Merge branch 'main' into feat/eks-cluster-oidc-provider-36684

Author: pahud

CHANGELOG.v2.alpha.md

@@ -2,6 +2,21 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.236.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.235.1-alpha.0...v2.236.0-alpha.0) (2026-01-23)
+
+
+### Features
+
+* **bedrock-agentcore-alpha:** added episodic memory strategy ([#36591](https://github.com/aws/aws-cdk/issues/36591)) ([21dcfc6](https://github.com/aws/aws-cdk/commit/21dcfc6807a3876e2275bdac6f1e4f7564a66100))
+* **bedrock-agentcore-alpha:** added gateway interceptors ([#36604](https://github.com/aws/aws-cdk/issues/36604)) ([ba8aa48](https://github.com/aws/aws-cdk/commit/ba8aa48a33b1e008194d6b6b13d10c41019f56b4))
+* **bedrock-agentcore-alpha:** make physical name properties optional for AgentCore resources ([#36354](https://github.com/aws/aws-cdk/issues/36354)) ([5137d81](https://github.com/aws/aws-cdk/commit/5137d811a92eb63f52d2bfa0713a660f5476839e)), closes [#36341](https://github.com/aws/aws-cdk/issues/36341)
+* **mixins-preview:** expose `BucketPolicyStatementsMixin` publicly ([#36771](https://github.com/aws/aws-cdk/issues/36771)) ([458156d](https://github.com/aws/aws-cdk/commit/458156dd43ced89c893687415d7c2a2fce141653))
+* **sagemaker:** add containerStartupHealthCheckTimeoutInSeconds support for EndpointConfig ([#35626](https://github.com/aws/aws-cdk/issues/35626)) ([47d707a](https://github.com/aws/aws-cdk/commit/47d707aac809fda8ec5302bf927380e8060d380a)), closes [#35566](https://github.com/aws/aws-cdk/issues/35566)
+
+### Bug Fixes
+
+* **eks-v2-alpha:** ensure kubectl provider access entry is depended upon by downstream resources ([#36734](https://github.com/aws/aws-cdk/issues/36734)) ([e104f45](https://github.com/aws/aws-cdk/commit/e104f45654177e87e2fb46510f77d02fcf20c499)), closes [#34898](https://github.com/aws/aws-cdk/issues/34898) [#34897](https://github.com/aws/aws-cdk/issues/34897)
+
 ## [2.235.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.235.0-alpha.0...v2.235.1-alpha.0) (2026-01-19)
 
