See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.147.0/CHANGELOG.md)

### Reason for this change

missing property

### Description of changes

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_codebuild.CfnProjectProps.html#visibility

### Description of how you validated changes

done test and integ-test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

N/A

### Reason for this change
The `defaulrRedirectUri` property missing in the current `UserPoolClient` class,

The DefaultRedirectURI setting is essential when using Amazon Cognito Hosted UI because it specifies the primary destination where users will be redirected after successful authentication, ensuring a seamless and secure OAuth 2.0 or OpenID Connect flow.


### Description of changes
Add missing property.


### Description of how you validated changes
Add unit tests and integ tests.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…30358)

### Issue # (if applicable)

Closes #30353 .

### Reason for this change
At the moment, L2 Construct does not support a custom auto scaling configuration for the AppRunner Service.


### Description of changes
* Add `AutoScalingConfiguration` Class
* Add `autoScalingConfiguration` property to the `Service` Class



### Description of how you validated changes
Add unit tests and integ tests.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… from instanceType (#30558)

### Issue # (if applicable)
n/a

### Reason for this change

When configuring NAT instance v2, currently we have to set machineImage manually when we want to use a graviton instance.

Like this:

```ts
const vpc = new Vpc(this, 'Vpc', {
  natGatewayProvider: NatProvider.instanceV2({
    instanceType: InstanceType.of(InstanceClass.T4G, InstanceSize.NANO),
    // we should be able to omit this line!
    machineImage: MachineImage.latestAmazonLinux2023({ cpuType: AmazonLinuxCpuType.ARM_64 }),
  }),
});
```

This can be easily avoided if Nat instance v2 construct decides which cpu type to use for the given instance type.

### Description of changes

Use `instanceType.architecture` to choose cpu type of a machine image.

Now we can remove the redundant code:

```ts
const vpc = new Vpc(this, 'Vpc', {
  natGatewayProvider: NatProvider.instanceV2({
    instanceType: InstanceType.of(InstanceClass.T4G, InstanceSize.NANO),
  }),
});
```

### Description of how you validated changes

Added an integ test.
### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…pes (#30495)

### Issue # (if applicable)

Closes #29385.

### Reason for this change
To use Step Functions state machine enrichment for eventbrige pipes



### Description of changes
Add `StepFunctionsEnrichment` class.



### Description of how you validated changes
Add unit test and integ tests.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…time with imported `delegatedZone` (#30440)" (#30606)

This reverts commit a3d9b10.

### Issue # (if applicable)

Closes #30600.

### Reason for this change

Reverting #30440 so that `cdk synth` succeed when using imported `delegatedZone`

### Description of changes

Removed the `throw new Error()`

### Description of how you validated changes



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ty (#30614)

### Issue # (if applicable)
Closes #30613.

### Reason for this change
Documentation for `KubernetesVersion.V1_30` property incorrectly refers to `KubectlV29Layer`.


### Description of changes
Corrected documentation for KubernetesVersion.V1_30 property to refer to `KubectlV30Layer`.

### Description of how you validated changes
N/A
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…moved from roadmap (#30572)

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change



### Description of changes



### Description of how you validated changes



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… system (#30343)

### Issue # (if applicable)

Closes  #30340.

### Reason for this change
Current LustreFileSystem class does not support automatic backups.


### Description of changes
Add properties equivalent to those of the L1 construct to the L2 construct.

* [automaticBackupRetentionDays](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws%5C_fsx.CfnFileSystem.LustreConfigurationProperty.html#automaticbackupretentiondays)
* [copyTagsToBackups](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws%5C_fsx.CfnFileSystem.LustreConfigurationProperty.html#copytagstobackups)
* [dailyAutomaticBackupStartTime](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws%5C_fsx.CfnFileSystem.LustreConfigurationProperty.html#dailyautomaticbackupstarttime)

Segregated the `dailyAutomaticBackupStartTime` as a class to enable its usage in another file system's L2 construct (for example, Ontap) in the future.



