Merge branch 'main' into ICapacityProvider-update

Author: kumvprat

.github/workflows/integration-test-deployment.yml

@@ -25,6 +25,7 @@ concurrency:
 jobs:
   integration_test_deployment:
     runs-on: codebuild-aws-cdk-github-actions-deployment-integ-runner-${{ github.run_id }}-${{ github.run_attempt }}
+    timeout-minutes: 7200 # Maximum limit for self-hosted runners, job can still be limited by our runner timeout (which is set at 36 hours).
     environment: deployment-integ-test # Do not change or remove this without discussing with Appsec
     if: contains(github.event.pull_request.labels.*.name, 'pr/needs-integration-tests-deployment')
     name: 'Deploy integration test snapshots (requires `pr/needs-integration-tests-deployment` label)'

CHANGELOG.v2.alpha.md

@@ -2,6 +2,22 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.238.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.237.1-alpha.0...v2.238.0-alpha.0) (2026-02-09)
+
+
+### Features
+
+* **eks-v2-alpha:** add support for bootstrapSelfManagedAddons ([#36740](https://github.com/aws/aws-cdk/issues/36740)) ([1ffe38d](https://github.com/aws/aws-cdk/commit/1ffe38dc950a096cb5e1c1ee20f2c49899dc0a23))
+* **eks-v2-alpha:** add support for EKS hybrid nodes ([#36749](https://github.com/aws/aws-cdk/issues/36749)) ([48ace56](https://github.com/aws/aws-cdk/commit/48ace56d82537630fc339cb41962473a97375aea))
+
+
+### Bug Fixes
+
+* **eks-v2-alpha:** ensure kubectl provider and handler functions use the same vpc configuration  ([#36735](https://github.com/aws/aws-cdk/issues/36735)) ([4e02f08](https://github.com/aws/aws-cdk/commit/4e02f0896069105dae83c46f19f1b346a546ad57)), closes [#34878](https://github.com/aws/aws-cdk/issues/34878) [#34877](https://github.com/aws/aws-cdk/issues/34877)
+* **ivs-alpha:** add region constraints to integration tests ([#36851](https://github.com/aws/aws-cdk/issues/36851)) ([d55fec4](https://github.com/aws/aws-cdk/commit/d55fec42357410b8263b814b931daf5dccc5c5e3))
+* **mixins-preview:** apply mixins in order ([#36847](https://github.com/aws/aws-cdk/issues/36847)) ([726060c](https://github.com/aws/aws-cdk/commit/726060c0ea9f57de4c6e13c1f50c330e4fc2608e))
+* **mixins-preview:** apply mixins in order in `MixinApplicator` ([#36877](https://github.com/aws/aws-cdk/issues/36877)) ([09db1c9](https://github.com/aws/aws-cdk/commit/09db1c99710c9f8e91774e767de93fff1a0d2650)), closes [#36847](https://github.com/aws/aws-cdk/issues/36847)
+
 ## [2.237.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.237.0-alpha.0...v2.237.1-alpha.0) (2026-02-03)
 