 ## [2.235.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.234.1-alpha.0...v2.235.0-alpha.0) (2026-01-15)

CHANGELOG.v2.md

@@ -2,6 +2,26 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.236.0](https://github.com/aws/aws-cdk/compare/v2.235.1...v2.236.0) (2026-01-23)
+
+
+### Features
+
+* update L1 CloudFormation resource definitions ([#36721](https://github.com/aws/aws-cdk/issues/36721)) ([7a4a443](https://github.com/aws/aws-cdk/commit/7a4a44329d7b71a12ba566885aa5fd730c0c2475))
+* **ecs:** add capacityOptionType (Spot support) to ManagedInstancesCapacityProvider L2 construct ([#36497](https://github.com/aws/aws-cdk/issues/36497)) ([e8ad85b](https://github.com/aws/aws-cdk/commit/e8ad85b3122e8c84e19adf0ffdfd71d79ba090f9)), closes [#35648](https://github.com/aws/aws-cdk/issues/35648)
+* **ecs:** add built-in Linear and Canary deployments  ([#35981](https://github.com/aws/aws-cdk/issues/35981)) ([67ac5e7](https://github.com/aws/aws-cdk/commit/67ac5e7685e6eb8993e49aa010e43d8002998498)), closes [#35986](https://github.com/aws/aws-cdk/issues/35986) [#35987](https://github.com/aws/aws-cdk/issues/35987)
+* **logs:** add support for deletion protection configuration ([#36583](https://github.com/aws/aws-cdk/issues/36583)) ([c4d1389](https://github.com/aws/aws-cdk/commit/c4d13895339ef44ffc4cd6f86d80014a8d33a3f6)), closes [#36554](https://github.com/aws/aws-cdk/issues/36554) [#36554](https://github.com/aws/aws-cdk/issues/36554)
+
+
+### Bug Fixes
+
+* **apigatewayv2:** use custom domain name instead of regional domain name when importing domain name via fromDomainNameAttributes ([#36710](https://github.com/aws/aws-cdk/issues/36710)) ([fe6eb0b](https://github.com/aws/aws-cdk/commit/fe6eb0b9130953d5ff35bd05b643253f9b6c3247))
+* **batch:**  undeprecate useOptimalInstanceClasses   property ([#36353](https://github.com/aws/aws-cdk/issues/36353)) ([3485d53](https://github.com/aws/aws-cdk/commit/3485d5399b6cfebc3461247643d4866242311152)), closes [#36291](https://github.com/aws/aws-cdk/issues/36291) [#36291](https://github.com/aws/aws-cdk/issues/36291)
+* **core:** resources allocate unnecessary string tokens upon instantiation ([#36692](https://github.com/aws/aws-cdk/issues/36692)) ([59d4928](https://github.com/aws/aws-cdk/commit/59d49286f656a5341e907d298f30decbc8959bcf))
+* **core:** tree.json unintentionally includes telemetry metadata ([#36748](https://github.com/aws/aws-cdk/issues/36748)) ([87fd86b](https://github.com/aws/aws-cdk/commit/87fd86be736b24ab18ea2ee7a2c96b724a67c903))
+* **scheduler:** scheduleName returns undefined when imported from ARN ([#36400](https://github.com/aws/aws-cdk/issues/36400)) ([752bd9b](https://github.com/aws/aws-cdk/commit/752bd9b7c31d027be6918cd7c8ebddb4b3d29e77)), closes [#36361](https://github.com/aws/aws-cdk/issues/36361)
+* recent change to IAlarmAction breaks too many implementors ([#36695](https://github.com/aws/aws-cdk/issues/36695)) ([0c5b0db](https://github.com/aws/aws-cdk/commit/0c5b0dbb08bd1bc965067e1fbe7b2ec7e82e697b))
+
 ## [2.235.1](https://github.com/aws/aws-cdk/compare/v2.235.0...v2.235.1) (2026-01-19)
 
 

CONTRIBUTING.md

@@ -988,37 +988,37 @@ finalized, will be added to the AWS CDK with a specific suffix: `BetaX`. APIs
 with the preview suffix will never be removed, instead they will be deprecated
 and replaced by either the stable version (without the suffix), or by a newer
 preview version. For example, assume we add the method
-`grantAwesomePowerBeta1`:
+`addSecondaryResourceBeta1()` to a class:
 
 ```ts
 /**
- * This method grants awesome powers
+ * This method adds a secondary resource to the main one
  */
-grantAwesomePowerBeta1();
+addSecondaryResourceBeta1(res: SomeResource);
 ```
 
 Times goes by, we get feedback that this method will actually be much better
-if it accepts a `Principal`. Since adding a required property is a breaking
-change, we will add `grantAwesomePowerBeta2()` and deprecate
-`grantAwesomePowerBeta1`:
+if it accepts an additional required `options` parameter. Since adding a required 
+parameter to a method is a breaking change, we will add `addSecondaryResourceBeta2()`
+and deprecate `addSecondaryResourceBeta1`:
 
 ```ts
 /**
-* This method grants awesome powers to the given principal
+* This method adds a secondary resource, with more options
 *
 * @param grantee The principal to grant powers to
 */
-grantAwesomePowerBeta2(grantee: iam.IGrantable)
+addSecondaryResourceBeta2(res: SomeResource, options: SecondaryResourceOptions);
 
 /**
-* This method grants awesome powers
-* @deprecated use grantAwesomePowerBeta2
+ * This method adds a secondary resource to the main one
+* @deprecated use addSecondaryResourceBeta1
 */
-grantAwesomePowerBeta1()
+addSecondaryResourceBeta1(res: SomeResource);
 ```
 
 When we decide it's time to graduate the API, the latest preview version will
-be deprecated and the final version - `grantAwesomePower` will be added.
+be deprecated and the final version - `addSecondaryResource` will be added.
 