### Description of how you validated changes
Add unit tests and integ tests.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[+] service aws-apptest
│ ├  capitalized: AppTest
│ │  cloudFormationNamespace: AWS::AppTest
│ │  name: aws-apptest
│ │  shortName: apptest
│ └ resources
│    └resource AWS::AppTest::TestCase
│     ├  name: TestCase
│     │  cloudFormationType: AWS::AppTest::TestCase
│     │  documentation: Represents a Test Case that can be captured and executed
│     │  tagInformation: {"tagPropertyName":"Tags","variant":"map"}
│     ├ properties
│     │  ├Description: string
│     │  ├Name: string (required, immutable)
│     │  ├Steps: Array<Step> (required)
│     │  └Tags: Map<string, string>
│     ├ attributes
│     │  ├CreationTime: string
│     │  ├LastUpdateTime: string
│     │  ├LatestVersion: TestCaseLatestVersion
│     │  ├Status: string
│     │  ├TestCaseArn: string
│     │  ├TestCaseId: string
│     │  └TestCaseVersion: number
│     └ types
│        ├type TestCaseLatestVersion
│        │├  name: TestCaseLatestVersion
│        │└ properties
│        │   ├Version: number (required)
│        │   └Status: string (required)
│        ├type Step
│        │├  name: Step
│        │└ properties
│        │   ├Name: string (required)
│        │   ├Description: string
│        │   └Action: StepAction (required)
│        ├type StepAction
│        │├  name: StepAction
│        │└ properties
│        │   ├ResourceAction: ResourceAction
│        │   ├MainframeAction: MainframeAction
│        │   └CompareAction: CompareAction
│        ├type ResourceAction
│        │├  name: ResourceAction
│        │└ properties
│        │   ├M2ManagedApplicationAction: M2ManagedApplicationAction
│        │   ├M2NonManagedApplicationAction: M2NonManagedApplicationAction
│        │   └CloudFormationAction: CloudFormationAction
│        ├type M2ManagedApplicationAction
│        │├  name: M2ManagedApplicationAction
│        │└ properties
│        │   ├Resource: string (required)
│        │   ├ActionType: string (required)
│        │   └Properties: M2ManagedActionProperties
│        ├type M2ManagedActionProperties
│        │├  name: M2ManagedActionProperties
│        │└ properties
│        │   ├ForceStop: boolean
│        │   └ImportDataSetLocation: string
│        ├type M2NonManagedApplicationAction
│        │├  name: M2NonManagedApplicationAction
│        │└ properties
│        │   ├Resource: string (required)
│        │   └ActionType: string (required)
│        ├type CloudFormationAction
│        │├  name: CloudFormationAction
│        │└ properties
│        │   ├Resource: string (required)
│        │   └ActionType: string
│        ├type MainframeAction
│        │├  name: MainframeAction
│        │└ properties
│        │   ├Resource: string (required)
│        │   ├ActionType: MainframeActionType (required)
│        │   └Properties: MainframeActionProperties
│        ├type MainframeActionType
│        │├  name: MainframeActionType
│        │└ properties
│        │   ├Batch: Batch
│        │   └Tn3270: TN3270
│        ├type Batch
│        │├  name: Batch
│        │└ properties
│        │   ├BatchJobName: string (required)
│        │   ├BatchJobParameters: Map<string, string>
│        │   └ExportDataSetNames: Array<string>
│        ├type TN3270
│        │├  name: TN3270
│        │└ properties
│        │   ├Script: Script (required)
│        │   └ExportDataSetNames: Array<string>
│        ├type Script
│        │├  name: Script
│        │└ properties
│        │   ├ScriptLocation: string (required)
│        │   └Type: string (required)
│        ├type MainframeActionProperties
│        │├  name: MainframeActionProperties
│        │└ properties
│        │   └DmsTaskArn: string
│        ├type CompareAction
│        │├  name: CompareAction
│        │└ properties
│        │   ├Input: Input (required)
│        │   └Output: Output
│        ├type Input
│        │├  name: Input
│        │└ properties
│        │   └File: InputFile (required)
│        ├type InputFile
│        │├  name: InputFile
│        │└ properties
│        │   ├SourceLocation: string (required)
│        │   ├TargetLocation: string (required)
│        │   └FileMetadata: FileMetadata (required)
│        ├type FileMetadata
│        │├  name: FileMetadata
│        │└ properties
│        │   ├DataSets: Array<DataSet>
│        │   └DatabaseCDC: DatabaseCDC
│        ├type DataSet
│        │├  name: DataSet
│        │└ properties
│        │   ├Type: string (required)
│        │   ├Name: string (required)
│        │   ├Ccsid: string (required)
│        │   ├Format: string (required)
│        │   └Length: number (required)
│        ├type DatabaseCDC
│        │├  name: DatabaseCDC
│        │└ properties
│        │   ├SourceMetadata: SourceDatabaseMetadata (required)
│        │   └TargetMetadata: TargetDatabaseMetadata (required)
│        ├type SourceDatabaseMetadata
│        │├  name: SourceDatabaseMetadata
│        │└ properties
│        │   ├Type: string (required)
│        │   └CaptureTool: string (required)
│        ├type TargetDatabaseMetadata
│        │├  name: TargetDatabaseMetadata
│        │└ properties
│        │   ├Type: string (required)
│        │   └CaptureTool: string (required)
│        ├type Output
│        │├  name: Output
│        │└ properties
│        │   └File: OutputFile (required)
│        └type OutputFile
│         ├  name: OutputFile
│         └ properties
│            └FileLocation: string
├[~] service aws-batch
│ └ resources
│    └[~] resource AWS::Batch::JobDefinition
│      └ types
│         └[~] type NodeRangeProperty
│           └ properties
│              └[-] EksProperties: EksProperties
├[~] service aws-kinesisfirehose
│ └ resources
│    └[~] resource AWS::KinesisFirehose::DeliveryStream
│      └ types
│         ├[~] type HttpEndpointDestinationConfiguration
│         │ └ properties
│         │    └[+] SecretsManagerConfiguration: SecretsManagerConfiguration
│         ├[~] type RedshiftDestinationConfiguration
│         │ └ properties
│         │    ├ Password: - string (required)
│         │    │           + string
│         │    ├[+] SecretsManagerConfiguration: SecretsManagerConfiguration
│         │    └ Username: - string (required)
│         │                + string
│         ├[+] type SecretsManagerConfiguration
│         │ ├  name: SecretsManagerConfiguration
│         │ └ properties
│         │    ├Enabled: boolean (required)
│         │    ├RoleARN: string
│         │    └SecretARN: string
│         ├[~] type SnowflakeDestinationConfiguration
│         │ └ properties
│         │    ├ PrivateKey: - string (required)
│         │    │             + string
│         │    ├[+] SecretsManagerConfiguration: SecretsManagerConfiguration
│         │    └ User: - string (required)
│         │            + string
│         └[~] type SplunkDestinationConfiguration
│           └ properties
│              ├ HECToken: - string (required)
│              │           + string
│              └[+] SecretsManagerConfiguration: SecretsManagerConfiguration
└[~] service aws-mediapackagev2
  └ resources
     ├[~] resource AWS::MediaPackageV2::Channel
     │ └ attributes
     │    └[+] IngestEndpointUrls: Array<string>
     └[~] resource AWS::MediaPackageV2::OriginEndpoint
       └ attributes
          ├[+] DashManifestUrls: Array<string>
          ├[+] HlsManifestUrls: Array<string>
          └[+] LowLatencyHlsManifestUrls: Array<string>
```

…PI call (#30061)

### Issue # (if applicable)

Closes #29918.

### Reason for this change

It would be useful if we could call AWS API across regions from a Step Functions state machine. Currently it is not officially supported even with AWS SDK integration tasks.

Our usecase is to automate a cross-region failover scenario in a multi-region application. This requires you to orchestrate multiple API calls for both active and standby regions (e.g. failover Aurora DB cluster, rewrite AppConfig parameter, etc), and it would be great if we can manage these operations in a single state machine.

### Description of changes

This PR adds a new construct `CallAwsServiceCrossRegion` that deploys 1. a Lambda function to call AWS API in different regions 2. SFn task to call the function.

Because most properties are compatible with the existing `CallAwsService` construct, you can use the new construct by just adding the `region` property.

Additionally, it also allows to set `endpoint` to override AWS API endpoint, because some AWS APIs requires you to override it. (e.g. [Route53 ARC](https://docs.aws.amazon.com/r53recovery/latest/dg/getting-started-cli-routing.control-state.html))

### Description of how you validated changes

Added unit tests and integ tests.

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Add Anthropic's Claude 3.5 Sonnet model.

Ref
* https://aws.amazon.com/about-aws/whats-new/2024/06/anthropic-claude-3-5-sonnet-model-bedrock/
* https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…#30359)

### Issue # (if applicable)

Closes #22985 .

### Reason for this change
At the moment, L2 Construct does not support a tracing setting for the AppRunner Service.


### Description of changes
* Add `ObservabilityConfiguration` Class
* Add `observabilityConfiguration` property to the `Service` Class



### Description of how you validated changes
Add unit tests and integ tests.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…bled` is broken (#30624)

### Issue # (if applicable)

None

### Reason for this change

The documentation link of `crossZoneEnabled` is broken due to unnecessary hyphen.

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.NetworkLoadBalancer.html#crosszoneenabled

<img width="732" alt="スクリーンショット 2024-06-23 0 33 20" src="https://github.com/aws/aws-cdk/assets/64848616/5096bf05-4e6e-4e72-a882-1e8d1a817ff5">

### Description of changes

Removed unnecessary hyphen.

### Description of how you validated changes

None

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Add new minor version.
Ref: https://aws.amazon.com/about-aws/whats-new/2024/06/amazon-rds-mysql-new-minor-version-8-0-37/

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ture flag) (#30389)

Closes #30368. 

Doc: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security_iam_id-based-policy-examples.html#IAM_run_policies

…aged Termination Protection is disable (#30335)

Let AsgCapacityProvider use IAutoScalingGroup only when Managed Termination Protection is disable.

The code will throw an exception with a clear message when the user specify a self managed ASG using `AutoScalingGroup.fromAutoScalingGroupName` and let the Managed Termination Protection enabled.

It will also throw a clear exception when calling `Cluster.addAsgCapacityProvider` with an `AsgCapacityProvider` created with an imported ASG.

### Issue # (if applicable)

Closes #29174.

### Reason for this change

As there is no clear fix to the original issue, this change's purpose it to bring clarity to the users about what is not allowed when using the L2 Constructs `AsgCapacityProvider` and `Cluster` with an imported ASG.

### Description of changes

This change will replace non explicit exception, caused by missing methods, by clear error messages.

### Description of how you validated changes

Added unit tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Removed unnecessary hyphens before links in the @see section of the document.
Unnecessary hyphens are breaking the links in the document.

Same as #30624.

Ref:

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.BaseServiceProps.html#launchtype

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks.NodegroupOptions.html#instancetypes

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_eks.NodegroupOptions.html#launchtemplatespec

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…d due to lack of a permission (#30630)

### Issue # (if applicable)

Closes #26640

### Reason for this change
According to the [docs](https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles), required permissions for an App Runner's AccessRole to access images in ECR repository are the followings:

1. "ecr:GetDownloadUrlForLayer",
2. "ecr:BatchCheckLayerAvailability",
3. "ecr:BatchGetImage",
4. "ecr:DescribeImages",
5. "ecr:GetAuthorizationToken"

No.1~3 are granted by the [grantPull](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-ecr/lib/repository.ts#L385) method of `ecr.Repository`.

https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-apprunner-alpha/lib/service.ts#L1303

Permission for No.5 is granted by the following.
**Note** : It is correct that the resources here is set to `*`(Ref: [docs](https://docs.aws.amazon.com/apprunner/latest/dg/security_iam_service-with-iam.html#security_iam_service-with-iam-roles))
> If you create your own custom policy for your access role, be sure to specify "Resource": "*" for the ecr:GetAuthorizationToken action. Tokens can be used to access any Amazon ECR registry that you have access to.

https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-apprunner-alpha/lib/service.ts#L1368

At the moment, No.4 permission is missing. So we need to add.


### Description of changes
Add a `ecr:DescribeImages` permisison to the AccessRole.



### Description of how you validated changes
Update a unit test and a integ test.



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.

We were seeing build failures (most likely) caused by nx version mismatches. This PR aligns those versions.

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…M_3 (#30670)

### Description of changes

Fixed typo in the comment at CodeBuildImage.AMAZON_LINUX_2_ARM_3.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.147.1/CHANGELOG.md)

)

Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 44.5.2 to 44.5.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/tj-actions/changed-files/releases">tj-actions/changed-files's releases</a>.</em></p>
<blockquote>
<h2>v44.5.5</h2>
<h2>What's Changed</h2>
<ul>
<li>Upgraded to v44.5.4 by <a href="https://github.com/tj-actions-bot"><code>@​tj-actions-bot</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2165">tj-actions/changed-files#2165</a></li>
<li>chore: remove debug lines by <a href="https://github.com/jackton1"><code>@​jackton1</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2166">tj-actions/changed-files#2166</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/tj-actions/changed-files/compare/v44...v44.5.5">https://github.com/tj-actions/changed-files/compare/v44...v44.5.5</a></p>
<h2>v44.5.4</h2>
<h2>What's Changed</h2>
<ul>
<li>chore(deps): update dependency <code>@​types/node</code> to v20.14.7 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2156">tj-actions/changed-files#2156</a></li>
<li>fix(deps): update dependency <code>@​octokit/rest</code> to v21 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2158">tj-actions/changed-files#2158</a></li>
<li>Upgraded to v44.5.3 by <a href="https://github.com/tj-actions-bot"><code>@​tj-actions-bot</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2154">tj-actions/changed-files#2154</a></li>
<li>chore(deps-dev): bump <code>@​types/uuid</code> from 9.0.8 to 10.0.0 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2160">tj-actions/changed-files#2160</a></li>
<li>chore(deps): update dependency <code>@​types/node</code> to v20.14.8 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2162">tj-actions/changed-files#2162</a></li>
<li>fix: error using since_last_remote_commit with the first PR commit by <a href="https://github.com/jackton1"><code>@​jackton1</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2163">tj-actions/changed-files#2163</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/tj-actions/changed-files/compare/v44...v44.5.4">https://github.com/tj-actions/changed-files/compare/v44...v44.5.4</a></p>
<h2>v44.5.3</h2>
<h2>What's Changed</h2>
<ul>
<li>Upgraded to v44.5.2 by <a href="https://github.com/tj-actions-bot"><code>@​tj-actions-bot</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2116">tj-actions/changed-files#2116</a></li>
<li>chore(deps): update dependency <code>@​types/node</code> to v20.12.14 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2118">tj-actions/changed-files#2118</a></li>
<li>chore(deps): update dependency prettier to v3.3.0 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2119">tj-actions/changed-files#2119</a></li>
<li>chore(deps): update dependency <code>@​types/node</code> to v20.14.0 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2121">tj-actions/changed-files#2121</a></li>
<li>fix(deps): update dependency yaml to v2.4.3 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2120">tj-actions/changed-files#2120</a></li>
<li>chore: downgrade tj-actions/eslint-changed-files pending move to eslint 9 by <a href="https://github.com/jackton1"><code>@​jackton1</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2124">tj-actions/changed-files#2124</a></li>
<li>chore(deps): update tj-actions/eslint-changed-files action to v25 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2125">tj-actions/changed-files#2125</a></li>
<li>chore(deps): lock file maintenance by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2122">tj-actions/changed-files#2122</a></li>
<li>chore(deps): update dependency eslint-plugin-github to v5 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2126">tj-actions/changed-files#2126</a></li>
<li>chore(deps): update typescript-eslint monorepo to v7.12.0 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2127">tj-actions/changed-files#2127</a></li>
<li>chore(deps): update dependency <code>@​types/node</code> to v20.14.1 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2128">tj-actions/changed-files#2128</a></li>
<li>chore(deps): update dependency eslint-plugin-github to v5.0.1 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2129">tj-actions/changed-files#2129</a></li>
<li>chore(deps): update dependency <code>@​types/node</code> to v20.14.2 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2130">tj-actions/changed-files#2130</a></li>
<li>chore(deps): update dependency prettier to v3.3.1 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2131">tj-actions/changed-files#2131</a></li>
<li>chore(deps): update dependency eslint-plugin-jest to v28.6.0 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2132">tj-actions/changed-files#2132</a></li>
<li>chore(deps): update dependency <code>@​types/lodash</code> to v4.17.5 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2134">tj-actions/changed-files#2134</a></li>
<li>fix(deps): update dependency yaml to v2.4.4 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2135">tj-actions/changed-files#2135</a></li>
<li>fix(deps): update dependency yaml to v2.4.5 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2136">tj-actions/changed-files#2136</a></li>
<li>chore(deps): lock file maintenance by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2137">tj-actions/changed-files#2137</a></li>
<li>chore(deps): update typescript-eslint monorepo to v7.13.0 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2138">tj-actions/changed-files#2138</a></li>
<li>chore: Update README.md by <a href="https://github.com/jackton1"><code>@​jackton1</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2139">tj-actions/changed-files#2139</a></li>
<li>chore(deps): update dependency prettier to v3.3.2 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2141">tj-actions/changed-files#2141</a></li>
<li>chore(deps): update dependency ts-jest to v29.1.5 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2142">tj-actions/changed-files#2142</a></li>
<li>chore(deps): lock file maintenance by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2143">tj-actions/changed-files#2143</a></li>
<li>chore(deps): update typescript-eslint monorepo to v7.13.1 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2144">tj-actions/changed-files#2144</a></li>
<li>chore(deps): update dependency <code>@​types/node</code> to v20.14.3 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2145">tj-actions/changed-files#2145</a></li>
<li>chore(deps): update dependency <code>@​types/node</code> to v20.14.4 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2147">tj-actions/changed-files#2147</a></li>
<li>chore(deps): update dependency <code>@​types/node</code> to v20.14.5 by <a href="https://github.com/renovate"><code>@​renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/2149">tj-actions/changed-files#2149</a></li>
</ul>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/tj-actions/changed-files/blob/main/HISTORY.md">tj-actions/changed-files's changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h1><a href="https://github.com/tj-actions/changed-files/compare/v44.5.4...v44.5.5">44.5.5</a> - (2024-06-24)</h1>
<h2>⚙️ Miscellaneous Tasks</h2>
<ul>
<li>Remove debug lines (<a href="https://redirect.github.com/tj-actions/changed-files/issues/2166">#2166</a>) (<a href="https://github.com/tj-actions/changed-files/commit/cc733854b1f224978ef800d29e4709d5ee2883e4">cc73385</a>)  - (Tonye Jack)</li>
</ul>
<h2>⬆️ Upgrades</h2>
<ul>
<li>Upgraded to v44.5.4 (<a href="https://redirect.github.com/tj-actions/changed-files/issues/2165">#2165</a>)</li>
</ul>
<p>Co-authored-by: jackton1 <a href="mailto:17484350+jackton1@users.noreply.github.com">17484350+jackton1@users.noreply.github.com</a> (<a href="https://github.com/tj-actions/changed-files/commit/0b99ecfd4efe684550ba7ef222cdf6b36964c890">0b99ecf</a>)  - (tj-actions[bot])</p>
<h1><a href="https://github.com/tj-actions/changed-files/compare/v44.5.3...v44.5.4">44.5.4</a> - (2024-06-23)</h1>
<h2>🐛 Bug Fixes</h2>
<ul>
<li>Error using since_last_remote_commit with the first PR commit (<a href="https://redirect.github.com/tj-actions/changed-files/issues/2163">#2163</a>) (<a href="https://github.com/tj-actions/changed-files/commit/cc3bbb0c526f8ee1d282f8c5f9f4e50745a5b457">cc3bbb0</a>)  - (Tonye Jack)</li>
<li><strong>deps:</strong> Update dependency <code>@​octokit/rest</code> to v21 (<a href="https://redirect.github.com/tj-actions/changed-files/issues/2158">#2158</a>) (<a href="https://github.com/tj-actions/changed-files/commit/7891350b8e5530e6284113b15f753f9673276d1c">7891350</a>)  - (renovate[bot])</li>
</ul>
<h2>⚙️ Miscellaneous Tasks</h2>
<ul>
<li><strong>deps:</strong> Update dependency <code>@​types/node</code> to v20.14.8 (<a href="https://github.com/tj-actions/changed-files/commit/373db58d9d98a3002e86f6881421378d7be4de26">373db58</a>)  - (renovate[bot])</li>
<li><strong>deps-dev:</strong> Bump <code>@​types/uuid</code> from 9.0.8 to 10.0.0 (<a href="https://redirect.github.com/tj-actions/changed-files/issues/2160">#2160</a>) (<a href="https://github.com/tj-actions/changed-files/commit/9161a8dcde05a2a3b845745c47574885a33fd5e5">9161a8d</a>)  - (dependabot[bot])</li>
<li><strong>deps:</strong> Update dependency <code>@​types/node</code> to v20.14.7 (<a href="https://github.com/tj-actions/changed-files/commit/457e041909e8e6db7872dbc85f43d3fea4a72f72">457e041</a>)  - (renovate[bot])</li>
</ul>
<h2>⬆️ Upgrades</h2>
<ul>
<li>Upgraded to v44.5.3 (<a href="https://redirect.github.com/tj-actions/changed-files/issues/2154">#2154</a>)</li>
</ul>
<p>Co-authored-by: jackton1 <a href="mailto:17484350+jackton1@users.noreply.github.com">17484350+jackton1@users.noreply.github.com</a> (<a href="https://github.com/tj-actions/changed-files/commit/e13fb92d451df65cea1041a85dd4a3b24153d155">e13fb92</a>)  - (tj-actions[bot])</p>
<h1><a href="https://github.com/tj-actions/changed-files/compare/v44.5.2...v44.5.3">44.5.3</a> - (2024-06-19)</h1>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>deps:</strong> Update dependency yaml to v2.4.5 (<a href="https://github.com/tj-actions/changed-files/commit/57a81a39f3c336e860a2312a2487a8a2e6d495ce">57a81a3</a>)  - (renovate[bot])</li>
<li><strong>deps:</strong> Update dependency yaml to v2.4.4 (<a href="https://github.com/tj-actions/changed-files/commit/3de07763cf5f7eb991d59ca7894be8df0f36c80c">3de0776</a>)  - (renovate[bot])</li>
<li><strong>deps:</strong> Update dependency yaml to v2.4.3 (<a href="https://redirect.github.com/tj-actions/changed-files/issues/2120">#2120</a>) (<a href="https://github.com/tj-actions/changed-files/commit/60268df189b72237cfcbe6ec2937367ef2b2b75d">60268df</a>)  - (renovate[bot])</li>
</ul>
<h2>➕ Add</h2>
<ul>
<li>Added missing changes and modified dist assets.
(<a href="https://github.com/tj-actions/changed-files/commit/2972fe4d6b07bd6de22186555c2046a94a3aa302">2972fe4</a>)  - (GitHub Action)</li>
<li>Added missing changes and modified dist assets.
(<a href="https://github.com/tj-actions/changed-files/commit/1d8732f877032fb30b668e90ed6e4256ce87e263">1d8732f</a>)  - (GitHub Action)</li>
</ul>
<h2>⚙️ Miscellaneous Tasks</h2>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/tj-actions/changed-files/commit/cc733854b1f224978ef800d29e4709d5ee2883e4"><code>cc73385</code></a> chore: remove debug lines (<a href="https://redirect.github.com/tj-actions/changed-files/issues/2166">#2166</a>)</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/0b99ecfd4efe684550ba7ef222cdf6b36964c890"><code>0b99ecf</code></a> Upgraded to v44.5.4 (<a href="https://redirect.github.com/tj-actions/changed-files/issues/2165">#2165</a>)</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/cc3bbb0c526f8ee1d282f8c5f9f4e50745a5b457"><code>cc3bbb0</code></a> fix: error using since_last_remote_commit with the first PR commit (<a href="https://redirect.github.com/tj-actions/changed-files/issues/2163">#2163</a>)</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/373db58d9d98a3002e86f6881421378d7be4de26"><code>373db58</code></a> chore(deps): update dependency <code>@​types/node</code> to v20.14.8</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/9161a8dcde05a2a3b845745c47574885a33fd5e5"><code>9161a8d</code></a> chore(deps-dev): bump <code>@​types/uuid</code> from 9.0.8 to 10.0.0 (<a href="https://redirect.github.com/tj-actions/changed-files/issues/2160">#2160</a>)</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/e13fb92d451df65cea1041a85dd4a3b24153d155"><code>e13fb92</code></a> Upgraded to v44.5.3 (<a href="https://redirect.github.com/tj-actions/changed-files/issues/2154">#2154</a>)</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/7891350b8e5530e6284113b15f753f9673276d1c"><code>7891350</code></a> fix(deps): update dependency <code>@​octokit/rest</code> to v21 (<a href="https://redirect.github.com/tj-actions/changed-files/issues/2158">#2158</a>)</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/457e041909e8e6db7872dbc85f43d3fea4a72f72"><code>457e041</code></a> chore(deps): update dependency <code>@​types/node</code> to v20.14.7</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/eaf854ef0c266753e1abec356dcf17d92695b251"><code>eaf854e</code></a> chore(deps): update dependency <code>@​types/node</code> to v20.14.6</li>
<li><a href="https://github.com/tj-actions/changed-files/commit/681bf9250661435d933b9a002c1e488cb0b36392"><code>681bf92</code></a> chore(deps): update peter-evans/create-pull-request action to v6.1.0</li>
<li>Additional commits viewable in <a href="https://github.com/tj-actions/changed-files/compare/d6babd6899969df1a11d14c368283ea4436bca78...cc733854b1f224978ef800d29e4709d5ee2883e4">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=tj-actions/changed-files&package-manager=github_actions&previous-version=44.5.2&new-version=44.5.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


</details>

Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.

…e docs (#30685)

Remove unnecessary `for more details` which break the formatting from the `@see` docs.

<img width="740" alt="スクリーンショット 2024-06-27 1 37 03" src="https://github.com/aws/aws-cdk/assets/13781813/9595aaf1-6345-4b07-9e70-c7e0a532a888">

Ref:
* https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_codebuild.Project.html#subnetselection
* https://docs.aws.amazon.com/cdk/api/v2/docs/@aws-cdk_aws-apprunner-alpha.ImageRepository.html#imageidentifierspan-classapi-icon-api-icon-experimental-titlethis-api-element-is-experimental-it-may-change-without-noticespan

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

None

### Reason for this change

Deployment group supports a termination hook for EC2 compute type but CDK L2 construct does not support this.

### Description of changes

Added `terminationHook` to `ServerDeploymentGroupProps`

