feat: update L1 CloudFormation resource definitions #37530

Merged: vishaalmehrishi merged 1 commit into main from automation/spec-update on Apr 9, 2026

aws-cdk-automation (Collaborator) commented Apr 6, 2026

Updates the L1 CloudFormation resource definitions with the latest changes from @aws-cdk/aws-service-spec

L1 CloudFormation resource definition changes:

├[~] service aws-appstream
│ └ resources
│    └[~]  resource AWS::AppStream::Stack
│       ├      - primaryIdentifier: ["Id"]
│       │      + primaryIdentifier: ["Name"]
│       └ attributes
│          └[-] Id: string
├[~] service aws-appsync
│ └ resources
│    └[~]  resource AWS::AppSync::GraphQLApi
│       └ types
│          └[~] type LogConfig
│            └ properties
│               ├ CloudWatchLogsRoleArn: - string
│               │                        + string (required)
│               └ FieldLogLevel: - string
│                                + string (required)
├[~] service aws-bedrockagentcore
│ └ resources
│    ├[~]  resource AWS::BedrockAgentCore::Evaluator
│    │  └ types
│    │     ├[+]  type CodeBasedEvaluatorConfig
│    │     │  ├      documentation: The configuration for code-based evaluation using a Lambda function.
│    │     │  │      name: CodeBasedEvaluatorConfig
│    │     │  └ properties
│    │     │     └ LambdaConfig: LambdaEvaluatorConfig (required)
│    │     ├[~] type EvaluatorConfig
│    │     │ └ properties
│    │     │    ├[+] CodeBased: CodeBasedEvaluatorConfig
│    │     │    └ LlmAsAJudge: - LlmAsAJudgeEvaluatorConfig (required)
│    │     │                   + LlmAsAJudgeEvaluatorConfig
│    │     └[+]  type LambdaEvaluatorConfig
│    │        ├      documentation: The Lambda function configuration for code-based evaluation.
│    │        │      name: LambdaEvaluatorConfig
│    │        └ properties
│    │           ├ LambdaArn: string (required)
│    │           └ LambdaTimeoutInSeconds: integer
│    └[~]  resource AWS::BedrockAgentCore::Memory
│       └ types
│          ├[~] type CustomMemoryStrategy
│          │ └ properties
│          │    └[+] NamespaceTemplates: Array<string>
│          ├[~] type EpisodicMemoryStrategy
│          │ └ properties
│          │    └[+] NamespaceTemplates: Array<string>
│          ├[~] type EpisodicOverrideReflectionConfigurationInput
│          │ └ properties
│          │    └[+] NamespaceTemplates: Array<string>
│          ├[~] type EpisodicReflectionConfigurationInput
│          │ └ properties
│          │    └[+] NamespaceTemplates: Array<string>
│          ├[~] type SemanticMemoryStrategy
│          │ └ properties
│          │    └[+] NamespaceTemplates: Array<string>
│          ├[~] type SummaryMemoryStrategy
│          │ └ properties
│          │    └[+] NamespaceTemplates: Array<string>
│          └[~] type UserPreferenceMemoryStrategy
│            └ properties
│               └[+] NamespaceTemplates: Array<string>
├[~] service aws-customerprofiles
│ └ resources
│    └[~]  resource AWS::CustomerProfiles::SegmentDefinition
│       ├ properties
│       │  └[+] SegmentSort: SegmentSort
│       └ types
│          ├[+]  type SegmentSort
│          │  ├      documentation: Defines how segments should be sorted and ordered in the results.
│          │  │      name: SegmentSort
│          │  └ properties
│          │     └ Attributes: Array<SortAttribute> (required)
│          └[+]  type SortAttribute
│             ├      documentation: Defines the characteristics and rules for sorting by a specific attribute.
│             │      name: SortAttribute
│             └ properties
│                ├ Name: string (required)
│                ├ Order: string<ASC|DESC> (required)
│                ├ DataType: string<STRING|NUMBER|DATE>
│                └ Type: string<PROFILE|CALCULATED>
├[~] service aws-datazone
│ └ resources
│    ├[~]  resource AWS::DataZone::Connection
│    │  └ types
│    │     ├[~] type ConnectionPropertiesInput
│    │     │ └ properties
│    │     │    ├[+] WorkflowsMwaaProperties: WorkflowsMwaaPropertiesInput
│    │     │    └[+] WorkflowsServerlessProperties: json
│    │     └[+]  type WorkflowsMwaaPropertiesInput
│    │        ├      documentation: Workflows MWAA Properties Input
│    │        │      name: WorkflowsMwaaPropertiesInput
│    │        └ properties
│    │           └ MwaaEnvironmentName: string
│    ├[~]  resource AWS::DataZone::Project
│    │  ├ properties
│    │  │  └[+] ResourceTags: Array<ResourceTag>
│    │  └ types
│    │     └[+]  type ResourceTag
│    │        ├      name: ResourceTag
│    │        └ properties
│    │           ├ Key: string (required)
│    │           └ Value: string (required)
│    └[~]  resource AWS::DataZone::ProjectProfile
│       ├ properties
│       │  ├[+] AllowCustomProjectResourceTags: boolean
│       │  ├[+] ProjectResourceTags: Array<ResourceTagParameter>
│       │  └[+] ProjectResourceTagsDescription: string
│       └ types
│          └[+]  type ResourceTagParameter
│             ├      name: ResourceTagParameter
│             └ properties
│                ├ Key: string (required)
│                ├ Value: string (required)
│                └ IsValueEditable: boolean (required)
├[~] service aws-devopsagent
│ └ resources
│    ├[~]  resource AWS::DevOpsAgent::AgentSpace
│    │  ├      - tagInformation: undefined
│    │  │      + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│    │  └ properties
│    │     ├[+] KmsKeyArn: string (immutable)
│    │     └[+] Tags: Array<tag>
│    └[~]  resource AWS::DevOpsAgent::Service
│       ├      - tagInformation: undefined
│       │      + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│       ├ properties
│       │  ├[+] KmsKeyArn: string (immutable)
│       │  └[+] Tags: Array<tag>
│       └ attributes
│          └[+] Arn: string
├[~] service aws-directoryservice
│ └ resources
│    └[~]  resource AWS::DirectoryService::MicrosoftAD
│       └      - arnTemplate: arn:${Partition}:ds:${Region}:${Account}:directory/${DirectoryId}
│              + arnTemplate: arn:${Partition}:ds:${Region}:${Account}:${DirectoryId}
├[~] service aws-dlm
│ └ resources
│    └[~]  resource AWS::DLM::LifecyclePolicy
│       └ types
│          └[~] type FastRestoreRule
│            └ properties
│               └[+] AvailabilityZoneIds: Array<string>
├[~] service aws-ec2
│ └ resources
│    └[~]  resource AWS::EC2::Instance
│       ├      - vendedLogs: undefined
│       │      + vendedLogs: [{"permissionsVersion":"V2","logType":"CONSOLE_LOGS","destinations":[{"destinationType":"S3","outputFormats":["json","plain","w3c","parquet"]},{"destinationType":"CWL","outputFormats":["plain","json"]},{"destinationType":"FH","outputFormats":["json","plain","raw"]}],"mandatoryFields":["resource_arn","event_timestamp","message"]}]
│       └ vendedLogs
│          └[+] logType: CONSOLE_LOGS
│            ├permissionsVersion: V2
│            ├destinations: [S3, CWL, FH]
│            └mandatoryFields: [resource_arn, event_timestamp, message]
├[~] service aws-ecs
│ └ resources
│    ├[~]  resource AWS::ECS::CapacityProvider
│    │  └ types
│    │     ├[~] type InstanceLaunchTemplate
│    │     │ └ properties
│    │     │    └[+] LocalStorageConfiguration: ManagedInstancesLocalStorageConfiguration
│    │     └[+]  type ManagedInstancesLocalStorageConfiguration
│    │        ├      name: ManagedInstancesLocalStorageConfiguration
│    │        └ properties
│    │           └ UseLocalStorage: boolean
│    ├[+]  resource AWS::ECS::Daemon
│    │  ├      name: Daemon
│    │  │      cloudFormationType: AWS::ECS::Daemon
│    │  │      documentation: Resource schema for AWS ECS Daemon
│    │  │      tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│    │  │      primaryIdentifier: ["DaemonArn"]
│    │  ├ properties
│    │  │  ├ ClusterArn: string (immutable)
│    │  │  ├ DaemonTaskDefinitionArn: string
│    │  │  ├ DaemonName: string (immutable)
│    │  │  ├ EnableECSManagedTags: boolean
│    │  │  ├ EnableExecuteCommand: boolean
│    │  │  ├ PropagateTags: string<DAEMON|NONE>
│    │  │  ├ CapacityProviderArns: Array<string>
│    │  │  ├ DeploymentConfiguration: DaemonDeploymentConfiguration
│    │  │  └ Tags: Array<tag>
│    │  ├ attributes
│    │  │  ├ DaemonArn: string
│    │  │  ├ DeploymentArn: string
│    │  │  ├ CreatedAt: string
│    │  │  ├ UpdatedAt: string
│    │  │  └ DaemonStatus: string<ACTIVE|DELETE_IN_PROGRESS>
│    │  └ types
│    │     ├ type DaemonAlarmConfiguration
│    │     │ ├      name: DaemonAlarmConfiguration
│    │     │ └ properties
│    │     │    ├ AlarmNames: Array<string>
│    │     │    └ Enable: boolean
│    │     └ type DaemonDeploymentConfiguration
│    │       ├      name: DaemonDeploymentConfiguration
│    │       └ properties
│    │          ├ DrainPercent: number
│    │          ├ BakeTimeInMinutes: integer
│    │          └ Alarms: DaemonAlarmConfiguration
│    └[+]  resource AWS::ECS::DaemonTaskDefinition
│       ├      name: DaemonTaskDefinition
│       │      cloudFormationType: AWS::ECS::DaemonTaskDefinition
│       │      documentation: Resource Schema describing various properties for ECS DaemonTaskDefinition
│       │      tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│       │      primaryIdentifier: ["DaemonTaskDefinitionArn"]
│       ├ properties
│       │  ├ ExecutionRoleArn: string (immutable)
│       │  ├ TaskRoleArn: string (immutable)
│       │  ├ Volumes: Array<Volume> (immutable)
│       │  ├ Memory: string (immutable)
│       │  ├ ContainerDefinitions: Array<DaemonContainerDefinition> (immutable)
│       │  ├ Family: string (immutable)
│       │  ├ Cpu: string (immutable)
│       │  └ Tags: Array<tag>
│       ├ attributes
│       │  └ DaemonTaskDefinitionArn: string
│       └ types
│          ├ type ContainerDependency
│          │ ├      name: ContainerDependency
│          │ └ properties
│          │    ├ Condition: string
│          │    └ ContainerName: string
│          ├ type DaemonContainerDefinition
│          │ ├      documentation: Container definition for daemon task definition
│          │ │      name: DaemonContainerDefinition
│          │ └ properties
│          │    ├ User: string
│          │    ├ Secrets: Array<Secret>
│          │    ├ Memory: integer
│          │    ├ Privileged: boolean
│          │    ├ StartTimeout: integer
│          │    ├ HealthCheck: HealthCheck
│          │    ├ Cpu: integer
│          │    ├ EntryPoint: Array<string>
│          │    ├ ReadonlyRootFilesystem: boolean
│          │    ├ Image: string (required)
│          │    ├ Essential: boolean
│          │    ├ LogConfiguration: LogConfiguration
│          │    ├ EnvironmentFiles: Array<EnvironmentFile>
│          │    ├ Name: string (required)
│          │    ├ FirelensConfiguration: FirelensConfiguration
│          │    ├ SystemControls: Array<SystemControl>
│          │    ├ Interactive: boolean
│          │    ├ Ulimits: Array<Ulimit>
│          │    ├ StopTimeout: integer
│          │    ├ WorkingDirectory: string
│          │    ├ MemoryReservation: integer
│          │    ├ RepositoryCredentials: RepositoryCredentials
│          │    ├ LinuxParameters: LinuxParameters
│          │    ├ RestartPolicy: RestartPolicy
│          │    ├ PseudoTerminal: boolean
│          │    ├ MountPoints: Array<MountPoint>
│          │    ├ DependsOn: Array<ContainerDependency>
│          │    ├ Command: Array<string>
│          │    └ Environment: Array<KeyValuePair>
│          ├ type Device
│          │ ├      name: Device
│          │ └ properties
│          │    ├ HostPath: string
│          │    ├ Permissions: Array<string>
│          │    └ ContainerPath: string
│          ├ type EnvironmentFile
│          │ ├      name: EnvironmentFile
│          │ └ properties
│          │    ├ Type: string
│          │    └ Value: string
│          ├ type FirelensConfiguration
│          │ ├      name: FirelensConfiguration
│          │ └ properties
│          │    ├ Options: Map<string, string>
│          │    └ Type: string
│          ├ type HealthCheck
│          │ ├      name: HealthCheck
│          │ └ properties
│          │    ├ Command: Array<string>
│          │    ├ Timeout: integer
│          │    ├ Retries: integer
│          │    ├ Interval: integer
│          │    └ StartPeriod: integer
│          ├ type HostVolumeProperties
│          │ ├      name: HostVolumeProperties
│          │ └ properties
│          │    └ SourcePath: string
│          ├ type KernelCapabilities
│          │ ├      name: KernelCapabilities
│          │ └ properties
│          │    ├ Add: Array<string>
│          │    └ Drop: Array<string>
│          ├ type KeyValuePair
│          │ ├      name: KeyValuePair
│          │ └ properties
│          │    ├ Value: string
│          │    └ Name: string
│          ├ type LinuxParameters
│          │ ├      name: LinuxParameters
│          │ └ properties
│          │    ├ Capabilities: KernelCapabilities
│          │    ├ Tmpfs: Array<Tmpfs>
│          │    ├ Devices: Array<Device>
│          │    └ InitProcessEnabled: boolean
│          ├ type LogConfiguration
│          │ ├      name: LogConfiguration
│          │ └ properties
│          │    ├ SecretOptions: Array<Secret>
│          │    ├ Options: Map<string, string>
│          │    └ LogDriver: string (required)
│          ├ type MountPoint
│          │ ├      name: MountPoint
│          │ └ properties
│          │    ├ ReadOnly: boolean
│          │    ├ SourceVolume: string
│          │    └ ContainerPath: string
│          ├ type RepositoryCredentials
│          │ ├      name: RepositoryCredentials
│          │ └ properties
│          │    └ CredentialsParameter: string
│          ├ type RestartPolicy
│          │ ├      name: RestartPolicy
│          │ └ properties
│          │    ├ IgnoredExitCodes: Array<integer>
│          │    ├ RestartAttemptPeriod: integer
│          │    └ Enabled: boolean
│          ├ type Secret
│          │ ├      name: Secret
│          │ └ properties
│          │    ├ ValueFrom: string (required)
│          │    └ Name: string (required)
│          ├ type SystemControl
│          │ ├      name: SystemControl
│          │ └ properties
│          │    ├ Value: string
│          │    └ Namespace: string
│          ├ type Tmpfs
│          │ ├      name: Tmpfs
│          │ └ properties
│          │    ├ Size: integer (required)
│          │    ├ ContainerPath: string
│          │    └ MountOptions: Array<string>
│          ├ type Ulimit
│          │ ├      name: Ulimit
│          │ └ properties
│          │    ├ SoftLimit: integer (required)
│          │    ├ HardLimit: integer (required)
│          │    └ Name: string (required)
│          └ type Volume
│            ├      name: Volume
│            └ properties
│               ├ Host: HostVolumeProperties
│               └ Name: string
├[~] service aws-eks
│ └ resources
│    └[~]  resource AWS::EKS::Nodegroup
│       ├ properties
│       │  └[+] WarmPoolConfig: WarmPoolConfig
│       └ types
│          └[+]  type WarmPoolConfig
│             ├      documentation: The warm pool configuration for the node group.
│             │      name: WarmPoolConfig
│             └ properties
│                ├ Enabled: boolean
│                ├ MaxGroupPreparedCapacity: integer
│                ├ MinSize: integer
│                ├ PoolState: string
│                └ ReuseOnScaleIn: boolean
├[~] service aws-elasticloadbalancing
│ └ resources
│    └[~]  resource AWS::ElasticLoadBalancing::LoadBalancer
│       ├ attributes
│       │  └[+] SourceSecurityGroup: SourceSecurityGroup
│       └ types
│          ├[~] type Policies
│          │ └ properties
│          │    └ Attributes: - Array<json> (required)
│          │                  + Array<PolicyItem> ⇐ Array<json> (required)
│          ├[+]  type PolicyItem
│          │  ├      name: PolicyItem
│          │  └ properties
│          │     ├ Name: string
│          │     └ Value: string
│          └[+]  type SourceSecurityGroup
│             ├      name: SourceSecurityGroup
│             └ properties
│                ├ GroupName: string
│                └ OwnerAlias: string
├[~] service aws-emr
│ └ resources
│    └[~]  resource AWS::EMR::Cluster
│       ├ properties
│       │  ├ AdditionalInfo: - json | string ⇐ json (immutable)
│       │  │                 + json (immutable)
│       │  ├ MonitoringConfiguration: (documentation changed)
│       │  ├ PlacementGroupConfigs: (documentation changed)
│       │  ├ ScaleDownBehavior: - string<TERMINATE_AT_INSTANCE_HOUR|TERMINATE_AT_TASK_COMPLETION> (immutable)
│       │  │                    + string (immutable)
│       │  └ VisibleToAllUsers: - boolean (deprecated=WARN)
│       │                       + boolean
│       └ types
│          ├[~] type CloudWatchAlarmDefinition
│          │ └ properties
│          │    ├ ComparisonOperator: - string<GREATER_THAN_OR_EQUAL|GREATER_THAN|LESS_THAN|LESS_THAN_OR_EQUAL> (required)
│          │    │                     + string (required)
│          │    ├ Statistic: - string<SAMPLE_COUNT|AVERAGE|SUM|MINIMUM|MAXIMUM>
│          │    │            + string
│          │    └ Unit: - string<NONE|SECONDS|MICRO_SECONDS|MILLI_SECONDS|BYTES|KILO_BYTES|MEGA_BYTES|GIGA_BYTES|TERA_BYTES|BITS|KILO_BITS|MEGA_BITS|GIGA_BITS|TERA_BITS|PERCENT|COUNT|BYTES_PER_SECOND|KILO_BYTES_PER_SECOND|MEGA_BYTES_PER_SECOND|GIGA_BYTES_PER_SECOND|TERA_BYTES_PER_SECOND|BITS_PER_SECOND|KILO_BITS_PER_SECOND|MEGA_BITS_PER_SECOND|GIGA_BITS_PER_SECOND|TERA_BITS_PER_SECOND|COUNT_PER_SECOND>
│          │            + string
│          ├[~] type CloudWatchLogConfiguration
│          │ ├      - documentation: Holds CloudWatch log configuration settings and metadata that specify settings like log files to monitor and where to send them.
│          │ │      + documentation: undefined
│          │ └ properties
│          │    ├ Enabled: (documentation changed)
│          │    ├ EncryptionKeyArn: (documentation changed)
│          │    ├ LogGroupName: (documentation changed)
│          │    ├ LogStreamNamePrefix: (documentation changed)
│          │    └ LogTypes: - Map<string, Array<string>>
│          │                + json
│          │                (documentation changed)
│          ├[~] type ComputeLimits
│          │ └ properties
│          │    └ UnitType: - string<InstanceFleetUnits|Instances|VCPU> (required)
│          │                + string (required)
│          ├[~] type EMRConfiguration
│          │ └ properties
│          │    └ Classification: (documentation changed)
│          ├[~] type InstanceGroupConfig
│          │ └ properties
│          │    └ Market: - string<ON_DEMAND|SPOT> (immutable)
│          │              + string (immutable)
│          ├[~] type MonitoringConfiguration
│          │ ├      - documentation: Contains CloudWatch log configuration metadata and settings.
│          │ │      + documentation: undefined
│          │ └ properties
│          │    └ CloudWatchLogConfiguration: (documentation changed)
│          ├[~] type PlacementGroupConfig
│          │ └ properties
│          │    ├ InstanceRole: - string<MASTER|CORE|TASK> (required)
│          │    │               + string (required)
│          │    └ PlacementStrategy: - string<SPREAD|PARTITION|CLUSTER|NONE>
│          │                         + string
│          ├[~] type ScalingAction
│          │ └ properties
│          │    └ Market: - string<ON_DEMAND|SPOT>
│          │              + string
│          ├[~] type SimpleScalingPolicyConfiguration
│          │ └ properties
│          │    └ AdjustmentType: - string<CHANGE_IN_CAPACITY|EXACT_CAPACITY|PERCENT_CHANGE_IN_CAPACITY>
│          │                      + string
│          ├[~] type SpotProvisioningSpecification
│          │ └ properties
│          │    └ TimeoutAction: - string<SWITCH_TO_ON_DEMAND|TERMINATE_CLUSTER> (required)
│          │                     + string (required)
│          └[~] type StepConfig
│            └ properties
│               └ ActionOnFailure: - string<CANCEL_AND_WAIT|CONTINUE|TERMINATE_CLUSTER|TERMINATE_JOB_FLOW>
│                                  + string
├[~] service aws-fsx
│ └ resources
│    └[~]  resource AWS::FSx::FileSystem
│       └ types
│          ├[+]  type FsrmConfiguration
│          │  ├      name: FsrmConfiguration
│          │  └ properties
│          │     ├ FsrmServiceEnabled: boolean (required)
│          │     └ EventLogDestination: string
│          └[~] type WindowsConfiguration
│            └ properties
│               └[+] FsrmConfiguration: FsrmConfiguration
├[~] service aws-glue
│ └ resources
│    └[~]  resource AWS::Glue::Partition
│       └      - arnTemplate: arn:${Partition}:glue:${Region}:${Account}:partition/${PartitionName}
│              + arnTemplate: undefined
├[~] service aws-interconnect
│ └ resources
│    └[~]  resource AWS::Interconnect::Connection
│       └      - arnTemplate: undefined
│              + arnTemplate: arn:${Partition}:interconnect:${Region}:${Account}:connection/${Id}
├[~] service aws-kafkaconnect
│ └ resources
│    └[~]  resource AWS::KafkaConnect::Connector
│       └ types
│          └[~] type ProvisionedCapacity
│            └ properties
│               └ McuCount: - integer<1|2|4|8>
│                           + integer<1|2|4|8> (required)
├[+] service aws-novaact
│ ├      capitalized: NovaAct
│ │      cloudFormationNamespace: AWS::NovaAct
│ │      name: aws-novaact
│ │      shortName: novaact
│ └ resources
│    └ resource AWS::NovaAct::WorkflowDefinition
│      ├      name: WorkflowDefinition
│      │      cloudFormationType: AWS::NovaAct::WorkflowDefinition
│      │      documentation: Definition of AWS::NovaAct::WorkflowDefinition Resource Type
│      │      primaryIdentifier: ["Arn"]
│      ├ properties
│      │  ├ Description: string (immutable)
│      │  ├ ExportConfig: WorkflowExportConfig (immutable)
│      │  └ Name: string (required, immutable)
│      ├ attributes
│      │  ├ Arn: string
│      │  ├ CreatedAt: string
│      │  └ Status: string<ACTIVE|DELETING>
│      └ types
│         └ type WorkflowExportConfig
│           ├      documentation: Configuration settings for exporting workflow execution data and logs to Amazon S3.
│           │      name: WorkflowExportConfig
│           └ properties
│              ├ S3BucketName: string (required)
│              └ S3KeyPrefix: string
├[~] service aws-observabilityadmin
│ └ resources
│    ├[~]  resource AWS::ObservabilityAdmin::OrganizationTelemetryRule
│    │  └ types
│    │     └[~] type TelemetryRule
│    │       └ properties
│    │          ├ ResourceType: - string<AWS::EC2::VPC|AWS::WAFv2::WebACL|AWS::CloudTrail|AWS::EKS::Cluster|AWS::ElasticLoadBalancingV2::LoadBalancer> (required)
│    │          │               + string<AWS::EC2::VPC|AWS::WAFv2::WebACL|AWS::CloudTrail|AWS::EKS::Cluster|AWS::ElasticLoadBalancingV2::LoadBalancer|AWS::EC2::Instance> (required)
│    │          └ TelemetryType: - string<Logs> (required)
│    │                           + string<Logs|Metrics> (required)
│    └[~]  resource AWS::ObservabilityAdmin::TelemetryRule
│       └ types
│          └[~] type TelemetryRule
│            └ properties
│               ├ ResourceType: - string<AWS::EC2::VPC|AWS::WAFv2::WebACL|AWS::CloudTrail|AWS::EKS::Cluster|AWS::ElasticLoadBalancingV2::LoadBalancer|AWS::BedrockAgentCore::Runtime|AWS::BedrockAgentCore::Browser|AWS::BedrockAgentCore::CodeInterpreter> (required)
│               │               + string<AWS::EC2::VPC|AWS::WAFv2::WebACL|AWS::CloudTrail|AWS::EKS::Cluster|AWS::ElasticLoadBalancingV2::LoadBalancer|AWS::EC2::Instance|AWS::BedrockAgentCore::Runtime|AWS::BedrockAgentCore::Browser|AWS::BedrockAgentCore::CodeInterpreter> (required)
│               └ TelemetryType: - string<Logs|Traces> (required)
│                                + string<Logs|Traces|Metrics> (required)
├[~] service aws-omics
│ └ resources
│    └[+]  resource AWS::Omics::Configuration
│       ├      name: Configuration
│       │      cloudFormationType: AWS::Omics::Configuration
│       │      documentation: Resource schema for AWS::Omics::Configuration
│       │      tagInformation: {"tagPropertyName":"Tags","variant":"map"}
│       │      arnTemplate: arn:${Partition}:omics:${Region}:${Account}:configuration/${Name}
│       │      primaryIdentifier: ["Name"]
│       ├ properties
│       │  ├ Name: string (required, immutable)
│       │  ├ Description: string
│       │  ├ RunConfigurations: RunConfigurations (required, immutable)
│       │  └ Tags: Map<string, string>
│       ├ attributes
│       │  ├ Arn: string
│       │  ├ Uuid: string
│       │  ├ Status: string<CREATING|ACTIVE|UPDATING|DELETING|DELETED|FAILED>
│       │  └ CreationTime: string
│       └ types
│          ├ type RunConfigurations
│          │ ├      name: RunConfigurations
│          │ └ properties
│          │    └ VpcConfig: VpcConfig
│          └ type VpcConfig
│            ├      name: VpcConfig
│            └ properties
│               ├ SecurityGroupIds: Array<string>
│               └ SubnetIds: Array<string>
├[~] service aws-pcs
│ └ resources
│    └[~]  resource AWS::PCS::Cluster
│       ├      - vendedLogs: [{"permissionsVersion":"V2","logType":"PCS_JOBCOMP_LOGS","destinations":[{"destinationType":"S3","outputFormats":["json","plain","w3c","parquet"]},{"destinationType":"CWL","outputFormats":["plain","json"]},{"destinationType":"FH","outputFormats":["json","plain","raw"]}],"mandatoryFields":["resource_id","resource_type","event_timestamp","scheduler_type","scheduler_major_version","fields"]},{"permissionsVersion":"V2","logType":"PCS_SCHEDULER_LOGS","destinations":[{"destinationType":"S3","outputFormats":["json","plain","w3c","parquet"]},{"destinationType":"CWL","outputFormats":["plain","json"]},{"destinationType":"FH","outputFormats":["json","plain","raw"]}],"mandatoryFields":["resource_id","resource_type","event_timestamp","log_level","log_name","scheduler_type","scheduler_major_version","scheduler_patch_version","node_type","message"]},{"permissionsVersion":"V2","logType":"PCS_SCHEDULER_AUDIT_LOGS","destinations":[{"destinationType":"S3","outputFormats":["json","plain","w3c","parquet"]},{"destinationType":"CWL","outputFormats":["plain","json"]},{"destinationType":"FH","outputFormats":["json","plain","raw"]}],"optionalFields":["resource_id","resource_type","event_timestamp","log_level","scheduler_type","scheduler_patch_version","node_type","message"],"mandatoryFields":["log_name","scheduler_major_version","log_type"]}]
│       │      + vendedLogs: [{"permissionsVersion":"V2","logType":"PCS_JOBCOMP_LOGS","destinations":[{"destinationType":"S3","outputFormats":["json","plain","w3c","parquet"]},{"destinationType":"CWL","outputFormats":["plain","json"]},{"destinationType":"FH","outputFormats":["json","plain","raw"]}],"mandatoryFields":["resource_id","resource_type","event_timestamp","scheduler_type","scheduler_major_version","fields"]},{"permissionsVersion":"V2","logType":"PCS_SCHEDULER_LOGS","destinations":[{"destinationType":"S3","outputFormats":["json","plain","w3c","parquet"]},{"destinationType":"CWL","outputFormats":["plain","json"]},{"destinationType":"FH","outputFormats":["json","plain","raw"]}],"mandatoryFields":["resource_id","resource_type","event_timestamp","log_level","log_name","scheduler_type","scheduler_major_version","scheduler_patch_version","node_type","message"]},{"permissionsVersion":"V2","logType":"PCS_SCHEDULER_AUDIT_LOGS","destinations":[{"destinationType":"S3","outputFormats":["json","plain","w3c","parquet"]},{"destinationType":"CWL","outputFormats":["plain","json"]},{"destinationType":"FH","outputFormats":["json","plain","raw"]}],"mandatoryFields":["resource_id","resource_type","event_timestamp","log_level","log_name","scheduler_type","scheduler_major_version","scheduler_patch_version","node_type","log_type","message"]}]
│       └ vendedLogs
│          └[~] logType: PCS_SCHEDULER_AUDIT_LOGS
│            ├mandatoryFields:
│            │├- [log_name, scheduler_major_version, log_type]
│            │└+ [resource_id, resource_type, event_timestamp, log_level, log_name, scheduler_type, scheduler_major_version, scheduler_patch_version, node_type, log_type, message]
│            └optionalFields:
│             └- [resource_id, resource_type, event_timestamp, log_level, scheduler_type, scheduler_patch_version, node_type, message]
├[~] service aws-pinpoint
│ └ resources
│    └[~]  resource AWS::Pinpoint::InAppTemplate
│       └      - arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/VOICE
│              + arnTemplate: arn:${Partition}:mobiletargeting:${Region}:${Account}:templates/${TemplateName}/EMAIL
├[~] service aws-quicksight
│ └ resources
│    ├[~]  resource AWS::QuickSight::DataSet
│    │  ├ properties
│    │  │  ├ FolderArns: (documentation changed)
│    │  │  └ RowLevelPermissionDataSet: (documentation changed)
│    │  └ types
│    │     └[~] type RowLevelPermissionConfiguration
│    │       └ properties
│    │          └ RowLevelPermissionDataSet: (documentation changed)
│    └[~]  resource AWS::QuickSight::DataSource
│       ├ properties
│       │  └ Type: - string<ADOBE_ANALYTICS|AMAZON_ELASTICSEARCH|AMAZON_OPENSEARCH|ATHENA|AURORA|AURORA_POSTGRESQL|AWS_IOT_ANALYTICS|DATABRICKS|DENODO|DREMIO|DYNAMODB|SAPHANA|DB2_AS400|EXASOL|FILE|GITHUB|INTERNATIONAL_DATA_CORPORATION|JIRA|MARIADB|MYSQL|ORACLE|POSTGRESQL|PRESTO|QBUSINESS|REDSHIFT|S3|S3_TABLES|S3_KNOWLEDGE_BASE|SALESFORCE|SERVICENOW|SNOWFLAKE|SPARK|SPICE|SQLSERVER|TERADATA|TIMESTREAM|TWITTER|BIGQUERY|GOOGLE_ANALYTICS|TRINO|STARBURST|MONGO|MONGO_ATLAS|DOCUMENTDB|APPFLOW|IMPALA|GLUE|GOOGLE_DRIVE|CONFLUENCE|SHAREPOINT|ONE_DRIVE|WEB_CRAWLER> (required, immutable)
│       │          + string<ADOBE_ANALYTICS|AMAZON_ELASTICSEARCH|AMAZON_OPENSEARCH|ATHENA|AURORA|AURORA_POSTGRESQL|AWS_IOT_ANALYTICS|DATABRICKS|DENODO|DREMIO|DYNAMODB|SAPHANA|DB2_AS400|EXASOL|FILE|GITHUB|INTERNATIONAL_DATA_CORPORATION|JIRA|MARIADB|MYSQL|ORACLE|POSTGRESQL|PRESTO|QBUSINESS|REDSHIFT|S3|S3_TABLES|S3_KNOWLEDGE_BASE|SALESFORCE|SERVICENOW|SNOWFLAKE|SPARK|SPICE|SQLSERVER|TERADATA|TIMESTREAM|TWITTER|BIGQUERY|GOOGLE_ANALYTICS|TRINO|STARBURST|MONGO|MONGO_ATLAS|DOCUMENTDB|APPFLOW|IMPALA|GLUE|GOOGLE_DRIVE|CONFLUENCE|SHAREPOINT|ONE_DRIVE|WEB_CRAWLER|BOX> (required, immutable)
│       └ types
│          ├[~] type DataSourceParameters
│          │ └ properties
│          │    └[+] S3TablesParameters: S3TablesParameters
│          └[+]  type S3TablesParameters
│             ├      name: S3TablesParameters
│             └ properties
│                └ TableBucketArn: string
├[~] service aws-rds
│ └ resources
│    └[~]  resource AWS::RDS::DBCluster
│       └ attributes
│          └[+] StorageEncryptionType: string
├[~] service aws-sagemaker
│ └ resources
│    └[~]  resource AWS::SageMaker::Model
│       ├      - primaryIdentifier: ["Id"]
│       │      + primaryIdentifier: ["ModelArn"]
│       ├ attributes
│       │  └[+] ModelArn: string
│       └ types
│          ├[~] type ContainerDefinition
│          │ └ properties
│          │    └ Mode: - string (immutable)
│          │            + string<SingleModel|MultiModel> (immutable)
│          ├[~] type ImageConfig
│          │ └ properties
│          │    └ RepositoryAccessMode: - string (required, immutable)
│          │                            + string<Platform|Vpc> (required, immutable)
│          ├[~] type InferenceExecutionConfig
│          │ └ properties
│          │    └ Mode: - string (required, immutable)
│          │            + string<Serial|Direct> (required, immutable)
│          ├[~] type MultiModelConfig
│          │ └ properties
│          │    └ ModelCacheSetting: - string (immutable)
│          │                         + string<Enabled|Disabled> (immutable)
│          └[~] type S3DataSource
│            └ properties
│               ├ CompressionType: - string (required)
│               │                  + string<None|Gzip> (required)
│               │                  (documentation changed)
│               ├ ModelAccessConfig: (documentation changed)
│               └ S3DataType: - string (required)
│                             + string<S3Prefix|S3Object> (required)
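Review bot: The `primaryIdentifier` of `AWS::SageMaker::Model` moves from `["Id"]` to `["ModelArn"]`, yet the "CHANGES TO L1 RESOURCES" summary has no aws-sagemaker entry. Please confirm that this change and the newly enumerated string types (`Mode`, `RepositoryAccessMode`, `ModelCacheSetting`, `CompressionType`, `S3DataType`) leave the generated L1 surface source-compatible, or add a line to the summary if they do not.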
├[+] service aws-securityagent
│ ├      capitalized: SecurityAgent
│ │      cloudFormationNamespace: AWS::SecurityAgent
│ │      name: aws-securityagent
│ │      shortName: securityagent
│ └ resources
│    ├ resource AWS::SecurityAgent::AgentSpace
│    │ ├      name: AgentSpace
│    │ │      cloudFormationType: AWS::SecurityAgent::AgentSpace
│    │ │      documentation: Resource Type definition for AWS::SecurityAgent::AgentSpace
│    │ │      tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│    │ │      arnTemplate: arn:${Partition}:securityagent:${Region}:${Account}:agent-space/${AgentId}
│    │ │      primaryIdentifier: ["AgentSpaceId"]
│    │ ├ properties
│    │ │  ├ Name: string (required)
│    │ │  ├ Description: string
│    │ │  ├ AwsResources: AWSResources
│    │ │  ├ CodeReviewSettings: CodeReviewSettings
│    │ │  ├ KmsKeyId: string (immutable)
│    │ │  ├ IntegratedResources: Array<IntegratedResource>
│    │ │  ├ TargetDomainIds: Array<string>
│    │ │  └ Tags: Array<tag>
│    │ ├ attributes
│    │ │  ├ AgentSpaceId: string
│    │ │  ├ CreatedAt: string
│    │ │  └ UpdatedAt: string
│    │ └ types
│    │    ├ type AWSResources
│    │    │ ├      documentation: AWS resource configuration
│    │    │ │      name: AWSResources
│    │    │ └ properties
│    │    │    ├ Vpcs: Array<VpcConfig>
│    │    │    ├ LogGroups: Array<string>
│    │    │    ├ S3Buckets: Array<string>
│    │    │    ├ SecretArns: Array<string>
│    │    │    ├ LambdaFunctionArns: Array<string>
│    │    │    └ IamRoles: Array<string>
│    │    ├ type CodeReviewSettings
│    │    │ ├      documentation: Details of code review settings
│    │    │ │      name: CodeReviewSettings
│    │    │ └ properties
│    │    │    ├ ControlsScanning: boolean (required)
│    │    │    └ GeneralPurposeScanning: boolean (required)
│    │    ├ type IntegratedResource
│    │    │ ├      documentation: Integrated Resource details
│    │    │ │      name: IntegratedResource
│    │    │ └ properties
│    │    │    └ Integration: string (required)
│    │    └ type VpcConfig
│    │      ├      documentation: Customer VPC configuration that the security testing environment accesses
│    │      │      name: VpcConfig
│    │      └ properties
│    │         ├ VpcArn: string
│    │         ├ SecurityGroupArns: Array<string>
│    │         └ SubnetArns: Array<string>
│    ├ resource AWS::SecurityAgent::Application
│    │ ├      name: Application
│    │ │      cloudFormationType: AWS::SecurityAgent::Application
│    │ │      documentation: Resource Type definition for AWS::SecurityAgent::Application
│    │ │      tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│    │ │      arnTemplate: arn:${Partition}:securityagent:${Region}:${Account}:application/${ApplicationId}
│    │ │      primaryIdentifier: ["ApplicationId"]
│    │ ├ properties
│    │ │  ├ IdCConfiguration: IdCConfiguration (immutable)
│    │ │  ├ RoleArn: string
│    │ │  ├ DefaultKmsKeyId: string
│    │ │  └ Tags: Array<tag>
│    │ ├ attributes
│    │ │  ├ ApplicationName: string
│    │ │  ├ ApplicationId: string
│    │ │  ├ Domain: string
│    │ │  └ IdCConfiguration.IdCApplicationArn: string
│    │ └ types
│    │    └ type IdCConfiguration
│    │      ├      name: IdCConfiguration
│    │      └ properties
│    │         ├ IdCApplicationArn: string
│    │         └ IdCInstanceArn: string (immutable)
│    ├ resource AWS::SecurityAgent::Pentest
│    │ ├      name: Pentest
│    │ │      cloudFormationType: AWS::SecurityAgent::Pentest
│    │ │      documentation: Resource Type definition for AWS::SecurityAgent::Pentest
│    │ │      primaryIdentifier: ["PentestId","AgentSpaceId"]
│    │ ├ properties
│    │ │  ├ AgentSpaceId: string (required, immutable)
│    │ │  ├ Title: string
│    │ │  ├ Assets: Assets (required)
│    │ │  ├ ExcludeRiskTypes: Array<string<CROSS_SITE_SCRIPTING|DEFAULT_CREDENTIALS|INSECURE_DIRECT_OBJECT_REFERENCE|PRIVILEGE_ESCALATION|SERVER_SIDE_TEMPLATE_INJECTION|COMMAND_INJECTION|CODE_INJECTION|SQL_INJECTION|ARBITRARY_FILE_UPLOAD|INSECURE_DESERIALIZATION|LOCAL_FILE_INCLUSION|INFORMATION_DISCLOSURE|PATH_TRAVERSAL|SERVER_SIDE_REQUEST_FORGERY|JSON_WEB_TOKEN_VULNERABILITIES|XML_EXTERNAL_ENTITY|FILE_DELETION|OTHER|GRAPHQL_VULNERABILITIES|BUSINESS_LOGIC_VULNERABILITIES|CRYPTOGRAPHIC_VULNERABILITIES|DENIAL_OF_SERVICE|FILE_ACCESS|FILE_CREATION|DATABASE_MODIFICATION|DATABASE_ACCESS|OUTBOUND_SERVICE_REQUEST|UNKNOWN>>
│    │ │  ├ ServiceRole: string (required)
│    │ │  ├ LogConfig: CloudWatchLog
│    │ │  ├ VpcConfig: VpcConfig
│    │ │  ├ NetworkTrafficConfig: NetworkTrafficConfig
│    │ │  └ CodeRemediationStrategy: string<AUTOMATIC|DISABLED>
│    │ ├ attributes
│    │ │  ├ PentestId: string
│    │ │  ├ CreatedAt: string
│    │ │  └ UpdatedAt: string
│    │ └ types
│    │    ├ type Actor
│    │    │ ├      name: Actor
│    │    │ └ properties
│    │    │    ├ Identifier: string
│    │    │    ├ Uris: Array<string>
│    │    │    ├ Authentication: Authentication
│    │    │    └ Description: string
│    │    ├ type Assets
│    │    │ ├      name: Assets
│    │    │ └ properties
│    │    │    ├ Endpoints: Array<Endpoint>
│    │    │    ├ Actors: Array<Actor>
│    │    │    ├ Documents: Array<DocumentInfo>
│    │    │    ├ SourceCode: Array<SourceCodeRepository>
│    │    │    └ IntegratedRepositories: Array<IntegratedRepository>
│    │    ├ type Authentication
│    │    │ ├      name: Authentication
│    │    │ └ properties
│    │    │    ├ ProviderType: string<SECRETS_MANAGER|AWS_LAMBDA|AWS_IAM_ROLE|AWS_INTERNAL>
│    │    │    └ Value: string
│    │    ├ type CloudWatchLog
│    │    │ ├      name: CloudWatchLog
│    │    │ └ properties
│    │    │    ├ LogGroup: string
│    │    │    └ LogStream: string
│    │    ├ type CustomHeader
│    │    │ ├      name: CustomHeader
│    │    │ └ properties
│    │    │    ├ Name: string
│    │    │    └ Value: string
│    │    ├ type DocumentInfo
│    │    │ ├      name: DocumentInfo
│    │    │ └ properties
│    │    │    ├ S3Location: string
│    │    │    └ ArtifactId: string
│    │    ├ type Endpoint
│    │    │ ├      name: Endpoint
│    │    │ └ properties
│    │    │    └ Uri: string
│    │    ├ type IntegratedRepository
│    │    │ ├      name: IntegratedRepository
│    │    │ └ properties
│    │    │    ├ IntegrationId: string (required)
│    │    │    └ ProviderResourceId: string (required)
│    │    ├ type NetworkTrafficConfig
│    │    │ ├      name: NetworkTrafficConfig
│    │    │ └ properties
│    │    │    ├ Rules: Array<NetworkTrafficRule>
│    │    │    └ CustomHeaders: Array<CustomHeader>
│    │    ├ type NetworkTrafficRule
│    │    │ ├      name: NetworkTrafficRule
│    │    │ └ properties
│    │    │    ├ Effect: string<ALLOW|DENY>
│    │    │    ├ Pattern: string
│    │    │    └ NetworkTrafficRuleType: string<URL>
│    │    ├ type SourceCodeRepository
│    │    │ ├      name: SourceCodeRepository
│    │    │ └ properties
│    │    │    └ S3Location: string
│    │    └ type VpcConfig
│    │      ├      name: VpcConfig
│    │      └ properties
│    │         ├ VpcArn: string
│    │         ├ SecurityGroupArns: Array<string>
│    │         └ SubnetArns: Array<string>
│    └ resource AWS::SecurityAgent::TargetDomain
│      ├      name: TargetDomain
│      │      cloudFormationType: AWS::SecurityAgent::TargetDomain
│      │      documentation: Resource Type definition for AWS::SecurityAgent::TargetDomain
│      │      tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│      │      arnTemplate: arn:${Partition}:securityagent:${Region}:${Account}:target-domain/${TargetDomainId}
│      │      primaryIdentifier: ["TargetDomainId"]
│      ├ properties
│      │  ├ TargetDomainName: string (required, immutable)
│      │  ├ VerificationMethod: string<DNS_TXT|HTTP_ROUTE> (required)
│      │  └ Tags: Array<tag>
│      ├ attributes
│      │  ├ TargetDomainId: string
│      │  ├ VerificationStatus: string<PENDING|VERIFIED|FAILED|UNREACHABLE>
│      │  ├ VerificationDetails: VerificationDetails
│      │  ├ CreatedAt: string
│      │  └ VerifiedAt: string
│      └ types
│         ├ type DnsVerification
│         │ ├      documentation: Represents DNS TXT verification details
│         │ │      name: DnsVerification
│         │ └ properties
│         │    ├ Token: string
│         │    ├ DnsRecordName: string
│         │    └ DnsRecordType: string<TXT>
│         ├ type HttpVerification
│         │ ├      documentation: Represents HTTP route verification details
│         │ │      name: HttpVerification
│         │ └ properties
│         │    ├ Token: string
│         │    └ RoutePath: string
│         └ type VerificationDetails
│           ├      documentation: Verification details to verify registered target domain
│           │      name: VerificationDetails
│           └ properties
│              ├ Method: string<DNS_TXT|HTTP_ROUTE>
│              ├ DnsTxt: DnsVerification
│              └ HttpRoute: HttpVerification
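Review bot: In `AWS::SecurityAgent::Pentest`, `Authentication.Value` and `CustomHeader.Value` are bare `string` properties whose types carry no `documentation`, so the spec does not say whether `Value` holds a reference (the `ProviderType` enum includes `SECRETS_MANAGER`) or the material itself. A documentation line on `Authentication` and `CustomHeader` stating the expected content would keep L1 users from placing credentials or header secrets directly in a synthesized template. The two `VpcConfig` definitions (documented under `AgentSpace`, undocumented under `Pentest`) could also share one description.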
├[~] service aws-servicediscovery
│ └ resources
│    └[~]  resource AWS::ServiceDiscovery::Service
│       └ properties
│          └ ServiceAttributes: - Map<string, string> ⇐ json
│                               + json
└[~] service aws-stepfunctions
  └ resources
     └[~]  resource AWS::StepFunctions::StateMachineAlias
        └ properties
           └[+] StateMachineArn: string

CHANGES TO L1 RESOURCES: L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

aws-appstream: AWS::AppStream::Stack: Id attribute removed.
aws-appsync: AWS::AppSync::GraphQLApi: LogConfig.CloudWatchLogsRoleArn property is now required.
aws-appsync: AWS::AppSync::GraphQLApi: LogConfig.FieldLogLevel property is now required.
aws-kafkaconnect: AWS::KafkaConnect::Connector: ProvisionedCapacity.McuCount property is now required.
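
A pre-upgrade check for the incompatible changes listed above, as an added example (not code from the aws-cdk project): it scans a synthesized CloudFormation template for the three newly required properties and for `Fn::GetAtt` references to the removed `AWS::AppStream::Stack` `Id` attribute. The function names, the sample template, and the choice to locate `LogConfig` and `ProvisionedCapacity` by key anywhere under a resource's `Properties` are assumptions of this example.

```javascript
// Added example: rule tables come from the "CHANGES TO L1 RESOURCES" list on this
// page; function names and the sample template are constructed for illustration.
const NOW_REQUIRED = [
  { type: 'AWS::AppSync::GraphQLApi', holder: 'LogConfig', prop: 'CloudWatchLogsRoleArn' },
  { type: 'AWS::AppSync::GraphQLApi', holder: 'LogConfig', prop: 'FieldLogLevel' },
  { type: 'AWS::KafkaConnect::Connector', holder: 'ProvisionedCapacity', prop: 'McuCount' },
];
const REMOVED_ATTRS = [{ type: 'AWS::AppStream::Stack', attr: 'Id' }];

// Depth-first walk that calls visit(key, value) for every object member.
function walk(node, visit) {
  if (Array.isArray(node)) { node.forEach((n) => walk(n, visit)); return; }
  if (node === null || typeof node !== 'object') return;
  for (const [key, value] of Object.entries(node)) {
    visit(key, value);
    walk(value, visit);
  }
}

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const isIntrinsic = (v) => Object.keys(v).some((k) => k === 'Ref' || k.startsWith('Fn::'));

function findBreakingUsages(template) {
  const findings = [];
  const resources = template.Resources || {};
  const typeOf = (id) => (resources[id] || {}).Type;

  for (const [logicalId, res] of Object.entries(resources)) {
    for (const rule of NOW_REQUIRED.filter((r) => r.type === res.Type)) {
      walk(res.Properties, (key, value) => {
        if (key !== rule.holder || !isPlainObject(value)) return;
        const detail = `${rule.holder}.${rule.prop}`;
        if (isIntrinsic(value)) {
          // Fn::If and friends cannot be resolved statically: hand to a human.
          findings.push({ logicalId, kind: 'manual-review', detail });
        } else if (!(rule.prop in value)) {
          findings.push({ logicalId, kind: 'missing-required', detail });
        }
      });
    }
  }

  // Fn::GetAtt can appear anywhere (Resources, Outputs, ...), in array or "A.B" form.
  walk(template, (key, value) => {
    if (key !== 'Fn::GetAtt') return;
    const [target, ...rest] = Array.isArray(value) ? value : String(value).split('.');
    const attr = rest.join('.');
    if (REMOVED_ATTRS.some((r) => r.type === typeOf(target) && r.attr === attr)) {
      findings.push({ logicalId: target, kind: 'removed-attribute', detail: attr });
    }
  });
  return findings;
}

// Constructed sample template, in the shape `cdk synth` emits as JSON.
const SAMPLE_TEMPLATE = {
  Resources: {
    Api: { Type: 'AWS::AppSync::GraphQLApi',
      Properties: { Name: 'demo', LogConfig: { FieldLogLevel: 'ERROR' } } },
    Connector: { Type: 'AWS::KafkaConnect::Connector',
      Properties: { Capacity: { ProvisionedCapacity: { WorkerCount: 2 } } } },
    AppStack: { Type: 'AWS::AppStream::Stack', Properties: { Name: 'demo-stack' } },
  },
  Outputs: { StackId: { Value: { 'Fn::GetAtt': ['AppStack', 'Id'] } } },
};

console.log(findBreakingUsages(SAMPLE_TEMPLATE));
```

Findings of kind `manual-review` mean the property sits behind an intrinsic function and has to be checked by hand.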

@aws-cdk-automation aws-cdk-automation added contribution/core This is a PR that came from AWS. dependencies This issue is a problem in a dependency or a pull request that updates a dependency file. pr-linter/exempt-readme The PR linter will not require README changes pr-linter/exempt-test The PR linter will not require test changes pr-linter/exempt-integ-test The PR linter will not require integ test changes labels Apr 6, 2026
@aws-cdk-automation aws-cdk-automation requested a review from a team April 6, 2026 10:42
@github-actions github-actions bot added the p2 label Apr 6, 2026
@aws-cdk-automation aws-cdk-automation requested a review from a team April 6, 2026 10:42
@vishaalmehrishi vishaalmehrishi force-pushed the automation/spec-update branch from 8f06d84 to 5264a03 Compare April 9, 2026 08:01
@vishaalmehrishi
Contributor

vishaalmehrishi commented Apr 9, 2026

The PR build is failing due to an "uncommitted changes" error. The fix is in #37556. Once that PR is merged and this one is rebased, I will re-trigger the spec update and that should succeed.

@vishaalmehrishi vishaalmehrishi added the pr/do-not-merge This PR should not be merged at this time. label Apr 9, 2026
vishaalmehrishi added a commit that referenced this pull request Apr 9, 2026
…37556)

### Issue

Fixes the recurring build failure on L1 spec update PRs (e.g. #37530)
where `git diff-index` detects uncommitted changes in
`packages/@aws-cdk/cfn-property-mixins/package.json`.

### Reason for this change

When `@aws-cdk/cfn-property-mixins` graduated from `mixins-preview` to a
standalone package in #37215, it gained its own `gen` script that
regenerates `package.json` exports from the service spec database.
However, the `spec-update.yml` workflow was never updated to include it
in the gen step.

When new CloudFormation services are added (e.g. `AWS::NovaAct`,
`AWS::SecurityAgent`), the gen script adds export entries to
`cfn-property-mixins/package.json`. Since these changes aren't included
in the automation commit, the PR build fails the `git diff-index` check.

This is the same class of issue previously fixed in #36300 for
`@aws-cdk/mixins-preview`.

### Description of changes

Added `--scope @aws-cdk/cfn-property-mixins` to the gen step in
`.github/workflows/spec-update.yml`, and added a comment explaining why
all three scopes are required.

### Description of how you validated changes

Confirmed the root cause by examining the [build logs for PR
#37530](https://github.com/aws/aws-cdk/actions/runs/24179400660/job/70568296044)
which show exactly `cfn-property-mixins/package.json` with 2 uncommitted
insertions.

### Checklist
- [x] My code adheres to the [CONTRIBUTING
GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and
[DESIGN
GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license*
mergify bot pushed a commit that referenced this pull request Apr 9, 2026
…37558)

### Issue

Fixes the recurring build failure on L1 spec update PRs (e.g. #37530) where `git diff-index` detects uncommitted changes in `packages/@aws-cdk/cfn-property-mixins/package.json`.

Supersedes #37556 which added `cfn-property-mixins` to the gen step but didn't fix the ordering issue.

### Root Cause: Race Condition in Parallel Gen

The spec-update workflow runs `lerna run gen` for all three packages (`aws-cdk-lib`, `@aws-cdk/mixins-preview`, `@aws-cdk/cfn-property-mixins`) in a single command. Lerna executes them **in parallel**. This creates a race condition:

1. **`aws-cdk-lib` gen** writes new service entries (e.g. `aws-novaact`, `aws-securityagent`) to [`scope-map.json`](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/scripts/scope-map.json) via [`writeModuleMap()`](https://github.com/aws/aws-cdk/blob/main/tools/%40aws-cdk/spec2cdk/lib/module-topology.ts#L126)

2. **`cfn-property-mixins` gen** reads `scope-map.json` via [`loadModuleMap()`](https://github.com/aws/aws-cdk/blob/main/tools/%40aws-cdk/spec2cdk/lib/module-topology.ts#L119-L121) to determine which services to generate exports for — see the [filter at line 23](https://github.com/aws/aws-cdk/blob/main/tools/%40aws-cdk/spec2cdk/lib/cfn-prop-mixins/generate.ts#L23): `if (moduleMap[service.name])`

3. **`mixins-preview` gen** has the [same dependency](https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/mixins-preview/scripts/spec2logs/generate.ts#L6) on `scope-map.json`

### Evidence from workflow run [#354](https://github.com/aws/aws-cdk/actions/runs/24186251521/job/70591637015)

The gen step logs show `cfn-property-mixins` finished **before** `aws-cdk-lib`:

```
10:53:00 @aws-cdk/cfn-property-mixins:   Services: 278    ← finished first, read stale scope-map.json
10:53:05 aws-cdk-lib:                     Services: 282    ← finished second, wrote updated scope-map.json
```

`cfn-property-mixins` generated for 278 services because it read `scope-map.json` before `aws-cdk-lib` added the 4 new service entries. During the CI build, `cdk-build` runs gen again with the updated `scope-map.json`, producing 2 new export entries in `package.json` that weren't in the commit → `git diff-index` fails.

### Description of changes

Split the single `lerna run gen` command into two sequential steps:
1. **Generate L1 code** — runs gen for `aws-cdk-lib` only, which updates `scope-map.json`
2. **Generate mixins** — runs gen for `mixins-preview` and `cfn-property-mixins`, which now read the updated `scope-map.json`

### Description of how you validated changes

- Traced the full dependency chain through the codebase (links above)
- Confirmed the race condition from [workflow run #354 logs](https://github.com/aws/aws-cdk/actions/runs/24186251521/job/70591637015) showing 278 vs 282 services
- Confirmed the [CI build failure logs](https://github.com/aws/aws-cdk/actions/runs/24186453052/job/70592307695) show the same `cfn-property-mixins/package.json | 2 ++` after the workflow re-run

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
@vishaalmehrishi
Contributor

CHANGES TO L1 RESOURCES: L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:

aws-appstream: AWS::AppStream::Stack: Id attribute removed.
aws-appsync: AWS::AppSync::GraphQLApi: LogConfig.CloudWatchLogsRoleArn property is now required.
aws-appsync: AWS::AppSync::GraphQLApi: LogConfig.FieldLogLevel property is now required.
aws-kafkaconnect: AWS::KafkaConnect::Connector: ProvisionedCapacity.McuCount property is now required.

@vishaalmehrishi vishaalmehrishi removed the pr/do-not-merge This PR should not be merged at this time. label Apr 9, 2026
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Apr 9, 2026
@mergify
Contributor

mergify bot commented Apr 9, 2026

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify
Contributor

mergify bot commented Apr 9, 2026

Merge Queue Status

  • Entered queue 2026-04-09 13:37 UTC · Rule: default-squash
  • 🚫 Left the queue 2026-04-09 13:43 UTC · at f28bb0ea65e6cd777299e14c364d33f8cd4a7af9

This pull request spent 5 minutes 20 seconds in the queue, with no time running CI.

Reason

Pull request #37530 has been merged manually at 117562c

Hint

You were too fast!

@vishaalmehrishi vishaalmehrishi merged commit 117562c into main Apr 9, 2026
45 of 46 checks passed
@vishaalmehrishi vishaalmehrishi deleted the automation/spec-update branch April 9, 2026 13:42
@github-actions
Contributor

github-actions bot commented Apr 9, 2026

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 9, 2026