Commit 7e6f009
Update dependency aws-cdk-lib to v2.189.1 [SECURITY] (#2163)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [aws-cdk-lib](https://redirect.github.com/aws/aws-cdk) ([source](https://redirect.github.com/aws/aws-cdk/tree/HEAD/packages/aws-cdk-lib)) | devDependencies | minor | [`2.181.0` -> `2.189.1`](https://renovatebot.com/diffs/npm/aws-cdk-lib/2.181.0/2.189.1) |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
> Dashboard for more information.
### GitHub Vulnerability Alerts
#### [GHSA-qq4x-c6h6-rfxh](https://redirect.github.com/aws/aws-cdk/security/advisories/GHSA-qq4x-c6h6-rfxh)
### Summary
The [AWS Cloud Development Kit (CDK)](https://aws.amazon.com/cdk/) is an
open-source framework for defining cloud infrastructure using code.
Customers use it to create their own applications which are converted to
AWS CloudFormation templates during deployment to a customer’s AWS
account. CDK contains pre-built components called
"[constructs](https://docs.aws.amazon.com/cdk/v2/guide/constructs.html)"
that are higher-level abstractions providing defaults and best
practices. This approach enables developers to use familiar programming
languages to define complex cloud infrastructure more efficiently than
writing raw CloudFormation templates.
The CDK [Cognito
UserPool](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPool.html)
construct deploys an AWS Cognito user pool. An [Amazon Cognito user
pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools.html)
is a user directory for web and mobile app authentication and
authorization. Customers can deploy a client under this user pool
through the construct
[`UserPoolClient`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPoolClient.html)
or through the helper method
[`addClient`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPool.html#addwbrclientid-options).
A user pool client resource represents an Amazon [Cognito user pool
client](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html)
which is a configuration within a user pool that interacts with one
mobile or web application authenticating with Amazon Cognito.
When users of the 'cognito.UserPoolClient' construct generate a secret
value for the application client in AWS CDK, they can then reference the
generated secrets in their stack. The CDK had an issue where, when the
custom resource performed an SDK API call to
'DescribeCognitoUserPoolClient' to retrieve the generated secret, the
full response was logged in the associated lambda function's log group.
Any user authenticated in the account where logs of the custom resource
are accessible and who has read-only permission could view the secret
written to those logs.
This issue does not affect customers who are generating the secret value
outside of the CDK as the secret is not referenced or logged.
### Impact
To leverage this issue, an actor has to be authenticated in the account
where logs of the custom resource Custom::DescribeCognitoUserPoolClient
are accessible and have read-only permission for lambda function logs.
Users can review access to their log group through AWS CloudTrail logs
to detect any unexpected access to read the logs.
**Impacted versions: >2.37.0 and <=2.187.0**
### Patches
The patches are included in the AWS CDK Library release v2.187.0. We
recommend upgrading to the latest version and ensuring any forked or
derivative code is patched to incorporate the new fixes. To fully
address this issue, users should rotate the secret by generating a new
secret stored in AWS Secrets Manager. References to the secret will use
the new secret on update.
When new CDK applications using the latest version are initialized, they
will use the new behavior with updated logging.
Existing applications must upgrade to the latest version, change the
[feature
flag](https://redirect.github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md)
(`@aws-cdk/cognito:logUserPoolClientSecretValue`) to false, and
redeploy the application to apply this fix and use the new
implementation with updated logging behavior.
### Workarounds
Users can override the implementation by changing the logging setting to
`Logging.withDataHidden()`. For example, define a class
`CustomUserPoolClient` that extends `UserPoolClient` and, in the new
class, define `get userPoolClientSecret()` to use
`Logging.withDataHidden()`.
Example:
```ts
import * as cdk from 'aws-cdk-lib';
import { RemovalPolicy, SecretValue } from 'aws-cdk-lib';
import { UserPool, UserPoolClient, UserPoolClientProps } from 'aws-cdk-lib/aws-cognito';
import {
  AwsCustomResource,
  AwsCustomResourcePolicy,
  Logging,
  PhysicalResourceId,
} from 'aws-cdk-lib/custom-resources';
import { Construct } from 'constructs';

export class CustomUserPoolClient extends UserPoolClient {
  private readonly customUserPool: UserPool;
  private readonly customuserPoolClientId: string;

  constructor(scope: Construct, id: string, props: UserPoolClientProps) {
    super(scope, id, props);
    this.customUserPool = new UserPool(this, 'pool', {
      removalPolicy: RemovalPolicy.DESTROY,
    });
    const client = this.customUserPool.addClient('client', { generateSecret: true });
    // Keep the generated client's ID so the custom resource can describe it
    this.customuserPoolClientId = client.userPoolClientId;
  }

  // Override the userPoolClientSecret getter to always return the secret
  public get userPoolClientSecret(): SecretValue {
    // Create the Custom Resource that assists in resolving the User Pool Client secret
    const secretValue = SecretValue.resourceAttribute(new AwsCustomResource(
      this,
      'DescribeCognitoUserPoolClient',
      {
        resourceType: 'Custom::DescribeCognitoUserPoolClient',
        onUpdate: {
          region: cdk.Stack.of(this).region,
          service: 'CognitoIdentityServiceProvider',
          action: 'describeUserPoolClient',
          parameters: {
            UserPoolId: this.customUserPool.userPoolId,
            // ClientId must be the client ID string, not the UserPool object
            ClientId: this.customuserPoolClientId,
          },
          physicalResourceId: PhysicalResourceId.of(this.userPoolClientId),
          // Disable logging of sensitive data
          logging: Logging.withDataHidden(),
        },
        policy: AwsCustomResourcePolicy.fromSdkCalls({
          resources: [this.customUserPool.userPoolArn],
        }),
        installLatestAwsSdk: false,
      },
    ).getResponseField('UserPoolClient.ClientSecret'));
    return secretValue;
  }
}
```
### References
If you have any questions or comments about this advisory please contact
AWS/Amazon Security via our [vulnerability reporting
page](https://aws.amazon.com/security/vulnerability-reporting) or
directly via email to
[[email protected]](mailto:[email protected]). Please do not
create a public GitHub issue.
#### [GHSA-5pq3-h73f-66hr](https://redirect.github.com/aws/aws-cdk/security/advisories/GHSA-5pq3-h73f-66hr)
### Summary
The [AWS Cloud Development Kit (CDK)](https://aws.amazon.com/cdk/) is an
open-source framework for defining cloud infrastructure using code.
Users use it to create their own applications, which are converted to
AWS CloudFormation templates during deployment to a user's AWS account.
AWS CDK contains pre-built components called "constructs," which are
higher-level abstractions providing defaults and best practices. This
approach enables developers to use familiar programming languages to
define complex cloud infrastructure more efficiently than writing raw
CloudFormation templates.
The [AWS CodePipeline](https://aws.amazon.com/codepipeline/) construct
deploys CodePipeline, a managed service that orchestrates software
release processes through a series of stages, each comprising one or
more actions executed by CodePipeline. To perform these actions,
CodePipeline assumes IAM roles with permissions necessary for each step,
allowing it to interact with AWS services and resources on behalf of the
user.
An issue exists where, when using CDK to create a CodePipeline with the
CDK Construct Library, CDK creates an AWS Identity and Access Management
(AWS IAM) trust policy with overly broad permissions. Any user with
unrestricted sts:AssumeRole permissions could assume that trust policy.
This issue does not affect users who supply their own role for
CodePipeline.
### Impact
To leverage the issue, an actor has to be authenticated in the account
and have an unrestricted sts:AssumeRole permission. The permissions an
actor could leverage depend on the actions added to the pipeline.
Possible permissions include actions on services such as CloudFormation,
CodeCommit, Lambda, and ECS, as well as access to the S3 bucket holding
pipeline build artifacts ([see
documentation](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_codepipeline_actions-readme.html)).
Users can review their AWS CloudTrail logs for when the role was assumed
to determine if this was expected.
#### Impacted versions: <v2.189.0
### Patches
The patches are included in the CDK Construct Library release
[v2.189.0](https://redirect.github.com/aws/aws-cdk/releases/tag/v2.189.0).
We recommend upgrading to the latest version and ensuring any forked or
derivative code is patched to incorporate the new fixes.
When new CDK applications using the latest version are initialized, they
will use the new behavior with more restrictive permissions.
Existing applications must upgrade to the latest version, change the
[feature
flag](https://redirect.github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md)
(`@aws-cdk/pipelines:reduceStageRoleTrustScope`) and
(`@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope`) to
true, and redeploy the application to apply this fix and use the new
behavior with more restrictive permissions.
### Workarounds
You can explicitly supply the role for your
[CodePipeline](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_codepipeline-readme.html#cross-account-codepipelines)
and follow the policy recommendations detailed in [CodePipeline
documentation](https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html).
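A check for the trust-policy issue this advisory describes, as an added example that is not part of the advisory or of aws-cdk-lib: it scans a synthesized CloudFormation template for IAM roles whose trust policy allows `sts:AssumeRole` to the account root principal, which is what the v2.189.0 fix replaces with the pipeline role. The template, its logical IDs, and the assumption that the root principal appears as a literal ARN, a bare account ID, or an `Fn::Join` ending in `:root` are constructed for illustration.

```typescript
// Added example: find IAM roles in a synthesized template that trust the account root.
type Json = any;

interface Finding {
  logicalId: string;
  principal: string;     // rendered principal, intrinsics shown as ${Name}
  hasCondition: boolean; // a Condition block may narrow who can assume the role
}

const ROOT_ARN = /^arn:.+:iam::.+:root$/;
const BARE_ACCOUNT = /^\d{12}$/; // a bare account ID in Principal.AWS means the account root

function asArray(v: Json): Json[] {
  if (v === undefined || v === null) return [];
  return Array.isArray(v) ? v : [v];
}

// Render a template value to a string. Only Ref and Fn::Join are resolved;
// any other intrinsic (Fn::GetAtt, Fn::Sub, ...) becomes an opaque token.
function render(value: Json): string {
  if (typeof value === 'string') return value;
  if (value && typeof value === 'object') {
    if ('Ref' in value) return '${' + String(value.Ref) + '}';
    if ('Fn::Join' in value) {
      const [sep, parts] = value['Fn::Join'];
      return asArray(parts).map(render).join(String(sep));
    }
  }
  return '<token>';
}

function findRootTrust(template: Json): Finding[] {
  const findings: Finding[] = [];
  const resources: Json = template.Resources ?? {};
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (res.Type !== 'AWS::IAM::Role') continue;
    for (const stmt of asArray(res.Properties?.AssumeRolePolicyDocument?.Statement)) {
      if (stmt.Effect !== 'Allow') continue;
      const allowsAssume = asArray(stmt.Action)
        .some((a) => a === 'sts:AssumeRole' || a === 'sts:*' || a === '*');
      if (!allowsAssume) continue;
      for (const p of asArray(stmt.Principal?.AWS)) {
        const principal = render(p);
        if (ROOT_ARN.test(principal) || BARE_ACCOUNT.test(principal)) {
          findings.push({ logicalId, principal, hasCondition: stmt.Condition !== undefined });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: one action role trusting the account root, one trusting
// only the pipeline role, and the pipeline role itself (service principal).
const trust = (principal: Json): Json => ({
  Type: 'AWS::IAM::Role',
  Properties: {
    AssumeRolePolicyDocument: {
      Version: '2012-10-17',
      Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole', Principal: principal }],
    },
  },
});

const sampleTemplate: Json = {
  Resources: {
    DeployActionRoleBefore: trust({
      AWS: { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::',
        { Ref: 'AWS::AccountId' }, ':root']] },
    }),
    DeployActionRoleAfter: trust({ AWS: { 'Fn::GetAtt': ['PipelineRole', 'Arn'] } }),
    PipelineRole: trust({ Service: 'codepipeline.amazonaws.com' }),
  },
};

for (const f of findRootTrust(sampleTemplate)) {
  console.log(`${f.logicalId}: trusts ${f.principal} (condition: ${f.hasCondition})`);
}
```

Run it over the JSON templates in `cdk.out` before and after changing the feature flags; roles that still appear in the output are the ones to review.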
### References
[Original reporting
issue.](https://redirect.github.com/aws/aws-cdk/issues/33709)
If you have any questions or comments about this advisory please contact
AWS/Amazon Security via our [vulnerability reporting
page](https://aws.amazon.com/security/vulnerability-reporting) or
directly via email to
[[email protected]](mailto:[email protected]). Please do not
create a public GitHub issue.
#### [GHSA-qc59-cxj2-c2w4](https://redirect.github.com/aws/aws-cdk/security/advisories/GHSA-qc59-cxj2-c2w4)
### Summary
The [AWS Cloud Development Kit (AWS CDK)](https://aws.amazon.com/cdk/)
is an open-source software development framework for defining cloud
infrastructure in code and provisioning it through AWS CloudFormation.
In the CDK, developers organize their applications into reusable
components called
"[constructs](https://docs.aws.amazon.com/cdk/v2/guide/constructs.html),"
which are organized into a hierarchical tree structure. One of the
features of this framework is the ability to call
"[Aspects](https://docs.aws.amazon.com/cdk/v2/guide/aspects.html),"
which are mechanisms to set configuration options for all AWS Resources
in a particular part of the hierarchy at once. Aspect execution happens
in a specific order, and the last Aspect to execute controls the final
values in the template.
AWS CDK version
[2.172.0](https://redirect.github.com/aws/aws-cdk/releases/tag/v2.172.0)
introduced a new priority system for Aspects. Prior to this version, CDK
would run Aspects based on hierarchical location. The new priority
system takes precedence over hierarchical location, altering the
invocation order of Aspects. Different priority classes were introduced:
Aspects added by CDK APIs were classified as MUTATING (priority 200),
while Aspects added directly by the user were classified as DEFAULT
(priority 500) unless the user specified otherwise. As a result of this
change, CDK apps that use a custom Aspect to assign a default
permissions boundary and then use a built-in CDK method to override it
on select resources could have unexpected permissions boundaries
assigned.
The following is an affected code sample:
```ts
Aspects.of(stack).add(new CustomAspectThatAssignsDefaultPermissionsBoundaries()); // {1}
PermissionsBoundary.of(lambdaFunc).apply(...); // {2} -- uses Aspects internally
```
In versions prior to 2.172.0, the Aspect added by {2} would invoke last
and assign its permissions boundary to the Lambda function role.
In versions 2.172.0 and after, the Aspect added by {2} would have
priority 200 while the Aspect added by {1} would have priority 500 and
therefore be invoked last. The Lambda function role would get the
permissions boundary of {1} assigned, which may not be what users
expect.
### Impact
If an unexpected permissions boundary is selected for a role, it could
lead to that role having insufficient permissions. Alternatively, this
could lead to a role having wider permissions than intended; however,
this could happen only in combination with an overly permissive role
policy, as permissions boundaries do not grant permissions by
themselves.
Impacted versions: versions 2.172.0 up until 2.189.1
### Patches
In version 2.189.1, the behavior has been reverted to the behavior of
pre-2.172.0. The new behavior is available through a feature flag:
```json
{
  "context": {
    "@aws-cdk/core:aspectPrioritiesMutating": true
  }
}
```
The patches are included in AWS CDK Library version 2.189.1 and after.
We recommend upgrading to the latest version and ensuring any forked or
derivative code is patched to incorporate the new fixes.
### Workarounds
As a workaround, users can use the location hierarchy to order the
invocation of Aspects. To do this, users can assign the custom Aspect a
priority of MUTATING to ensure it has the same priority as the Aspect
added by the CDK API, and that the location hierarchy is used for the
order in which Aspects are invoked.
The following code is an example:
```ts
Aspects.of(stack).add(new CustomAspectThatAssignsDefaultPermissionsBoundaries(), {
priority: AspectPriority.MUTATING,
});
```
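The ordering described in this advisory and its workaround, as an added example that is not part of the advisory or of aws-cdk-lib: a simplified model of the Aspect invocation order for the affected code sample, showing which permissions boundary ends up on the Lambda function role in each case. The tree, the boundary names and the sort rules are assumptions taken from the advisory text, not the library's implementation.

```typescript
// Simplified model of Aspect invocation order (added example, not aws-cdk-lib code).
const MUTATING = 200; // priority the advisory states for Aspects added by CDK APIs
const DEFAULT = 500;  // priority the advisory states for Aspects added by the user

// 'hierarchy': order by tree location only (before 2.172.0, restored in 2.189.1)
// 'priority' : priority first, location as tie-breaker (2.172.0 up until 2.189.1)
type Mode = 'hierarchy' | 'priority';

interface AspectApplication {
  label: string;
  boundary: string; // permissions boundary this Aspect assigns (hypothetical names)
  priority: number;
  depth: number;    // depth of the construct the Aspect was added to
  seq: number;      // insertion order, used as the final tie-breaker
}

let nextSeq = 0;

class TreeNode {
  readonly name: string;
  readonly parent?: TreeNode;
  readonly depth: number;
  readonly aspects: AspectApplication[] = [];

  constructor(name: string, parent?: TreeNode) {
    this.name = name;
    this.parent = parent;
    this.depth = parent ? parent.depth + 1 : 0;
  }

  addAspect(label: string, boundary: string, priority: number = DEFAULT): void {
    this.aspects.push({ label, boundary, priority, depth: this.depth, seq: nextSeq++ });
  }
}

// All Aspects that apply to `target` (its own and its ancestors'), in invocation order.
function invocationOrder(target: TreeNode, mode: Mode): AspectApplication[] {
  const applicable: AspectApplication[] = [];
  for (let n: TreeNode | undefined = target; n; n = n.parent) {
    applicable.push(...n.aspects);
  }
  return applicable.sort((a, b) =>
    (mode === 'priority' ? a.priority - b.priority : 0) || a.depth - b.depth || a.seq - b.seq);
}

// The last Aspect to run controls the final value in the template.
function finalBoundary(target: TreeNode, mode: Mode): string | undefined {
  const order = invocationOrder(target, mode);
  return order.length > 0 ? order[order.length - 1].boundary : undefined;
}

// The affected sample: {1} is a user Aspect on the stack, {2} is added by a CDK API
// on the Lambda function. Returns the function's role, the node both Aspects visit.
function buildApp(customAspectPriority: number = DEFAULT): TreeNode {
  const stack = new TreeNode('stack');
  const lambdaFunc = new TreeNode('lambdaFunc', stack);
  const role = new TreeNode('role', lambdaFunc);
  stack.addAspect('{1} custom default boundary', 'DefaultBoundary', customAspectPriority);
  lambdaFunc.addAspect('{2} PermissionsBoundary.of(lambdaFunc)', 'LambdaBoundary', MUTATING);
  return role;
}

console.log('hierarchy order:          ', finalBoundary(buildApp(), 'hierarchy'));
console.log('priority order:           ', finalBoundary(buildApp(), 'priority'));
console.log('priority order, workaround:', finalBoundary(buildApp(MUTATING), 'priority'));
```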
### References
If you have any questions or comments about this advisory, we ask that
you contact AWS/Amazon Security via our [vulnerability reporting
page](https://aws.amazon.com/security/vulnerability-reporting) or
directly via email to
[[email protected]](mailto:[email protected]). Please do not
create a public GitHub issue.
### Credit
We would like to thank GoDaddy for collaborating on this issue through
the coordinated vulnerability disclosure process.
---
### Release Notes
<details>
<summary>aws/aws-cdk (aws-cdk-lib)</summary>
### [`v2.189.1`](https://redirect.github.com/aws/aws-cdk/releases/tag/v2.189.1)
[Compare
Source](https://redirect.github.com/aws/aws-cdk/compare/v2.189.0...v2.189.1)
##### Bug Fixes
- **core:** implicit Aspect applications do not override custom Aspect
applications
([#​34132](https://redirect.github.com/aws/aws-cdk/issues/34132))
([b7f4bc7](https://redirect.github.com/aws/aws-cdk/commit/b7f4bc7aee1d99b70e4d9d3cedea53e910ee37ef))
***
#### Alpha modules (2.189.1-alpha.0)
### [`v2.189.0`](https://redirect.github.com/aws/aws-cdk/releases/tag/v2.189.0)
[Compare
Source](https://redirect.github.com/aws/aws-cdk/compare/v2.188.0...v2.189.0)
##### Features
- **apigatewayv2:** dualstack HTTP and WebSocket API
([#​34054](https://redirect.github.com/aws/aws-cdk/issues/34054))
([eec900e](https://redirect.github.com/aws/aws-cdk/commit/eec900e90f38f34f896b22cf36cb225fc9c13cc8))
- update L1 CloudFormation resource definitions
([#​34064](https://redirect.github.com/aws/aws-cdk/issues/34064))
([9cb2602](https://redirect.github.com/aws/aws-cdk/commit/9cb260266e92f45e40a19667e29ccf2decb3d2b8))
- **bedrock:** support Amazon Nova Reel 1.1
([#​34070](https://redirect.github.com/aws/aws-cdk/issues/34070))
([3da0c4d](https://redirect.github.com/aws/aws-cdk/commit/3da0c4d267dbb693ffc01b9fae69cebcb180cdec))
- support L2 constructs for Amazon S3 Tables
([#​33599](https://redirect.github.com/aws/aws-cdk/issues/33599))
([2e95252](https://redirect.github.com/aws/aws-cdk/commit/2e95252fecbb1fec9874fd5af4b4bd6449d50471))
- **pipelines:** add `V2` pipeline type support in L3 construct
([#​34005](https://redirect.github.com/aws/aws-cdk/issues/34005))
([994e952](https://redirect.github.com/aws/aws-cdk/commit/994e95289b589596179553a5b9d7201155bd9ed1)),
closes
[#​33995](https://redirect.github.com/aws/aws-cdk/issues/33995)
##### Bug Fixes
- **codepipeline:** replace account root principal with pipeline role in
trust policy for cross-account actions (under feature flag)
([#​34074](https://redirect.github.com/aws/aws-cdk/issues/34074))
([2d901f4](https://redirect.github.com/aws/aws-cdk/commit/2d901f4e7bb982221e1a48a13666939140109d5a))
- **custom-resources:** `AwsCustomResource` assumed role session name
may contain invalid characters
([#​34016](https://redirect.github.com/aws/aws-cdk/issues/34016))
([32b6b4d](https://redirect.github.com/aws/aws-cdk/commit/32b6b4d7fa99723efb667239fbe455ede43b92c6)),
closes
[#​23260](https://redirect.github.com/aws/aws-cdk/issues/23260)
[#​34011](https://redirect.github.com/aws/aws-cdk/issues/34011)
***
#### Alpha modules (2.189.0-alpha.0)
##### Features
- **ec2-alpha:** implement mapPublicIpOnLaunch prop in SubnetV2
([#​34057](https://redirect.github.com/aws/aws-cdk/issues/34057))
([836c5cf](https://redirect.github.com/aws/aws-cdk/commit/836c5cf3e4c627f817e4dc8ed2af28a5bba54792)),
closes
[#​32159](https://redirect.github.com/aws/aws-cdk/issues/32159)
##### Bug Fixes
- **amplify:** unable to re-run integ test due to missing `status` field
in `customRule`
([#​33973](https://redirect.github.com/aws/aws-cdk/issues/33973))
([6638c08](https://redirect.github.com/aws/aws-cdk/commit/6638c08d56afe7ecc4f23cff4cf334b887001e5e)),
closes
[#​33962](https://redirect.github.com/aws/aws-cdk/issues/33962)
### [`v2.188.0`](https://redirect.github.com/aws/aws-cdk/releases/tag/v2.188.0)
[Compare
Source](https://redirect.github.com/aws/aws-cdk/compare/v2.187.0...v2.188.0)
##### Features
- update L1 CloudFormation resource definitions
([#​33980](https://redirect.github.com/aws/aws-cdk/issues/33980))
([0923b5e](https://redirect.github.com/aws/aws-cdk/commit/0923b5e82dd0c8da864f0c806f295fae270c22c1))
- update L1 CloudFormation resource definitions
([#​34029](https://redirect.github.com/aws/aws-cdk/issues/34029))
([be6210f](https://redirect.github.com/aws/aws-cdk/commit/be6210f246b97befcdc9446862e991071738008d))
- **codepipeline:** add usePipelineRoleForActions field support in L2
([#​33961](https://redirect.github.com/aws/aws-cdk/issues/33961))
([d8bbc1c](https://redirect.github.com/aws/aws-cdk/commit/d8bbc1c3f8479ab5031b8684364735b9a6c31fa2))
- **codepipeline-actions:** support `ECRBuildAndPublish` action
([#​33375](https://redirect.github.com/aws/aws-cdk/issues/33375))
([c5cd679](https://redirect.github.com/aws/aws-cdk/commit/c5cd679b2f979b9e51c7a071b18d930d3a475129)),
closes
[#​33376](https://redirect.github.com/aws/aws-cdk/issues/33376)
- **codepipeline-actions:** support `InspectorEcrImageScanAction` and
`InspectorSourceCodeScanAction` actions
([#​33378](https://redirect.github.com/aws/aws-cdk/issues/33378))
([2dc8cc7](https://redirect.github.com/aws/aws-cdk/commit/2dc8cc7f703ebcd61f2b5f4d20401a1ade788e7a)),
closes
[#​33377](https://redirect.github.com/aws/aws-cdk/issues/33377)
- **cognito:** v3.0 pre token generation trigger event
([#​33778](https://redirect.github.com/aws/aws-cdk/issues/33778))
([ea1436f](https://redirect.github.com/aws/aws-cdk/commit/ea1436f85d036bddb9a96dd54f02a639c3aab212)),
closes
[#​33733](https://redirect.github.com/aws/aws-cdk/issues/33733)
- **events-targets:** support ApiGatewayV2 HttpApi
([#​33864](https://redirect.github.com/aws/aws-cdk/issues/33864))
([91a3076](https://redirect.github.com/aws/aws-cdk/commit/91a3076fb16369629a710ebc560c103a91c2ea20)),
closes
[#​26649](https://redirect.github.com/aws/aws-cdk/issues/26649)
- **kinesisfirehose:** support S3 file extension format
([#​33776](https://redirect.github.com/aws/aws-cdk/issues/33776))
([e314a9a](https://redirect.github.com/aws/aws-cdk/commit/e314a9aa5d149704cc2abd30927a41d317a3ce6c)),
closes
[#​32154](https://redirect.github.com/aws/aws-cdk/issues/32154)
- **logs-destinations:** support Amazon Data Firehose logs destination
([#​33683](https://redirect.github.com/aws/aws-cdk/issues/33683))
([a8edf69](https://redirect.github.com/aws/aws-cdk/commit/a8edf696e91c44cbda286889896464960dd03266)),
closes
[#​32038](https://redirect.github.com/aws/aws-cdk/issues/32038)
[#​24766](https://redirect.github.com/aws/aws-cdk/issues/24766)
- **pipelines:** actions can default to the pipeline service role
instead of a newly created role
([#​33991](https://redirect.github.com/aws/aws-cdk/issues/33991))
([2ebc51e](https://redirect.github.com/aws/aws-cdk/commit/2ebc51e694e85aa0d8e0401dbb1fc1037298eda5))
- **rds:** engine lifecycle support
([#​33902](https://redirect.github.com/aws/aws-cdk/issues/33902))
([c0f8d29](https://redirect.github.com/aws/aws-cdk/commit/c0f8d293df157cd196e2bd9fb569374d0535f471)),
closes
[#​33859](https://redirect.github.com/aws/aws-cdk/issues/33859)
##### Bug Fixes
- **cloudformation-include:** parse MinActiveInstancesPercent in
AutoScalingRollingUpdate policy
([#​33852](https://redirect.github.com/aws/aws-cdk/issues/33852))
([89d2d5c](https://redirect.github.com/aws/aws-cdk/commit/89d2d5c561860c1a9b55e1660efeec068fc4e6a3)),
closes
[#​33810](https://redirect.github.com/aws/aws-cdk/issues/33810)
[#​33810](https://redirect.github.com/aws/aws-cdk/issues/33810)
- **cx-api:** adding missing readme
([#​34003](https://redirect.github.com/aws/aws-cdk/issues/34003))
([1c5cbfa](https://redirect.github.com/aws/aws-cdk/commit/1c5cbfa2798a68c99ce58dd8164c1aa01e7bd885)),
closes
[#​34006](https://redirect.github.com/aws/aws-cdk/issues/34006)
[1#L698-L714](https://redirect.github.com/aws/1/issues/L698-L714)
- **ecr-assets:** handle Docker 27.4+ output format in TarballImageAsset
([#​33967](https://redirect.github.com/aws/aws-cdk/issues/33967))
([009680d](https://redirect.github.com/aws/aws-cdk/commit/009680dc758c62843e06005d6b0172c0c2f95bdb)),
closes
[#​33428](https://redirect.github.com/aws/aws-cdk/issues/33428)
- **eks:** Only one type of update can be allowed with updateVersion
([#​33975](https://redirect.github.com/aws/aws-cdk/issues/33975))
([95c06e2](https://redirect.github.com/aws/aws-cdk/commit/95c06e268025ca947254ee2e931b8546333cd065)),
closes
[#​33452](https://redirect.github.com/aws/aws-cdk/issues/33452)
- **iam:** add validation for OrganizationPrincipal IDs
([#​33968](https://redirect.github.com/aws/aws-cdk/issues/33968))
([217d75f](https://redirect.github.com/aws/aws-cdk/commit/217d75f28b48778777ebe218cd71386b79dcc74b)),
closes
[#​32756](https://redirect.github.com/aws/aws-cdk/issues/32756)
[#​33555](https://redirect.github.com/aws/aws-cdk/issues/33555)
[#​33773](https://redirect.github.com/aws/aws-cdk/issues/33773)
- **lambda:** allow retryAttempts = -1 for infinite retries in
EventSourceMapping
([#​34009](https://redirect.github.com/aws/aws-cdk/issues/34009))
([88e04f0](https://redirect.github.com/aws/aws-cdk/commit/88e04f02251baa1604c3d613499984101f96d4df)),
closes
[#​34007](https://redirect.github.com/aws/aws-cdk/issues/34007)
- **lambda:** deprecate default feature flag
`@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy`
([#​34010](https://redirect.github.com/aws/aws-cdk/issues/34010))
([242091a](https://redirect.github.com/aws/aws-cdk/commit/242091ae2edacc90017919b52d4461790c587de9)),
closes
[#​33688](https://redirect.github.com/aws/aws-cdk/issues/33688)
- **pipelines:** can't have the same asset display name 3 times
([#​34017](https://redirect.github.com/aws/aws-cdk/issues/34017))
([1418277](https://redirect.github.com/aws/aws-cdk/commit/1418277cb80f1340e9c0d4f36905d805d95ad5ec)),
closes
[#​33844](https://redirect.github.com/aws/aws-cdk/issues/33844)
[#​34004](https://redirect.github.com/aws/aws-cdk/issues/34004)
- **stepfunctions-tasks:** associateWithParent when using JSONata
([#​33972](https://redirect.github.com/aws/aws-cdk/issues/33972))
([e839d45](https://redirect.github.com/aws/aws-cdk/commit/e839d451f323293a26d321db1885bfa41070fcf8)),
closes
[#​33850](https://redirect.github.com/aws/aws-cdk/issues/33850)
- customer aspect cannot add Tags if a BucketNotifications construct is
present
([#​33979](https://redirect.github.com/aws/aws-cdk/issues/33979))
([2cff67e](https://redirect.github.com/aws/aws-cdk/commit/2cff67e53dd67725ac9f5b12d5374a2803361e84)),
closes
[#​33943](https://redirect.github.com/aws/aws-cdk/issues/33943)
***
#### Alpha modules (2.188.0-alpha.0)
##### Features
- **ec2:** add mailmanager vpc endpoints
([#​33996](https://redirect.github.com/aws/aws-cdk/issues/33996))
([7ee77d7](https://redirect.github.com/aws/aws-cdk/commit/7ee77d71df569d21c280866976109333e3266132))
- **eks-v2-alpha:** add new nodegroup ami type
([#​34025](https://redirect.github.com/aws/aws-cdk/issues/34025))
([864a7c6](https://redirect.github.com/aws/aws-cdk/commit/864a7c6f6811777971d1349e7552567604167f02))
##### Bug Fixes
- **ec2-alpha:** addInternetGW handles shared route table for subnets
([#​33824](https://redirect.github.com/aws/aws-cdk/issues/33824))
([3154d01](https://redirect.github.com/aws/aws-cdk/commit/3154d016ba31455f2d57ff5d90ee7b394c25e88f)),
closes
[#​33672](https://redirect.github.com/aws/aws-cdk/issues/33672)
### [`v2.187.0`](https://redirect.github.com/aws/aws-cdk/releases/tag/v2.187.0)
[Compare
Source](https://redirect.github.com/aws/aws-cdk/compare/v2.186.0...v2.187.0)
##### Features
- **cx-api:** declare support for CDK_TOOLKIT_VERSION env var
([#​33963](https://redirect.github.com/aws/aws-cdk/issues/33963))
([22dc717](https://redirect.github.com/aws/aws-cdk/commit/22dc717f8884f18c8afbc5367f40f0e733ce7a6e))
- update L1 CloudFormation resource definitions
([#​33954](https://redirect.github.com/aws/aws-cdk/issues/33954))
([7c15988](https://redirect.github.com/aws/aws-cdk/commit/7c1598818ac4802f98b5bc583bdb38d28a971362))
- **ecr:** lookup existing repository
([#​33662](https://redirect.github.com/aws/aws-cdk/issues/33662))
([5fff3d6](https://redirect.github.com/aws/aws-cdk/commit/5fff3d6c090a5c381af5a02be4bb588390ea0ee4)),
closes
[#​8461](https://redirect.github.com/aws/aws-cdk/issues/8461)
- **eks:** `Nodegroup` support `nodeRepairConfig`
([#​32626](https://redirect.github.com/aws/aws-cdk/issues/32626))
([b9cb47c](https://redirect.github.com/aws/aws-cdk/commit/b9cb47c4dbaacd839ddfdc38febdc58260d20c57)),
closes
[#​32562](https://redirect.github.com/aws/aws-cdk/issues/32562)
- **kinesisfirehose:** throw `ValidationErrors` instead of untyped
Errors
([#​33912](https://redirect.github.com/aws/aws-cdk/issues/33912))
([8b23b5d](https://redirect.github.com/aws/aws-cdk/commit/8b23b5db3668c5c5b845e06397bf0001a55f5d0e)),
closes
[#​32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
- **lambda-event-sources:** starting position timestamp for kafka
([#​31439](https://redirect.github.com/aws/aws-cdk/issues/31439))
([5077d8a](https://redirect.github.com/aws/aws-cdk/commit/5077d8abe0a776c6b3e762c2d1f38f0da2003b48)),
closes
[#​31808](https://redirect.github.com/aws/aws-cdk/issues/31808)
- show friendly display names for assets
([#​33844](https://redirect.github.com/aws/aws-cdk/issues/33844))
([4e958d4](https://redirect.github.com/aws/aws-cdk/commit/4e958d41f2825fd9c20ae27643aefd4c11d7aa8e))
##### Bug Fixes
- **cognito:** fix logging behaviour for user pool client custom
resource
([#​33983](https://redirect.github.com/aws/aws-cdk/issues/33983))
([d02e64a](https://redirect.github.com/aws/aws-cdk/commit/d02e64aac18a72195ddcdb973defea7f32382c33)),
closes
[GHSA-qq4x-c6h6-rfxh](https://redirect.github.com/aws/aws-cdk/security/advisories/GHSA-qq4x-c6h6-rfxh)
- **core:** asset names for nested stacks contain Tokens
([#​33966](https://redirect.github.com/aws/aws-cdk/issues/33966))
([85fc87f](https://redirect.github.com/aws/aws-cdk/commit/85fc87f0773ca1e68b395dcc5aae6103b239c38d))
- **dynamodb:** table v1 retain replica table if table is retain
([#​33953](https://redirect.github.com/aws/aws-cdk/issues/33953))
([21d0a5c](https://redirect.github.com/aws/aws-cdk/commit/21d0a5ce687e88250a08492e7c5f43cc30da50cf)),
closes
[#​33952](https://redirect.github.com/aws/aws-cdk/issues/33952)
- **eks:** looked up vpc causing premature validation errors for private
subnets
([#​33786](https://redirect.github.com/aws/aws-cdk/issues/33786))
([73744b4](https://redirect.github.com/aws/aws-cdk/commit/73744b452c2dd6809fddb123fa2ef6087ed18287)),
closes
[#​22025](https://redirect.github.com/aws/aws-cdk/issues/22025)
[vpc.ts#L2705](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-ec2/lib/vpc.ts#L2705)
***
#### Alpha modules (2.187.0-alpha.0)
##### Features
- **apprunner:** throw ValidationError instead of untyped errors
([#​33914](https://redirect.github.com/aws/aws-cdk/issues/33914))
([38f89af](https://redirect.github.com/aws/aws-cdk/commit/38f89afe2ffdf67b0918e38f861166bdb0f8738f))
- **ec2:** adding `placementGroup` to `LaunchTemplateProps` and
`LaunchTemplate`
([#​33726](https://redirect.github.com/aws/aws-cdk/issues/33726))
([e5f71db](https://redirect.github.com/aws/aws-cdk/commit/e5f71db53ce985172e565eb9da5692d77ab7b268)),
closes
[#​33721](https://redirect.github.com/aws/aws-cdk/issues/33721)
- **ec2:** support the new `SupportedRegions` property for
`AWS::EC2::VPCEndpointService`
([#​33959](https://redirect.github.com/aws/aws-cdk/issues/33959))
([0c77cb6](https://redirect.github.com/aws/aws-cdk/commit/0c77cb627e1e7e729205624a9603331f5442af8e))
- **iot:** backfill enum values in iot module
([#​33969](https://redirect.github.com/aws/aws-cdk/issues/33969))
([2a8a8a3](https://redirect.github.com/aws/aws-cdk/commit/2a8a8a36ed872f7f3de4b24fd7d9c874a3da9dbf))
### [`v2.186.0`](https://redirect.github.com/aws/aws-cdk/releases/tag/v2.186.0)
[Compare
Source](https://redirect.github.com/aws/aws-cdk/compare/v2.185.0...v2.186.0)
##### ⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
- **redshiftserverless:** The `CfnWorkgroup.attrWorkgroupMaxCapacity`
attribute has been removed.
- **quicksight:** The `CfnAnalysis.SheetTextBoxProperty.interactions`,
`CfnDashboard.SheetTextBoxProperty.interactions`, and
`CfnTemplate.SheetTextBoxProperty.interactions` properties have been
removed.
- **imagebuilder:** The
`CfnDistributionConfiguration.DistributionProperty.ssmParameterConfigurations`
property has been removed.
##### Features
- **codecommit:** throw `ValidationErrors` instead of untyped Errors
([#​33854](https://redirect.github.com/aws/aws-cdk/issues/33854))
([f28eae2](https://redirect.github.com/aws/aws-cdk/commit/f28eae24348c9a90335d8ece7330e1dd9b6675f2)),
closes
[#​32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
- **codedeploy:** throw `ValidationErrors` instead of untyped Errors
([#​33853](https://redirect.github.com/aws/aws-cdk/issues/33853))
([b6b91dd](https://redirect.github.com/aws/aws-cdk/commit/b6b91dd00187e53c79bea9ee9f43fe9c2adfe487)),
closes
[#​32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
- **codepipeline:** branches and files support in git push filter L2
construct
([#​33872](https://redirect.github.com/aws/aws-cdk/issues/33872))
([45623d6](https://redirect.github.com/aws/aws-cdk/commit/45623d6b002a51706f1931dcdce80742618d9969))
- **codepipeline:** stage level condition feature L2 construct
([#​33809](https://redirect.github.com/aws/aws-cdk/issues/33809))
([8e4374f](https://redirect.github.com/aws/aws-cdk/commit/8e4374fbb4905016ddb575c3b03f662f394444ce))
- **codepipeline:** throw `ValidationErrors` instead of untyped Errors
([#​33855](https://redirect.github.com/aws/aws-cdk/issues/33855))
([3ff5501](https://redirect.github.com/aws/aws-cdk/commit/3ff5501b3cd4fd10eeba5f4bebbbe7e064f844c5)),
closes
[#​32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
- **cognito-identitypool:** graduate to stable 🚀
([#​33905](https://redirect.github.com/aws/aws-cdk/issues/33905))
([ba52ac7](https://redirect.github.com/aws/aws-cdk/commit/ba52ac7dbdff56fe93da29f97d81cf1e3fd666f4)),
closes
[#​27483](https://redirect.github.com/aws/aws-cdk/issues/27483)
- **config:** throw `ValidationErrors` instead of untyped Errors
([#​33869](https://redirect.github.com/aws/aws-cdk/issues/33869))
([5bc9292](https://redirect.github.com/aws/aws-cdk/commit/5bc92922230e3efaef2658ca85be59e912c1625d)),
closes
[#​32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
- **docdb:** throw `ValidationErrors` instead of untyped Errors
([#​33870](https://redirect.github.com/aws/aws-cdk/issues/33870))
([2dc5d70](https://redirect.github.com/aws/aws-cdk/commit/2dc5d702bc55030927dd45fe88a6cd68f629fee9)),
closes
[#​32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
- **dynamodb:** throw `ValidationErrors` instead of untyped Errors
([#​33871](https://redirect.github.com/aws/aws-cdk/issues/33871))
([a9bae27](https://redirect.github.com/aws/aws-cdk/commit/a9bae276f595d3b3d18c8a56d40549ab1044cbb7)),
closes
[#​32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
- **ecr-assets:** throw `ValidationErrors` instead of untyped Errors
([#​33899](https://redirect.github.com/aws/aws-cdk/issues/33899))
([0787840](https://redirect.github.com/aws/aws-cdk/commit/0787840f1ed50c7e7863e1188d8a7c9d3d0d14e7))
- **efs:** throw `ValidationErrors` instead of untyped Errors
([#​33885](https://redirect.github.com/aws/aws-cdk/issues/33885))
([6bf8095](https://redirect.github.com/aws/aws-cdk/commit/6bf809578b00377306aa1258fcfbc807c70f9148))
- **imagebuilder:** update L1 CloudFormation resource definitions
([#​33909](https://redirect.github.com/aws/aws-cdk/issues/33909))
([8cac7bc](https://redirect.github.com/aws/aws-cdk/commit/8cac7bc567aba2aed1f7c877b0ea5c0447a56c1c)),
closes
[#​33906](https://redirect.github.com/aws/aws-cdk/issues/33906)
- **lambda:** add Ruby3.4 Lambda runtime support
([#​33832](https://redirect.github.com/aws/aws-cdk/issues/33832))
([3154615](https://redirect.github.com/aws/aws-cdk/commit/31546155504f2d7719747f607d509e67009d38f0))
- **quicksight:** update L1 CloudFormation resource definitions
([#​33910](https://redirect.github.com/aws/aws-cdk/issues/33910))
([21e21cb](https://redirect.github.com/aws/aws-cdk/commit/21e21cb2e5261e47f6a9f7c45a9d9609c93112a7)),
closes
[#​33906](https://redirect.github.com/aws/aws-cdk/issues/33906)
- **redshiftserverless:** update L1 CloudFormation resource definitions
([#​33911](https://redirect.github.com/aws/aws-cdk/issues/33911))
([fb9fa74](https://redirect.github.com/aws/aws-cdk/commit/fb9fa74dbc80009aabe6260087e873b275b45fea)),
closes
[#​33906](https://redirect.github.com/aws/aws-cdk/issues/33906)
- update L1 CloudFormation resource definitions
([#​33906](https://redirect.github.com/aws/aws-cdk/issues/33906))
([b855978](https://redirect.github.com/aws/aws-cdk/commit/b8559782d95eb10e8678f407d61e8c4b00114733))
- **scheduler-and-scheduler-targets:** graduate to stable 🚀
([#​33903](https://redirect.github.com/aws/aws-cdk/issues/33903))
([1740f87](https://redirect.github.com/aws/aws-cdk/commit/1740f878ff35ac222d328c36f6b496d979236919)),
closes
[#​31785](https://redirect.github.com/aws/aws-cdk/issues/31785)
- **scheduler-targets:** EcsRunTask scheduler target
([#​33697](https://redirect.github.com/aws/aws-cdk/issues/33697))
([3fe58b5](https://redirect.github.com/aws/aws-cdk/commit/3fe58b5e96790a5b9cf758d9bda3b06cfe28d603)),
closes
[#​27456](https://redirect.github.com/aws/aws-cdk/issues/27456)
##### Bug Fixes
- context provider's `ignoreErrorOnMissingContext` parameter is
misleading
([#​33875](https://redirect.github.com/aws/aws-cdk/issues/33875))
([b3187b9](https://redirect.github.com/aws/aws-cdk/commit/b3187b94c3b3e1c9fcbfc101f69d3f2ebf39e8fd))
- **core:** does not generate a valid artifact id from some construct
IDs
([#​33863](https://redirect.github.com/aws/aws-cdk/issues/33863))
([6a5638a](https://redirect.github.com/aws/aws-cdk/commit/6a5638a0a5a4550a15895de36a084be2a68d8009)),
closes
[#​32808](https://redirect.github.com/aws/aws-cdk/issues/32808)
- **cx-api:** adding missing readme
([#​33867](https://redirect.github.com/aws/aws-cdk/issues/33867))
([6761f56](https://redirect.github.com/aws/aws-cdk/commit/6761f56d65a49b50547e7189bf89b7d2ea523c2e)),
closes
[#​33866](https://redirect.github.com/aws/aws-cdk/issues/33866)
[1#L662-L681](https://redirect.github.com/aws/1/issues/L662-L681)
- **events:** now `EventBus.grantPutEventsTo` correctly handles service
principals (under feature flag)
([#​33729](https://redirect.github.com/aws/aws-cdk/issues/33729))
([38d82c4](https://redirect.github.com/aws/aws-cdk/commit/38d82c4264e9edf25d982530283049f338f9f455)),
closes
[#​22080](https://redirect.github.com/aws/aws-cdk/issues/22080)
[#​22080](https://redirect.github.com/aws/aws-cdk/issues/22080)
***
#### Alpha modules (2.186.0-alpha.0)
##### Features
- **ec2:** backfill missing enums for ec2
([#​33821](https://redirect.github.com/aws/aws-cdk/issues/33821))
([ae3fd67](https://redirect.github.com/aws/aws-cdk/commit/ae3fd67d3e153187d2e6fa53df9ec78080fe71d0)),
closes
[/docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc.html#cfn-ec2](https://redirect.github.com/aws//docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc.html/issues/cfn-ec2)
[/docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcendpoint.html#cfn-ec2](https://redirect.github.com/aws//docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcendpoint.html/issues/cfn-ec2)
- **ec2:** support `PrefixList.fromLookup()`
([#​33619](https://redirect.github.com/aws/aws-cdk/issues/33619))
([b6a15f3](https://redirect.github.com/aws/aws-cdk/commit/b6a15f384e79eb0020f46ffeea20507f07380a97)),
closes
[aws/aws-cdk#33606](https://redirect.github.com/aws/aws-cdk/issues/33606)
[aws/aws-cdk#15115](https://redirect.github.com/aws/aws-cdk/issues/15115)
- **ec2:** support AWS::EC2::VPCEndpointService SupportedIpAddressTypes
property
([#​33877](https://redirect.github.com/aws/aws-cdk/issues/33877))
([ed5df9c](https://redirect.github.com/aws/aws-cdk/commit/ed5df9cac46dd862ec67751f5d0e6a53f81e8d0a))
##### Bug Fixes
- **eks-v2-alpha:** prevent IAM role creation when node pools are empty
([#​33894](https://redirect.github.com/aws/aws-cdk/issues/33894))
([55bf451](https://redirect.github.com/aws/aws-cdk/commit/55bf451c48da33ce2ecda1c17cccdedea4e3527f)),
closes
[#​33771](https://redirect.github.com/aws/aws-cdk/issues/33771)
### [`v2.185.0`](https://redirect.github.com/aws/aws-cdk/releases/tag/v2.185.0)
[Compare Source](https://redirect.github.com/aws/aws-cdk/compare/v2.184.1...v2.185.0)
##### Features
- **s3-deployment:** backfill missing enums for s3-deployment
([#​33819](https://redirect.github.com/aws/aws-cdk/issues/33819))
([2623e00](https://redirect.github.com/aws/aws-cdk/commit/2623e00546721f43a180871e2f8fb72712a9ffa1)),
closes
[/docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html#aws-properties-s3](https://redirect.github.com/aws//docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html/issues/aws-properties-s3)
- update L1 CloudFormation resource definitions
([#​33800](https://redirect.github.com/aws/aws-cdk/issues/33800))
([fada917](https://redirect.github.com/aws/aws-cdk/commit/fada917f8197527cd90622614fe1b6769c6cab1a))
- **ecs:** add validation checks to memory cpu combinations of FARGATE
compatible task definitions
([#​33608](https://redirect.github.com/aws/aws-cdk/issues/33608))
([734ca66](https://redirect.github.com/aws/aws-cdk/commit/734ca662c82cbedf06393d223a870381ad55520c)),
closes
[#​22216](https://redirect.github.com/aws/aws-cdk/issues/22216)
[/github.com/aws/aws-cdk/issues/31106#issuecomment-2289166090](https://redirect.github.com/aws//github.com/aws/aws-cdk/issues/31106/issues/issuecomment-2289166090)
- **ecs:** backfill missing enums for ecs
([#​33644](https://redirect.github.com/aws/aws-cdk/issues/33644))
([28c6a22](https://redirect.github.com/aws/aws-cdk/commit/28c6a22f14ea10c76c1aee87b57d3931809daba8))
- **eks:** backfill missing enums for eks
([#​33646](https://redirect.github.com/aws/aws-cdk/issues/33646))
([f67a88b](https://redirect.github.com/aws/aws-cdk/commit/f67a88bf77db6b100fff07aab1a161167ba319e6))
- **logs:** throw `ValidationError` instead of untyped Errors
([#​33753](https://redirect.github.com/aws/aws-cdk/issues/33753))
([1fea9f1](https://redirect.github.com/aws/aws-cdk/commit/1fea9f167a0521b49b5d0738b27f07fcfa3b36ad))
##### Bug Fixes
- **core:** remove whitespaces in tree.json
([#​33784](https://redirect.github.com/aws/aws-cdk/issues/33784))
([73b9138](https://redirect.github.com/aws/aws-cdk/commit/73b91382c6f681e91b662dc0599cc19ba91c8a5a)),
closes
[#​27261](https://redirect.github.com/aws/aws-cdk/issues/27261)
[#​27261](https://redirect.github.com/aws/aws-cdk/issues/27261)
- **s3:** add validation for lifecycle rule transitions
([#​33731](https://redirect.github.com/aws/aws-cdk/issues/33731))
([4128ff4](https://redirect.github.com/aws/aws-cdk/commit/4128ff44bf5f1112467851ce61c1826107e3a07d)),
closes
[#​22103](https://redirect.github.com/aws/aws-cdk/issues/22103)
[#​22103](https://redirect.github.com/aws/aws-cdk/issues/22103)
- **s3-deployment:** handle properly quoted strings in JSON files
([#​33698](https://redirect.github.com/aws/aws-cdk/issues/33698))
([bff85e8](https://redirect.github.com/aws/aws-cdk/commit/bff85e88fbe0ddb10bdcde8039af1736afa77cc2)),
closes
[#​22661](https://redirect.github.com/aws/aws-cdk/issues/22661)
[#​22661](https://redirect.github.com/aws/aws-cdk/issues/22661)
- **stepfunctions-tasks:** jobQueueArn support JsonPath or JSONata
([#​33670](https://redirect.github.com/aws/aws-cdk/issues/33670))
([1c09c8b](https://redirect.github.com/aws/aws-cdk/commit/1c09c8bb404b03929f245f7a888dfd84ac7cab32)),
closes
[#​33580](https://redirect.github.com/aws/aws-cdk/issues/33580)
***
##### Alpha modules (2.185.0-alpha.0)
##### ⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
- **scheduler-targets-alpha:** The class `KinesisDataFirehosePutRecord`
has been renamed to `FirehosePutRecord`.
##### Bug Fixes
- **scheduler-targets-alpha:** rename `KinesisDataFirehosePutRecord` to
`FirehosePutRecord`
([#​33758](https://redirect.github.com/aws/aws-cdk/issues/33758))
([e6f5bc8](https://redirect.github.com/aws/aws-cdk/commit/e6f5bc8915081a74a83e4055ccbaa11987ba943c)),
closes
[#​33757](https://redirect.github.com/aws/aws-cdk/issues/33757)
[#​33798](https://redirect.github.com/aws/aws-cdk/issues/33798)
### [`v2.184.1`](https://redirect.github.com/aws/aws-cdk/releases/tag/v2.184.1)
[Compare Source](https://redirect.github.com/aws/aws-cdk/compare/v2.184.0...v2.184.1)
##### Reverts
- **iam:** fix(iam): adding organization id pattern verification
([#​33773](https://redirect.github.com/aws/aws-cdk/pull/33773))
([f7ed316](https://redirect.github.com/aws/aws-cdk/commit/f7ed3165056c385249735ebb17a53d0fedd69c54)),
closes
[aws/aws-cdk#33768](https://redirect.github.com/aws/aws-cdk/issues/33768)
***
##### Alpha modules (2.184.1-alpha.0)
### [`v2.184.0`](https://redirect.github.com/aws/aws-cdk/releases/tag/v2.184.0)
[Compare Source](https://redirect.github.com/aws/aws-cdk/compare/v2.183.0...v2.184.0)
##### Features
- **ecr:** throw ValidationError instead of untyped Errors
([#​33750](https://redirect.github.com/aws/aws-cdk/issues/33750))
([242690f](https://redirect.github.com/aws/aws-cdk/commit/242690f9aa897b11e1b1a73036a9927ed3473eb2))
- **lambda:** support s3 OFD for Kinesis/DynamoDB
([#​33739](https://redirect.github.com/aws/aws-cdk/issues/33739))
([3f1fecf](https://redirect.github.com/aws/aws-cdk/commit/3f1fecfecb871d3912a74471a555b223a6dcaa20))
- **rds:** allow to specify availability zone for Aurora instances
([#​33515](https://redirect.github.com/aws/aws-cdk/issues/33515))
([583d5f2](https://redirect.github.com/aws/aws-cdk/commit/583d5f24f03d3b2f8b072d0a41d41b75f8814f8c)),
closes
[#​33503](https://redirect.github.com/aws/aws-cdk/issues/33503)
[#​30618](https://redirect.github.com/aws/aws-cdk/issues/30618)
##### Bug Fixes
- **codepipeline:** replace account root principal with current pipeline
role in the trust policy under ff:
[@​aws-cdk/pipelines](https://redirect.github.com/aws-cdk/pipelines):reduceStageRoleTrustScope
([#​33742](https://redirect.github.com/aws/aws-cdk/issues/33742))
([a64b01c](https://redirect.github.com/aws/aws-cdk/commit/a64b01cc2969822bb92d7bd72152ecb2ccf1c1cf)),
closes
[#​33709](https://redirect.github.com/aws/aws-cdk/issues/33709)
- **core:** message including tokens from annotations cannot output
correctly
([#​33706](https://redirect.github.com/aws/aws-cdk/issues/33706))
([55a3c4c](https://redirect.github.com/aws/aws-cdk/commit/55a3c4caefdb283280d6c16d3719f3e311e31ec9)),
closes
[#​33707](https://redirect.github.com/aws/aws-cdk/issues/33707)
- **events-targets:** add LogGroupTargetInput.fromObjectV2() method
([#​33720](https://redirect.github.com/aws/aws-cdk/issues/33720))
([584a58c](https://redirect.github.com/aws/aws-cdk/commit/584a58c2dcd43d9ebd2533186a2f5f9a083bb478))
***
##### Alpha modules (2.184.0-alpha.0)
##### ⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
- **glue-alpha:** Updated casing of `workflow.addconditionalTrigger` to
`workflow.addConditionalTrigger`.
##### Bug Fixes
- **glue-alpha:** inconsistent workflow addconditionalTrigger casing
([#​33752](https://redirect.github.com/aws/aws-cdk/issues/33752))
([4886a3e](https://redirect.github.com/aws/aws-cdk/commit/4886a3e503b22f3dfadca908501a2cb208c2ebee)),
closes
[#​33751](https://redirect.github.com/aws/aws-cdk/issues/33751)
[#​33751](https://redirect.github.com/aws/aws-cdk/issues/33751)
### [`v2.183.0`](https://redirect.github.com/aws/aws-cdk/releases/tag/v2.183.0)
[Compare Source](https://redirect.github.com/aws/aws-cdk/compare/v2.182.0...v2.183.0)
##### Features
- **bedrock:** support DeepSeek R1
([#​33727](https://redirect.github.com/aws/aws-cdk/issues/33727))
([3de0818](https://redirect.github.com/aws/aws-cdk/commit/3de0818b92c7130ac31f647329a265a742d4bc04))
- **rds:** add MySQL engine versions 5.7.44(patch), 8.0.41 and 8.4.4
([#​33732](https://redirect.github.com/aws/aws-cdk/issues/33732))
([d1a8cbe](https://redirect.github.com/aws/aws-cdk/commit/d1a8cbeaa8153296ecf2d797d95fa31fd6b79582))
- update L1 CloudFormation resource definitions
([#​33718](https://redirect.github.com/aws/aws-cdk/issues/33718))
([c4fceb2](https://redirect.github.com/aws/aws-cdk/commit/c4fceb2f28b9582cd957040a2c9e983343b9eba9))
- **codebuild:** throw `ValidationError` instead of untyped Errors
([#​33700](https://redirect.github.com/aws/aws-cdk/issues/33700))
([d12854a](https://redirect.github.com/aws/aws-cdk/commit/d12854a96cebb428feb78908a093743889ef52bf)),
closes
[#​32569](https://redirect.github.com/aws/aws-cdk/issues/32569)
- **core:** `RemovalPolicies.of(scope)`
([#​32283](https://redirect.github.com/aws/aws-cdk/issues/32283))
([34c547c](https://redirect.github.com/aws/aws-cdk/commit/34c547c83e9fa5f055b0c60be975087e4f836ebb))
- **logs:** add support for fieldIndexPolicies in log group L2 Construct
([#​33416](https://redirect.github.com/aws/aws-cdk/issues/33416))
([6c882e0](https://redirect.github.com/aws/aws-cdk/commit/6c882e0acc36b632ff80286e72bac08734d70d72)),
closes
[#​33366](https://redirect.github.com/aws/aws-cdk/issues/33366)
- **lambda:** backfill missing enums for lambda
([#​33651](https://redirect.github.com/aws/aws-cdk/issues/33651))
([4227747](https://redirect.github.com/aws/aws-cdk/pull/33740/commits/42277471040c4c845d9a4f1b3649df9cb675ecfb))
- **rds:** add new MariaDB engine versions 10.5.28, 10.6.21, 10.11.11,
and 11.4.5
([#​33665](https://redirect.github.com/aws/aws-cdk/issues/33665))
([7f5bf4e](https://redirect.github.com/aws/aws-cdk/pull/33740/commits/7f5bf4e311555bdf7aa0d7637d7b89dd0421c2f6))
- **ec2:** add VPC interface endpoints for Location Service
([#​33667](https://redirect.github.com/aws/aws-cdk/issues/33667))
([4bc151b](https://redirect.github.com/aws/aws-cdk/pull/33740/commits/4bc151bafdd4398f632b06f7d801c2a550e2340a))
- **ec2:** add VPC interface endpoints for WAFV2
([#​33685](https://redirect.github.com/aws/aws-cdk/issues/33685))
([5eb11d2](https://redirect.github.com/aws/aws-cdk/pull/33740/commits/5eb11d26d00a5cccc18d9e4e6483dd613d4c4dbb))
- **ec2:** add VPC interface endpoints for Emr Serverless
([#​33715](https://redirect.github.com/aws/aws-cdk/issues/33715))
([25619a0](https://redirect.github.com/aws/aws-cdk/pull/33740/commits/25619a01e78040c8b9442a9a7ed434b936e01491))
- **ec2:** add VPC interface endpoints for Security Lake
([#​33728](https://redirect.github.com/aws/aws-cdk/issues/33728))
([5fcbe2a](https://redirect.github.com/aws/aws-cdk/pull/33740/commits/5fcbe2ac2e3c377e39b38c278434997dbed19ab6))
##### Bug Fixes
- **core:** pressing Ctrl-C when content is bundled leaves broken asset
([#​33692](https://redirect.github.com/aws/aws-cdk/issues/33692))
([00ef50d](https://redirect.github.com/aws/aws-cdk/commit/00ef50d36d5b7322f71e38062f03017eff878705)),
closes
[#​33201](https://redirect.github.com/aws/aws-cdk/issues/33201)
[#​32869](https://redirect.github.com/aws/aws-cdk/issues/32869)
[#​14474](https://redirect.github.com/aws/aws-cdk/issues/14474)
- **custom-resources:** fix circular dependency when a custom role
provided to Provider
([#​33600](https://redirect.github.com/aws/aws-cdk/issues/33600))
([77b6fa9](https://redirect.github.com/aws/aws-cdk/commit/77b6fa94c0446ec81e5ae8949d6d0eb571d89dea)),
closes
[#​20360](https://redirect.github.com/aws/aws-cdk/issues/20360)
- **efs:** cannot run an integ test when `transitionToArchivePolicy` is
specified and `throughputMode` is `undefined`
([#​33713](https://redirect.github.com/aws/aws-cdk/issues/33713))
([842201c](https://redirect.github.com/aws/aws-cdk/commit/842201c344a6f76f8cfd74b65cd73f63259b777b))
- **eks:** cluster deployment issue when the authentication mode is not
changing
([#​33680](https://redirect.github.com/aws/aws-cdk/issues/33680))
([ba2dfd1](https://redirect.github.com/aws/aws-cdk/commit/ba2dfd10504504d78e55bc242a4747024a504389))
***
##### Alpha modules (2.183.0-alpha.0)
##### ⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
- **scheduler-targets-alpha:** The `InspectorStartAssessmentRun`
target's constructor now accepts `IAssessmentTemplate` instead of
`CfnAssessmentTemplate` as its parameter type. To migrate existing code,
use the `AssessmentTemplate.fromCfnAssessmentTemplate()` method to
convert your `CfnAssessmentTemplate` instances to `IAssessmentTemplate`.
##### Features
- **kinesisanalytics-flink-alpha:** backfill missing enums for
kinesisanalytics-flink-alpha
([#​33632](https://redirect.github.com/aws/aws-cdk/pull/33632))
([b55199a](https://redirect.github.com/aws/aws-cdk/pull/33740/commits/b55199a782582348408fb75123c533977b38326d))
- **kinesisfirehose-destinations-alpha:** backfill missing enums for
kinesisfirehose-destinations-alpha
([#​33633](https://redirect.github.com/aws/aws-cdk/pull/33633))
([6ed7a45](https://redirect.github.com/aws/aws-cdk/pull/33740/commits/6ed7a452e261b0033b44d0b2b61b18466d6e6b48))
##### Bug Fixes
- **scheduler-alpha:** deprecate `Group` in favour of `ScheduleGroup`
([#​33678](https://redirect.github.com/aws/aws-cdk/issues/33678))
([4d8eae9](https://redirect.github.com/aws/aws-cdk/commit/4d8eae9da577a94114602df261c98b65aa616956))
- **scheduler-targets-alpha:** update inspector target to use
IAssessmentTemplate instead of CfnAssessmentTemplate
([#​33682](https://redirect.github.com/aws/aws-cdk/issues/33682))
([50ba3ef](https://redirect.github.com/aws/aws-cdk/commit/50ba3efabca81a3c57ce34654f8ec1002deace6f))
### [`v2.182.0`](https://redirect.github.com/aws/aws-cdk/releases/tag/v2.182.0)
[Compare Source](https://redirect.github.com/aws/aws-cdk/compare/v2.181.1...v2.182.0)
##### Features
- **assertions:** added getResourceId method to Template
([#​33521](https://redirect.github.com/aws/aws-cdk/issues/33521))
([a96b0f1](https://redirect.github.com/aws/aws-cdk/commit/a96b0f1dca27b262fb2c72637ed9043830477c2c))
- **autoscaling:** add new `HealthChecks` for multiple health check
types, including EBS and VPC_LATTICE types
([#​31286](https://redirect.github.com/aws/aws-cdk/issues/31286))
([b3edd0d](https://redirect.github.com/aws/aws-cdk/commit/b3edd0da9d0f49070b94120051c48716a69102c3)),
closes
[#​31289](https://redirect.github.com/aws/aws-cdk/issues/31289)
[/github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-autoscaling/lib/auto-scaling-group.ts#L233](https://redirect.github.com/aws//github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-autoscaling/lib/auto-scaling-group.ts/issues/L233)
[/github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-autoscaling/lib/auto-scaling-group.ts#L2232-L2258](https://redirect.github.com/aws//github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-autoscaling/lib/auto-scaling-group.ts/issues/L2232-L2258)
[/github.com/aws/aws-cdk/pull/31286#discussion_r1740763781](https://redirect.github.com/aws//github.com/aws/aws-cdk/pull/31286/issues/discussion_r1740763781)
- **ecs:** encrypting managed storage
([#​33535](https://redirect.github.com/aws/aws-cdk/issues/33535))
([07f0fe3](https://redirect.github.com/aws/aws-cdk/commit/07f0fe3a851cce328433ada9aac674ab9464b5ca)),
closes
[#​33380](https://redirect.github.com/aws/aws-cdk/issues/33380)
- **inspector:** add minimal L2 interface for Inspector assessment
template and fromCfnAssessmentTemplate()
([#​33614](https://redirect.github.com/aws/aws-cdk/issues/33614))
([d51f70a](https://redirect.github.com/aws/aws-cdk/commit/d51f70ab40d237a3145d986e75c7ea2465afd6b4))
- **opensearchservice:** nodeoptions for domain
([#​32936](https://redirect.github.com/aws/aws-cdk/issues/32936))
([1b6f0c3](https://redirect.github.com/aws/aws-cdk/commit/1b6f0c3d0eb4aedfc72c716ee18aa3ae4dbf16b8)),
closes
[#​32553](https://redirect.github.com/aws/aws-cdk/issues/32553)
- **rds:** `DatabaseCluster` support `replicationSourceIdentifier`
([#​33471](https://redirect.github.com/aws/aws-cdk/issues/33471))
([878ad54](https://redirect.github.com/aws/aws-cdk/commit/878ad546c2d4f330c777734a0c7919bd6ce46395)),
closes
[#​33280](https://redirect.github.com/aws/aws-cdk/issues/33280)
- update L1 CloudFormation resource definitions
([#​33676](https://redirect.github.com/aws/aws-cdk/issues/33676))
([92dba49](https://redirect.github.com/aws/aws-cdk/commit/92dba49571caec118001b9f13b82378bec2150f0))
- upgrade
[@​aws-cdk/cloud-assembly-schema](https://redirect.github.com/aws-cdk/cloud-assembly-schema)
to v40
([#​33620](https://redirect.github.com/aws/aws-cdk/issues/33620))
([127059e](https://redirect.github.com/aws/aws-cdk/commit/127059e890c78fcfaf11a97a961395b2ceb2a339))
##### Bug Fixes
- **apigateway:** move endpointConfiguration to RestApiBaseProps
([#​33514](https://redirect.github.com/aws/aws-cdk/issues/33514))
([e07a89c](https://redirect.github.com/aws/aws-cdk/commit/e07a89ccb053fe22bcb96456c75304ac7a3c7670)),
closes
[#​33295](https://redirect.github.com/aws/aws-cdk/issues/33295)
- **appsync:** appsync Event API integration assertion tests
([#​33572](https://redirect.github.com/aws/aws-cdk/issues/33572))
([6f966a6](https://redirect.github.com/aws/aws-cdk/commit/6f966a6dcc010fe6af7999e7b5f97a447287aed3))
- **cloudwatch:** update regex expression that prevents
CloudWatch:Mah:UnknownIdentifier warnings
([#​33591](https://redirect.github.com/aws/aws-cdk/issues/33591))
([#​33592](https://redirect.github.com/aws/aws-cdk/issues/33592))
([97744e7](https://redirect.github.com/aws/aws-cdk/commit/97744e746670bf067da40c8ff6a902a9c15b707e))
- **iam:** adding organization id pattern verification
([#​33555](https://redirect.github.com/aws/aws-cdk/issues/33555))
([6df9bfe](https://redirect.github.com/aws/aws-cdk/commit/6df9bfe566a913c6c0538b2f380a83d06891a027)),
closes
[#​32756](https://redirect.github.com/aws/aws-cdk/issues/32756)
- **lambda-nodejs:** do not require a frozen lockfile for bun
([#​32908](https://redirect.github.com/aws/aws-cdk/issues/32908))
([a21190e](https://redirect.github.com/aws/aws-cdk/commit/a21190eb85bbc64820389ca5979a324932b9ab4b)),
closes
[#​32906](https://redirect.github.com/aws/aws-cdk/issues/32906)
[#​32906](https://redirect.github.com/aws/aws-cdk/issues/32906)
- **s3:** cannot deploy multiple replication source buckets (under
feature flag)
([#​33360](https://redirect.github.com/aws/aws-cdk/issues/33360))
([d580853](https://redirect.github.com/aws/aws-cdk/commit/d580853c546b4ee2d49afb52be75b4eb036bd6cd)),
closes
[#​33355](https://redirect.github.com/aws/aws-cdk/issues/33355)
- **sns:** for SSE topics, add KMS permissions in grantPublish
([#​32794](https://redirect.github.com/aws/aws-cdk/issues/32794))
([f1c0926](https://redirect.github.com/aws/aws-cdk/commit/f1c092634a391b0b7aed0f75626dd6d0ffd56564)),
closes
[#​18387](https://redirect.github.com/aws/aws-cdk/issues/18387)
[#​31012](https://redirect.github.com/aws/aws-cdk/issues/31012)
[#​24848](https://redirect.github.com/aws/aws-cdk/issues/24848)
[#​16271](https://redirect.github.com/aws/aws-cdk/issues/16271)
[#​29511](https://redirect.github.com/aws/aws-cdk/issues/29511)
[/github.com/aws/aws-cdk/issues/16271#issuecomment-917221985](https://redirect.github.com/aws//github.com/aws/aws-cdk/issues/16271/issues/issuecomment-917221985)
***
##### Alpha modules (2.182.0-alpha.0)
##### Features
- **pipes-alpha:** support for customer-managed KMS keys to encrypt pipe
data
([#​33546](https://redirect.github.com/aws/aws-cdk/issues/33546))
([dd0d62f](htt
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - "every weekday"
(UTC).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).
Co-authored-by: pulumi-renovate[bot] <189166143+pulumi-renovate[bot]@users.noreply.github.com>
1 parent c9cb49b commit 7e6f009
1 file changed, +1 -1
aws-ts-nextjs/demoapp/package.json: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change | |
---|---|---|---|
| |||
25 | 25 |
| |
26 | 26 |
| |
27 | 27 |
| |
28 |
| - | |
| 28 | + | |
29 | 29 |
| |
30 | 30 |
| |
31 | 31 |
| |
|
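Review bot: only aws-ts-nextjs/demoapp/package.json is touched (line 28, one addition and one deletion), and no lockfile changes alongside it. If the demo app commits a lockfile, regenerate and commit it in the same change so installs resolve to the bumped release rather than the previously locked one. Automerge is enabled and the release notes in this range list removed L1 properties and breaking changes to experimental modules, so a build of the demo app should gate the merge.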