```ts
    new codedeploy.ServerDeploymentGroup(stack, 'DeploymentGroup', {
      autoScalingGroups: [
        new autoscaling.AutoScalingGroup(stack, 'ASG', {
          instanceType: ec2.InstanceType.of(ec2.InstanceClass.STANDARD3, ec2.InstanceSize.SMALL),
          machineImage: new ec2.AmazonLinuxImage(),
          vpc: new ec2.Vpc(stack, 'VPC'),
        }),
      ],
      terminationHook: true, // add
    });
```

### Description of how you validated changes

Added both unit and integ tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

None

### Reason for this change

Update the CDK RDS engine versions to match the current availability, as well as facilitate automated alerts for updates in the future

### Description of changes

* Added missing engine version for all RDS engines
* Added missing `@deprecated` TSDoc tags


### Description of how you validated changes

The available versions were compared to live AWS API data. See #29422 for more details.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable) N/A

### Reason for this change
Update issue-label-assign.yml to add `aws-location-alpha`.

### Description of changes
Update issue-label-assign.yml to add `aws-location-alpha`.

### Description of how you validated changes

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ations (under feature flag) (#30610)

### Issue # (if applicable)

Closes #28915 

### Reason for this change

Fix to address the issues deleting the existing S3 event notifications and adding new event notifications on top of existing notifications.

### Description of changes
We fixed the hashing logic used to identify old vs external S3 event notifications

### Description of how you validated changes
Manually tested, integration and unit tested the changes

yes
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Add missing models.

```ts
ai21.j2-ultra-v1:0:8k
ai21.jamba-instruct-v1:0
amazon.titan-embed-text-v2:0:8k
anthropic.claude-3-5-sonnet-20240620-v1:0
cohere.embed-english-v3:0:512
cohere.embed-multilingual-v3:0:512
mistral.mistral-small-2402-v1:0
```

Also, fix typo.
`ccohere.command-r-v1:0` -> `cohere.command-r-v1:0`


Ref:
* https://docs.aws.amazon.com/bedrock/latest/userguide/model-ids.html

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

Closes #28778.

### Reason for this change

There are issues with SSM `StringParameter` where the parameter ARN would have missing `/` or duplicate `/` depending on the setup of `simpleName` with unresolved tokens in the parameter name.

### Description of changes

Update README and docstring to explain to users when and how to correctly use `simpleName` parameter.

### Description of how you validated changes

No code changes made.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Reverts #29708 due to #30669

Closes #30669

### Issue # (if applicable)

Closes #22640.

### Reason for this change

Customers could not imported S3 bucket that has a legacy name (contains underscore in the name) and use it in CDK Apps.

### Description of changes

This change allowed customer to use S3 buckets legacy names for only the imported S3 buckets, but not for the new ones.

### Description of how you validated changes

Added unit test cases, and integration test cases.

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This PR introduces [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) support.

Amazon EKS introduced [IRSA](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/) in 2019 for fine grained iam roles service accounts support. In aws-eks, we have ServiceAccount construct that implements IRSA under the hood and creates [OpenIdConnectProvider](https://github.com/aws/aws-cdk/blob/b196b13b0b8a54dcacadf87fdbe744772a6e6c4d/packages/aws-cdk-lib/aws-eks/lib/oidc-provider.ts#L36) for the cluster. In 2023, Amazon EKS [introduced](https://aws.amazon.com/blogs/containers/amazon-eks-pod-identity-a-new-way-for-applications-on-eks-to-obtain-iam-credentials/) EKS Pod Identities as a new way for applications on EKS to obtain IAM credentials.

This PR introduces a new `identityType` prop for ServiceAccount to allow users to opt in the EKS Pod Identities. When you opt in `POD_IDENTITY`:

1. `ServiceAccount` would NOT create any [OpenIdConnectProvider](https://github.com/aws/aws-cdk/blob/b196b13b0b8a54dcacadf87fdbe744772a6e6c4d/packages/aws-cdk-lib/aws-eks/lib/oidc-provider.ts#L36).
2. An IAM role with trust policy for `pods.eks.amazonaws.com` service principal would be created.
3. EKS Pod Identity Agent for the cluster would be provisioned as an `Addon` if not exist.
4. `CfnPodIdentityAssociation` would be created for the role and service account.

### Sample

