v2.238.0

⚠ BREAKING CHANGES

• bedrock-agentcore: Interface extensions require new property implementations
• aws-bedrock-agentcore-alpha:
• • IGateway now requires gatewayRef getter
• • IGatewayTarget now requires gatewayTargetRef getter
• • IMemory now requires memoryRef getter
• • IBedrockAgentRuntime now requires runtimeRef getter
• • IRuntimeEndpoint now requires runtimeEndpointRef getter
• • IBrowserCustom now requires browserCustomRef getter
• • ICodeInterpreterCustom now requires codeInterpreterCustomRef getter

Features

• update L1 CloudFormation resource definitions (#36834) (5143fdf)
• core: allow indentation suppression in nested stacks (#35122) (d629b15), closes #32798 /github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/core/lib/stack.ts#L207 /github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/core/lib/stack.ts#L207 /github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/core/lib/nested-stack.ts#L25C18-L25C34
• ec2: support Firehose IDeliveryStreamRef as flow log destination (#36278) (cd73498), closes #33883 #34596 #33757
• eks: add removal policy for all constructs (#35835) (875d9b8)
• eks: add support for EC2, HYBRID_LINUX, and HYPERPOD_LINUX access entry types (#36350) (cc059c6), closes #34394
• glue: typed partition projection (#35660) (cb1658f), closes #35428

Bug Fixes

• core: intrinsic cfn function tokens are not detected as such in java (#36843) (3f29f11)
• events: restore Match.anyOf support for raw strings (#36908) (6804c7c), closes #36902 #36602 #36602
• iam: undeprecate openIdConnectProviderArn and openIdConnectProviderIssuer in IOidcProvider (#36859) (cbf0b03)

Miscellaneous Chores

• bedrock-agentcore: reference interface (#36803) (87f1087)

---

Alpha modules (2.238.0-alpha.0)

Features

• eks-v2-alpha: add support for bootstrapSelfManagedAddons (#36740) (1ffe38d)
• eks-v2-alpha: add support for EKS hybrid nodes (#36749) (48ace56)

Bug Fixes

• eks-v2-alpha: ensure kubectl provider and handler functions use the same vpc configuration (#36735) (4e02f08), closes #34878 #34877
• ivs-alpha: add region constraints to integration tests (#36851) (d55fec4)
• mixins-preview: apply mixins in order (#36847) (726060c)
• mixins-preview: apply mixins in order in MixinApplicator (#36877) (09db1c9), closes #36847

v2.237.1

Bug Fixes

• core: intrinsic cfn function tokens are not detected as such in java (#36843) (89cd54f)

---

Alpha modules (2.237.1-alpha.0)

v2.237.0

⚠ BREAKING CHANGES

• iam: Receivers of IEncryptedResource objects now have fewer guarantees about the shape of the object. If you still require an IResource, change the type to IEncryptedResource & IResource and/or add a type guard check using Resource.isResource(). Implementations of IEncryptedResource no longer need to implement IResource but must continue to implement IEnvironmentAware. Since IResource extends IEnvironmentAware, there is no change for implementors. Calls to GrantableResources.isEncryptedResource() now require an IEnvironmentAware argument instead of IConstruct.

Features

• eks: add OidcProviderNative using L1 and deprecate OpenIdConnectProvider custom resource (#36589) (09383cb)
• eks: add support overwriteServiceAccount prop in service account construct (#36751) (3aa38f6)
• kms: make trustAccountIdentities optional in KeyGrants (#36786) (06676ac)
• lambda: add observability support for kafka event source mappings (#36808) (dd8b419)
• update L1 CloudFormation resource definitions (#36799) (7ecd0a9)
• opensearchservice: support OI2 instance type with local NVMe storage (#36700) (034baf3), closes #36698

Bug Fixes

• iam: IEncryptedResource extends IEnvironmentAware instead of IResource (#36787) (90ad834)

---

Alpha modules (2.237.0-alpha.0)

Features

• bedrock-agentcore-alpha: add support for custom claims and scopes to runtime/gateway authorizers (#36810) (a3abcd0)
• eks-v2-alpha: pass additional helm chart values to aws-load-balancer-controller (#36754) (cf61814), closes /github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/helm/aws-load-balancer-controller/values.yaml#L199
• mixins-preview: align Mixins API with latest RFC proposal (#36825) (82c2fdb)
• mixins-preview: handle destination bucket with KMS keys (#36776) (950401f)

