v2.167.1

Bug Fixes

• cli: failure to get credentials when session token is not set (#32134) (425efbc), closes #32120
• cli: region specified in ~/.aws/credentials is ignored (#32133) (9859f33), closes #32130

---

Alpha modules (2.167.1-alpha.0)

v2.167.0

Features

• cli: upgrade aws-sdk to sdkv3 (#31702) (5bc0662), closes #25870 #26292 #20956 #24744 #27265
• elasticloadbalancingv2: enable zonal shift for network load balancer (#31990) (497abdc), closes #31983
• kms: support KEY_AGREEMENT for keyUsage (#30993) (2323877), closes #30989
• lambda: add Python 3.13 runtime (#32054) (e0ebcfe)
• lambda: add supportsSnapStart config to dotnet8 and python 3.12 (#32112) (53f4713)
• lambda: support for customer managed encryption (CMCMK) (#32072) (2f16415)
• update L1 CloudFormation resource definitions (#32090) (6303b72)
• rds: support minor engine versions for oracle (#32058) (3d72b63)
• rds: support minor versions for RDS for SQL Server (#32055) (8c80bf8)
• service-catalog: allow Product Stack to override analytics reporting and stack descriptions (#31985) (d8ad02a), closes #31924

Bug Fixes

• ecr: allow creating repository uri to use tokens like cfn params (#32053) (5648199), closes #31860

---

Alpha modules (2.167.0-alpha.0)

Features

• ivs: support recording configuration for channel (#31899) (8a3734d), closes #31780
• redshift: relocating a cluster (#31993) (b763d86)

Bug Fixes

• scheduler-targets-alpha: add dlq policy to execution role instead of queue policy (#32032) (b953b2a), closes #31785

v2.166.0

Features

• cli: automatically roll back stacks if necessary (#31920) (2f9fb1e), closes #30546
• kinesis: support resource policy for a data stream (#31909) (18fbd6d), closes #28814
• rds: configure autoMinorVersionUpgrade for a database cluster (#31962) (0fb6106)
• route53: support HTTPS, SSHFP, SVCB, and TLSA DNS resource record (#31955) (afc2b0d), closes /docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-route53-recordset.html#cfn-route53
• synthetics: add artifactS3Encryption property to the Canary Construct. (#30197) (1f39cb9), closes #30190
• update L1 CloudFormation resource definitions (#32007) (be6a964)

Bug Fixes

• deploy-time stack tags cause synthesis to fail (#32041) (18c19fd), closes #32040
• aws_route53: cannot use CfnParameter.valueAsNumber for L2 RecordSet weight (#31823) (14561ac), closes #31810
• cli: asset uploads fail if Object Lock is enabled on access bucket (#31937) (ab1e91d)
• dynamoDB: make TableV2 taggable (#31867) (796c6d1), closes #30631
• opensearch: add I4G to list of OpenSearch nodes not requiring EBS volumes (#31948) (73378f2)

---

Alpha modules (2.166.0-alpha.0)

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

• scheduler-targets-alpha: Schedule Target will reuse role if target is re-used across schedules. This change triggered replacement of existing roles for Schedule as logical ID of the roles are changed.

Features

• glue-alpha: add job run queuing to Glue job (#31830) (5fca268), closes #31826

Bug Fixes

• scheduler-targets-alpha: create a role per target instead of singleton schedule target role (#31895) (aee1b30), closes #31785

v2.165.0

Features

• bootstrap: add lifecycle rule to abort multipart uploads after 7 days (#31956) (b800da8), closes #29045
• bootstrap: delete noncurrent versions after 30 days (#31949) (579041e)
• cli: garbage collect ecr assets (under --unstable flag) (#31841) (da85e54), closes #31611
• codebuild: add support of organization webhook in github source (#31740) (8c15b5f), closes #31736
• cognito: support UserPoolGroup (#31351) (408b20f), closes #21026
• update L1 CloudFormation resource definitions (#31917) (8c93291)

Bug Fixes

• assertions: throw error or warn when synth is called multiple times on mutated construct tree (#31865) (a261c9d), closes #24689
• cli: ecr garbage collection hangs when repository has no images (#31951) (a235a9f)
• cli: garbage collection ignores review_in_progress stacks (#31906) (cb3ecfe)
• s3-assets: cannot publish a file without extension (#30597) (ccab485), closes #30471
• sqs: queue with fifo: false does not deploy (#31922) (a9d3b02), closes #8550
• enable node-fips compatible body checksums for S3 (#31883) (4f29c1d)