```ts
declare const cluster: eks.Cluster;

new eks.ServiceAccount(this, 'ServiceAccount', {
  cluster,
  name: 'test-sa',
  namespace: 'default',
  identityType: eks.IdentityType.POD_IDENTITY,
});

// deploy a sample pod
const pod = cluster.addManifest('demopod', {
  apiVersion: 'v1',
  kind: 'Pod',
  metadata: { name: 'demo' },
  spec: {
    serviceAccountName: sa.serviceAccountName,
    containers: [
      {
        name: 'demo',
        image: 'public.ecr.aws/amazonlinux/amazonlinux:2023',
        command: ['/bin/bash', '-c', 'yum update -y && yum install -y awscli && aws sts get-caller-identity'],
      },
    ],
  },
});
pod.node.addDependency(sa);
```

### Todo Checklist

- [x] Addon L2 construct
- [x] Update ServiceAccount construct
- [x] unit tests
- [x] integ test(s)
- [x] update README

### Callout

1. According to the [doc](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-association.html#pod-id-association-create), the assume role policy of the role is having both `sts:AssumeRole` and `sts:TagSession` but the iam.Role construct only allows `sts:AssumeRole` assumeRoleAction and no way to [customize](https://github.com/aws/aws-cdk/blob/b196b13b0b8a54dcacadf87fdbe744772a6e6c4d/packages/aws-cdk-lib/aws-iam/lib/role.ts#L373) it on Role creation. 
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEksAuthToAssumeRoleForPodIdentity",
            "Effect": "Allow",
            "Principal": {
                "Service": "pods.eks.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession"
            ]
        }
    ]
}
```

As a workaround, this PR `assumeRolePolicy.addStatements()` to create a new statement for the assumeRolePolicy. Definitely should improve this if we have a better solution.

```ts
role.assumeRolePolicy!.addStatements(new PolicyStatement({
        actions: ['sts:AssumeRole', 'sts:TagSession'],
        principals: [new ServicePrincipal('pods.eks.amazonaws.com')],
      }));
```

2. We should scope down the trust policy with conditions for `sts:TagSession` but it's not clear to me what is the recommended conditions for that. Need to discuss with EKS team. Per [doc](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-association.html) describes:

>EKS Pod Identity uses TagSession to include session tags in the requests to AWS STS.
You can use these tags in the condition keys in the trust policy to restrict which service accounts, namespaces, and clusters can use this role.
>For a list of Amazon EKS condition keys, see [Conditions defined by Amazon Elastic Kubernetes Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-policy-keys) in the Service Authorization Reference. To learn which actions and resources you can use a condition key with, see [Actions defined by Amazon Elastic Kubernetes Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelastickubernetesservice.html#amazonelastickubernetesservice-actions-as-permissions).


### Issue # (if applicable)

Closes #30519 

### Reason for this change

Allow users to opt in EKS Pod Identities.

### Description of changes



### Description of how you validated changes

Unit tests and integ test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

Closes #30270.

### Reason for this change
Lambda Function target is not supported yet by pipes-targets.


### Description of changes
- Added LambdaFunction as a pipes target.
- Default LambdaFunctionInvocationType to `LambdaFunctionInvocationType.REQUEST_RESPONSE`
- Allowed grant Invoke on Lambda by Pipes


### Description of how you validated changes



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

… notifications (under feature flag) (#30699)

Reverts #30610 due to Feature flags issues

### Issue # (if applicable)

None.

### Reason for this change

https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versionsx86-64.html
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versionsARM.html

### Description of changes

- adding region
   - ap-southeast-4
   - il-central-1
- adding version
   * Version 1.0.273.0
   * Version 1.0.275.0
   * Version 1.0.295.0
   * Version 1.0.317.0

### Description of how you validated changes

no

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

I saw these errors when working on #30696.

Automated changes by [create-pull-request](https://github.com/peter-evans/create-pull-request) GitHub action

Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`

**L1 CloudFormation resource definition changes:**
```
├[~] service aws-applicationsignals
│ └ resources
│    └[~] resource AWS::ApplicationSignals::ServiceLevelObjective
│      ├  - documentation: Resource Type definition for AWS::ApplicationSignals::ServiceLevelObjective
│      │  + documentation: Creates or updates a service level objective (SLO), which can help you ensure that your critical business operations are meeting customer expectations. Use SLOs to set and track specific target levels for the reliability and availability of your applications and services. SLOs use service level indicators (SLIs) to calculate whether the application is performing at the level that you want.
│      │  Create an SLO to set a target for a service or operation’s availability or latency. CloudWatch measures this target frequently you can find whether it has been breached.
│      │  When you create an SLO, you set an *attainment goal* for it. An *attainment goal* is the ratio of good periods that meet the threshold requirements to the total periods within the interval. For example, an attainment goal of 99.9% means that within your interval, you are targeting 99.9% of the periods to be in healthy state.
│      │  After you have created an SLO, you can retrieve error budget reports for it. An *error budget* is the number of periods or amount of time that your service can accumulate during an interval before your overall SLO budget health is breached and the SLO is considered to be unmet. for example, an SLO with a threshold that 99.95% of requests must be completed under 2000ms every month translates to an error budget of 21.9 minutes of downtime per month.
│      │  When you call this operation, Application Signals creates the *AWSServiceRoleForCloudWatchApplicationSignals* service-linked role, if it doesn't already exist in your account. This service- linked role has the following permissions:
│      │  - `xray:GetServiceGraph`
│      │  - `logs:StartQuery`
│      │  - `logs:GetQueryResults`
│      │  - `cloudwatch:GetMetricData`
│      │  - `cloudwatch:ListMetrics`
│      │  - `tag:GetResources`
│      │  - `autoscaling:DescribeAutoScalingGroups`
│      │  You can easily set SLO targets for your applications that are discovered by Application Signals, using critical metrics such as latency and availability. You can also set SLOs against any CloudWatch metric or math expression that produces a time series.
│      │  For more information about SLOs, see [Service level objectives (SLOs)](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-ServiceLevelObjectives.html) .
│      ├ properties
│      │  ├ Description: (documentation changed)
│      │  ├ Goal: (documentation changed)
│      │  ├ Name: (documentation changed)
│      │  ├ Sli: (documentation changed)
│      │  └ Tags: (documentation changed)
│      ├ attributes
│      │  ├ CreatedTime: (documentation changed)
│      │  └ LastUpdatedTime: (documentation changed)
│      └ types
│         ├[~] type CalendarInterval
│         │ └ properties
│         │    ├ Duration: (documentation changed)
│         │    └ StartTime: (documentation changed)
│         ├[~] type Dimension
│         │ ├  - documentation: A dimension is a name/value pair that is part of the identity of a metric. Because dimensions are part of the unique identifier for a metric, whenever you add a unique name/value pair to one of your metrics, you are creating a new variation of that metric. For example, many Amazon EC2 metrics publish `InstanceId` as a dimension name, and the actual instance ID as the value for that dimension. You can assign up to 30 dimensions to a metric.
│         │ │  + documentation: A dimension is a name/value pair that is part of the identity of a metric. Because dimensions are part of the unique identifier for a metric, whenever you add a unique name/value pair to one of your metrics, you are creating a new variation of that metric. For example, many Amazon EC2 metrics publish `InstanceId` as a dimension name, and the actual instance ID as the value for that dimension.
│         │ │  You can assign up to 30 dimensions to a metric.
│         │ └ properties
│         │    ├ Name: (documentation changed)
│         │    └ Value: (documentation changed)
│         ├[~] type Goal
│         │ ├  - documentation: A structure that contains the attributes that determine the goal of the SLO. This includes the time period for evaluation and the attainment threshold.
│         │ │  + documentation: This structure contains the attributes that determine the goal of an SLO. This includes the time period for evaluation and the attainment threshold.
│         │ └ properties
│         │    ├ AttainmentGoal: (documentation changed)
│         │    └ Interval: (documentation changed)
│         ├[~] type Interval
│         │ ├  - documentation: The time period used to evaluate the SLO. It can be either a calendar interval or rolling interval.
│         │ │  If you omit this parameter, a rolling interval of 7 days is used.
│         │ │  + documentation: The time period used to evaluate the SLO. It can be either a calendar interval or rolling interval.
│         │ └ properties
│         │    ├ CalendarInterval: (documentation changed)
│         │    └ RollingInterval: (documentation changed)
│         ├[~] type Metric
│         │ ├  - documentation: This structure defines the metric used for a service level indicator, including the metric name, namespace, and dimensions.
│         │ │  + documentation: This structure defines the metric used for a service level indicator, including the metric name, namespace, and dimensions
│         │ └ properties
│         │    ├ Dimensions: (documentation changed)
│         │    └ Namespace: (documentation changed)
│         ├[~] type MetricDataQuery
│         │ ├  - documentation: Use this structure to define a metric or metric math expression that you want to use as for a service level objective.
│         │ │  Each `MetricDataQuery` in the `MetricDataQueries` array specifies either a metric to retrieve, or a metric math expression to be performed on retrieved metrics. A single `MetricDataQueries` array can include as many as 20 `MetricDataQuery` structures in the array. The 20 structures can include as many as 10 structures that contain a `MetricStat` parameter to retrieve a metric, and as many as 10 structures that contain the `Expression` parameter to perform a math expression. Of those Expression structures, exactly one must have true as the value for `ReturnData`. The result of this expression used for the SLO.
│         │ │  + documentation: Use this structure to define a metric or metric math expression that you want to use as for a service level objective.
│         │ │  Each `MetricDataQuery` in the `MetricDataQueries` array specifies either a metric to retrieve, or a metric math expression to be performed on retrieved metrics. A single `MetricDataQueries` array can include as many as 20 `MetricDataQuery` structures in the array. The 20 structures can include as many as 10 structures that contain a `MetricStat` parameter to retrieve a metric, and as many as 10 structures that contain the `Expression` parameter to perform a math expression. Of those `Expression` structures, exactly one must have true as the value for `ReturnData` . The result of this expression used for the SLO.
│         │ │  For more information about metric math expressions, see [Use metric math](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/using-metric-math.html) .
│         │ │  Within each `MetricDataQuery` object, you must specify either `Expression` or `MetricStat` but not both.
│         │ └ properties
│         │    ├ AccountId: (documentation changed)
│         │    ├ Expression: (documentation changed)
│         │    ├ Id: (documentation changed)
│         │    ├ MetricStat: (documentation changed)
│         │    └ ReturnData: (documentation changed)
│         ├[~] type MetricStat
│         │ ├  - documentation: A metric to be used directly for the SLO, or to be used in the math expression that will be used for the SLO. Within one MetricDataQuery object, you must specify either Expression or MetricStat but not both.
│         │ │  + documentation: This structure defines the metric to be used as the service level indicator, along with the statistics, period, and unit.
│         │ └ properties
│         │    ├ Metric: (documentation changed)
│         │    ├ Period: (documentation changed)
│         │    ├ Stat: (documentation changed)
│         │    └ Unit: (documentation changed)
│         ├[~] type RollingInterval
│         │ ├  - documentation: If the interval is a calendar interval, this structure contains the interval specifications.
│         │ │  + documentation: If the interval for this SLO is a rolling interval, this structure contains the interval specifications.
│         │ └ properties
│         │    ├ Duration: (documentation changed)
│         │    └ DurationUnit: (documentation changed)
│         ├[~] type Sli
│         │ ├  - documentation: This structure contains information about the performance metric that an SLO monitors.
│         │ │  + documentation: This structure specifies the information about the service and the performance metric that an SLO is to monitor.
│         │ └ properties
│         │    ├ ComparisonOperator: (documentation changed)
│         │    └ SliMetric: (documentation changed)
│         └[~] type SliMetric
│           ├  - documentation: A structure that contains information about the metric that the SLO monitors.
│           │  + documentation: Use this structure to specify the metric to be used for the SLO.
│           └ properties
│              ├ KeyAttributes: (documentation changed)
│              ├ MetricDataQueries: (documentation changed)
│              ├ MetricType: (documentation changed)
│              ├ OperationName: (documentation changed)
│              └ Statistic: (documentation changed)
├[~] service aws-apptest
│ └ resources
│    └[~] resource AWS::AppTest::TestCase
│      ├  - documentation: Represents a Test Case that can be captured and executed
│      │  + documentation: Creates a test case for an application.
│      │  For more information about test cases, see [Test cases](https://docs.aws.amazon.com/m2/latest/userguide/testing-test-cases.html) and [Application Testing concepts](https://docs.aws.amazon.com/m2/latest/userguide/concepts-apptest.html) in the *AWS Mainframe Modernization User Guide* .
│      ├ properties
│      │  ├ Description: (documentation changed)
│      │  ├ Name: (documentation changed)
│      │  ├ Steps: (documentation changed)
│      │  └ Tags: (documentation changed)
│      ├ attributes
│      │  ├ CreationTime: (documentation changed)
│      │  ├ LastUpdateTime: (documentation changed)
│      │  ├ Status: (documentation changed)
│      │  ├ TestCaseArn: (documentation changed)
│      │  ├ TestCaseId: (documentation changed)
│      │  └ TestCaseVersion: (documentation changed)
│      └ types
│         ├[~] type Batch
│         │ ├  - documentation: undefined
│         │ │  + documentation: Defines a batch.
│         │ └ properties
│         │    ├ BatchJobName: (documentation changed)
│         │    ├ BatchJobParameters: (documentation changed)
│         │    └ ExportDataSetNames: (documentation changed)
│         ├[~] type CloudFormationAction
│         │ ├  - documentation: undefined
│         │ │  + documentation: Specifies the CloudFormation action.
│         │ └ properties
│         │    ├ ActionType: (documentation changed)
│         │    └ Resource: (documentation changed)
│         ├[~] type CompareAction
│         │ ├  - documentation: undefined
│         │ │  + documentation: Compares the action.
│         │ └ properties
│         │    ├ Input: (documentation changed)
│         │    └ Output: (documentation changed)
│         ├[~] type DatabaseCDC
│         │ ├  - documentation: undefined
│         │ │  + documentation: Defines the Change Data Capture (CDC) of the database.
│         │ └ properties
│         │    ├ SourceMetadata: (documentation changed)
│         │    └ TargetMetadata: (documentation changed)
│         ├[~] type DataSet
│         │ ├  - documentation: undefined
│         │ │  + documentation: Defines a data set.
│         │ └ properties
│         │    ├ Ccsid: (documentation changed)
│         │    ├ Format: (documentation changed)
│         │    ├ Length: (documentation changed)
│         │    ├ Name: (documentation changed)
│         │    └ Type: (documentation changed)
│         ├[~] type FileMetadata
│         │ ├  - documentation: undefined
│         │ │  + documentation: Specifies a file metadata.
│         │ └ properties
│         │    ├ DatabaseCDC: (documentation changed)
│         │    └ DataSets: (documentation changed)
│         ├[~] type Input
│         │ ├  - documentation: undefined
│         │ │  + documentation: Specifies the input.
│         │ └ properties
│         │    └ File: (documentation changed)
│         ├[~] type InputFile
│         │ ├  - documentation: undefined
│         │ │  + documentation: Specifies the input file.
│         │ └ properties
│         │    ├ FileMetadata: (documentation changed)
│         │    ├ SourceLocation: (documentation changed)
│         │    └ TargetLocation: (documentation changed)
│         ├[~] type M2ManagedActionProperties
│         │ ├  - documentation: undefined
│         │ │  + documentation: Specifies the AWS Mainframe Modernization managed action properties.
│         │ └ properties
│         │    ├ ForceStop: (documentation changed)
│         │    └ ImportDataSetLocation: (documentation changed)
│         ├[~] type M2ManagedApplicationAction
│         │ ├  - documentation: undefined
│         │ │  + documentation: Specifies the AWS Mainframe Modernization managed application action.
│         │ └ properties
│         │    ├ ActionType: (documentation changed)
│         │    ├ Properties: (documentation changed)
│         │    └ Resource: (documentation changed)
│         ├[~] type M2NonManagedApplicationAction
│         │ ├  - documentation: undefined
│         │ │  + documentation: Specifies the AWS Mainframe Modernization non-managed application action.
│         │ └ properties
│         │    ├ ActionType: (documentation changed)
│         │    └ Resource: (documentation changed)
│         ├[~] type MainframeAction
│         │ ├  - documentation: undefined
│         │ │  + documentation: Specifies the mainframe action.
│         │ └ properties
│         │    ├ ActionType: (documentation changed)
│         │    ├ Properties: (documentation changed)
│         │    └ Resource: (documentation changed)
│         ├[~] type MainframeActionProperties
│         │ ├  - documentation: undefined
│         │ │  + documentation: Specifies the mainframe action properties.
│         │ └ properties
│         │    └ DmsTaskArn: (documentation changed)
│         ├[~] type MainframeActionType
│         │ ├  - documentation: undefined
│         │ │  + documentation: Specifies the mainframe action type.
│         │ └ properties
│         │    ├ Batch: (documentation changed)
│         │    └ Tn3270: (documentation changed)
│         ├[~] type Output
│         │ ├  - documentation: undefined
│         │ │  + documentation: Specifies an output.
│         │ └ properties
│         │    └ File: (documentation changed)
│         ├[~] type OutputFile
│         │ ├  - documentation: undefined
│         │ │  + documentation: Specifies an output file.
│         │ └ properties
│         │    └ FileLocation: (documentation changed)
│         ├[~] type ResourceAction
│         │ ├  - documentation: undefined
│         │ │  + documentation: Specifies a resource action.
│         │ └ properties
│         │    ├ CloudFormationAction: (documentation changed)
│         │    ├ M2ManagedApplicationAction: (documentation changed)
│         │    └ M2NonManagedApplicationAction: (documentation changed)
│         ├[~] type Script
│         │ ├  - documentation: undefined
│         │ │  + documentation: Specifies the script.
│         │ └ properties
│         │    ├ ScriptLocation: (documentation changed)
│         │    └ Type: (documentation changed)
│         ├[~] type SourceDatabaseMetadata
│         │ ├  - documentation: undefined
│         │ │  + documentation: Specifies the source database metadata.
│         │ └ properties
│         │    ├ CaptureTool: (documentation changed)
│         │    └ Type: (documentation changed)
│         ├[~] type Step
│         │ ├  - documentation: undefined
│         │ │  + documentation: Defines a step.
│         │ └ properties
│         │    ├ Action: (documentation changed)
│         │    ├ Description: (documentation changed)
│         │    └ Name: (documentation changed)
│         ├[~] type StepAction
│         │ ├  - documentation: undefined
│         │ │  + documentation: Specifies a step action.
│         │ └ properties
│         │    ├ CompareAction: (documentation changed)
│         │    ├ MainframeAction: (documentation changed)
│         │    └ ResourceAction: (documentation changed)
│         ├[~] type TargetDatabaseMetadata
│         │ ├  - documentation: undefined
│         │ │  + documentation: Specifies a target database metadata.
│         │ └ properties
│         │    ├ CaptureTool: (documentation changed)
│         │    └ Type: (documentation changed)
│         ├[~] type TestCaseLatestVersion
│         │ ├  - documentation: undefined
│         │ │  + documentation: Specifies the latest version of a test case.
│         │ └ properties
│         │    ├ Status: (documentation changed)
│         │    └ Version: (documentation changed)
│         └[~] type TN3270
│           ├  - documentation: undefined
│           │  + documentation: Specifies the TN3270 protocol.
│           └ properties
│              ├ ExportDataSetNames: (documentation changed)
│              └ Script: (documentation changed)
├[~] service aws-backup
│ └ resources
│    ├[~] resource AWS::Backup::BackupVault
│    │ └ properties
│    │    └ BackupVaultName: (documentation changed)
│    └[~] resource AWS::Backup::RestoreTestingSelection
│      └ types
│         └[~] type ProtectedResourceConditions
│           └  - documentation: The conditions that you define for resources in your restore testing plan using tags.
│              For example, `"StringEquals": { "Key": "aws:ResourceTag/CreatedByCryo", "Value": "true" },` . Condition operators are case sensitive.
