

Also, over 100 snapshot tests (RIP me).

Checklist

My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

### Issue # (if applicable) Closes #29560. ### Reason for this change The service name generated by the CDK for global VPC endpoints was incorrect, as it contained the stack's region: ```sh $ aws ec2 describe-vpc-endpoint-services --region=us-east-1 --service-names=com.amazonaws.s3-global.accesspoint | jq '.ServiceDetails[] | .ServiceName' "com.amazonaws.s3-global.accesspoint" ``` ```ts new CfnOutput(this, "endpoint", { value: ec2.InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS.name, }); // TestDeployStack.endpoint = com.amazonaws.eu-west-1.s3-global.accesspoint ``` In addition, another global endpoint was missing from `InterfaceVpcEndpointAwsService`. ### Description of changes * The `InterfaceVpcEndpointAwsService` constructor was modified to * I would have preferred to switch to a single object for the optional constructor properties (`prefix`, `port`, and now `global`), but couldn't make a breaking change to a publicly accessible constructor * `InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS` was changed to be a global VPC endpoint * `InterfaceVpcEndpointAwsService.CODECATALYST` was added ### Description of how you validated changes I've added a unit test to check that the global endpoints' name were set correctly. I also added an integration test for `InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS`. To test it, I created a publicly accessible EC2 instance on the VPC, connected to it and ran `nslookup accesspoint.s3-global.amazonaws.com` to make sure it was resolvable (see [Configuring a Multi-Region Access Point for use with AWS PrivateLink](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointsPrivateLink.html)): Without the `InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS` interface endpoint: ```sh $ nslookup accesspoint.s3-global.amazonaws.com Server: 10.0.0.2 Address: 10.0.0.2#53 Non-authoritative answer: *** Can't find accesspoint.s3-global.amazonaws.com: No answer ``` With the `InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS` interface endpoint: ```sh $ nslookup accesspoint.s3-global.amazonaws.com Server: 10.0.0.2 Address: 10.0.0.2#53 Non-authoritative answer: Name: accesspoint.s3-global.amazonaws.com Address: 10.0.156.75 Name: accesspoint.s3-global.amazonaws.com Address: 10.0.246.83 ``` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Automated changes by [create-pull-request](https://github.com/peter-evans/create-pull-request) GitHub action