---

Alpha modules (2.165.0-alpha.0)

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

• ec2-alpha: The new VpcCidrBlock L2 construct replaces CfnVPCCidrBlock. This change alters the logical ID of AWS::EC2::VPCCidrBlock resources in CloudFormation templates. Existing deployments will see errors like CIDR range conflicts with x.xx.xx.xx/xx with association ID vpc-cidr-assoc-ABCD. To resolve this, you must recreate your existing stacks to use the new module.

Features

• apprunner: support vpc ingress connection (#30623) (048e753), closes #22850
• ec2-alpha: adding imports for SubnetV2 and VpcV2 (#31765) (d108a80)
• location: support Tracker and TrackerConsumer (#31268) (046f041), closes #30712
• pipes-enrichments: support API Gateway enrichment (#31794) (09052c2), closes #29384
• pipes-targets: add SageMaker (#30696) (a5fdf57)
• redshift-alpha: query execution timeout setting during table creation (#31818) (40f07ae), closes #31329
• kinesisfirehose-alpha: kinesis firehose and kinesis firehose destinations modules are now in Developer Preview (#31952)

Bug Fixes

• location: remove base class from PlaceIndex class (#31287) (bc67866), closes #30711 #30682
• scheduler-alpha: scheduler input always get transformed to string with extra double quotes (#31894) (186b8ab)
• scheduler-alpha: too many KMS permissions granted (#31923) (06678a3), closes #31785

v2.164.1

Bug Fixes

• enable node-fips compatible body checksums for S3 (#31883) (290a499)

---

Alpha modules (2.164.1-alpha.0)

v2.164.0

Features

• cli: add ability to configure hotswap properties for ECS (#30511) (fee2cf8), closes #29618
• cognito: support email based MFA (#31816) (f9d6eef), closes #31815
• cognito: the Cognito Identity Pools module is now in Developer Preview (#31854) (b22899f)

Bug Fixes

• cli: cross-account asset publishing doesn't work without bootstrap stack (#31876) (427bf63), closes #31866
• cli: deploy-role is not authorized to perform DescribeStackResources (#31878) (8d06824)
• core: fix policy synthesizer logic for precreated roles (#31710) (aae03c9)
• dynamodb: replication regions are incompatible with resource policies in TableV2 and feature flag (#31513) (0b03eb0), closes #30705
• events-targets: kinesis Stream target with Customer-Managed KMS key causes EventBridge FailedInvocations (#31836) (58dfda0), closes #10996

---

Alpha modules (2.164.0-alpha.0)

Features

• iot: scheduled audit (#31776) (366b492), closes #31779

Bug Fixes

• ec2: allow NAT instance to associate public IP (#31812) (e96b4ce), closes #31711
• scheduler-targets-alpha: imported lambda function as schedule target throws synth error (#31837) (d1d179f), closes #29284

v2.163.1

Bug Fixes

• 'Need to perform AWS calls for account' when doing cross-account deployments (#31846) (5aa63d1), closes #31845

---

Alpha modules (2.163.1-alpha.0)

v2.163.0

Features

• cli: garbage collect s3 assets (under --unstable flag) (#31611) (0a0e4ad)
• cognito: support emailVerified for AttributeMapping interface (#31632) (5de7835), closes #30467 #30467
• dynamodb: enable contributor insights for global secondary index (#30560) (799b541), closes #15671
• ecs-patterns: support NLB with TLS listener and target group (#30611) (f4f8abc), closes #8517
• efs: allow AccessPoint to set client token (#31184) (8208774)
• events: dead letter queue for an Event Bus (#30628) (318eae6), closes #30531
• fsx: specify file system type version for the Lustre file system (#31136) (252cca9), closes #31130
• fsx: support HDD storage type for a Lustre file systems (#30207) (2d9aefb), closes #30206
• iam: allow creating service principal using custom name (#31793) (3d650c3), closes #31767
• kms: allow fromLookup method to return dummy key if target key was not found (#31676) (34bdeca), closes #31574 /github.com/aws/aws-cdk/blob/v2.161.0/packages/aws-cdk-lib/aws-kms/lib/key.ts#L686 /github.com/aws/aws-cdk/issues/31574#issuecomment-2399080697
• rds: support local write forwarding for an aurora PostgreSQL cluster (#31803) (a32436a), closes #31802
• s3: support transitionDefaultMinimumObjectSize for life cycle (#31778) (4aa117b), closes #31777 /docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-lifecycleconfiguration.html#cfn-s3
• update L1 CloudFormation resource definitions (#31752) (8067294)
• update L1 CloudFormation resource definitions (#31800) (fccb006)
• rds: support performance insights configuration at cluster level (#31385) (7d6bf77), closes #31375
• disallow cross account asset publishing in some scenarios (#31623) (edd031d)
• step-functions: add bucketNamePath in item reader (#31619) (97130d8), closes #29409

