Bump Amazon.CDK.Lib and Constructs

[dependabot]

Updated Amazon.CDK.Lib from 2.221.1 to 2.233.0.

Release notes

Sourced from Amazon.CDK.Lib's releases.

2.233.0

⚠ BREAKING CHANGES

CHANGES TO L1 RESOURCES: L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

aws-ec2: AWS::EC2::EC2Fleet: DefaultTargetCapacityType property is now immutable.
aws-ec2: AWS::EC2::EC2Fleet: TargetCapacityUnitType property is now immutable.

Features

• update L1 CloudFormation resource definitions (#​36390) (a6077a2)
• events-targets: support messageGroupId for standard SQS queues (#​36068) (95d4ed5)
• update L1 CloudFormation resource definitions (#​36367) (e551afe)
• codebuild: add support for macOS 15 runners (#​35836) (1b8b4e3)
• route53-patterns: HttpsRedirect use Distribution as the default CloudFront distribution (under feature flag) (#​34312) (e2987eb), closes #​31546
• update L1 CloudFormation resource definitions (#​36326) (cb82627)
• ec2: add Interface VPC Endpoints for ACM and ACM-PCA (#​35890) (06e6b25)
• route53: support failover routing policy for record sets (#​35909) (9395467), closes #​35910

Bug Fixes

• aws-cdk-lib: make grants factory methods public (#​36317) (7dde625)
• ci: checkout the pr head instead of the default main head (#​36311) (a1cbcf9), closes /github.com/aws/aws-cdk/blob/main/.github/workflows/integration-test-deployment.yml#L39C11-L39C57
• cloudtrail: do not attach s3 bucket permission when orgId is not set for organization trail (#​30778) (61ee074), closes #​30490
• custom-resources: waiter state machine retry fails with ExecutionAlreadyExists (#​35988) (36ea606), closes #​35957
• ecs: removal of canContainersAccessInstanceRole instance role (#​36362) (7395b41)
• pipelines: propagate CodeBuild fleet and certificate (#​35673) (71cfd60), closes #​35664
• region-info: standalone use of @​aws-cdk/region-info throws an Cannot find module 'aws-cdk-lib/core/lib/errors' error (#​36414) (01c7d2e), closes #​36399
• ci fix for spec updater workflow (#​36364) (a0b42cc)
• re-export of ResourceEnvironment is not an alias (#​36370) (ba8e194)

---

Alpha modules (2.233.0-alpha.0)

⚠ BREAKING CHANGES

• bedrock-agentcore-alpha: Runtime constructs will no longer automatically include lifecycleConfiguration with default values when not explicitly specified by users.
• elasticache-alpha: The engine property in NoPasswordUserProps has been removed.

Bug Fixes

• bedrock-agentcore-alpha: runtime construct incorrectly forces default lifecycleConfiguration values (#​36379) (7954354), closes #​36376
• elasticache-alpha: the default engine for NoPasswordUser contradict in the docs (#​35920) (495fa37), closes #​35847
• mixins-preview: improving delivery source and delivery destination creation (#​36314) (86092ab)

2.232.2

Bug Fixes

• re-export of ResourceEnvironment is not an alias (#​36370) (6178d32)

---

Alpha modules (2.232.2-alpha.0)

2.232.1

Bug Fixes

• core: TypeScript properties missing for types which extend internal interfaces (#​36313) (3e7e17c), closes #​36310

---

Alpha modules (2.232.1-alpha.0)

2.232.0

Features

• update L1 CloudFormation resource definitions (#​36299) (0945692)
• bedrock-agentcore: add fromImageUri method to AgentRuntimeArtifact (#​36263) (ad25aba)
• lambda: add support for durable functions (#​36282) (599a1d3)
• update L1 CloudFormation resource definitions (#​36277) (c4fa99b)

Bug Fixes

• core: temp cleanup does not work with jest (#​36238) (1f4a224), closes #​36226

---

Alpha modules (2.232.0-alpha.0)

Bug Fixes

• bedrock-agentcore-alpha: use static construct ID for asset-based runtime artifacts (#​36241) (e2bdddd), closes #​35968
• mixins-preview: service exports are different then in aws-cdk-lib (#​36201) (5858006), closes #​36210
• mixins-preview: strongly-typed ConstructSelector interface (#​36266) (1d2f473)

2.231.0

Features

• lambda: support for capacity providers (#​36255) (2e4c1cf)
• update L1 CloudFormation resource definitions (#​36253) (8410b13)
• aws-cdk-lib: add arnFor<ResourceName> for 47 more resources (#​36231) (5a8be4f)
• aws-cdk-lib: all L1s now have a isCfn<ResourceName> static helper to check if a value is this L1 resource (#​36243) (dc9db9b)
• ec2: expose EC2 instance MetadataOptions (#​35369) (4056e14), closes #​35357