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-appintegrations │ └ resources │ └[~] resource AWS::AppIntegrations::Application │ ├ - documentation: Resource Type definition for AWS:AppIntegrations::Application │ │ + documentation: Creates and persists an Application resource. │ ├ properties │ │ ├ ApplicationSourceConfig: (documentation changed) │ │ ├ Description: (documentation changed) │ │ └ Tags: (documentation changed) │ └ types │ ├[~] type ApplicationSourceConfig │ │ ├ - documentation: Application source config │ │ │ + documentation: The configuration for where the application should be loaded from. │ │ └ properties │ │ └ ExternalUrlConfig: (documentation changed) │ └[~] type ExternalUrlConfig │ ├ - documentation: undefined │ │ + documentation: The external URL source for the application. │ └ properties │ ├ AccessUrl: (documentation changed) │ └ ApprovedOrigins: (documentation changed) ├[~] service aws-applicationautoscaling │ └ resources │ └[~] resource AWS::ApplicationAutoScaling::ScalingPolicy │ └ types │ └[~] type TargetTrackingMetricStat │ └ - documentation: This structure defines the CloudWatch metric to return, along with the statistic, period, and unit. │ `TargetTrackingMetricStat` is a property of the [AWS::ApplicationAutoScaling::ScalingPolicy TargetTrackingMetricDataQuery](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-applicationautoscaling-scalingpolicy-targettrackingmetricdataquery.html) property type. │ For more information about the CloudWatch terminology below, see [Amazon CloudWatch concepts](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html) in the *Amazon CloudWatch User Guide* . │ + documentation: This structure defines the CloudWatch metric to return, along with the statistic and unit. │ `TargetTrackingMetricStat` is a property of the [AWS::ApplicationAutoScaling::ScalingPolicy TargetTrackingMetricDataQuery](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-applicationautoscaling-scalingpolicy-targettrackingmetricdataquery.html) property type. │ For more information about the CloudWatch terminology below, see [Amazon CloudWatch concepts](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html) in the *Amazon CloudWatch User Guide* . ├[~] service aws-appmesh │ └ resources │ └[~] resource AWS::AppMesh::VirtualNode │ └ - documentation: Creates a virtual node within a service mesh. │ A virtual node acts as a logical pointer to a particular task group, such as an Amazon ECS service or a Kubernetes deployment. When you create a virtual node, you can specify the service discovery information for your task group, and whether the proxy running in a task group will communicate with other proxies using Transport Layer Security (TLS). │ You define a `listener` for any inbound traffic that your virtual node expects. Any virtual service that your virtual node expects to communicate to is specified as a `backend` . │ The response metadata for your new virtual node contains the `arn` that is associated with the virtual node. Set this value to the full ARN; for example, `arn:aws:appmesh:us-west-2:123456789012:myMesh/default/virtualNode/myApp` ) as the `APPMESH_RESOURCE_ARN` environment variable for your task group's Envoy proxy container in your task definition or pod spec. This is then mapped to the `node.id` and `node.cluster` Envoy parameters. │ > By default, App Mesh uses the name of the resource you specified in `APPMESH_RESOURCE_ARN` when Envoy is referring to itself in metrics and traces. You can override this behavior by setting the `APPMESH_RESOURCE_CLUSTER` environment variable with your own name. │ For more information about virtual nodes, see [Virtual nodes](https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_nodes.html) . You must be using `1.15.0` or later of the Envoy image when setting these variables. For more information about App Mesh Envoy variables, see [Envoy image](https://docs.aws.amazon.com/app-mesh/latest/userguide/envoy.html) in the AWS App Mesh User Guide. │ + documentation: Creates a virtual node within a service mesh. │ A virtual node acts as a logical pointer to a particular task group, such as an Amazon ECS service or a Kubernetes deployment. When you create a virtual node, you can specify the service discovery information for your task group, and whether the proxy running in a task group will communicate with other proxies using Transport Layer Security (TLS). │ You define a `listener` for any inbound traffic that your virtual node expects. Any virtual service that your virtual node expects to communicate to is specified as a `backend` . │ The response metadata for your new virtual node contains the `arn` that is associated with the virtual node. Set this value to the full ARN; for example, `arn:aws:appmesh:us-west-2:123456789012:myMesh/default/virtualNode/myApp` ) as the `APPMESH_RESOURCE_ARN` environment variable for your task group's Envoy proxy container in your task definition or pod spec. This is then mapped to the `node.id` and `node.cluster` Envoy parameters. │ > By default, App Mesh uses the name of the resource you specified in `APPMESH_RESOURCE_ARN` when Envoy is referring to itself in metrics and traces. You can override this behavior by setting the `APPMESH_RESOURCE_CLUSTER` environment variable with your own name. │ For more information about virtual nodes, see [Virtual