Bug Fixes

• bedrock-agentcore-alpha: construct ID collision when multiple schemas are set (#36565) (9ebfb62), closes #36559

v2.236.0

Features

• update L1 CloudFormation resource definitions (#36721) (7a4a443)
• ecs: add capacityOptionType (Spot support) to ManagedInstancesCapacityProvider L2 construct (#36497) (e8ad85b), closes #35648
• ecs: add built-in Linear and Canary deployments (#35981) (67ac5e7), closes #35986 #35987
• logs: add support for deletion protection configuration (#36583) (c4d1389), closes #36554 #36554

Bug Fixes

• apigatewayv2: use custom domain name instead of regional domain name when importing domain name via fromDomainNameAttributes (#36710) (fe6eb0b)
• batch: undeprecate useOptimalInstanceClasses property (#36353) (3485d53), closes #36291 #36291
• core: resources allocate unnecessary string tokens upon instantiation (#36692) (59d4928)
• core: tree.json unintentionally includes telemetry metadata (#36748) (87fd86b)
• scheduler: scheduleName returns undefined when imported from ARN (#36400) (752bd9b), closes #36361
• recent change to IAlarmAction breaks too many implementors (#36695) (0c5b0db)

---

Alpha modules (2.236.0-alpha.0)

Features

• bedrock-agentcore-alpha: added episodic memory strategy (#36591) (21dcfc6)
• bedrock-agentcore-alpha: added gateway interceptors (#36604) (ba8aa48)
• bedrock-agentcore-alpha: make physical name properties optional for AgentCore resources (#36354) (5137d81), closes #36341
• mixins-preview: expose BucketPolicyStatementsMixin publicly (#36771) (458156d)
• sagemaker: add containerStartupHealthCheckTimeoutInSeconds support for EndpointConfig (#35626) (47d707a), closes #35566

Bug Fixes

• eks-v2-alpha: ensure kubectl provider access entry is depended upon by downstream resources (#36734) (e104f45), closes #34898 #34897

v2.235.1

Bug Fixes

• apigatewayv2: use custom domain name instead of regional domain name when importing domain name via fromDomainNameAttributes (#36710) (29e5642)

---

Alpha modules (2.235.1-alpha.0)

v2.235.0

⚠ BREAKING CHANGES

• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

• aws-ecs: AWS::ECS::CapacityProvider: ManagedInstancesNetworkConfiguration.SecurityGroups property is now required.

• ecs: securityGroups is now required in ManagedInstancesCapacityProviderProps. CloudFormation has always required this field, so any code that omitted it would have failed at deployment time with a validation error. This change catches the error at compile time instead, improving the developer experience. If your code previously omitted securityGroups, you must now explicitly provide at least one security group.
• aws-cdk-lib: JobQueue.computeEnvironments contains an computeEnvironment: IComputeEnvironment → IComputeEnvironmentRef. BackupPlanRule.props contains a backupVault: IBackupVault → IBackupVaultRef. ApiDestination.fromApiDestinationAttributes() return type ApiDestination → IApiDestination. This should never have returned a class but always an interface, as is the standard for referencing factories. EventDestination.bus changed IEventBus →IEventBusRef; FlowLogDestination.bind() now returns and ICluster.executeCommandConfiguration contains a member changing type ILogGroup → ILogGroupRef.
• events: ApiDestination.fromApiDestinationAttributes() now returns an IApiDestination. It used to return an ApiDestination but this was a mistake, referencing methods always return a type by interface, not by class.EventDestination.bus used to be an IEventBus but is now an IEventBusRef; it needs to be type tested to assert it is actually an IEventBus if that is necessary.
• logs: the return types of FlowLogDestination.bind() and ICluster.executeCommandConfiguration now contain an ILogGroupRef instead of an ILogGroup, which guarantees less. These fields are for communication between constructs, and their values should not be used by application builders. If they do, they will need to add a cast or a type check.
• iot-actions: enableBatchConfig property is explicitly disabled by default. Even with this modification, the behavior of HttpAction remains unchanged from before, but only the Cfn template will be modified.