Bug Fixes

• dynamodb: unsupported actions added to table resource policy (#​36228) (10de047), closes #​32230

---

Alpha modules (2.231.0-alpha.0)

Features

• glue-alpha: support Glue Version 5.1 (#​36223) (b956492)
• imagebuilder-alpha: add support for Image Construct (#​36154) (eee3ae6), closes aws/aws-cdk-rfcs#​789 aws/aws-cdk-rfcs#​789

2.230.0

Features

• apigateway: support response streaming with response transfer mode (#​36155) (f431021), closes #​36156
• update L1 CloudFormation resource definitions (f203b8e)
• update L1 CloudFormation resource definitions (#​36193) (d074024)
• events: the L2 EventPattern interfaces can be used with CfnRule (#​36191) (efc135e)
• update L1 CloudFormation resource definitions (#​36180) (5cddd7e)

Bug Fixes

• ecs: wrong ARN generated in Cluster.grantTaskProtection method (#​36207) (9b337df)
• ecs-patterns: target group ID changes without setting feature flag (#​36199) (b7ca082), closes #​36149
• scheduler: wrong ARN generated in ScheduleGroup.grant* methods (#​36175) (eae8838)

---

Alpha modules (2.230.0-alpha.0)

Features

• bedrock-agentcore-alpha: update resources on grantInvokeXXX for runtime (#​35864) (5dad62f)
• imagebuilder-alpha: add support for Image Pipeline Construct (#​36153) (d8c324a), closes aws/aws-cdk-rfcs#​789 aws/aws-cdk-rfcs#​789
• imagebuilder-alpha: add support for Lifecycle Policy Construct (#​36152) (7e31eb6), closes aws/aws-cdk-rfcs#​789 aws/aws-cdk-rfcs#​789
• mixins-preview: adds LogDelivery Mixins for 47 resources (#​36158) (6607ce9)
• mixins-preview: vended log deliveries (#​36138) (69442a8)
• mixins-preview: helpers to generate EventBridge event patterns for 26 services (#​36121) (073185d)

Bug Fixes

• mixins-preview: AutoDeleteObjects mixin fails with cannot find file error (#​36188) (3ef337d), closes aws-cdk/mixins-preview/lib/custom-resource-handlers/aws-s3/auto-delete-objects-provider.ts#L21
• mixins-preview: ResourcePolicy with this name already exists error when setting up LogDelivery (#​36195) (f9aa31d)
• mixins-preview: cannot use string literal types for S3LogsDeliveryProps.permissionsVersion (#​36197) (cc491df)

2.229.1

Bug Fixes

• scheduler: wrong ARN generated in ScheduleGroup.grant* methods (#​36175) (ca9fbdd)

---

Alpha modules (2.229.1-alpha.0)

2.229.0

Features

• agentcore: add new properties for runtime, browser (#​36003) (439495f)
• route53: add HostedZoneGrants (#​36109) (d24305c)

Bug Fixes

• stepfunctions: allow multiline jsonata strings (#​35985) (8805e13), closes #​35912 #​35912

---

Alpha modules (2.229.0-alpha.0)

Features

• imagebuilder-alpha: add support for Container Recipe Construct (#​36091) (875e0e7), closes aws/aws-cdk-rfcs#​789 aws/aws-cdk-rfcs#​789
• imagebuilder-alpha: add support for Image Recipe Construct (#​36092) (4361f8b), closes aws/aws-cdk-rfcs#​789 aws/aws-cdk-rfcs#​789
• imagebuilder-alpha: add support for Workflow Construct (#​36007) (616d32a), closes aws/aws-cdk-rfcs#​789 aws/aws-cdk-rfcs#​789
• mixins-preview: developer preview of CDK Mixins (#​36136) (0c6ee1d)

Bug Fixes

• bedrock-agentcore-alpha: empty submodule accidentally exposed and runtime validation fix (#​36148) (72d3e6f)

2.228.0

Features

• lambda: add new lambda/kafka esm properties and on failure desitination (65f9c35)

Bug Fixes

• cloudformation-include: TypeError when including template with intrinsic functions (#​36157) (f2a384b), closes #​36140 #​35838

---

Alpha modules (2.228.0-alpha.0)

2.227.0

CHANGES TO L1 RESOURCES: L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

• aws-backup: AWS::Backup::LogicallyAirGappedBackupVault: EncryptionKeyArn attribute removed.