nodes](https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_nodes.html) . You must be using `1.15.0` or later of the Envoy image when setting these variables. For more information aboutApp Mesh Envoy variables, see [Envoy image](https://docs.aws.amazon.com/app-mesh/latest/userguide/envoy.html) in the AWS App Mesh User Guide. ├[~] service aws-aps │ └ resources │ ├[~] resource AWS::APS::RuleGroupsNamespace │ │ └ - documentation: The definition of a rule groups namespace in an Amazon Managed Service for Prometheus workspace. A rule groups namespace is associated with exactly one rules file. A workspace can have multiple rule groups namespaces. For more information about rules files, seee [Creating a rules file](https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-ruler-rulesfile.html) , in the *Amazon Managed Service for Prometheus User Guide* . │ │ + documentation: The definition of a rule groups namespace in an Amazon Managed Service for Prometheus workspace. A rule groups namespace is associated with exactly one rules file. A workspace can have multiple rule groups namespaces. For more information about rules files, see [Creating a rules file](https://docs.aws.amazon.com/prometheus/latest/userguide/AMP-ruler-rulesfile.html) , in the *Amazon Managed Service for Prometheus User Guide* . │ └[+] resource AWS::APS::Scraper │ ├ name: Scraper │ │ cloudFormationType: AWS::APS::Scraper │ │ documentation: Resource Type definition for AWS::APS::Scraper │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} │ ├ properties │ │ ├Alias: string (immutable) │ │ ├ScrapeConfiguration: ScrapeConfiguration (required, immutable) │ │ ├Source: Source (required, immutable) │ │ ├Destination: Destination (required, immutable) │ │ └Tags: Array<tag> │ ├ attributes │ │ ├ScraperId: string │ │ ├Arn: string │ │ └RoleArn: string │ └ types │ ├type ScrapeConfiguration │ │├ documentation: Scraper configuration │ ││ name: ScrapeConfiguration │ │└ properties │ │ └ConfigurationBlob: string (required) │ ├type Source │ │├ documentation: Scraper metrics source │ ││ name: Source │ │└ properties │ │ └EksConfiguration: EksConfiguration (required) │ ├type EksConfiguration │ │├ documentation: Configuration for EKS metrics source │ ││ name: EksConfiguration │ │└ properties │ │ ├ClusterArn: string (required) │ │ ├SecurityGroupIds: Array<string> │ │ └SubnetIds: Array<string> (required) │ ├type Destination │ │├ documentation: Scraper metrics destination │ ││ name: Destination │ │└ properties │ │ └AmpConfiguration: AmpConfiguration (required) │ └type AmpConfiguration │ ├ documentation: Configuration for Amazon Managed Prometheus metrics destination │ │ name: AmpConfiguration │ └ properties │ └WorkspaceArn: string (required) ├[~] service aws-cleanrooms │ └ resources │ └[~] resource AWS::CleanRooms::ConfiguredTable │ └ types │ ├[~] type AnalysisRuleCustom │ │ └ properties │ │ └[+] DifferentialPrivacy: DifferentialPrivacy │ ├[+] type DifferentialPrivacy │ │ ├ name: DifferentialPrivacy │ │ └ properties │ │ └Columns: Array<DifferentialPrivacyColumn> (required) │ └[+] type DifferentialPrivacyColumn │ ├ documentation: Specifies the name of the column that contains the unique identifier of your users, whose privacy you want to protect. │ │ name: DifferentialPrivacyColumn │ └ properties │ └Name: string (required) ├[~] service aws-codebuild │ └ resources │ ├[~] resource AWS::CodeBuild::Project │ │ └ types │ │ ├[~] type ProjectSourceVersion │ │ │ └ properties │ │ │ └ SourceVersion: (documentation changed) │ │ └[~] type Source │ │ └ properties │ │ ├ Location: (documentation changed) │ │ └ Type: (documentation changed) │ └[~] resource AWS::CodeBuild::SourceCredential │ └ properties │ ├ AuthType: (documentation changed) │ └ ServerType: (documentation changed) ├[~] service aws-codestarconnections │ └ resources │ └[~] resource AWS::CodeStarConnections::SyncConfiguration │ └ properties │ ├[+] PublishDeploymentStatus: string │ └[+] TriggerResourceUpdateOn: string ├[~] service aws-connect │ └ resources │ └[~] resource AWS::Connect::PredefinedAttribute │ └ attributes │ ├[+] LastModifiedRegion: string │ └[+] LastModifiedTime: number ├[~] service aws-dms │ └ resources │ └[~] resource AWS::DMS::Endpoint │ └ types │ └[~] type PostgreSqlSettings │ └ properties │ ├ CaptureDdls: (documentation changed) │ ├ DdlArtifactsSchema: (documentation changed) │ ├ FailTasksOnLobTruncation: (documentation changed) │ ├ HeartbeatEnable: (documentation changed) │ ├ HeartbeatFrequency: (documentation changed) │ ├ HeartbeatSchema: (documentation changed) │ ├ MapBooleanAsBoolean: (documentation changed) │ ├ MaxFileSize: (documentation changed) │ └ PluginName: (documentation changed) ├[~] service aws-docdbelastic │ └ resources │ └[~] resource AWS::DocDBElastic::Cluster │ └ properties │ ├ BackupRetentionPeriod: (documentation changed) │ ├ PreferredBackupWindow: (documentation changed) │ └ ShardInstanceCount: (documentation changed) ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::Subnet │ │ └ properties │ │ └[+] EnableLniAtDeviceIndex: integer │ └[~] resource AWS::EC2::TransitGatewayRouteTableAssociation ├[~] service aws-ecs │ └ resources │ └[~] resource AWS::ECS::TaskSet │ └ - documentation: Create a task set in the specified cluster and service. This is used when a service uses the `EXTERNAL` deployment controller type. For more information, see [Amazon ECS deployment