aws-cdk.cx-api 2.175.0__tar.gz → 2.229.0__tar.gz

{aws_cdk_cx_api-2.175.0/src/aws_cdk.cx_api.egg-info → aws_cdk_cx_api-2.229.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: aws-cdk.cx-api
-Version: 2.175.0
+Version: 2.229.0
 Summary: Cloud executable protocol
 Home-page: https://github.com/aws/aws-cdk
 Author: Amazon Web Services
@@ -10,7 +10,6 @@ Classifier: Intended Audience :: Developers
 Classifier: Operating System :: OS Independent
 Classifier: Programming Language :: JavaScript
 Classifier: Programming Language :: Python :: 3 :: Only
-Classifier: Programming Language :: Python :: 3.8
 Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
@@ -19,12 +18,12 @@ Classifier: Development Status :: 5 - Production/Stable
 Classifier: License :: OSI Approved
 Classifier: Framework :: AWS CDK
 Classifier: Framework :: AWS CDK :: 2
-Requires-Python: ~=3.8
+Requires-Python: ~=3.9
 Description-Content-Type: text/markdown
 License-File: LICENSE
 License-File: NOTICE
-Requires-Dist: aws-cdk.cloud-assembly-schema<40.0.0,>=39.0.0
-Requires-Dist: jsii<2.0.0,>=1.104.0
+Requires-Dist: aws-cdk.cloud-assembly-schema>=45.0.0
+Requires-Dist: jsii<2.0.0,>=1.119.0
 Requires-Dist: publication>=0.0.3
 Requires-Dist: typeguard<4.3.0,>=2.13.3
 
@@ -48,7 +47,7 @@ and error indicating that a bucket policy already exists.
 In cases where we know what the required policy is we can go ahead and create the policy so we can
 remain in control of it.
 
-https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3
+[https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3)
 
 *cdk.json*
 
@@ -151,7 +150,7 @@ enabled on the bucket.
 This flag uses a Bucket Policy statement to allow Server Access Log delivery, following best
 practices for S3.
 
-https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html
+[https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html)
 
 ```json
 {
@@ -201,7 +200,7 @@ Enable this feature flag to use the `AmazonEMRServicePolicy_v2` managed policies
 This is a feature flag as the old behavior will be deprecated, but some resources may require manual
 intervention since they might not have the appropriate tags propagated automatically.
 
-https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-iam-policies.html
+[https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-iam-policies.html](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-iam-policies.html)
 
 *cdk.json*
 
@@ -340,6 +339,20 @@ When this feature flag is enabled and calling KMS key grant method, the created
 }
 ```
 
+* `@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal`
+
+Enable grant methods on imported KMS Aliases to apply permissions scoped by the alias using the `kms:ResourceAliases` condition key. When this flag is disabled, grant* methods on `Alias.fromAliasName` remain no-ops to preserve existing behavior.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": true
+  }
+}
+```
+
 * `@aws-cdk/aws-eks:nodegroupNameAttribute`
 
 When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix.
@@ -394,7 +407,7 @@ When this featuer flag is enabled, remove the default deployment alarm settings
 When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN.
 
 When this feature flag is enabled, the IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN.
-The revision ARN is more specific than the task definition ARN. See https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html
+The revision ARN is more specific than the task definition ARN. See [https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html](https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html)
 for more details.
 