 ## Documentation
 

allowed-breaking-changes.txt

@@ -4142,3 +4142,12 @@ changed-type:aws-cdk-lib.aws_ses.EventDestination.bus
 # CloudFormation has always required SecurityGroups for ManagedInstancesCapacityProvider.
 # Making it required in TypeScript catches the error at compile time instead of deploy time.
 strengthened:aws-cdk-lib.aws_ecs.ManagedInstancesCapacityProviderProps
+
+# IEncryptedResource was too strongly typed for practical use.
+# We need to weaken it and align with other traits.
+# See: https://github.com/aws/aws-cdk/pull/36787
+incompatible-argument:aws-cdk-lib.aws_iam.GrantableResources.isEncryptedResource
+base-types:aws-cdk-lib.aws_iam.IEncryptedResource
+removed:aws-cdk-lib.aws_iam.IEncryptedResource.applyRemovalPolicy
+removed:aws-cdk-lib.aws_iam.IEncryptedResource.node
+removed:aws-cdk-lib.aws_iam.IEncryptedResource.stack

packages/@aws-cdk/aws-elasticache-alpha/README.md

@@ -397,7 +397,7 @@ declare const role: iam.Role;
 
 // grant "elasticache:Connect" action permissions to role
 user.grantConnect(role);
-serverlessCache.grantConnect(role);
+serverlessCache.grants.connect(role);
 ```
 
 ### Import an existing user and user group

packages/@aws-cdk/mixins-preview/lib/mixins/private/reflections.ts

@@ -1,6 +1,6 @@
 import type { IConstruct } from 'constructs';
 import { CfnResource } from 'aws-cdk-lib/core';
-import type { IBucketRef, CfnBucketPolicy } from 'aws-cdk-lib/aws-s3';
+import { type IBucketRef, type CfnBucketPolicy, CfnBucket } from 'aws-cdk-lib/aws-s3';
 import { CfnDeliverySource } from 'aws-cdk-lib/aws-logs';
 import { CfnKey, IKeyRef } from 'aws-cdk-lib/aws-kms';
 
@@ -99,6 +99,24 @@ export function tryFindDeliverySourceForResource(source: IConstruct, sourceArn:
   );
 }
 
+export function tryFindKmsKeyforBucket(bucket: IBucketRef): CfnKey | undefined {
+  const cfnBucket = tryFindBucketConstruct(bucket);
+  const kmsMasterKeyId = cfnBucket && Array.isArray((cfnBucket.bucketEncryption as
+        CfnBucket.BucketEncryptionProperty)?.serverSideEncryptionConfiguration) ?
+    (((cfnBucket.bucketEncryption as CfnBucket.BucketEncryptionProperty).serverSideEncryptionConfiguration as
+        CfnBucket.ServerSideEncryptionRuleProperty[])[0]?.serverSideEncryptionByDefault as
+        CfnBucket.ServerSideEncryptionByDefaultProperty)?.kmsMasterKeyId
+    : undefined;
+  if (!kmsMasterKeyId) {
+    return undefined;
+  }
+  return findClosestRelatedResource<IConstruct, CfnKey>(
+    bucket,
+    'AWS::KMS::Key',
+    (_, key) => key.ref === kmsMasterKeyId || key.attrKeyId === kmsMasterKeyId || key.attrArn === kmsMasterKeyId,
+  );
+}
+
 /**
  * Attempts to find the L1 CfnResource for a given Ref interface.
  * Searches children first (for L2 wrappers), then the construct tree.
@@ -144,3 +162,11 @@ export function tryFindKmsKeyConstruct(kmsKey: IKeyRef): CfnKey | undefined {
     (cfn, ref) => ref.keyRef === cfn.keyRef,
   );
 }
+
+export function tryFindBucketConstruct(bucket: IBucketRef): CfnBucket | undefined {
+  return findL1FromRef<IBucketRef, CfnBucket>(
+    bucket,
+    'AWS::S3::Bucket',
+    (cfn, ref) => ref.bucketRef == cfn.bucketRef,
+  );
+}

packages/@aws-cdk/mixins-preview/lib/services/aws-logs/logs-delivery.ts

@@ -1,13 +1,14 @@
-import { Names, Stack, Tags } from 'aws-cdk-lib/core';
+import { Aws, Names, Stack, Tags } from 'aws-cdk-lib/core';
 import { Effect, PolicyStatement, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
 import * as logs from 'aws-cdk-lib/aws-logs';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import { Construct, type IConstruct } from 'constructs';