 ## [2.237.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.236.0-alpha.0...v2.237.0-alpha.0) (2026-02-02)

CHANGELOG.v2.md

@@ -2,6 +2,42 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.238.0](https://github.com/aws/aws-cdk/compare/v2.237.1...v2.238.0) (2026-02-09)
+
+
+### ⚠ BREAKING CHANGES
+
+* **bedrock-agentcore:** Interface extensions require new property implementations
+* **aws-bedrock-agentcore-alpha:** 
+*  - IGateway now requires gatewayRef getter
+*  - IGatewayTarget now requires gatewayTargetRef getter
+*  - IMemory now requires memoryRef getter
+*  - IBedrockAgentRuntime now requires runtimeRef getter
+*  - IRuntimeEndpoint now requires runtimeEndpointRef getter
+*  - IBrowserCustom now requires browserCustomRef getter
+*  - ICodeInterpreterCustom now requires codeInterpreterCustomRef getter
+
+### Features
+
+* update L1 CloudFormation resource definitions ([#36834](https://github.com/aws/aws-cdk/issues/36834)) ([5143fdf](https://github.com/aws/aws-cdk/commit/5143fdfb57024ced8d9a2988216c78690f6121b0))
+* **core:** allow indentation suppression in nested stacks ([#35122](https://github.com/aws/aws-cdk/issues/35122)) ([d629b15](https://github.com/aws/aws-cdk/commit/d629b15954bd313876de2df055265e27569af5a4)), closes [#32798](https://github.com/aws/aws-cdk/issues/32798) [/github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/core/lib/stack.ts#L207](https://github.com/aws//github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/core/lib/stack.ts/issues/L207) [/github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/core/lib/stack.ts#L207](https://github.com/aws//github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/core/lib/stack.ts/issues/L207) [/github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/core/lib/nested-stack.ts#L25C18-L25C34](https://github.com/aws//github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/core/lib/nested-stack.ts/issues/L25C18-L25C34)
+* **ec2:** support Firehose `IDeliveryStreamRef` as flow log destination ([#36278](https://github.com/aws/aws-cdk/issues/36278)) ([cd73498](https://github.com/aws/aws-cdk/commit/cd73498af34fcc150c1290c5bd1f21c272239802)), closes [#33883](https://github.com/aws/aws-cdk/issues/33883) [#34596](https://github.com/aws/aws-cdk/issues/34596) [#33757](https://github.com/aws/aws-cdk/issues/33757)
+* **eks:** add removal policy for all constructs ([#35835](https://github.com/aws/aws-cdk/issues/35835)) ([875d9b8](https://github.com/aws/aws-cdk/commit/875d9b8f7dc4e3e1a5187b89303de3645485e3cf))
+* **eks:** add support for EC2, HYBRID_LINUX, and HYPERPOD_LINUX access entry types ([#36350](https://github.com/aws/aws-cdk/issues/36350)) ([cc059c6](https://github.com/aws/aws-cdk/commit/cc059c6dcfe12240057f5fc58bd076083fd77acd)), closes [#34394](https://github.com/aws/aws-cdk/issues/34394)
+* **glue:** typed partition projection ([#35660](https://github.com/aws/aws-cdk/issues/35660)) ([cb1658f](https://github.com/aws/aws-cdk/commit/cb1658f42522ad9abaec4de6ce0c0d43292e73a1)), closes [#35428](https://github.com/aws/aws-cdk/issues/35428)
+
+
+### Bug Fixes
+
+* **core:** intrinsic cfn function tokens are not detected as such in java ([#36843](https://github.com/aws/aws-cdk/issues/36843)) ([3f29f11](https://github.com/aws/aws-cdk/commit/3f29f11d942b3f005732f17c3f606d081b8ba0d7))
+* **events:** restore `Match.anyOf` support for raw strings ([#36908](https://github.com/aws/aws-cdk/issues/36908)) ([6804c7c](https://github.com/aws/aws-cdk/commit/6804c7c75c7e67f1c61dac4aea43af5fa54969e2)), closes [#36902](https://github.com/aws/aws-cdk/issues/36902) [#36602](https://github.com/aws/aws-cdk/issues/36602) [#36602](https://github.com/aws/aws-cdk/issues/36602)
+* **iam:** undeprecate openIdConnectProviderArn and openIdConnectProviderIssuer in IOidcProvider ([#36859](https://github.com/aws/aws-cdk/issues/36859)) ([cbf0b03](https://github.com/aws/aws-cdk/commit/cbf0b03d58559574752b3ebe80e9cb596e0ef6b0))
+
+
+### Miscellaneous Chores
+
+* **bedrock-agentcore:** reference interface ([#36803](https://github.com/aws/aws-cdk/issues/36803)) ([87f1087](https://github.com/aws/aws-cdk/commit/87f1087060e7c15616500e31de6a0603c37b8843))
+
 ## [2.237.1](https://github.com/aws/aws-cdk/compare/v2.237.0...v2.237.1) (2026-02-03)
 
 

allowed-breaking-changes.txt

@@ -8,6 +8,9 @@ change-return-type:@aws-cdk/cloud-assembly-schema.Manifest.load
 # of the `properties` field is already unreliable for exhaustive checking.
 weakened:aws-cdk-lib.cloud_assembly_schema.ArtifactManifest
 