types](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-types.html) in the *Amazon Elastic Container Service Developer Guide* . │ For information about the maximum number of task sets and otther quotas, see [Amazon ECS service quotas](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-quotas.html) in the *Amazon Elastic Container Service Developer Guide* . │ + documentation: Create a task set in the specified cluster and service. This is used when a service uses the `EXTERNAL` deployment controller type. For more information, see [Amazon ECS deployment types](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-types.html) in the *Amazon Elastic Container Service Developer Guide* . │ > On March 21, 2024, a change was made to resolve the task definition revision before authorization. When a task definition revision is not specified, authorization will occur using the latest revision of a task definition. │ For information about the maximum number of task sets and otther quotas, see [Amazon ECS service quotas](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-quotas.html) in the *Amazon Elastic Container Service Developer Guide* . ├[~] service aws-entityresolution │ └ resources │ └[~] resource AWS::EntityResolution::MatchingWorkflow │ └ types │ └[~] type ResolutionTechniques │ └ properties │ └ ResolutionType: (documentation changed) ├[~] service aws-globalaccelerator │ └ resources │ └[~] resource AWS::GlobalAccelerator::EndpointGroup │ └ types │ └[~] type EndpointConfiguration │ └ properties │ └ AttachmentArn: (documentation changed) ├[~] service aws-glue │ └ resources │ └[~] resource AWS::Glue::Crawler │ ├ properties │ │ └ LakeFormationConfiguration: (documentation changed) │ └ types │ └[~] type LakeFormationConfiguration │ ├ - documentation: undefined │ │ + documentation: Specifies AWS Lake Formation configuration settings for the crawler. │ └ properties │ ├ AccountId: (documentation changed) │ └ UseLakeFormationCredentials: (documentation changed) ├[~] service aws-iotsitewise │ └ resources │ └[~] resource AWS::IoTSiteWise::AssetModel │ └ types │ ├[~] type AssetModelCompositeModel │ │ └ properties │ │ ├ Description: (documentation changed) │ │ ├ ExternalId: (documentation changed) │ │ ├ ParentAssetModelCompositeModelExternalId: (documentation changed) │ │ └ Path: (documentation changed) │ ├[~] type AssetModelHierarchy │ │ └ properties │ │ ├ ExternalId: (documentation changed) │ │ └ LogicalId: (documentation changed) │ └[~] type AssetModelProperty │ └ properties │ ├ ExternalId: (documentation changed) │ └ LogicalId: (documentation changed) ├[~] service aws-kafkaconnect │ └ resources │ ├[~] resource AWS::KafkaConnect::CustomPlugin │ │ ├ - documentation: An example resource schema demonstrating some basic constructs and validation rules. │ │ │ + documentation: Creates a custom plugin using the specified properties. │ │ ├ properties │ │ │ ├ ContentType: (documentation changed) │ │ │ ├ Description: (documentation changed) │ │ │ └ Location: (documentation changed) │ │ ├ attributes │ │ │ └ CustomPluginArn: (documentation changed) │ │ └ types │ │ ├[~] type CustomPluginFileDescription │ │ │ └ - documentation: Details about the custom plugin file. │ │ │ + documentation: Details about a custom plugin file. │ │ └[~] type S3Location │ │ └ - documentation: The S3 bucket Amazon Resource Name (ARN), file key, and object version of the plugin file stored in Amazon S3. │ │ + documentation: The location of an object in Amazon S3. │ └[~] resource AWS::KafkaConnect::WorkerConfiguration │ ├ - documentation: The configuration of the workers, which are the processes that run the connector logic. │ │ + documentation: Creates a worker configuration using the specified properties. │ ├ properties │ │ ├ Description: (documentation changed) │ │ └ PropertiesFileContent: (documentation changed) │ └ attributes │ ├ Revision: (documentation changed) │ └ WorkerConfigurationArn: (documentation changed) ├[~] service aws-kendra │ └ resources │ └[~] resource AWS::Kendra::DataSource │ └ types │ ├[~] type ConnectionConfiguration │ │ └ properties │ │ └ SecretArn: (documentation changed) │ ├[~] type CustomDocumentEnrichmentConfiguration │ │ └ properties │ │ └ RoleArn: (documentation changed) │ ├[~] type HookConfiguration │ │ └ properties │ │ └ LambdaArn: (documentation changed) │ ├[~] type OneDriveUsers │ │ └ properties │ │ └ OneDriveUserList: (documentation changed) │ ├[~] type ProxyConfiguration │ │ └ properties │ │ └ Credentials: (documentation changed) │ └[~] type WebCrawlerBasicAuthentication │ └ properties │ └ Credentials: (documentation changed) ├[~] service aws-kinesisfirehose │ └ resources │ └[~] resource AWS::KinesisFirehose::DeliveryStream │ ├ properties │ │ └ Tags: (documentation changed) │ └ types │ └[~] type ParquetSerDe │ └ - documentation: A serializer to use for converting data to the Parquet format before storing it in Amazon S3. For more information, see [Apache Parquet](https://docs.aws.amazon.com/https://parquet.apache.org/documentation/latest/) . │ + documentation: A serializer to use for converting data to the Parquet format before storing it in Amazon S3. For more information, see [Apache Parquet](https://docs.aws.amazon.com/https://parquet.apache.org/docs/) . ├[~] service aws-managedblockchain │ └ resources │ └[~] resource AWS::ManagedBlockchain::Node │ └ properties │ └ NetworkId: (documentation