Features

• update L1 CloudFormation resource definitions (#36694) (861f437)
• apigatewayv2-integrations: add PutEvents support for EventBridge integration (#35766) (d879e4d), closes #35714 #35714
• ecs: add none log driver option for ECS containers (#35819) (5636820), closes #35795 #35795
• iot-actions: batching HTTP action messages (#36642) (fbc50ea)
• rds: add Read/Write IOPS metrics to DatabaseInstance and VolumeRead/Write IOPs metrics to DatabaseCluster (#35773) (d8e023d), closes #35327 #35327
• rds: support default auth scheme for RDS Proxy (#35635) (99f6c74), closes #35558
• spec2cdk: support for auto-generated grants in alpha modules (#36206) (776f837)
• synthetics: add syn-nodejs-3.0 runtime (#36652) (18f9fef), closes #36648
• synthetics: playwright 4.0 and 5.0 runtimes (#36590) (82cd9a6)

Bug Fixes

• aws-cdk-lib: reference interfaces for remaining services (#36359) (ed1f9de)
• core: make DetachedConstruct.node non-enumerable (#36672) (98d41ca), closes #36078 #36015
• ecs: make securityGroups required in ManagedInstancesCapacityProvider (#36685) (6734426)
• events: event Matcher class to be compatible with mergeEventPattern function (#36602) (e3f7dba), closes /github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-s3/lib/bucket.ts#L657-L657
• opensearchservice: use KMS Key ARN for cross-account encryption (#36020) (cccd94c), closes #36017
• stepfunctions: allow JSONata expressions for Map maxConcurrency (#36462) (2230c87), closes #36274
• RuntimeError: apiEndpoint is not configured on the imported HttpApi (revert of "chore(apigatewayv2): reference interfaces") (#36623) (fb17d39), closes aws/aws-cdk#36378

Miscellaneous Chores

• events: reference interfaces (#36535) (0bea5c9)
• logs: reference interfaces (#36566) (5b426b8)

---

Alpha modules (2.235.0-alpha.0)

⚠ BREAKING CHANGES

• bedrock-agentcore-alpha: The User Pool Client will be replaced and new Resource Server and Domain resources will be added for existing Gateway stacks using the default Cognito authorizer.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

Bug Fixes

• bedrock-agentcore-alpha: default Cognito User Pool for AgentCore Gateway is not set up for M2M authentication. (#36323) (5a5605a)

v2.234.1

Bug Fixes

• RuntimeError: apiEndpoint is not configured on the imported HttpApi (revert of "chore(apigatewayv2): reference interfaces") (#36623) (1c10d49), closes aws/aws-cdk#36378

---

Alpha modules (2.234.1-alpha.0)

v2.234.0

⚠ BREAKING CHANGES

• batch: unfortunately JobQueue exposes public readonly computeEnvironments: OrderedComputeEnvironment[]. The computeEnvironment member of that structure now fewer guarantees, and needs casting. This should not have been exposed, and we assume the use of the exposed property here is rare.
• backup: unfortunately BackupPlanRule exposes public readonly props: BackupPlanRuleProps. The backupVault member of that structure now guarantees less, and needs casting. This should never have been exposed, and we assume the use of the exposed property here is rare.
• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.AuthStatus attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.AuthUrl attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.CloudId attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.JiraCloud.Domain attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: Provider.ServiceNow.AuthStatus attribute removed.
aws-securityhub: AWS::SecurityHub::ConnectorV2: JiraCloud type removed, replaced by JiraCloudProviderConfiguration.
aws-securityhub: AWS::SecurityHub::ConnectorV2: ServiceNow type removed, replaced by ServiceNowProviderConfiguration.
aws-ssm: AWS::SSM::MaintenanceWindowTarget: Id attribute removed.