Features

• stepfunctions: add StateMachineGrants (#​36094) (59ef00d)
• update L1 CloudFormation resource definitions (#​36122) (51d805e)
• core: cfn constructs (L1s) can now accept constructs as parameters for known resource relationships (#​35838) (6be7b4b)
• factory methods for Grants made public (#​36123) (f9a894f)
• dynamodb: add TableGrants and StreamGrants (#​36093) (d0b074a)
• rds: support instance and iam-db-auth-error CloudWatch log exports (#​35058) (e71a8b1), closes #​35018
• s3: add BucketGrants (#​36102) (5891172)
• grants are now available through a separate class (#​35782) (21fd959)

---

Alpha modules (2.227.0-alpha.0)

Features

• bedrock-agentcore-alpha: agentcore gateway L2 construct (#​35771) (07c4a0d)
• imagebuilder-alpha: add support for Component Construct (#​36107) (93a76e4), closes #​36006 #​36104
• imagebuilder-alpha: add support for Distribution Configuration Construct (#​36108) (6051039), closes #​36005

Bug Fixes

• bedrock-agentcore-alpha: fix unexpected validation error when properties are Token (#​35978) (084b736)

2.226.0

Features

• dynamodb: compound keys for global secondary indexes (046b06d)
• lambda: add multi-tenancy support with TenancyConfig (5f384db)

---

Alpha modules (2.226.0-alpha.0)

2.225.0

⚠ BREAKING CHANGES

• ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

  • aws-dynamodb: AWS::DynamoDB::GlobalTable: ResourcePolicy property is now required.

Features

• update L1 CloudFormation resource definitions (#​36082) (3df1d81)
• custom-resource: add External ID support for AwsCustomResource (#​35252) (9f6c02b), closes #​34018
• route53: support restricting delegated zone names when using grantDelegation (#​35129) (d832aca)

Bug Fixes

• aws-cdk-lib: temporary Cloud Assemblies are not cleaned up (#​36043) (1ace1ef), closes #​802
• cognito: remove overly strict validation for threat protection on non-PLUS plans (#​36027) (172c65f), closes #​36023
• s3-deployment: Source.jsonData() fails with null JSON values (#​36054) (67b85f2), closes #​36052

Reverts

• (dynamodb) revert Table.table field to private to fix .NET naming (#​36029) (d84fce8), closes #​36025 #​35554

---

Alpha modules (2.225.0-alpha.0)

2.224.0

⚠ BREAKING CHANGES

• aws-cdk-lib: Reference interfaces (such as IBucketRef, IRoleRef, etc.) were moved to a new aws-cdk-lib.interfaces submodule to prevent cyclic dependencies between service modules. If you are importing reference interfaces, you have to update import statements accordingly. See #​36060 for full details.
• Amazon.CDK.Lib (.NET): The .NET namespace for multiple submodules has changed. If you are using any of the renamed submodules, you have to update using statements for these submodules. See #​36037 for full details.
• L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

aws-opensearchserverless: AWS::OpenSearchServerless::Collection: StandbyReplicas property is now immutable.
aws-servicecatalog: AWS::ServiceCatalog::PortfolioPrincipalAssociation: Id attribute removed.

Features

• apigateway: add option for consolidating lambda permissions for rest and http lambda integrations (#​36021) (35f8e46), closes #​9327 #​19535 #​35705
• update L1 CloudFormation resource definitions (#​35994) (47a9a20)
• core: add methods to SecretValue and aws-secretsmanager Secret to obtain a literal (unresolved by CloudFormation) dynamic reference key (#​34397) (#​35105) (457aa99), closes /github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/core/lib/secret-value.ts#L98C17-L98C31 /github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-secretsmanager/lib/secret.ts#L499
• eks: add support for Kubernetes version 1.34 (#​36016) (60096ac), closes #​35717
• lambda: add nodejs24.x runtime for Lambda (#​36001) (404bf1a)
• sagemaker: add support for serverless inference endpoints (#​35557) (3f5c5ac), closes #​23148 #​23148
• stepfunctions-tasks: add architecture support to EvaluateExpression (#​35468) (771ea13), closes #​34974

Bug Fixes

• aws-cdk-lib: move reference interfaces to their own submodules (#​35971) (1e4dfe6)
• aws-cdk-lib: multiple submodules use an incorrect namespace for .NET (#​36002) (e48e584)
• dynamodb: resolve circular dependency with AccountRootPrincipal grants (#​35983) (24d2adf), closes #​35967
• ecs: allow empty placementStrategies on EC2Service (#​35580) (0d773b1), closes #​30382 /github.com/aws/aws-cdk/pull/27572#issuecomment-1766287866

---

Alpha modules (2.224.0-alpha.0)

Features

• imagebuilder-alpha: add support for EC2 Image Builder L2 Constructs - Infrastructure Configuration (#​35882) (db1d964), closes aws/aws-cdk-rfcs#​789 aws/aws-cdk-rfcs#​789

2.223.0

⚠ BREAKING CHANGES

L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

• aws-dynamodb: AWS::DynamoDB::GlobalTable: GlobalTableSettingsReplicationMode property removed.
• aws-dynamodb: AWS::DynamoDB::GlobalTable: GlobalTableSourceArn property removed.
• aws-dynamodb: AWS::DynamoDB::Table: GlobalTableSettingsReplicationMode property removed.
• aws-events: AWS::Events::EventBusPolicy: Id attribute removed.

