v2.222.0

⚠ BREAKING CHANGES

• bedrock-agentcore: The signature of RuntimeAuthorizerConfiguration.usingCognito() has changed to accept IUserPool and IUserPoolClient constructs instead of string parameters, and now supports multiple clients.

Features

• apigateway: add binaryMediaTypes property to SpecRestApi (#35502) (bf10d94), closes #35498
• apigatewayv2: WebSocketStage support accessLogSettings (#34766) (dad112e), closes #21935
• bedrock-agentcore: use IUserPool and IUserPoolClient interfaces instead of string identifiers (#35860) (a38afc9), closes #35854
• core: IEnvironmentAware interface to retrieve a construct's environment (#35817) (8ee5d4b)
• elasticloadbalancingv2: create security group settings for NLB by default (under feature flag) (#34675) (ff83cfd), closes #34606 /github.com/aws/aws-cdk/issues/34606#issuecomment-2931313249
• events-targets: support Amazon Data Firehose target using Firehose's IDeliveryStream (#33798) (a374b6b), closes #33757 #33758
• kinesisfirehose: add built-in data processors to decompress CloudWatch logs and extract messages (#33749) (5dec21e), closes #33691 #20242 /github.com/aws/aws-cdk/issues/33691#issuecomment-2713012245
• lambda: add Java25 runtime for Lambda (#35867) (db71fac)
• lambda: add Python 3.14 runtime for Lambda (#35869) (ebef303)
• memory: add agentcore memory l2 construct (#35757) (6a2e17e)
• msk: support Express brokers (#34741) (0a69e5f), closes #32923

Bug Fixes

• agentcore: addToRolePolicy for runtime with imported role destroys and recreates policies on every deployment (#35842) (92525e4), closes #35844 40aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-base.ts#L253
• agentcore: custom execution role policy for runtime lacks proper permissions (#35849) (ee94b63), closes #35852 40aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-artifact.ts#L65 40aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime.ts#L252-L259 /github.com/aws/aws-cdk/blob/v2.221.0/packages/aws-cdk-lib/aws-codepipeline/lib/pipeline.ts#L693 /github.com/aws/aws-cdk/blob/v2.221.0/packages/aws-cdk-lib/aws-lambda/lib/function.ts#L1468 /github.com/aws/aws-cdk/blob/v2.221.0/packages/aws-cdk-lib/aws-ecs/lib/base/base-service.ts#L1161
• dynamodb: addToResourcePolicy has no effect (#35554) (94d7e34), closes #35062
• ecs: remove empty CfnClusterCapacityProviderAssociations resource (#35783) (c8a131b), closes #35699 #35742
• iam: cannot grant lambda:InvokeFunction on ManagedPolicy or Policy via grantInvoke() method (#32984) (a07d75a), closes #32980 /github.com/aws/aws-cdk/pull/32984#pullrequestreview-2863553504
• compilation failure in Go (#35871) (5e4f603), closes aws/aws-cdk#35770 #35862
• ec2: remove PassRole policy emitted by cloudwatch vpc flow destination (#35762) (c4b80df), closes #35729

---

Alpha modules (2.222.0-alpha.0)

Features

• eks-v2-alpha: eks-v2-alpha is now in developer preview (#35801) (32afc0f)

Bug Fixes

• bedrock-alpha: apply permission dependency to existing and non-existing roles (#35123) (b39ccf3), closes #35120
• eks-v2-alpha: remove hyphen from Go package name (#35927) (2cdfc8a)

v2.221.1

Bug Fixes

• compilation failure in Go (#35871) (4379f66), closes aws/aws-cdk#35770 #35862

---

Alpha modules (2.221.1-alpha.0)

v2.221.0

⚠ BREAKING CHANGES

• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

• aws-datazone: AWS::DataZone::ProjectProfile: Id property removed.
• aws-logs: AWS::Logs::DeliveryDestination: DeliveryDestinationType attribute removed.
• aws-s3: AWS::S3::AccessGrantsLocation: IamRoleArn property is now required.
• aws-s3: AWS::S3::AccessGrantsLocation: LocationScope property is now required.
• aws-servicecatalog: AWS::ServiceCatalog::TagOptionAssociation: Id attribute removed.

Features

• update L1 CloudFormation resource definitions (#35816) (82bef28)
• agentcore: add agentcore L2 constructs for 1p tools (#35577) (3087ffa)
• agentcore: add agentcore runtime L2 construct (#35623) (c57484a)
• ecr: image tag mutability exclusion filters (#35246) (f6dd5cf), closes #35454
• ecs: implement IConnectable interface for ManagedInstancesCapacityProvider (#35745) (fd5ff76)
• kinesisfirehose: support DeliveryStream record format conversion for S3 Bucket Destination (#35410) (79bcba2), closes #15501 /github.com/aws/aws-cdk/issues/15501#issuecomment-3255582302
• update L1 CloudFormation resource definitions (#35769) (a165905)