changed) ├[~] service aws-oam │ └ resources │ └[~] resource AWS::Oam::Link │ └ properties │ └ ResourceTypes: (documentation changed) ├[~] service aws-rds │ └ resources │ ├[~] resource AWS::RDS::DBCluster │ │ ├ properties │ │ │ ├ ScalingConfiguration: (documentation changed) │ │ │ └ ServerlessV2ScalingConfiguration: (documentation changed) │ │ └ types │ │ ├[~] type ScalingConfiguration │ │ │ └ - documentation: The `ScalingConfiguration` property type specifies the scaling configuration of an Aurora Serverless DB cluster. │ │ │ For more information, see [Using Amazon Aurora Serverless](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html) in the *Amazon Aurora User Guide* . │ │ │ This property is only supported for Aurora Serverless v1. For Aurora Serverless v2, Use the `ServerlessV2ScalingConfiguration` property. │ │ │ Valid for: Aurora DB clusters only │ │ │ + documentation: The `ScalingConfiguration` property type specifies the scaling configuration of an Aurora Serverless v1 DB cluster. │ │ │ For more information, see [Using Amazon Aurora Serverless](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html) in the *Amazon Aurora User Guide* . │ │ │ This property is only supported for Aurora Serverless v1. For Aurora Serverless v2, Use the `ServerlessV2ScalingConfiguration` property. │ │ │ Valid for: Aurora Serverless v1 DB clusters only │ │ └[~] type ServerlessV2ScalingConfiguration │ │ └ - documentation: The `ServerlessV2ScalingConfiguration` property type specifies the scaling configuration of an Aurora Serverless V2 DB cluster. │ │ For more information, see [Using Amazon Aurora Serverless v2](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.html) in the *Amazon Aurora User Guide* . │ │ If you have an Aurora cluster, you must set the `ScalingConfigurationInfo` attribute before you add a DB instance that uses the `db.serverless` DB instance class. For more information, see [Clusters that use Aurora Serverless v2 must have a capacity range specified](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.requirements.html#aurora-serverless-v2.requirements.capacity-range) in the *Amazon Aurora User Guide* . │ │ This property is only supported for Aurora Serverless v2. For Aurora Serverless v1, Use the `ScalingConfiguration` property. │ │ + documentation: The `ServerlessV2ScalingConfiguration` property type specifies the scaling configuration of an Aurora Serverless V2 DB cluster. │ │ For more information, see [Using Amazon Aurora Serverless v2](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.html) in the *Amazon Aurora User Guide* . │ │ If you have an Aurora cluster, you must set the `ScalingConfigurationInfo` attribute before you add a DB instance that uses the `db.serverless` DB instance class. For more information, see [Clusters that use Aurora Serverless v2 must have a capacity range specified](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.requirements.html#aurora-serverless-v2.requirements.capacity-range) in the *Amazon Aurora User Guide* . │ │ This property is only supported for Aurora Serverless v2. For Aurora Serverless v1, use the `ScalingConfiguration` property. │ │ Valid for: Aurora Serverless v2 DB clusters │ └[~] resource AWS::RDS::Integration │ └ properties │ ├[+] DataFilter: string │ ├[+] Description: string │ └ IntegrationName: - string (immutable) │ + string ├[~] service aws-securityhub │ └ resources │ └[~] resource AWS::SecurityHub::AutomationRule │ └ types │ ├[~] type AutomationRulesFindingFilters │ │ └ properties │ │ ├ CreatedAt: (documentation changed) │ │ ├ FirstObservedAt: (documentation changed) │ │ ├ LastObservedAt: (documentation changed) │ │ ├ NoteUpdatedAt: (documentation changed) │ │ └ UpdatedAt: (documentation changed) │ └[~] type DateFilter │ └ properties │ ├ End: (documentation changed) │ └ Start: (documentation changed) └[+] service aws-securitylake ├ capitalized: SecurityLake │ cloudFormationNamespace: AWS::SecurityLake │ name: aws-securitylake │ shortName: securitylake └ resources └resource AWS::SecurityLake::DataLake ├ name: DataLake │ cloudFormationType: AWS::SecurityLake::DataLake │ documentation: Resource Type definition for AWS::SecurityLake::DataLake │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"} ├ properties │ ├EncryptionConfiguration: EncryptionConfiguration │ ├LifecycleConfiguration: LifecycleConfiguration │ ├ReplicationConfiguration: ReplicationConfiguration │ ├MetaStoreManagerRoleArn: string (immutable) │ └Tags: Array<tag> ├ attributes │ ├Arn: string │ └S3BucketArn: string └ types ├type EncryptionConfiguration │├ documentation: Provides encryption details of Amazon Security Lake object. ││ name: EncryptionConfiguration │└ properties │ └KmsKeyId: string ├type LifecycleConfiguration │├ documentation: Provides lifecycle details of Amazon Security Lake object. ││ name: LifecycleConfiguration │└ properties │ ├Expiration: Expiration │ └Transitions: Array<Transitions> ├type Expiration │├ documentation: Provides data expiration details of Amazon Security Lake object. ││ name: Expiration │└ properties │ └Days: integer ├type Transitions │├ name: Transitions │└ properties │ ├Days: integer │ └StorageClass: string └type ReplicationConfiguration ├ documentation: Provides replication details of Amazon Security Lake object. │ name: ReplicationConfiguration └ properties ├Regions: Array<string> └RoleArn: string ```