Bug Fixes

• cli: cdk import errors with 'S3 error: Access Denied' (#31727) (cd324d0), closes #31597 #31716
• lambda: filterRule.null() returns empty array (#31701) (5830ee1), closes #31458
• s3: add support for uppercase characters in legacy bucket names (#31813) (7bebf40), closes #31731
• stepfunctions-tasks: stateMachine construct doesn't generate a valid policy for default StateMachineRole (#31801) (efbbddb), closes #31714

---

Alpha modules (2.163.0-alpha.0)

Features

• ec2: disable api termination (#30620) (108737d)
• kinesisfirehose-alpha: refactor sourceStream property to support multiple types of sources (#31723) (0260046)
• pipes-enrichments: support API destination enrichment (#31312) (1557793), closes #29383
• pipes-targets: add CloudWatch Logs (#30665) (893769e)

Bug Fixes

• ec2: exposed userDataCausesReplacement in BastionHostLinuxProps (#31416) (029c298), closes #31348
• scheduler-alpha: remove targetOverrides prop from Schedule (#31799) (be4154b)

v2.162.1

Bug Fixes

• cli: cdk import errors with 'S3 error: Access Denied' (#31727) (5c2787a), closes #31597 #31716

---

Alpha modules (2.162.1-alpha.0)

v2.162.0

Features

• appsync: add ownerContact property to the GraphqlApi (#31585) (a8b2f01)
• cdk: expose authorizer id and authorization type (#31622) (daaf0aa), closes #31605
• cli: cdk rollback (#31684) (3e40edc), closes #31407
• ecs: add fargate ephemeral storage encryption to cluster settings (#30759) (642a944), closes #30721
• eks: support eks with k8s 1.31 (#31707) (fc09bc1)
• elasticloadbalancingv2: support TCP idle timeout for Network Load Balancer Listener (#31584) (8d851a9), closes #31310
• update L1 CloudFormation resource definitions (#31688) (b211189)
• rds: enable grantDataApiAccess method for imported database cluster (#31280) (3c92012), closes #31116 /github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-rds/lib/cluster.ts#L983 /github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-rds/lib/cluster.ts#L523-L526

Bug Fixes

• core: cdk diff on large templates fails when passing in toolkitStackName and qualifier (#31636) (f603c97), closes #29179
• ecs: ecs exec cannot be enabled for ECS Anywhere (ecs.ExternalService) (#31374) (cff1fcd), closes #31181
• elasticloadbalancingv2: http2Enabled with true is ignored in ApplicationLoadBalancer (#31675) (c1b240e), closes #31609
• event-targets: ecsTask uses invalid task definition arn in policy (#31615) (4ada3ea), closes #30390 #30484
• iam: override Role.applyRemovalPolicy for customizeRoles (#31652) (35ed5c6), closes #31651
• s3: unable to update the s3 event notifications on an existing S3 bucket (#31431) (0a56c0d), closes #31303

---

Alpha modules (2.162.0-alpha.0)

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

• kinesisfirehose-alpha: replaced destinations property with destination (singular) and changed the type from array of Destinations to a single Destination. Old behaviour would only allow an array with a single Destination to be passed in anyway.

Features

• iot-alpha: support for account audit configuration (#31661) (fc19571), closes #31663
• pipes-targets: add EventBridge (#30654) (842f49a)

Bug Fixes

• cli-lib: cannot bootstrap specific environment (#31713) (fec4bb1)

Miscellaneous Chores

• kinesisfirehose-alpha: replacedestinations property with destination and change type from array to single IDestination (#31630) (1e2cff1)