+# Manifest class became abstract in cloud-assembly-schema v50+
+made-abstract:aws-cdk-lib.cloud_assembly_schema.Manifest
+
 # Adding any new context queries will add to the ContextQueryProperties type,
 # which changes the signature of MissingContext.
 weakened:@aws-cdk/cloud-assembly-schema.MissingContext

docs/DESIGN_GUIDELINES.md

@@ -1340,6 +1340,47 @@ export abstract class TopicBase extends Resource implements ITopic, IEncryptedRe
 }
 ```
 
+#### Traits
+
+To enable grant methods to work with L1 constructs, the CDK uses factory interfaces that wrap L1 resources into objects 
+exposing higher-level interfaces:
+
+- `IResourcePolicyFactory` wraps an L1 into an object implementing `IResourceWithPolicyV2`, enabling resource policy 
+manipulation.
+- `IEncryptedResourceFactory` wraps an L1 into an object implementing `IEncryptedResource`, enabling KMS key grants.
+
+`IResourceWithPolicyV2` and `IEncryptedResource` are collectively called "traits". For now, these are the only two 
+traits we have, but we might add more in the future if we find other common patterns in L1 resources that can be 
+abstracted through this mechanism.
+
+The CDK provides default implementations for common L1 resources, but it's also possible to register custom factories
+for any CloudFormation resource type:
+
+```ts nofixture
+import { CfnResource } from 'aws-cdk-lib';
+import { IResourcePolicyFactory, IResourceWithPolicyV2, PolicyStatement, ResourceWithPolicies } from 'aws-cdk-lib/aws-iam';
+import { Construct, IConstruct } from 'constructs';
+
+declare const scope: Construct;
+class MyFactory implements IResourcePolicyFactory {
+  forResource(resource: CfnResource): IResourceWithPolicyV2 {
+    return {
+      env: resource.env,
+      addToResourcePolicy(statement: PolicyStatement) {
+        // custom implementation to add the statement to the resource policy
+        return { statementAdded: true, policyDependable: resource };
+      }
+    }
+  }
+}
+
+// After this, every time the Grants class encounters a CfnResource of type 'AWS::Some::Type', 
+// it will be able to use MyFactory to attempt to add statements to its resource policy.
+ResourceWithPolicies.register(scope, 'AWS::Some::Type', new MyFactory());
+```
+
+#### Auto-generation and manual implementation
+
 The `TopicGrants` class, and many others, are generated automatically from the `grants.json`
 file present at the root of each individual module (`packages/aws-sns` for SNS constructs and
 so on). The `grants.json` file has the following general structure:
@@ -1375,10 +1416,16 @@ where:
 * `docSummary` - the public documentation for the method.
 * `arnFormat` - In some cases, the policy applies to a specific ARN patterns, rather than just the ARN of the resource.
 
-In some cases, however, it might not be possible to specify the grant details using the `grants.json`
-file. This is usually the case when grants require additional logic, such as checking whether the
-resource is owned or unowned, or when the grant needs to modify the resource policy of the resource
-(if it has one). In these cases, you can implement the grants class manually.
+Code generated from the `grants.json` file will have a very basic logic: it will try to add the given statement to the
+principal's policy. If `hasResourcePolicy` is true, it will also attempt to add the statement to the resource policy.
+This will only work if the resource implements the `iam.IResourceWithPolicyV2` interface or -- in case of L1s -- if 
+there is a `IResourcePolicyFactory` registered for its type (see previous section). If `keyActions` are specified in the