### Issue # (if applicable) Closes #29663 ### Reason for this change kms key created within integ test remains after integ test. ### Description of changes Added "pendingWindow" and "removalPolicy" to kms resource. ```ts const key = new Key(this, 'CustomKey', { pendingWindow: Duration.days(7), removalPolicy: RemovalPolicy.DESTROY, }); ``` ### Description of how you validated changes I confirmed with integ test that it works as expected. ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Adds `ruby 3.3` to the available [Lambda Runtimes constants](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Runtime.html#initializer) *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/bump/2.135.0/CHANGELOG.md)

### Issue #29637 Closes #29637 ### Reason for this change Allow setting the enableExecuteCommand for ECSRunTask in sfn ### Description of changes Add the enableExecuteCommand property to the EcsRunTaskProps, to start the task from step functions with execution command enabled. ### Description of how you validated changes Unit-test added. Existing ones passed. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) Closes #27504 ### Reason for this change The current validation of `repoString` in constructor of `CodeStarConnectionSource` does not support nested repository that can appear in GitLab. ### Description of changes The validation is fixed to accept nested repository. ### Description of how you validated changes I added unit tests and confirmed all tests passed. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.135.0/CHANGELOG.md)

Some customers have typo'd `--no-changeset` where `--no-change-set` was expected. Make these two aliases of each other since they're easy to mix up, and this flag being valid changes the permissions used by diff, which will cause errors in certain environments. tested manually. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