│              + documentation: The conditions that you define for resources in your restore testing plan using tags.
├[~] service aws-bedrock
│ └ resources
│    └[~] resource AWS::Bedrock::Agent
│      ├ properties
│      │  └[+] GuardrailConfiguration: GuardrailConfiguration
│      └ types
│         └[+] type GuardrailConfiguration
│           ├  documentation: Configuration information for a guardrail that you use with the `Converse` action.
│           │  name: GuardrailConfiguration
│           └ properties
│              ├GuardrailIdentifier: string
│              └GuardrailVersion: string
├[~] service aws-cloudtrail
│ └ resources
│    └[~] resource AWS::CloudTrail::Trail
│      ├ properties
│      │  ├ CloudWatchLogsLogGroupArn: (documentation changed)
│      │  └ CloudWatchLogsRoleArn: (documentation changed)
│      └ types
│         └[~] type DataResource
│           ├  - documentation: Data events provide information about the resource operations performed on or within a resource itself. These are also known as data plane operations. You can specify up to 250 data resources for a trail.
│           │  Configure the `DataResource` to specify the resource type and resource ARNs for which you want to log data events.
│           │  You can specify the following resource types in your event selectors for your trail:
│           │  - `AWS::DynamoDB::Table`
│           │  - `AWS::Lambda::Function`
│           │  - `AWS::S3::Object`
│           │  > The total number of allowed data resources is 250. This number can be distributed between 1 and 5 event selectors, but the total cannot exceed 250 across all selectors for the trail.
│           │  > 
│           │  > If you are using advanced event selectors, the maximum total number of values for all conditions, across all advanced event selectors for the trail, is 500. 
│           │  The following example demonstrates how logging works when you configure logging of all data events for an S3 bucket named `bucket-1` . In this example, the CloudTrail user specified an empty prefix, and the option to log both `Read` and `Write` data events.
│           │  - A user uploads an image file to `bucket-1` .
│           │  - The `PutObject` API operation is an Amazon S3 object-level API. It is recorded as a data event in CloudTrail. Because the CloudTrail user specified an S3 bucket with an empty prefix, events that occur on any object in that bucket are logged. The trail processes and logs the event.
│           │  - A user uploads an object to an Amazon S3 bucket named `arn:aws:s3:::bucket-2` .
│           │  - The `PutObject` API operation occurred for an object in an S3 bucket that the CloudTrail user didn't specify for the trail. The trail doesn’t log the event.
│           │  The following example demonstrates how logging works when you configure logging of AWS Lambda data events for a Lambda function named *MyLambdaFunction* , but not for all Lambda functions.
│           │  - A user runs a script that includes a call to the *MyLambdaFunction* function and the *MyOtherLambdaFunction* function.
│           │  - The `Invoke` API operation on *MyLambdaFunction* is an Lambda API. It is recorded as a data event in CloudTrail. Because the CloudTrail user specified logging data events for *MyLambdaFunction* , any invocations of that function are logged. The trail processes and logs the event.
│           │  - The `Invoke` API operation on *MyOtherLambdaFunction* is an Lambda API. Because the CloudTrail user did not specify logging data events for all Lambda functions, the `Invoke` operation for *MyOtherLambdaFunction* does not match the function specified for the trail. The trail doesn’t log the event.
│           │  + documentation: Data events provide information about the resource operations performed on or within a resource itself. These are also known as data plane operations. You can specify up to 250 data resources for a trail.
│           │  Configure the `DataResource` to specify the resource type and resource ARNs for which you want to log data events.
│           │  You can specify the following resource types in your event selectors for your trail:
│           │  - `AWS::DynamoDB::Table`
│           │  - `AWS::Lambda::Function`
│           │  - `AWS::S3::Object`
│           │  > The total number of allowed data resources is 250. This number can be distributed between 1 and 5 event selectors, but the total cannot exceed 250 across all selectors for the trail.
│           │  > 
│           │  > If you are using advanced event selectors, the maximum total number of values for all conditions, across all advanced event selectors for the trail, is 500. 
│           │  The following example demonstrates how logging works when you configure logging of all data events for an S3 bucket named `DOC-EXAMPLE-BUCKET1` . In this example, the CloudTrail user specified an empty prefix, and the option to log both `Read` and `Write` data events.
│           │  - A user uploads an image file to `DOC-EXAMPLE-BUCKET1` .
│           │  - The `PutObject` API operation is an Amazon S3 object-level API. It is recorded as a data event in CloudTrail. Because the CloudTrail user specified an S3 bucket with an empty prefix, events that occur on any object in that bucket are logged. The trail processes and logs the event.
│           │  - A user uploads an object to an Amazon S3 bucket named `arn:aws:s3:::DOC-EXAMPLE-BUCKET1` .
│           │  - The `PutObject` API operation occurred for an object in an S3 bucket that the CloudTrail user didn't specify for the trail. The trail doesn’t log the event.
│           │  The following example demonstrates how logging works when you configure logging of AWS Lambda data events for a Lambda function named *MyLambdaFunction* , but not for all Lambda functions.
│           │  - A user runs a script that includes a call to the *MyLambdaFunction* function and the *MyOtherLambdaFunction* function.
│           │  - The `Invoke` API operation on *MyLambdaFunction* is an Lambda API. It is recorded as a data event in CloudTrail. Because the CloudTrail user specified logging data events for *MyLambdaFunction* , any invocations of that function are logged. The trail processes and logs the event.
│           │  - The `Invoke` API operation on *MyOtherLambdaFunction* is an Lambda API. Because the CloudTrail user did not specify logging data events for all Lambda functions, the `Invoke` operation for *MyOtherLambdaFunction* does not match the function specified for the trail. The trail doesn’t log the event.
│           └ properties
│              └ Values: (documentation changed)
├[~] service aws-codeartifact
│ └ resources
│    ├[~] resource AWS::CodeArtifact::Domain
│    │ └ properties
│    │    └ EncryptionKey: (documentation changed)
│    └[~] resource AWS::CodeArtifact::Repository
│      └ properties
│         └ DomainOwner: (documentation changed)
├[~] service aws-codebuild
│ └ resources
│    └[~] resource AWS::CodeBuild::Project
│      └ types
│         ├[~] type ProjectTriggers
│         │ └ properties
│         │    └[+] ScopeConfiguration: ScopeConfiguration
│         ├[+] type ScopeConfiguration
│         │ ├  name: ScopeConfiguration
│         │ └ properties
│         │    └Name: string (required)
│         └[~] type WebhookFilter
│           └ properties
│              └ Type: (documentation changed)
├[~] service aws-cognito
│ └ resources
│    ├[~] resource AWS::Cognito::UserPoolClient
│    │ └ properties
│    │    └ DefaultRedirectURI: (documentation changed)
│    └[~] resource AWS::Cognito::UserPoolResourceServer
│      └ attributes
│         └[-] Id: string
├[~] service aws-datasync
│ └ resources
│    └[~] resource AWS::DataSync::Agent
│      └ properties
│         ├ ActivationKey: (documentation changed)
│         ├ AgentName: (documentation changed)
│         └ SubnetArns: (documentation changed)
├[~] service aws-deadline
│ └ resources
│    └[~] resource AWS::Deadline::Monitor
│      └ attributes
│         └ Arn: (documentation changed)
├[~] service aws-dms
│ └ resources
│    └[~] resource AWS::DMS::ReplicationConfig
│      └ attributes
│         └ ReplicationConfigArn: (documentation changed)
├[~] service aws-ec2
│ └ resources
│    ├[~] resource AWS::EC2::EC2Fleet
│    │ ├  - documentation: Specifies the configuration information to launch a fleet--or group--of instances. An EC2 Fleet can launch multiple instance types across multiple Availability Zones, using the On-Demand Instance, Reserved Instance, and Spot Instance purchasing models together. Using EC2 Fleet, you can define separate On-Demand and Spot capacity targets, specify the instance types that work best for your applications, and specify how Amazon EC2 should distribute your fleet capacity within each purchasing model. For more information, see [Launching an EC2 Fleet](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet.html) in the *Amazon EC2 User Guide for Linux Instances* .
│    │ │  + documentation: Specifies the configuration information to launch a fleet--or group--of instances. An EC2 Fleet can launch multiple instance types across multiple Availability Zones, using the On-Demand Instance, Reserved Instance, and Spot Instance purchasing models together. Using EC2 Fleet, you can define separate On-Demand and Spot capacity targets, specify the instance types that work best for your applications, and specify how Amazon EC2 should distribute your fleet capacity within each purchasing model. For more information, see [Launching an EC2 Fleet](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet.html) in the *Amazon EC2 User Guide* .
│    │ └ types
│    │    └[~] type InstanceRequirementsRequest
│    │      └ properties
│    │         └ MaxSpotPriceAsPercentageOfOptimalOnDemandPrice: (documentation changed)
│    ├[~] resource AWS::EC2::Host
│    │ └  - documentation: Allocates a fully dedicated physical server for launching EC2 instances. Because the host is fully dedicated for your use, it can help you address compliance requirements and reduce costs by allowing you to use your existing server-bound software licenses. For more information, see [Dedicated Hosts](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-overview.html) in the *Amazon EC2 User Guide for Linux Instances* .
│    │    + documentation: Allocates a fully dedicated physical server for launching EC2 instances. Because the host is fully dedicated for your use, it can help you address compliance requirements and reduce costs by allowing you to use your existing server-bound software licenses. For more information, see [Dedicated Hosts](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-overview.html) in the *Amazon EC2 User Guide* .
│    ├[~] resource AWS::EC2::Instance
│    │ └ types
│    │    └[~] type ElasticGpuSpecification
│    │      └  - documentation: > Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances. 
│    │         Specifies the type of Elastic GPU. An Elastic GPU is a GPU resource that you can attach to your Amazon EC2 instance to accelerate the graphics performance of your applications. For more information, see [Amazon EC2 Elastic GPUs](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/elastic-graphics.html) in the *Amazon EC2 User Guide for Windows Instances* .
│    │         `ElasticGpuSpecification` is a property of the [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html) resource.
│    │         + documentation: > Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances. 
│    │         Specifies the type of Elastic GPU. An Elastic GPU is a GPU resource that you can attach to your Amazon EC2 instance to accelerate the graphics performance of your applications.
│    │         `ElasticGpuSpecification` is a property of the [AWS::EC2::Instance](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html) resource.
│    ├[~] resource AWS::EC2::InstanceConnectEndpoint
│    │ └ properties
│    │    └ PreserveClientIp: (documentation changed)
│    ├[~] resource AWS::EC2::LaunchTemplate
│    │ └ types
│    │    ├[~] type InstanceRequirements
│    │    │ └ properties
│    │    │    └ MaxSpotPriceAsPercentageOfOptimalOnDemandPrice: (documentation changed)
│    │    └[~] type LaunchTemplateData
│    │      └ properties
│    │         └ UserData: (documentation changed)
│    ├[~] resource AWS::EC2::SecurityGroup
│    │ └ attributes
│    │    ├ GroupId: (documentation changed)
│    │    └ VpcId: (documentation changed)
│    └[~] resource AWS::EC2::SpotFleet
│      └ types
│         ├[~] type InstanceRequirementsRequest
│         │ └ properties
│         │    └ MaxSpotPriceAsPercentageOfOptimalOnDemandPrice: (documentation changed)
│         └[~] type SpotFleetRequestConfigData
│           └ properties
│              └ IamFleetRole: (documentation changed)
├[~] service aws-ecs
│ └ resources
│    ├[~] resource AWS::ECS::Service
│    │ └ types
│    │    ├[~] type LogConfiguration
│    │    │ ├  - documentation: The log configuration for the container. This parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--log-driver` option to [`docker run`](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/commandline/run/) .
│    │    │ │  By default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition. For more information about the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation.
│    │    │ │  Understand the following when specifying a log configuration for your containers.
│    │    │ │  - Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon. Additional log drivers may be available in future releases of the Amazon ECS container agent.
│    │    │ │  For tasks on AWS Fargate , the supported log drivers are `awslogs` , `splunk` , and `awsfirelens` .
│    │    │ │  For tasks hosted on Amazon EC2 instances, the supported log drivers are `awslogs` , `fluentd` , `gelf` , `json-file` , `journald` , `logentries` , `syslog` , `splunk` , and `awsfirelens` .
│    │    │ │  - This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.
│    │    │ │  - For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* .
│    │    │ │  - For tasks that are on AWS Fargate , because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to.
│    │    │ │  + documentation: The log configuration for the container. This parameter maps to `LogConfig` in the [Create a container](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) section of the [Docker Remote API](https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/) and the `--log-driver` option to [`docker run`](https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/commandline/run/) .
│    │    │ │  By default, containers use the same logging driver that the Docker daemon uses. However, the container might use a different logging driver than the Docker daemon by specifying a log driver configuration in the container definition. For more information about the options for different supported log drivers, see [Configure logging drivers](https://docs.aws.amazon.com/https://docs.docker.com/engine/admin/logging/overview/) in the Docker documentation.
│    │    │ │  Understand the following when specifying a log configuration for your containers.
│    │    │ │  - Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon. Additional log drivers may be available in future releases of the Amazon ECS container agent.
│    │    │ │  For tasks on AWS Fargate , the supported log drivers are `awslogs` , `splunk` , and `awsfirelens` .
│    │    │ │  For tasks hosted on Amazon EC2 instances, the supported log drivers are `awslogs` , `fluentd` , `gelf` , `json-file` , `journald` , `syslog` , `splunk` , and `awsfirelens` .
│    │    │ │  - This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.
│    │    │ │  - For tasks that are hosted on Amazon EC2 instances, the Amazon ECS container agent must register the available logging drivers with the `ECS_AVAILABLE_LOGGING_DRIVERS` environment variable before containers placed on that instance can use these log configuration options. For more information, see [Amazon ECS container agent configuration](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html) in the *Amazon Elastic Container Service Developer Guide* .
│    │    │ │  - For tasks that are on AWS Fargate , because you don't have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task. For example, the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to.
│    │    │ └ properties
│    │    │    └ LogDriver: (documentation changed)
│    │    └[~] type ServiceConnectConfiguration
│    │      └ properties
│    │         └ LogConfiguration: (documentation changed)
│    └[~] resource AWS::ECS::TaskDefinition
│      ├ properties
│      │  ├ ExecutionRoleArn: (documentation changed)
│      │  └ TaskRoleArn: (documentation changed)
│      └ types
│         ├[~] type ContainerDefinition
│         │ └ properties
│         │    └ Cpu: (documentation changed)
│         ├[~] type LogConfiguration
│         │ └ properties
│         │    └ LogDriver: (documentation changed)
│         └[~] type Ulimit
│           └  - documentation: The `ulimit` settings to pass to the container.
│              Amazon ECS tasks hosted on AWS Fargate use the default resource limit values set by the operating system with the exception of the `nofile` resource limit parameter which AWS Fargate overrides. The `nofile` resource limit sets a restriction on the number of open files that a container can use. The default `nofile` soft limit is `1024` and the default hard limit is `65535` .
│              You can specify the `ulimit` settings for a container in a task definition.
│              + documentation: The `ulimit` settings to pass to the container.
│              Amazon ECS tasks hosted on AWS Fargate use the default resource limit values set by the operating system with the exception of the `nofile` resource limit parameter which AWS Fargate overrides. The `nofile` resource limit sets a restriction on the number of open files that a container can use. The default `nofile` soft limit is `65535` and the default hard limit is `65535` .
│              You can specify the `ulimit` settings for a container in a task definition.
├[~] service aws-eks
│ └ resources
│    └[~] resource AWS::EKS::Cluster
│      └ properties
│         └[+] BootstrapSelfManagedAddons: boolean (immutable)
├[~] service aws-elasticache
│ └ resources
│    ├[~] resource AWS::ElastiCache::ReplicationGroup