 import type { IDeliveryStreamRef } from 'aws-cdk-lib/aws-kinesisfirehose';
-import { tryFindBucketPolicyForBucket, tryFindDeliverySourceForResource } from '../../mixins/private/reflections';
+import { tryFindBucketPolicyForBucket, tryFindDeliverySourceForResource, tryFindKmsKeyConstruct, tryFindKmsKeyforBucket } from '../../mixins/private/reflections';
 import { ConstructSelector, Mixins } from '../../core';
 import * as xray from '../aws-xray/policy';
 import { BucketPolicyStatementsMixin } from '../aws-s3/bucket-policy';
+import { CfnKey, IKeyRef } from 'aws-cdk-lib/aws-kms';
 
 /**
  * The individual elements of a logs delivery integration.
@@ -55,6 +56,18 @@ export enum S3LogsDeliveryPermissionsVersion {
   V2 = 'V2',
 }
 
+/**
+ * Properties for S3 logs destination configuration.
+ */
+export interface IS3LogsDestinationProps {
+  /**
+   * KMS key to use for encrypting logs in the S3 bucket.
+   *
+   * @default - No encryption key is configured
+   */
+  readonly encryptionKey?: IKeyRef;
+}
+
 /**
  * Props for S3LogsDelivery
  */
@@ -66,6 +79,13 @@ export interface S3LogsDeliveryProps {
    * @default "V2"
    */
   readonly permissionsVersion?: S3LogsDeliveryPermissionsVersion;
+  /**
+   * KMS key to use for encrypting logs in the S3 bucket.
+   * When provided, grants the logs delivery service permissions to use the key.
+   *
+   * @default - No encryption key is configured
+   */
+  readonly kmsKey?: IKeyRef;
 }
 
 /**
@@ -74,13 +94,15 @@ export interface S3LogsDeliveryProps {
 export class S3LogsDelivery implements ILogsDelivery {
   private readonly bucket: s3.IBucketRef;
   private readonly permissions: S3LogsDeliveryPermissionsVersion;
+  private readonly kmsKey: IKeyRef | undefined;
 
   /**
    * Creates a new S3 Bucket delivery.
    */
   constructor(bucket: s3.IBucketRef, props: S3LogsDeliveryProps = {}) {
     this.bucket = bucket;
     this.permissions = props.permissionsVersion ?? S3LogsDeliveryPermissionsVersion.V2;
+    this.kmsKey = props.kmsKey;
   }
 
   /**
@@ -95,6 +117,11 @@ export class S3LogsDelivery implements ILogsDelivery {
     const deliverySource = getOrCreateDeliverySource(logType, scope, sourceResourceArn);
     const deliverySourceRef = deliverySource.deliverySourceRef;
 
+    const kmsKey = this.findEncryptionKey();
+    if (kmsKey) {
+      this.addToEncryptionKeyPolicy(kmsKey);
+    }
+
     const deliveryDestination = new logs.CfnDeliveryDestination(container, 'Dest', {
       destinationResourceArn: this.bucket.bucketRef.bucketArn,
       name: deliveryDestName('s3', logType, container),
@@ -181,6 +208,40 @@ export class S3LogsDelivery implements ILogsDelivery {
     Mixins.of(policy, ConstructSelector.onlyItself())
       .apply(new BucketPolicyStatementsMixin(statements));
   }
+
+  private findEncryptionKey(): CfnKey | undefined {
+    if (this.kmsKey) {
+      return tryFindKmsKeyConstruct(this.kmsKey);
+    }
+    return tryFindKmsKeyforBucket(this.bucket);
+  }
+
+  private addToEncryptionKeyPolicy(key: CfnKey) {
+    const existingKeyPolicy = key.keyPolicy;
+    const sourceArnPostfix = this.permissions === S3LogsDeliveryPermissionsVersion.V1 ? '*' : 'delivery-source:*';
+    const sid = 'AWS CDK: Allow Logs Delivery to use the key';
+    // Check if a statement with this SID already exists
+    const hasDuplicateSid = existingKeyPolicy.statements.some((stmt: PolicyStatement) => stmt.sid === sid);
+    if (hasDuplicateSid) {
+      return;
+    }
+
+    existingKeyPolicy.addStatements(new PolicyStatement({