kishiel · 2024-04-02T20:29:14Z

There are about 10 snapshot tests which are failing that I'm unable to resolve on my own and I could use some help in running them. I believe that a few of them are because I'm using an internal AWS account so hopefully they just need to be run from someone's not-quite-so-special account.

kishiel · 2024-04-02T20:31:17Z

Oh, I definitely did something wrong on opening this PR I have no idea what though, changing to a draft.

kishiel · 2024-04-02T20:32:09Z

Opened this backwards. Closing.

kishiel · 2024-04-02T20:42:25Z

Actual PR: aws#29698

nmussy and others added 14 commits March 30, 2024 10:41

chore: update Contributors File (#29666)

ac4b32a

Automated changes by [create-pull-request](https://github.com/peter-evans/create-pull-request) GitHub action

chore(release): 2.135.0

ef05a4b

chore(release): 2.135.0 (#29682)

d46c474

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/bump/2.135.0/CHANGELOG.md)

Merge branch 'main' into merge-back/2.135.0

0ea2328

chore(merge-back): 2.135.0 (#29684)

b148e58

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.135.0/CHANGELOG.md)

github-actions bot added the beginning-contributor label Apr 2, 2024

kishiel marked this pull request as draft April 2, 2024 20:31

kishiel closed this Apr 2, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(s3): autoDeleteObjects log group allows retention period and removal policy definitions #2

feat(s3): autoDeleteObjects log group allows retention period and removal policy definitions #2

kishiel commented Apr 2, 2024

kishiel commented Apr 2, 2024

kishiel commented Apr 2, 2024

kishiel commented Apr 2, 2024

kishiel commented Apr 2, 2024

feat(s3): autoDeleteObjects log group allows retention period and removal policy definitions #2

feat(s3): autoDeleteObjects log group allows retention period and removal policy definitions #2

Conversation

kishiel commented Apr 2, 2024

Issue aws#24815

Reason for this change

Description of changes

Description of how you validated changes

Checklist

kishiel commented Apr 2, 2024

kishiel commented Apr 2, 2024

kishiel commented Apr 2, 2024

kishiel commented Apr 2, 2024