Features

• update L1 CloudFormation resource definitions (#​35926) (3f4d585)
• ec2: support for Cloud Wan Core Network routes (#​35008) (fba027b)
• s3-deployment: support securityGroups in BucketDeploymentProps (#​33233) (f2a3166), closes #​33229

Bug Fixes

• stepfunctions: DistributedMap ResultWriter correct query language selection (#​35834) (75b8ead), closes #​35403
• onEvent function to pass all the options to rule resource (#​35829) (3d7023d)

---

Alpha modules (2.223.0-alpha.0)

2.222.0

⚠ BREAKING CHANGES

• bedrock-agentcore: The signature of RuntimeAuthorizerConfiguration.usingCognito() has changed to accept IUserPool and IUserPoolClient constructs instead of string parameters, and now supports multiple clients.

Features

• apigateway: add binaryMediaTypes property to SpecRestApi (#​35502) (bf10d94), closes #​35498
• apigatewayv2: WebSocketStage support accessLogSettings (#​34766) (dad112e), closes #​21935
• bedrock-agentcore: use IUserPool and IUserPoolClient interfaces instead of string identifiers (#​35860) (a38afc9), closes #​35854
• core: IEnvironmentAware interface to retrieve a construct's environment (#​35817) (8ee5d4b)
• elasticloadbalancingv2: create security group settings for NLB by default (under feature flag) (#​34675) (ff83cfd), closes #​34606 /github.com/aws/aws-cdk/issues/34606#issuecomment-2931313249
• events-targets: support Amazon Data Firehose target using Firehose's IDeliveryStream (#​33798) (a374b6b), closes #​33757 #​33758
• kinesisfirehose: add built-in data processors to decompress CloudWatch logs and extract messages (#​33749) (5dec21e), closes #​33691 #​20242 /github.com/aws/aws-cdk/issues/33691#issuecomment-2713012245
• lambda: add Java25 runtime for Lambda (#​35867) (db71fac)
• lambda: add Python 3.14 runtime for Lambda (#​35869) (ebef303)
• memory: add agentcore memory l2 construct (#​35757) (6a2e17e)
• msk: support Express brokers (#​34741) (0a69e5f), closes #​32923

Bug Fixes

• agentcore: addToRolePolicy for runtime with imported role destroys and recreates policies on every deployment (#​35842) (92525e4), closes #​35844 40aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-base.ts#L253
• agentcore: custom execution role policy for runtime lacks proper permissions (#​35849) (ee94b63), closes #​35852 40aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-artifact.ts#L65 40aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime.ts#L252-L259 /github.com/aws/aws-cdk/blob/v2.221.0/packages/aws-cdk-lib/aws-codepipeline/lib/pipeline.ts#L693 /github.com/aws/aws-cdk/blob/v2.221.0/packages/aws-cdk-lib/aws-lambda/lib/function.ts#L1468 /github.com/aws/aws-cdk/blob/v2.221.0/packages/aws-cdk-lib/aws-ecs/lib/base/base-service.ts#L1161
• dynamodb: addToResourcePolicy has no effect (#​35554) (94d7e34), closes #​35062
• ecs: remove empty CfnClusterCapacityProviderAssociations resource (#​35783) (c8a131b), closes #​35699 #​35742
• iam: cannot grant lambda:InvokeFunction on ManagedPolicy or Policy via grantInvoke() method (#​32984) (a07d75a), closes #​32980 /github.com/aws/aws-cdk/pull/32984#pullrequestreview-2863553504
• compilation failure in Go (#​35871) (5e4f603), closes aws/aws-cdk#​35770 #​35862
• ec2: remove PassRole policy emitted by cloudwatch vpc flow destination (#​35762) (c4b80df), closes #​35729

---

Alpha modules (2.222.0-alpha.0)

Features

• eks-v2-alpha: eks-v2-alpha is now in developer preview (#​35801) (32afc0f)

Bug Fixes

• bedrock-alpha: apply permission dependency to existing and non-existing roles (#​35123) (b39ccf3), closes #​35120
• eks-v2-alpha: remove hyphen from Go package name (#​35927) (2cdfc8a)

Commits viewable in compare view.

Updated Constructs from 10.4.2 to 10.4.4.

Release notes

Sourced from Constructs's releases.

10.4.4

10.4.4 (2025-12-11)

Bug Fixes

• python: only allow Typeguard 2.x (#​2831) (04ca69c)

10.4.3

10.4.3 (2025-11-06)

Bug Fixes

• deps: upgrade to jsii & typescript 5.9 (#​2823) (02796b2)

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Superseded by #585.