 *cdk.json*
@@ -585,3 +598,251 @@ guarantee the correct execution of the feature in all platforms. See [Github dis
   },
 }
 ```
+
+* `@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault`
+
+When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere,
+For internet facing ALBs with `dualstack-without-public-ipv4` IP address type, the default security group rules
+will allow IPv6 ingress from anywhere (::/0). Previously, the default security group rules would only allow IPv4 ingress.
+
+Using a feature flag to make sure existing customers who might be relying
+on the overly restrictive permissions are not broken.,
+
+If the flag is set to false then the default security group rules will only allow IPv4 ingress.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true
+  }
+}
+```
+
+* `@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections`
+
+When this feature flag is enabled, the default behaviour of OIDC Provider's custom resource handler will
+default to reject unauthorized connections when downloading CA Certificates.
+
+When this feature flag is disabled, the behaviour will be the same as current and will allow downloading
+thumbprints from unsecure connnections.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true
+  }
+}
+```
+
+* `@aws-cdk/core:enableAdditionalMetadataCollection`
+
+When this feature flag is enabled, CDK expands the scope of usage data collection to include the:
+
+* L2 construct property keys - Collect which property keys you use from the L2 constructs in your app. This includes property keys nested in dictionary objects.
+* L2 construct property values of BOOL and ENUM types - Collect property key values of only BOOL and ENUM types. All other types, such as string values or construct references will be redacted.
+* L2 construct method usage - Collection method name, parameter keys and parameter values of BOOL and ENUM type.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/core:enableAdditionalMetadataCollection": true
+  }
+}
+```
+
+* `@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy`
+
+[Deprecated default feature] When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy.
+The purpose of this is to prevent lambda from creating a dependency on the Default Policy Statement.
+This solves an issue where a circular dependency could occur if adding lambda to something like a Cognito Trigger, then adding the User Pool to the lambda execution role permissions.
+However in the current implementation, we have removed a dependency of the lambda function on the policy. In addition to this, a Role will be attached to the Policy instead of an inline policy being attached to the role.
+This will create a data race condition in the CloudFormation template because the creation of the Lambda function no longer waits for the policy to be created. Having said that, we are not deprecating the feature (we are defaulting the feature flag to false for new stacks) since this feature can still be used to get around the circular dependency issue (issue-7016) particularly in cases where the lambda resource creation doesnt need to depend on the policy resource creation.
+We recommend to unset the feature flag if already set which will restore the original behavior.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": false
+  }
+}
+```
+
+* `@aws-cdk/aws-s3:setUniqueReplicationRoleName`
+
+When this feature flag is enabled, a unique role name is specified only when performing cross-account replication.
+When disabled, 'CDKReplicationRole' is always specified.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-s3:setUniqueReplicationRoleName": true
+  }
+}
+```
+
+* `@aws-cdk/pipelines:reduceStageRoleTrustScope`
+
+When this feature flag is enabled, the root account principal will not be added to the trust policy of stage role.
+When this feature flag is disabled, it will keep the root account principal in the trust policy.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/pipelines:reduceStageRoleTrustScope": true
+  }
+}
+```
+
+* `@aws-cdk/aws-events:requireEventBusPolicySid`
+
+When this flag is enabled:
+
+* Resource policies will be created with Statement IDs for service principals
+* The operation will succeed as expected
+
+When this flag is disabled:
+
+* A warning will be emitted
+* The grant operation will be dropped
+* No permissions will be added
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-events:requireEventBusPolicySid": true
+  }
+}
+```
+
+* `@aws-cdk/aws-dynamodb:retainTableReplica`
+
+Currently, table replica will always be deleted when stack deletes regardless of source table's deletion policy.
+When enabled, table replica will be default to the removal policy of source table unless specified otherwise.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-dynamodb:retainTableReplica": true
+  }
+}
+```
+
+* `@aws-cdk/cognito:logUserPoolClientSecretValue`
+
+When this feature flag is enabled, the SDK API call response to desribe user pool client values will be logged in the custom
+resource lambda function logs.
+
+When this feature flag is disabled, the SDK API call response to describe user pool client values will not be logged in the custom
+resource lambda function logs.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/cognito:logUserPoolClientSecretValue": true
+  }
+}
+```
+
+* `@aws-cdk/aws-s3:publicAccessBlockedByDefault`
+
+When BlockPublicAccess is not set at all, s3's default behavior will be to set all options to true in aws console.
+The previous behavior in cdk before this feature was; if only some of the BlockPublicAccessOptions were set (not all 4), then the ones undefined would default to false.
+This is counter intuitive to the console behavior where the options would start in true state and a user would uncheck the boxes as needed.
+The new behavior from this feature will allow a user, for example, to set 1 of the 4 BlockPublicAccessOpsions to false, and on deployment the other 3 will remain true.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-s3:publicAccessBlockedByDefault": true
+  }
+}
+```
+
+* `@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway`
+
+When this feature flag is enabled, EgressOnlyGateway is created only for dual-stack VPC with private subnets
+
+When this feature flag is disabled, EgressOnlyGateway resource is created for all dual-stack VPC regardless of subnet type
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": true
+  }
+}
+```
+
+* `@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint`
+
+When this feature flag is enabled, the JSONPath apiEndpoint value will be resolved dynamically at runtime, while slightly increasing the size of the state machine definition.
+When disabled, the JSONPath apiEndpoint property will only support a static string value.
+
+_cdk.json
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint": true
+  }
+}
+```
+
+* `@aws-cdk/aws-signer:signingProfileNamePassedToCfn`
+
+When this feature flag is enabled, the `signingProfileName` property is passed to the L1 `CfnSigningProfile` construct,
+which ensures that the AWS Signer profile is created with the specified name.
+
+When this feature flag is disabled, the `signingProfileName` is not passed to CloudFormation, maintaining backward
+compatibility with existing deployments where CloudFormation auto-generated profile names.
+
+This feature flag is needed because enabling it can cause existing signing profiles to be
+replaced during deployment if a `signingProfileName` was specified but not previously used
+in the CloudFormation template.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": true
+  }
+}
+```
+
+* `@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId`
+
+When enabled, ECS patterns will generate unique target group IDs that include the load balancer name and type (public/private). This prevents CloudFormation conflicts when switching between public and private load balancers.
+
+Without this flag, switching an ApplicationLoadBalancedFargateService from public to private (or vice versa) fails with "target group cannot be associated with more than one load balancer" error.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": true
+  }
+}
+```

{aws_cdk_cx_api-2.175.0 → aws_cdk_cx_api-2.229.0}/README.md

@@ -18,7 +18,7 @@ and error indicating that a bucket policy already exists.
 In cases where we know what the required policy is we can go ahead and create the policy so we can
 remain in control of it.
 
-https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3
+[https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3)
 
 *cdk.json*
 
@@ -121,7 +121,7 @@ enabled on the bucket.
 This flag uses a Bucket Policy statement to allow Server Access Log delivery, following best
 practices for S3.
 
-https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html
+[https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html)
 
