### Issue #29637

Closes #29637

### Reason for this change
Allow setting the enableExecuteCommand for ECSRunTask in sfn

### Description of changes
Add the enableExecuteCommand property to the EcsRunTaskProps, to start the task from step functions with execution command enabled.

### Description of how you validated changes
Unit-test added. Existing ones passed.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

Closes #27504 

### Reason for this change

The current validation of `repoString` in constructor of `CodeStarConnectionSource` does not support nested repository that can appear in GitLab.

### Description of changes

The validation is fixed to accept nested repository.

### Description of how you validated changes

I added unit tests and confirmed all tests passed.

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.135.0/CHANGELOG.md)

Some customers have typo'd `--no-changeset` where `--no-change-set` was expected. Make these two aliases of each other since they're easy to mix up, and this flag being valid changes the permissions used by diff, which will cause errors in certain environments. 

tested manually.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…tion types (#29515)

Closes. #29514


### Reason for this change

Adding the same lambda as the action for multiple status changes (alarm, ok, insufficient data) causes an error because of logical id conflicts.

### Description of changes

Before adding the `lambda:InvokeFunction` permission to the lambda's resource policy, it checks to see if one already exists.

I considered not including this change under the `LAMBDA_PERMISSION_LOGICAL_ID_FOR_LAMBDA_ACTION` feature flag but, it breaks the `throws when multiple alarms are created for the same lambda if feature flag is set to false` test because it no longer throws. I understand that a major goal of the project is to keep behavior consistent however, it seems like it would be beneficial to fix an undesirable behavior without the need of configuring a feature flag.

This is my first contribution so I am new to this, could my change warrant its own feature flag?

### Description of how you validated changes

Expanded upon existing unit tests. 

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ncipals (#29452)

### Issue #24507

### Reason for this change

grantAssumeRole silently fails if a Service Principal or Account Principal is used which led me to a false assumption about the correctness of a role's permission scope

### Description of changes

This change will throw an error if a Service Principal is used.  I was unable to find a way to accomplish the same behavior for Account Principals.

Documentation was updated to help guide a user to the appropriate function usage for Service and Account Principals.

### Description of how you validated changes

* Added a unit test
* This change required me to re-run two unrelated snapshot tests which were throwing errors outside of the scope of this change.

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…roups (under feature flag) (#29513)

### Issue ELBv2 logicalId inconsistency of ApplicationListenerRule logicalIds

Mitigates #29496

### Reason for this change

People using ALBs who need to migrate from the `addTargetGroups()` convenience method to the lower level `addAction()` method should not be blocked due to inconsistent logicalId's. Further, the logicalIds should be consistent going forward.

### Description of changes

There are two feature flags, one which sets a migration compat mode and another which fixed the behaviour to be consistent.

### Description of how you validated changes

Unit testing.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ddTargetGroups (under feature flag)" (#29716)

Reverts #29513

We will want to use a property to achieve the desired behavior instead of a feature flag since we are not changing the default behavior.

Bumps [undici](https://github.com/nodejs/undici) from 5.28.3 to 5.28.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/nodejs/undici/releases">undici's releases</a>.</em></p>
<blockquote>
<h2>v5.28.4</h2>
<h2>:warning: Security Release :warning:</h2>
<ul>
<li>Fixes <a href="https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7">https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7</a> CVE-2024-30260</li>
<li>Fixes <a href="https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672">https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672</a> CVE-2024-30261</li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4">https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/nodejs/undici/commit/fb983069071f52e0a7ea0e71078459c765aae172"><code>fb98306</code></a> Bumped v5.28.4</li>
<li><a href="https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055"><code>2b39440</code></a> Merge pull request from GHSA-9qxr-qj54-h672</li>
<li><a href="https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f"><code>64e3402</code></a> Merge pull request from GHSA-m4v8-wqvr-p9f7</li>
<li><a href="https://github.com/nodejs/undici/commit/723c4e728051aefd5eb5ae7193dfb18046009f83"><code>723c4e7</code></a> Revert &quot;build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 (<a href="https://redirect.github.com/nodejs/undici/issues/2389">#2389</a>)&quot;</li>
<li><a href="https://github.com/nodejs/undici/commit/0e9d54b2c2a5ec0b58937114c857a9ed9fe22d5b"><code>0e9d54b</code></a> skip failing test due to Node.js changes</li>
<li>See full diff in <a href="https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=undici&package-manager=npm_and_yarn&previous-version=5.28.3&new-version=5.28.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts).

</details>

By default, stickiness is disabled. The duration _is_ one day if stickiness is enabled,
but we don't surface that option to users. If `stickinessCookieDuration` is not 
supplied, stickiness will not be enabled so the 1 day default doesn't make sense here.

Closes #29725.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

Closes #29410.

### Reason for this change

It was reported that a `Code.fromAsset('')` was creating an infinite loop by including itself through `cdk.out`. This is caused by the following line:

https://github.com/aws/aws-cdk/blob/730fe63efc461c14f6e2b4aa9206c10f9b0f4cd9/packages/aws-cdk-lib/aws-s3-assets/lib/asset.ts#L145

If an empty string is given to `path.resolve()`, the current working directory is returned.

### Description of changes

I've added a check that verifies that the given `path` property is not empty.

### Description of how you validated changes

I've added a test for both the `aws-lambda` package, where the issue was originally reported, and `aws-s3-assets`, where the fix was implemented

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ps (#29686)

### Issue #29687 

Closes ##29687 

### Reason for this change

Since `instanceProps` is deprecated it is better to allow setting `PreferredMaintenanceWindow` using writer and readers props.

### Description of changes

Added optional preferredMaintenanceWindow field to ClusterInstanceOptions and added a unit test.

### Description of how you validated changes

- Add a single unit test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…29718)

Closes #29650

### Description of changes

This addresses the issue in two ways:

1. If the describeStacks call errors out, we now catch it and default to classic diff behavior.
2. The describeStacks call now tries to use the lookup role rather than the deploy role.

### Description of how you validated changes

Manual testing with a user that could only assume lookup roles.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*