Bug Fixes

• ecs-patterns: resolve target group conflict when updating ALB internetFacing or loadBalancerName (under feature flag) (#35508) (69b9c03), closes #33253 #33253 #33253
• lambda: can't find entry file under ESM module system (#35797) (7becd79), closes #21630
• lambda-runtime: change fallback for latest lambda node runtime to node 22.x (#35764) (10fcb1b)
• opensearchservice: add i8g nodes validation without EBS (#35668) (9594842), closes #35666
• s3-deployment: handle empty string in Source.data() (#35824) (95c8d73), closes #35809
• stepfunctions-tasks: allow passing apiEndpoint as intrinsic function (under feature flag) (#32139) (ddfef06), closes #29925 #29925 #30749

---

Alpha modules (2.221.0-alpha.0)

Features

• msk-alpha: support Kafka 4.1 (#35759) (67539de)

Bug Fixes

• elasticache-alpha: cannot import Redis 7 serverless cache (#35629) (2bde1a0)

v2.220.0

⚠ BREAKING CHANGES

---

L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

• aws-neptune: AWS::Neptune::EventSubscription: SnsTopicArn property is now required.
• aws-neptune: AWS::Neptune::EventSubscription: Id attribute removed.
• aws-servicecatalog: AWS::ServiceCatalog::PortfolioShare: Id attribute removed.
• aws-lex: AWS::Lex::ResourcePolicy: ResourceArn property is now immutable.

Co-authored-by: aws-cdk-automation [email protected]

---

Features

• batch: ec2 Managed Compute Environment support default instance classes, deprecate useOptimalInstanceClasses (#35537) (9d59dd8), closes #35515
• kinesis: shard-level metrics for stream (#34963) (ce9b3a8)
• lambda: refactor Function URL permissions (#35725) (d38d015)
• update L1 CloudFormation resource definitions (#35679) (dec6e6a)
• update L1 CloudFormation resource definitions (#35695) (8a6cf46)
• update L1 CloudFormation resource definitions (#35712) (27a8760)
• amplify: support build compute type (#34796) (a02c656)
• cloudfront-origins: add ipAddressType property to Lambda Function URL origins (#35458) (6cf6dc8), closes #35450
• ec2: add BEDROCK_AGENTCORE and BEDROCK_AGENTCORE_GATEWAY to InterfaceVpcEndpointAwsService (#35667) (6966c03)
• ec2: support for automatic VPN session reconnect on client VPN endpoint (#35538) (9536472)
• eks: add removal policy support for EKS cluster construct (#35560) (4b4e322), closes #25544
• logs: add parameter to allow metric filter on transformed logs (#35359) (effa46d)
• opensearch: add OpenSearch 3.1 engine version (#35477) (3bd7cf9), closes #35471
• route53: add fromPrivateHostedZoneAttributes function to PrivateHostedZone (#35552) (c8d7a79), closes #23268
• synthetics: allow root level canary scripts files for Puppeteer versions 11 and greater (#35426) (46fb2dc)

Bug Fixes

• cloudwatch: metric period in AnomalyDetectionAlarm is not being respected (#35319) (c7d8004), closes #34614 /github.com/aws/aws-cdk/blob/6966c03b1a7aece0846f5a91bbeb825cd7491689/packages/aws-cdk-lib/aws-cloudwatch/lib/private/alarm-options.ts#L16-L18 /github.com/aws/aws-cdk/blob/86638f6daca6ead382d0b9c1cf65bb04f70d4b3d/packages/aws-cdk-lib/package.json#L32 /github.com/aws/aws-cdk/pull/35319#discussion_r2407134489
• ecs: update task definition validations for managed instances (#35684) (8638a78), closes #35644
• lambda-nodejs: bump bun to 1.2.23 for ARM64 support (#35702) (3aa186c), closes #35534
• s3: resolve synthesis error in BucketPolicy.fromCfnBucketPolicy() (#35633) (d9085cc), closes #34322
• s3tables: s3 table bucket read access role uses incorrect permission for s3tables:ListNamespaces (#35420) (eb949bb)

---

Alpha modules (2.220.0-alpha.0)

Bug Fixes

• amplify-alpha: handle empty customResponseHeaders array (#35700) (57f9068), closes #35693

v2.214.1

Features

• introduce reference interfaces, but don't require them yet (09fc592)

---

Alpha modules (2.214.1-alpha.0)

v2.219.0

⚠ BREAKING CHANGES

• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

aws-servicecatalog: AWS::ServiceCatalog::PortfolioPrincipalAssociation: PortfolioId property is now required.
aws-servicecatalog: AWS::ServiceCatalog::PortfolioPrincipalAssociation: PrincipalARN property is now required.
aws-servicecatalog: AWS::ServiceCatalog::PortfolioProductAssociation: Id attribute removed.