 ```json
 {
@@ -171,7 +171,7 @@ Enable this feature flag to use the `AmazonEMRServicePolicy_v2` managed policies
 This is a feature flag as the old behavior will be deprecated, but some resources may require manual
 intervention since they might not have the appropriate tags propagated automatically.
 
-https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-iam-policies.html
+[https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-iam-policies.html](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-iam-policies.html)
 
 *cdk.json*
 
@@ -310,6 +310,20 @@ When this feature flag is enabled and calling KMS key grant method, the created
 }
 ```
 
+* `@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal`
+
+Enable grant methods on imported KMS Aliases to apply permissions scoped by the alias using the `kms:ResourceAliases` condition key. When this flag is disabled, grant* methods on `Alias.fromAliasName` remain no-ops to preserve existing behavior.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": true
+  }
+}
+```
+
 * `@aws-cdk/aws-eks:nodegroupNameAttribute`
 
 When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix.
@@ -364,7 +378,7 @@ When this featuer flag is enabled, remove the default deployment alarm settings
 When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN.
 
 When this feature flag is enabled, the IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN.
-The revision ARN is more specific than the task definition ARN. See https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html
+The revision ARN is more specific than the task definition ARN. See [https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html](https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html)
 for more details.
 
 *cdk.json*
@@ -555,3 +569,251 @@ guarantee the correct execution of the feature in all platforms. See [Github dis
   },
 }
 ```
+
+* `@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault`
+
+When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere,
+For internet facing ALBs with `dualstack-without-public-ipv4` IP address type, the default security group rules
+will allow IPv6 ingress from anywhere (::/0). Previously, the default security group rules would only allow IPv4 ingress.
+
+Using a feature flag to make sure existing customers who might be relying
+on the overly restrictive permissions are not broken.,
+
+If the flag is set to false then the default security group rules will only allow IPv4 ingress.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true
+  }
+}
+```
+
+* `@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections`
+
+When this feature flag is enabled, the default behaviour of OIDC Provider's custom resource handler will
+default to reject unauthorized connections when downloading CA Certificates.
+
+When this feature flag is disabled, the behaviour will be the same as current and will allow downloading
+thumbprints from unsecure connnections.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true
+  }
+}
+```
+
+* `@aws-cdk/core:enableAdditionalMetadataCollection`
+
+When this feature flag is enabled, CDK expands the scope of usage data collection to include the:
+
+* L2 construct property keys - Collect which property keys you use from the L2 constructs in your app. This includes property keys nested in dictionary objects.
+* L2 construct property values of BOOL and ENUM types - Collect property key values of only BOOL and ENUM types. All other types, such as string values or construct references will be redacted.
+* L2 construct method usage - Collection method name, parameter keys and parameter values of BOOL and ENUM type.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/core:enableAdditionalMetadataCollection": true
+  }
+}
+```
+
+* `@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy`
+
+[Deprecated default feature] When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy.
+The purpose of this is to prevent lambda from creating a dependency on the Default Policy Statement.
+This solves an issue where a circular dependency could occur if adding lambda to something like a Cognito Trigger, then adding the User Pool to the lambda execution role permissions.
+However in the current implementation, we have removed a dependency of the lambda function on the policy. In addition to this, a Role will be attached to the Policy instead of an inline policy being attached to the role.
+This will create a data race condition in the CloudFormation template because the creation of the Lambda function no longer waits for the policy to be created. Having said that, we are not deprecating the feature (we are defaulting the feature flag to false for new stacks) since this feature can still be used to get around the circular dependency issue (issue-7016) particularly in cases where the lambda resource creation doesnt need to depend on the policy resource creation.
+We recommend to unset the feature flag if already set which will restore the original behavior.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": false