+      sid,
+      effect: Effect.ALLOW,
+      principals: [new ServicePrincipal('delivery.logs.amazonaws.com')],
+      actions: ['kms:Encrypt', 'kms:Decrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*', 'kms:DescribeKey'],
+      resources: ['*'],
+      conditions: {
+        StringEquals: {
+          'aws:SourceAccount': [key.env.account],
+        },
+        ArnLike: {
+          'aws:SourceArn': [`arn:${Aws.PARTITION}:logs:${key.env.region}:${key.env.account}:${sourceArnPostfix}`],
+        },
+      },
+    }));
+  }
 }
 
 /**

packages/@aws-cdk/mixins-preview/scripts/spec2logs/builder.ts

@@ -153,11 +153,17 @@ class LogsHelper extends ClassType {
             type: CDK_INTERFACES.IBucketRef,
           });
 
+          toS3.addParameter({
+            name: 'props',
+            type: MIXINS_LOGS_DELIVERY.S3LogsDestinationProps,
+            optional: true,
+          });
+
           const permissions = this.log.permissionsVersion === 'V2' ? MIXINS_LOGS_DELIVERY.S3LogsDeliveryPermissionsVersion.V2 : MIXINS_LOGS_DELIVERY.S3LogsDeliveryPermissionsVersion.V1;
           toS3.addBody(stmt.block(
             stmt.ret(
               mixin.newInstance(expr.str(this.log.logType), new NewExpression(MIXINS_LOGS_DELIVERY.S3LogsDelivery, paramS3,
-                expr.object({ permissionsVersion: permissions }))),
+                expr.object({ permissionsVersion: permissions, kmsKey: expr.directCode('(props && props.encryptionKey) ? props.encryptionKey : undefined') }))),
             ),
           ));
           break;

packages/@aws-cdk/mixins-preview/scripts/spec2logs/helpers.ts

@@ -7,6 +7,7 @@ class MixinsLogsDelivery extends ExternalModule {
   public readonly XRayLogsDelivery = Type.fromName(this, 'XRayLogsDelivery');
   public readonly ILogsDelivery = Type.fromName(this, 'ILogsDelivery');
   public readonly S3LogsDeliveryPermissionsVersion = $T(Type.fromName(this, 'S3LogsDeliveryPermissionsVersion'));
+  public readonly S3LogsDestinationProps = Type.fromName(this, 'IS3LogsDestinationProps');
 }
 
 export const MIXINS_LOGS_DELIVERY = new MixinsLogsDelivery('@aws-cdk/mixins-preview/services/aws-logs');

packages/@aws-cdk/mixins-preview/test/codegen/__snapshots__/logs-delivery.test.ts.snap

@@ -20,10 +20,11 @@ export class CfnThingApplicationLogs {
   /**
    * Send logs to an S3 Bucket
    */
-  public toS3(bucket: interfaces.aws_s3.IBucketRef): CfnThingLogsMixin {
+  public toS3(bucket: interfaces.aws_s3.IBucketRef, props?: logsDelivery.IS3LogsDestinationProps): CfnThingLogsMixin {
     {
       return new CfnThingLogsMixin("APPLICATION_LOGS", new logsDelivery.S3LogsDelivery(bucket, {
-        permissionsVersion: logsDelivery.S3LogsDeliveryPermissionsVersion.V2
+        permissionsVersion: logsDelivery.S3LogsDeliveryPermissionsVersion.V2,
+        kmsKey: (props && props.encryptionKey) ? props.encryptionKey : undefined
       }));
     }
   }
@@ -58,10 +59,11 @@ export class CfnThingAccessLogs {
   /**
    * Send logs to an S3 Bucket
    */
-  public toS3(bucket: interfaces.aws_s3.IBucketRef): CfnThingLogsMixin {
+  public toS3(bucket: interfaces.aws_s3.IBucketRef, props?: logsDelivery.IS3LogsDestinationProps): CfnThingLogsMixin {
     {
       return new CfnThingLogsMixin("ACCESS_LOGS", new logsDelivery.S3LogsDelivery(bucket, {
-        permissionsVersion: logsDelivery.S3LogsDeliveryPermissionsVersion.V2
+        permissionsVersion: logsDelivery.S3LogsDeliveryPermissionsVersion.V2,
+        kmsKey: (props && props.encryptionKey) ? props.encryptionKey : undefined
       }));
     }
   }