Co-authored-by: aws-cdk-automation [email protected]

Features

• ecs: new L2 construct for ManagedInstances CapacityProvider (#35648) (c72a09b)
• update L1 CloudFormation resource definitions (#35646) (860ce0d)
• codebuild: add custom instance type and VPC to Fleets (#34572) (5c2781b)
• codebuild: support overflow behavior of fleet (#35480) (e4113b0)
• update L1 CloudFormation resource definitions (#35614) (fb0a114)

Bug Fixes

• cloudfront: edgefunction does not propagate stack tags correctly (#35518) (63088e8)

---

Alpha modules (2.219.0-alpha.0)

v2.218.0

Features

• cloudfront-origins: ip address type for http origin (#35445) (196c7ae), closes #35427
• docdb: support for serverless clusters (#35574) (89bfef7), closes #35199
• pipelines: CodeBuildFactory support Docker server (#35584) (c62d996)
• spec2cdk: generate from<Resource>Arn and from<Resource><Prop> in every L1 (#35470) (c588061)

---

Alpha modules (2.218.0-alpha.0)

• elasticache-alpha: implement Serverless ElastiCache L2 Construct (#35424) (0e08c8c)

v2.217.0

Features

• update L1 CloudFormation resource definitions (#35491) (d095f68)
• update L1 CloudFormation resource definitions (#35567) (b0ccf81)

Bug Fixes

• cloudfront: Function ARN reference changed from GetAtt to Ref (#35547) (8a26869), closes #35531
• core: negated gitignore patterns inside subdirectories are not including matched files (#35511) (44781ef), closes #9146 #22002
• kms: Alias reference incorrectly resolves to underlying Key (#35545) (43ffcff), closes #35543
• lambda: function.latestVersion points to wrong ARN (#35546) (761dde2), closes #35545
• rds: cannot use connections in rds.DatabaseInstance.fromLookup (#35193) (973d234), closes #35192

Reverts

• dynamodb: use keyId instead of keyArn for TableV2 replica encryption (#35568) (b1f7f78), closes aws/aws-cdk#35144 #35144 #35551

---

Alpha modules (2.217.0-alpha.0)

v2.216.0

Features

• apigatewayv2: add disableSchemaValidation for Websocket api (#35290) (bc391ce)
• cloudfront-origins: response completion timeout (#35485) (7d70bf4)
• elasticloadbalancingv2: support target group health attributes (#33351) (2de6e39), closes #31821
• events: add support for Event Bus Logging Configuration (#35201) (7ceaefb), closes #35000
• route53: add SVCB and HTTPS resource record classes (#34744) (8be219a), closes #34673
• stepfunctions-tasks: EmrCreateClusterOptions support ebsRootVolumeIops, ebsRootVolumeThroughput and managedScalingPolicy (#34677) (b3ad6f9), closes #33431

Bug Fixes

• cloudformation-include: aws::novalue type validation error for non-string properties (#35425) (ce76a56), closes #18420
• kinesisanalytics: deprecate using KinesisAnalyticsV2 from aws-kinesisanalytics, use aws-kinesisanalyticsv2 instead (#35519) (4255b23)
• kms: cannot access aliasTargetKey on an Alias imported by Alias.fromAliasName (#35521) (c0c9933), closes #35520
• secretsmanager: SecretRotationApplication creates lambda on python 3.9 which is EOL (#35528) (756b683), closes #34168
• secretsmanager: secret transformation (#35202) (f4b26af), closes #34168

---

Alpha modules (2.216.0-alpha.0)

v2.215.0

Features

• 33270: support new bun lock file (#34873) (0a55ed1), closes #33270
• codebuild: support remote Docker server (#34976) (eb8e74b), closes #34494
• update L1 CloudFormation resource definitions (#35435) (d7f211f)
• batch: ecs execute command (#35341) (30722f2)
• custom-resource: upgrade to python runtime 3.13 for custom resources (#35342) (3db140e)
• rds: add DatabaseProxyEndpoint L2 construct (#35064) (04d8a95), closes #14186
• stepfunctions-tasks: add Node.js 22 support to EvaluateExpression (#35370) (640821d), closes #35353
• synthetics: browser type for canary (#35423) (fe0708b)
• new resource interfaces shared by both L1s and L2s (#35032) (5e8c0d5)

Bug Fixes

• correct typo 'notfication' to 'notification' in Stack docstring (#35455) (bfb54b0), closes #35433
• ecr-assets: TarballImageAsset respects CDK_DOCKER environment variable (#35344) (8bf6b00), closes #35336
• s3: scope BucketNotificationsHandler IAM permissions to specific bucket ARNs (#35334) (c0300d2), closes #35331
• stepfunctions: incorrect/missing permissions to run/redrive DistributedMap in state machine (#34760) (bbebb79), closes #35390 /github.com/aws/aws-cdk/issues/28820#issuecomment-2065316882 /github.com/aws/aws-cdk/blob/aea1372ab7bc68c489cea5ee5e499233755910e8/packages/aws-cdk-lib/aws-stepfunctions/lib/state-graph.ts#L178-L180
• stepfunctions: unable to run distributed map when only defined in nested StateGraphs (#35417) (036b413), closes #35391 /github.com/aws/aws-cdk/pull/34760#discussion_r2313620609

---

Alpha modules (2.215.0-alpha.0)

Bug Fixes

• bedrock-alpha: added missing validation when prompt uses default variant (#35366) (cbd271e)