+  }
+}
+```
+
+* `@aws-cdk/aws-s3:setUniqueReplicationRoleName`
+
+When this feature flag is enabled, a unique role name is specified only when performing cross-account replication.
+When disabled, 'CDKReplicationRole' is always specified.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-s3:setUniqueReplicationRoleName": true
+  }
+}
+```
+
+* `@aws-cdk/pipelines:reduceStageRoleTrustScope`
+
+When this feature flag is enabled, the root account principal will not be added to the trust policy of stage role.
+When this feature flag is disabled, it will keep the root account principal in the trust policy.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/pipelines:reduceStageRoleTrustScope": true
+  }
+}
+```
+
+* `@aws-cdk/aws-events:requireEventBusPolicySid`
+
+When this flag is enabled:
+
+* Resource policies will be created with Statement IDs for service principals
+* The operation will succeed as expected
+
+When this flag is disabled:
+
+* A warning will be emitted
+* The grant operation will be dropped
+* No permissions will be added
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-events:requireEventBusPolicySid": true
+  }
+}
+```
+
+* `@aws-cdk/aws-dynamodb:retainTableReplica`
+
+Currently, table replica will always be deleted when stack deletes regardless of source table's deletion policy.
+When enabled, table replica will be default to the removal policy of source table unless specified otherwise.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-dynamodb:retainTableReplica": true
+  }
+}
+```
+
+* `@aws-cdk/cognito:logUserPoolClientSecretValue`
+
+When this feature flag is enabled, the SDK API call response to desribe user pool client values will be logged in the custom
+resource lambda function logs.
+
+When this feature flag is disabled, the SDK API call response to describe user pool client values will not be logged in the custom
+resource lambda function logs.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/cognito:logUserPoolClientSecretValue": true
+  }
+}
+```
+
+* `@aws-cdk/aws-s3:publicAccessBlockedByDefault`
+
+When BlockPublicAccess is not set at all, s3's default behavior will be to set all options to true in aws console.
+The previous behavior in cdk before this feature was; if only some of the BlockPublicAccessOptions were set (not all 4), then the ones undefined would default to false.
+This is counter intuitive to the console behavior where the options would start in true state and a user would uncheck the boxes as needed.
+The new behavior from this feature will allow a user, for example, to set 1 of the 4 BlockPublicAccessOpsions to false, and on deployment the other 3 will remain true.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-s3:publicAccessBlockedByDefault": true
+  }
+}
+```
+
+* `@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway`
+
+When this feature flag is enabled, EgressOnlyGateway is created only for dual-stack VPC with private subnets
+
+When this feature flag is disabled, EgressOnlyGateway resource is created for all dual-stack VPC regardless of subnet type
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": true
+  }
+}
+```
+
+* `@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint`
+
+When this feature flag is enabled, the JSONPath apiEndpoint value will be resolved dynamically at runtime, while slightly increasing the size of the state machine definition.
+When disabled, the JSONPath apiEndpoint property will only support a static string value.
+
+_cdk.json
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint": true
+  }
+}
+```
+
+* `@aws-cdk/aws-signer:signingProfileNamePassedToCfn`
+
+When this feature flag is enabled, the `signingProfileName` property is passed to the L1 `CfnSigningProfile` construct,
+which ensures that the AWS Signer profile is created with the specified name.
+
+When this feature flag is disabled, the `signingProfileName` is not passed to CloudFormation, maintaining backward
+compatibility with existing deployments where CloudFormation auto-generated profile names.
+
+This feature flag is needed because enabling it can cause existing signing profiles to be
+replaced during deployment if a `signingProfileName` was specified but not previously used
+in the CloudFormation template.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": true
+  }
+}
+```
+
+* `@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId`
+
+When enabled, ECS patterns will generate unique target group IDs that include the load balancer name and type (public/private). This prevents CloudFormation conflicts when switching between public and private load balancers.
+
+Without this flag, switching an ApplicationLoadBalancedFargateService from public to private (or vice versa) fails with "target group cannot be associated with more than one load balancer" error.
+
+*cdk.json*
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": true
+  }
+}
+```