Features

• ecs: automatically create ec2InstanceProfile for ManagedInstancesCapacityProvider (#35796) (9218ea8)
• rds: add name property to option group (#36319) (708d0ac), closes #35720
• stepfunctions-tasks: allow EcsRunTask on fargate and ec2 to set capacity provider strategy (#35465) (63ca2ae), closes #20013 #30171 #7967
• synthetics: add puppeteer 12.0/13.0 runtime (#36562) (5b74dd4), closes #36501

Bug Fixes

• cloudwatch: skip MathExpression validation when prop is a token (#36487) (2845d47)
• core: App.of() returns incorrect values (#36475) (78034d3)
• core: arnForXxxx() helpers ignore environments from referenced resources (#36599) (4744c59)
• core: account for { Ref } incompatibility between schema and CFN (#36493) (3b06942)
• ec2: add proper handling for VPC endpoint service name prefix eu.amazonaws for new region eusc-de-east-1 for ECR & API Gateway services (#36471) (d5561e0)
• lambda: add token resolution validation to capacity providers (#36275) (c5fbd97)

Miscellaneous Chores

• backup: reference interfaces (#36415) (4418612)
• batch: reference interfaces (#36522) (fefc7be)

---

Alpha modules (2.234.0-alpha.0)

Features

• msk-alpha: support express broker for Kafka v3.9 (#36450) (afcc953)

Bug Fixes

• elasticache-alpha: deployment fails when serverlessCacheName or userGroupId is not specified (#36459) (b3f62f7), closes #36458
• elasticache-alpha: security group for ServerlessCache does not use default endpoint port (#35738) (79d91ad)

v2.233.0

⚠ BREAKING CHANGES

CHANGES TO L1 RESOURCES: L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

aws-ec2: AWS::EC2::EC2Fleet: DefaultTargetCapacityType property is now immutable.
aws-ec2: AWS::EC2::EC2Fleet: TargetCapacityUnitType property is now immutable.

Features

• update L1 CloudFormation resource definitions (#36390) (a6077a2)
• events-targets: support messageGroupId for standard SQS queues (#36068) (95d4ed5)
• update L1 CloudFormation resource definitions (#36367) (e551afe)
• codebuild: add support for macOS 15 runners (#35836) (1b8b4e3)
• route53-patterns: HttpsRedirect use Distribution as the default CloudFront distribution (under feature flag) (#34312) (e2987eb), closes #31546
• update L1 CloudFormation resource definitions (#36326) (cb82627)
• ec2: add Interface VPC Endpoints for ACM and ACM-PCA (#35890) (06e6b25)
• route53: support failover routing policy for record sets (#35909) (9395467), closes #35910

Bug Fixes

• aws-cdk-lib: make grants factory methods public (#36317) (7dde625)
• ci: checkout the pr head instead of the default main head (#36311) (a1cbcf9), closes /github.com/aws/aws-cdk/blob/main/.github/workflows/integration-test-deployment.yml#L39C11-L39C57
• cloudtrail: do not attach s3 bucket permission when orgId is not set for organization trail (#30778) (61ee074), closes #30490
• custom-resources: waiter state machine retry fails with ExecutionAlreadyExists (#35988) (36ea606), closes #35957
• ecs: removal of canContainersAccessInstanceRole instance role (#36362) (7395b41)
• pipelines: propagate CodeBuild fleet and certificate (#35673) (71cfd60), closes #35664
• region-info: standalone use of @aws-cdk/region-info throws an Cannot find module 'aws-cdk-lib/core/lib/errors' error (#36414) (01c7d2e), closes #36399
• ci fix for spec updater workflow (#36364) (a0b42cc)
• re-export of ResourceEnvironment is not an alias (#36370) (ba8e194)

---

Alpha modules (2.233.0-alpha.0)

⚠ BREAKING CHANGES

• bedrock-agentcore-alpha: Runtime constructs will no longer automatically include lifecycleConfiguration with default values when not explicitly specified by users.
• elasticache-alpha: The engine property in NoPasswordUserProps has been removed.

Bug Fixes

• bedrock-agentcore-alpha: runtime construct incorrectly forces default lifecycleConfiguration values (#36379) (7954354), closes #36376
• elasticache-alpha: the default engine for NoPasswordUser contradict in the docs (#35920) (495fa37), closes #35847
• mixins-preview: improving delivery source and delivery destination creation (#36314) (86092ab)

v2.232.2

Bug Fixes

• re-export of ResourceEnvironment is not an alias (#36370) (6178d32)

---

Alpha modules (2.232.2-alpha.0)