+JSON file, it will also attempt to grant the specified permissions on the associated KMS key, if the resource implements 
+the `iam.IEncryptedResource` interface (or, similarly to resource policies, if there is a `IEncryptedResourceFactory`
+registered for it).
+
+If your permission use case requires additional logic, such as combining multiple `Grant` instances or handling 
+additional parameters, you will need to implement the Grants class manually.
 
 Historically, grant methods were implemented directly on the resource construct interface (e.g.
 `sns.ITopic.grantPublish(principal)`). For backward compatibility reasons, these methods are still

package.json

@@ -23,17 +23,17 @@
     "@types/prettier": "2.6.0",
     "@yarnpkg/lockfile": "^1.1.0",
     "aws-sdk-js-codemod": "^2.4.5",
-    "cdk-generate-synthetic-examples": "^0.2.40",
+    "cdk-generate-synthetic-examples": "^0.2.42",
     "conventional-changelog-cli": "^2.2.2",
     "fs-extra": "^9.1.0",
     "graceful-fs": "^4.2.11",
     "jest-junit": "^13.2.0",
-    "jsii-diff": "1.125.0",
+    "jsii-diff": "1.126.0",
     "jsii-pacmak": "1.126.0",
-    "jsii-reflect": "1.125.0",
+    "jsii-reflect": "1.126.0",
     "lerna": "^8.2.4",
     "nx": "^20",
-    "semver": "^7.7.3",
+    "semver": "^7.7.4",
     "standard-version": "^9.5.0",
     "ts-jest": "^29.4.6",
     "ts-node": "^10.9.2",

packages/@aws-cdk-testing/framework-integ/package.json

@@ -30,13 +30,13 @@
   "license": "Apache-2.0",
   "devDependencies": {
     "@aws-cdk/cdk-build-tools": "0.0.0",
-    "@aws-cdk/integ-runner": "^2.193.5",
+    "@aws-cdk/integ-runner": "^2.195.0",
     "@aws-cdk/pkglint": "0.0.0",
     "@aws-sdk/client-acm": "3.632.0",
     "@aws-sdk/client-rds": "3.632.0",
     "@aws-sdk/client-s3": "3.632.0",
     "@aws-sdk/client-cognito-identity-provider": "3.632.0",
-    "axios": "^1.13.2",
+    "axios": "^1.13.5",
     "delay": "5.0.0"
   },
   "dependencies": {
@@ -50,7 +50,7 @@
     "@aws-cdk/lambda-layer-kubectl-v34": "^2.0.0",
     "@aws-cdk/region-info": "0.0.0",
     "aws-cdk-lib": "0.0.0",
-    "cdk8s": "2.70.43",
+    "cdk8s": "2.70.47",
     "cdk8s-plus-27": "2.9.5",
     "constructs": "^10.0.0"
   },

packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront/test/integ.cloudfront-bucket-logging.js.snapshot/aws-cdk-cloudfront-custom.assets.json

@@ -2,6 +2,15 @@
  "Resources": {
   "Bucket83908E77": {
    "Type": "AWS::S3::Bucket",
+   "Properties": {
+    "OwnershipControls": {
+     "Rules": [
+      {
+       "ObjectOwnership": "BucketOwnerPreferred"
+      }
+     ]
+    }
+   },
    "UpdateReplacePolicy": "Delete",
    "DeletionPolicy": "Delete"
   },
@@ -73,21 +82,19 @@
     }
    }
   },
-  "AnAmazingWebsiteProbably2LoggingBucket222F7CE9": {
+  "LoggingBucket2CD4C98D8": {
    "Type": "AWS::S3::Bucket",
    "Properties": {
-    "BucketEncryption": {
-     "ServerSideEncryptionConfiguration": [
+    "OwnershipControls": {
+     "Rules": [
       {
-       "ServerSideEncryptionByDefault": {
-        "SSEAlgorithm": "AES256"
-       }
+       "ObjectOwnership": "BucketOwnerPreferred"
       }
      ]
     }
    },
-   "UpdateReplacePolicy": "Retain",
-   "DeletionPolicy": "Retain"
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
   },
   "AnAmazingWebsiteProbably2CFDistribution7C1CCD12": {
    "Type": "AWS::CloudFront::Distribution",
@@ -119,7 +126,7 @@
      "Logging": {
       "Bucket": {
        "Fn::GetAtt": [
-        "AnAmazingWebsiteProbably2LoggingBucket222F7CE9",
+        "LoggingBucket2CD4C98D8",
         "RegionalDomainName"
        ]
       },