│    │ └ properties
│    │    └ ReplicationGroupId: (documentation changed)
│    ├[~] resource AWS::ElastiCache::ServerlessCache
│    │ └ properties
│    │    ├ DailySnapshotTime: (documentation changed)
│    │    └ SnapshotRetentionLimit: (documentation changed)
│    ├[~] resource AWS::ElastiCache::User
│    │ └ properties
│    │    └ Tags: (documentation changed)
│    └[~] resource AWS::ElastiCache::UserGroup
│      └ properties
│         └ Tags: (documentation changed)
├[~] service aws-emrserverless
│ └ resources
│    └[~] resource AWS::EMRServerless::Application
│      └ types
│         └[~] type WorkerConfiguration
│           └ properties
│              └[+] DiskType: string
├[~] service aws-gamelift
│ └ resources
│    ├[~] resource AWS::GameLift::Build
│    │ └ properties
│    │    └ OperatingSystem: (documentation changed)
│    └[~] resource AWS::GameLift::ContainerGroupDefinition
│      └ properties
│         └ OperatingSystem: (documentation changed)
├[~] service aws-glue
│ └ resources
│    ├[~] resource AWS::Glue::Connection
│    │ └ types
│    │    ├[~] type ConnectionInput
│    │    │ └ properties
│    │    │    ├ ConnectionType: (documentation changed)
│    │    │    ├ Name: (documentation changed)
│    │    │    └ PhysicalConnectionRequirements: (documentation changed)
│    │    └[~] type PhysicalConnectionRequirements
│    │      ├  - documentation: Specifies the physical requirements for a connection.
│    │      │  + documentation: The OAuth client app in GetConnection response.
│    │      └ properties
│    │         └ AvailabilityZone: (documentation changed)
│    └[~] resource AWS::Glue::Job
│      └ properties
│         └ MaintenanceWindow: (documentation changed)
├[~] service aws-grafana
│ └ resources
│    └[~] resource AWS::Grafana::Workspace
│      └ properties
│         ├ AuthenticationProviders: (documentation changed)
│         └ NotificationDestinations: (documentation changed)
├[~] service aws-guardduty
│ └ resources
│    ├[~] resource AWS::GuardDuty::Detector
│    │ ├ attributes
│    │ │  └ Id: (documentation changed)
│    │ └ types
│    │    ├[~] type CFNFeatureConfiguration
│    │    │ └ properties
│    │    │    └ Name: (documentation changed)
│    │    └[~] type TagItem
│    │      └ properties
│    │         ├ Key: (documentation changed)
│    │         └ Value: (documentation changed)
│    ├[~] resource AWS::GuardDuty::Filter
│    │ ├ properties
│    │ │  ├ DetectorId: - string (immutable)
│    │ │  │             + string (required, immutable)
│    │ │  └ Name: - string (immutable)
│    │ │          + string (required, immutable)
│    │ └ types
│    │    ├[~] type FindingCriteria
│    │    │ └ properties
│    │    │    └ Criterion: (documentation changed)
│    │    └[~] type TagItem
│    │      ├  - documentation: undefined
│    │      │  + documentation: Describes a tag.
│    │      └ properties
│    │         ├ Key: (documentation changed)
│    │         └ Value: (documentation changed)
│    ├[~] resource AWS::GuardDuty::IPSet
│    │ └ types
│    │    └[~] type TagItem
│    │      ├  - documentation: undefined
│    │      │  + documentation: Contains information about a tag.
│    │      └ properties
│    │         ├ Key: (documentation changed)
│    │         └ Value: (documentation changed)
│    ├[~] resource AWS::GuardDuty::MalwareProtectionPlan
│    │ ├  - documentation: Resource Type definition for AWS::GuardDuty::MalwareProtectionPlan
│    │ │  + documentation: Creates a new Malware Protection plan for the protected resource.
│    │ │  When you create a Malware Protection plan, the [AWS service terms for GuardDuty Malware Protection](https://docs.aws.amazon.com/service-terms/#87._Amazon_GuardDuty) will apply.
│    │ ├ properties
│    │ │  ├ Actions: (documentation changed)
│    │ │  ├ ProtectedResource: (documentation changed)
│    │ │  ├ Role: (documentation changed)
│    │ │  └ Tags: (documentation changed)
│    │ ├ attributes
│    │ │  ├ Arn: (documentation changed)
│    │ │  ├ MalwareProtectionPlanId: (documentation changed)
│    │ │  ├ Status: (documentation changed)
│    │ │  └ StatusReasons: (documentation changed)
│    │ └ types
│    │    ├[~] type CFNActions
│    │    │ ├  - documentation: undefined
│    │    │ │  + documentation: Specifies the action that is to be applied to the Malware Protection plan resource.
│    │    │ └ properties
│    │    │    └ Tagging: (documentation changed)
│    │    ├[~] type CFNProtectedResource
│    │    │ └  - documentation: undefined
│    │    │    + documentation: Information about the protected resource. Presently, `S3Bucket` is the only supported protected resource.
│    │    ├[~] type CFNStatusReasons
│    │    │ ├  - documentation: undefined
│    │    │ │  + documentation: Information about the status code and status details associated with the status of the Malware Protection plan.
│    │    │ └ properties
│    │    │    ├ Code: (documentation changed)
│    │    │    └ Message: (documentation changed)
│    │    ├[~] type CFNTagging
│    │    │ ├  - documentation: undefined
│    │    │ │  + documentation: Contains information about tagging status of the Malware Protection plan resource.
│    │    │ └ properties
│    │    │    └ Status: (documentation changed)
│    │    ├[~] type S3Bucket
│    │    │ └ properties
│    │    │    └ ObjectPrefixes: (documentation changed)
│    │    └[~] type TagItem
│    │      ├  - documentation: undefined
│    │      │  + documentation: Contains information about a tag.
│    │      └ properties
│    │         ├ Key: (documentation changed)
│    │         └ Value: (documentation changed)
│    ├[~] resource AWS::GuardDuty::Master
│    │ └ properties
│    │    └ InvitationId: (documentation changed)
│    └[~] resource AWS::GuardDuty::ThreatIntelSet
│      ├  - documentation: The `AWS::GuardDuty::ThreatIntelSet` resource specifies a new `ThreatIntelSet` . A `ThreatIntelSet` consists of known malicious IP addresses. GuardDuty generates findings based on the `ThreatIntelSet` when it is activated.
│      │  + documentation: The `AWS::GuardDuty::ThreatIntelSet` resource specifies a new `ThreatIntelSet` . A `ThreatIntelSet` consists of known malicious IP addresses. GuardDuty generates findings based on the `ThreatIntelSet` after it is activated.
│      ├ attributes
│      │  └ Id: (documentation changed)
│      └ types
│         └[~] type TagItem
│           ├  - documentation: undefined
│           │  + documentation: Contains information about a tag.
│           └ properties
│              ├ Key: (documentation changed)
│              └ Value: (documentation changed)
├[~] service aws-kinesisanalyticsv2
│ └ resources
│    └[~] resource AWS::KinesisAnalyticsV2::Application
│      └ types
│         ├[~] type ApplicationConfiguration
│         │ └ properties
│         │    └[+] ApplicationSystemRollbackConfiguration: ApplicationSystemRollbackConfiguration
│         └[+] type ApplicationSystemRollbackConfiguration
│           ├  documentation: Describes whether system initiated rollbacks are enabled for a Flink-based Kinesis Data Analytics application.
│           │  name: ApplicationSystemRollbackConfiguration
│           └ properties
│              └RollbackEnabled: boolean (required)
├[~] service aws-kinesisfirehose
│ └ resources
│    └[~] resource AWS::KinesisFirehose::DeliveryStream
│      └ types
│         ├[~] type HttpEndpointDestinationConfiguration
│         │ └ properties
│         │    └ SecretsManagerConfiguration: (documentation changed)
│         ├[~] type RedshiftDestinationConfiguration
│         │ └ properties
│         │    └ SecretsManagerConfiguration: (documentation changed)
│         ├[~] type SecretsManagerConfiguration
│         │ ├  - documentation: undefined
│         │ │  + documentation: The structure that defines how Firehose accesses the secret.
│         │ └ properties
│         │    ├ Enabled: (documentation changed)
│         │    ├ RoleARN: (documentation changed)
│         │    └ SecretARN: (documentation changed)
│         ├[~] type SnowflakeDestinationConfiguration
│         │ └ properties
│         │    └ SecretsManagerConfiguration: (documentation changed)
│         └[~] type SplunkDestinationConfiguration
│           └ properties
│              └ SecretsManagerConfiguration: (documentation changed)
├[~] service aws-kms
│ └ resources
│    └[~] resource AWS::KMS::Key
│      └ properties
│         ├ KeySpec: (documentation changed)
│         └ KeyUsage: (documentation changed)
├[~] service aws-networkmanager
│ └ resources
│    ├[~] resource AWS::NetworkManager::ConnectAttachment
│    │ └ properties
│    │    └ Tags: (documentation changed)
│    ├[~] resource AWS::NetworkManager::CoreNetwork
│    │ └ attributes
│    │    └ OwnerAccount: (documentation changed)
│    └[~] resource AWS::NetworkManager::SiteToSiteVpnAttachment
│      └ properties
│         └ Tags: (documentation changed)
├[~] service aws-omics
│ └ resources
│    └[~] resource AWS::Omics::RunGroup
│      └  - documentation: Creates a run group.
│         + documentation: You can optionally create a run group to limit the compute resources for the runs that you add to the group.
├[~] service aws-opsworkscm
│ └ resources
│    └[~] resource AWS::OpsWorksCM::Server
│      └ properties
│         └ ServerName: (documentation changed)
├[~] service aws-rds
│ └ resources
│    ├[~] resource AWS::RDS::DBCluster
│    │ └ properties
│    │    ├[+] EnableLocalWriteForwarding: boolean
│    │    └[+] EngineLifecycleSupport: string
│    ├[~] resource AWS::RDS::DBInstance
│    │ └ properties
│    │    └[+] EngineLifecycleSupport: string
│    └[~] resource AWS::RDS::GlobalCluster
│      └ properties
│         └[+] EngineLifecycleSupport: string
├[~] service aws-redshift
│ └ resources
│    ├[~] resource AWS::Redshift::Cluster
│    │ └ properties
│    │    ├ NodeType: (documentation changed)
│    │    └ Port: (documentation changed)
│    └[~] resource AWS::Redshift::ScheduledAction
│      └ properties
│         └ TargetAction: (documentation changed)
├[~] service aws-s3
│ └ resources
│    └[~] resource AWS::S3::Bucket
│      └ types
│         ├[~] type EncryptionConfiguration
│         │ └  - documentation: Specifies encryption-related information for an Amazon S3 bucket that is a destination for replicated objects.
│         │    + documentation: Specifies encryption-related information for an Amazon S3 bucket that is a destination for replicated objects.
│         │    > If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
│         ├[~] type PartitionedPrefix
│         │ └ properties
│         │    └ PartitionDateSource: (documentation changed)
│         ├[~] type ServerSideEncryptionByDefault
│         │ └  - documentation: Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an AWS KMS key in your AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS. For more information, see [PUT Bucket encryption](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html) in the *Amazon S3 API Reference* .
│         │    + documentation: Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an AWS KMS key in your AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS. For more information, see [PUT Bucket encryption](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html) in the *Amazon S3 API Reference* .
│         │    > If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
│         └[~] type ServerSideEncryptionRule
│           └  - documentation: Specifies the default server-side encryption configuration.
│              + documentation: Specifies the default server-side encryption configuration.
│              > If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
├[~] service aws-servicediscovery
│ └ resources
│    └[~] resource AWS::ServiceDiscovery::Instance
│      └ properties
│         └ InstanceId: (documentation changed)
├[~] service aws-ses
│ └ resources
│    └[~] resource AWS::SES::ConfigurationSetEventDestination
│      └ types
│         ├[+] type EventBridgeDestination
│         │ ├  documentation: An object that contains Event bus ARN associated with the event bridge destination.
│         │ │  name: EventBridgeDestination
│         │ └ properties
│         │    └EventBusArn: string (required)
│         └[~] type EventDestination
│           └ properties
│              └[+] EventBridgeDestination: EventBridgeDestination
├[~] service aws-signer
│ └ resources
│    └[~] resource AWS::Signer::SigningProfile
│      └ properties
│         └[+] ProfileName: string (immutable)
├[~] service aws-sqs
│ └ resources
│    └[~] resource AWS::SQS::Queue
│      └ properties
│         └ RedrivePolicy: (documentation changed)
├[~] service aws-ssm
│ └ resources
│    └[~] resource AWS::SSM::ResourceDataSync
│      └ properties
│         └ SyncName: (documentation changed)
├[~] service aws-verifiedpermissions
│ └ resources
│    └[~] resource AWS::VerifiedPermissions::IdentitySource
│      └ types
│         ├[~] type IdentitySourceConfiguration
│         │ └ properties
│         │    ├ CognitoUserPoolConfiguration: - CognitoUserPoolConfiguration (required)
│         │    │                               + CognitoUserPoolConfiguration
│         │    └[+] OpenIdConnectConfiguration: OpenIdConnectConfiguration
│         ├[+] type OpenIdConnectAccessTokenConfiguration
│         │ ├  documentation: The configuration of an OpenID Connect (OIDC) identity source for handling access token claims. Contains the claim that you want to identify as the principal in an authorization request, and the values of the `aud` claim, or audiences, that you want to accept.
│         │ │  This data type is part of a [OpenIdConnectTokenSelection](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectTokenSelection.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) .
│         │ │  name: OpenIdConnectAccessTokenConfiguration
│         │ └ properties
│         │    ├PrincipalIdClaim: string (default="sub")
│         │    └Audiences: Array<string>
│         ├[+] type OpenIdConnectConfiguration
│         │ ├  documentation: Contains configuration details of an OpenID Connect (OIDC) identity provider, or identity source, that Verified Permissions can use to generate entities from authenticated identities. It specifies the issuer URL, token type that you want to use, and policy store entity details.
│         │ │  This data type is part of a [Configuration](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_Configuration.html) structure, which is a parameter to [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) .
│         │ │  name: OpenIdConnectConfiguration
│         │ └ properties
│         │    ├Issuer: string (required)
│         │    ├EntityIdPrefix: string
│         │    ├GroupConfiguration: OpenIdConnectGroupConfiguration
│         │    └TokenSelection: OpenIdConnectTokenSelection (required)
│         ├[+] type OpenIdConnectGroupConfiguration
│         │ ├  documentation: The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you want to map it to. For example, this object can map the contents of a `groups` claim to `MyCorp::UserGroup` .
│         │ │  This data type is part of a [OpenIdConnectConfiguration](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectConfiguration.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) .
│         │ │  name: OpenIdConnectGroupConfiguration
│         │ └ properties
│         │    ├GroupClaim: string (required)
│         │    └GroupEntityType: string (required)
│         ├[+] type OpenIdConnectIdentityTokenConfiguration
│         │ ├  documentation: The configuration of an OpenID Connect (OIDC) identity source for handling identity (ID) token claims. Contains the claim that you want to identify as the principal in an authorization request, and the values of the `aud` claim, or audiences, that you want to accept.
│         │ │  This data type is part of a [OpenIdConnectTokenSelection](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectTokenSelection.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) .
│         │ │  name: OpenIdConnectIdentityTokenConfiguration
│         │ └ properties
│         │    ├PrincipalIdClaim: string (default="sub")
│         │    └ClientIds: Array<string>
│         └[+] type OpenIdConnectTokenSelection
│           ├  documentation: The token type that you want to process from your OIDC identity provider. Your policy store can process either identity (ID) or access tokens from a given OIDC identity source.
│           │  This data type is part of a [OpenIdConnectConfiguration](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectConfiguration.html) structure, which is a parameter of [CreateIdentitySource](https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) .
│           │  name: OpenIdConnectTokenSelection
│           └ properties
│              ├AccessTokenOnly: OpenIdConnectAccessTokenConfiguration
│              └IdentityTokenOnly: OpenIdConnectIdentityTokenConfiguration
├[~] service aws-workspaces
│ └ resources
│    └[+] resource AWS::WorkSpaces::WorkspacesPool
│      ├  name: WorkspacesPool
│      │  cloudFormationType: AWS::WorkSpaces::WorkspacesPool
│      │  documentation: Resource Type definition for AWS::WorkSpaces::WorkspacesPool
│      │  tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│      ├ properties
│      │  ├Capacity: Capacity (required)
│      │  ├PoolName: string (required, immutable)
│      │  ├Description: string
│      │  ├BundleId: string (required)
│      │  ├DirectoryId: string (required)
│      │  ├ApplicationSettings: ApplicationSettings
│      │  ├TimeoutSettings: TimeoutSettings
│      │  └Tags: Array<tag>
│      ├ attributes
│      │  ├PoolId: string
│      │  ├PoolArn: string
│      │  └CreatedAt: string
│      └ types
│         ├type Capacity
│         │├  name: Capacity
│         │└ properties
│         │   └DesiredUserSessions: integer (required)
│         ├type ApplicationSettings
│         │├  name: ApplicationSettings
│         │└ properties
│         │   ├Status: string (required)
│         │   └SettingsGroup: string
│         └type TimeoutSettings
│          ├  name: TimeoutSettings
│          └ properties
│             ├DisconnectTimeoutInSeconds: integer
│             ├IdleDisconnectTimeoutInSeconds: integer
│             └MaxUserDurationInSeconds: integer
└[~] service aws-workspacesweb
  └ resources
     └[~] resource AWS::WorkSpacesWeb::IpAccessSettings
       └ properties
          └ Tags: (documentation changed)
```