{aws_cdk_cx_api-2.175.0 → aws_cdk_cx_api-2.229.0}/pyproject.toml

@@ -1,9 +1,9 @@
 [build-system]
-requires = ["setuptools~=70.0.0", "wheel~=0.42"]
+requires = ["setuptools~=75.3.2", "build~=1.3.0"]
 build-backend = "setuptools.build_meta"
 
 [tool.pyright]
 defineConstant = { DEBUG = true }
-pythonVersion = "3.8"
+pythonVersion = "3.9"
 pythonPlatform = "All"
 reportSelfClsParameterName = false

{aws_cdk_cx_api-2.175.0 → aws_cdk_cx_api-2.229.0}/setup.py

@@ -5,7 +5,7 @@ kwargs = json.loads(
     """
 {
     "name": "aws-cdk.cx-api",
-    "version": "2.175.0",
+    "version": "2.229.0",
     "description": "Cloud executable protocol",
     "license": "Apache-2.0",
     "url": "https://github.com/aws/aws-cdk",
@@ -26,16 +26,16 @@ kwargs = json.loads(
     ],
     "package_data": {
         "aws_cdk.cx_api._jsii": [
-            "cx-api@2.175.0.jsii.tgz"
+            "cx-api@2.229.0.jsii.tgz"
         ],
         "aws_cdk.cx_api": [
             "py.typed"
         ]
     },
-    "python_requires": "~=3.8",
+    "python_requires": "~=3.9",
     "install_requires": [
-        "aws-cdk.cloud-assembly-schema>=39.0.0, <40.0.0",
-        "jsii>=1.104.0, <2.0.0",
+        "aws-cdk.cloud-assembly-schema>=45.0.0",
+        "jsii>=1.119.0, <2.0.0",
         "publication>=0.0.3",
         "typeguard>=2.13.3,<4.3.0"
     ],
@@ -44,7 +44,6 @@ kwargs = json.loads(
         "Operating System :: OS Independent",
         "Programming Language :: JavaScript",
         "Programming Language :: Python :: 3 :: Only",
-        "Programming Language :: Python :: 3.8",
         "Programming Language :: Python :: 3.9",
         "Programming Language :: Python :: 3.10",
         "Programming Language :: Python :: 3.11",