…rror (#30726)

### Issue # (if applicable)

Closes #30717.

### Reason for this change

esbuild introduced a breaking change in v0.22 which caused the build error in `aws-lambda-nodejs` module.

### Description of changes

Pin the esbuild version to 0.21 in Dockerfile

### Description of how you validated changes



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.147.3/CHANGELOG.md)

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/merge-back/2.147.2/CHANGELOG.md)

…test function version (#29856)

### Issue # (if applicable)

Closes #20177

### Reason for this change



`fn.grantInvoke()` will grant invoke permission to invoke both the latest version and all pervious version of the lambda function. We can see this behavior could bring some security concern for some of our customers.

### Description of changes



We provides a new function `fn.grantInvokeLatestVersion()`  to grant invoke only to the Latest version of function and the unqualified lambda arn

Example:
```ts
// Grant permissions to a service
declare const fn: lambda.Function;
const principal = new iam.ServicePrincipal('my-service');

fn.grantInvokeLatestVersion(principal);

```

### Description of how you validated changes


Added unit tests and integration tests.
When using `fn.grantInvokeLatestVersion()` granted principle to invoke a function's past version, it will get the following error:
```
An error occurred (AccessDeniedException) when calling the Invoke operation: User: {$principle} is not authorized to perform: lambda:InvokeFunction on resource: {$LambdaArn:$version} because no identity-based policy allows the lambda:InvokeFunction action
```

### Alternative design (to discuss)
setup a `grantInvokeProp` including `grantVersionAccess` flag to pass in the `grantInvokeLatestVersion` instead using `grantVersionAccess` flag directly on `grantInvokeLatestVersion`
-> This is discussed in the comments, I agree having props will have future extensibility but usually for grant methods specifically we haven't seen before. So we will not add prop to the new function `grantInvokeLatestVersion`

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ations (under feature flag) (#30706)

### Issue # (if applicable)

Closes #28915 

### Reason for this change

Fix to address the issues deleting the existing S3 event notifications and adding new event notifications on top of existing notifications.

### Description of changes
We fixed the hashing logic used to identify old vs external S3 event notifications

### Description of how you validated changes
Manually tested, integration and unit tested the changes

yes

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.

This was causing integ test failures because 1.22 is no longer supported.


### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

This test was failing due to the solution stack version not being supported any longer.

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change



### Description of changes



### Description of how you validated changes



### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Note that the docstring in `aws-entities` states that the regions are
added in the order they went live. For several, that was not accurate so
I reordered them. This is unlikely to matter but I made the change so
that the documentation there would be factually correct.

Not all of these regions/partitions are live yet, but they have been
announced [here](https://aws.amazon.com/blogs/aws/category/regions/)

### Checklist
- [ ] My code adheres to the [CONTRIBUTING
GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and
[DESIGN
GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license*