Merge branch 'main' into fix-https-alb-listener

Author: aemada-aws

packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.template.json

@@ -86,7 +86,7 @@
        "Action": "s3:PutObject",
        "Condition": {
         "StringEquals": {
-         "aws:Referer": {
+         "aws:SourceAccount": {
           "Ref": "AWS::AccountId"
          }
         }

packages/aws-cdk-lib/aws-ec2/lib/instance-types.ts

@@ -858,6 +858,16 @@ export enum InstanceClass {
    */
   I7IE = 'i7ie',
 
+  /**
+   * I/O-optimized instances with local NVME drive powered by 5th generation Intel Xeon Scalable processors, 7th generation
+   */
+  IO7_INTEL = 'io7_intel',
+
+  /**
+   * I/O-optimized instances with local NVME drive powered by 5th generation Intel Xeon Scalable processors, 7th generation
+   */
+  I7I = 'i7i',
+
   /**
    * Storage optimized instances powered by Graviton4 processor, 8th generation
    */
@@ -1845,6 +1855,8 @@ export class InstanceType {
       [InstanceClass.IS4GEN]: 'is4gen',
       [InstanceClass.STORAGE7_INTEL_STORAGE_OPTIMIZED]: 'i7ie',
       [InstanceClass.I7IE]: 'i7ie',
+      [InstanceClass.IO7_INTEL]: 'i7i',
+      [InstanceClass.I7I]: 'i7i',
       [InstanceClass.STORAGE8_GRAVITON]: 'i8g',
       [InstanceClass.I8G]: 'i8g',
       [InstanceClass.BURSTABLE2]: 't2',

packages/aws-cdk-lib/aws-ecs-patterns/lib/base/application-load-balanced-service-base.ts

@@ -219,8 +219,8 @@ export interface ApplicationLoadBalancedServiceBaseProps {
   readonly cloudMapOptions?: CloudMapOptions;
 
   /**
-   * Specifies whether the load balancer should redirect traffic on port 80 to port 443 to support HTTP->HTTPS redirects
-   * This is only valid if the protocol of the ALB is HTTPS
+   * Specifies whether the load balancer should redirect traffic on port 80 to the {@link listenerPort} to support HTTP->HTTPS redirects.
+   * This is only valid if the protocol of the ALB is HTTPS.
    *
    * @default false
    */

packages/aws-cdk-lib/aws-rds/lib/instance-engine.ts

@@ -371,7 +371,10 @@ export class MariaDbEngineVersion {
    */
   public static readonly VER_10_3_39 = MariaDbEngineVersion.of('10.3.39', '10.3');
 
-  /** Version "10.4" (only a major version, without a specific minor version). */
+  /**
+   * Version "10.4" (only a major version, without a specific minor version)
+   * @deprecated MariaDB 10.4 is no longer supported by Amazon RDS.
+   */
   public static readonly VER_10_4 = MariaDbEngineVersion.of('10.4', '10.4');
   /**
    * Version "10.4.8"
@@ -423,17 +426,35 @@ export class MariaDbEngineVersion {
    * @deprecated MariaDB 10.4.28 is no longer supported by Amazon RDS.
    */
   public static readonly VER_10_4_28 = MariaDbEngineVersion.of('10.4.28', '10.4');
-  /** Version "10.4.29". */
+  /**
+   * Version "10.4.29"
+   * @deprecated MariaDB 10.4.29 is no longer supported by Amazon RDS.
+   */
   public static readonly VER_10_4_29 = MariaDbEngineVersion.of('10.4.29', '10.4');
-  /** Version "10.4.30". */
+  /**
+   * Version "10.4.30"
+   * @deprecated MariaDB 10.4.30 is no longer supported by Amazon RDS.
+   */
   public static readonly VER_10_4_30 = MariaDbEngineVersion.of('10.4.30', '10.4');
-  /** Version "10.4.31". */
+  /**
+   * Version "10.4.31"
+   * @deprecated MariaDB 10.4.31 is no longer supported by Amazon RDS.
+   */
   public static readonly VER_10_4_31 = MariaDbEngineVersion.of('10.4.31', '10.4');
-  /** Version "10.4.32". */
+  /**
+   * Version "10.4.32"
+   * @deprecated MariaDB 10.4.32 is no longer supported by Amazon RDS.
+   */
   public static readonly VER_10_4_32 = MariaDbEngineVersion.of('10.4.32', '10.4');
-  /** Version "10.4.33". */
+  /**
+   * Version "10.4.33"
+   * @deprecated MariaDB 10.4.33 is no longer supported by Amazon RDS.
+   */
   public static readonly VER_10_4_33 = MariaDbEngineVersion.of('10.4.33', '10.4');
-  /** Version "10.4.34". */
+  /**
+   * Version "10.4.34"
+   * @deprecated MariaDB 10.4.34 is no longer supported by Amazon RDS.
+   */
   public static readonly VER_10_4_34 = MariaDbEngineVersion.of('10.4.34', '10.4');
 
   /** Version "10.5" (only a major version, without a specific minor version). */

packages/aws-cdk-lib/aws-ses-actions/lib/s3.ts

@@ -55,7 +55,7 @@ export class S3 implements ses.IReceiptRuleAction {
       resources: [this.props.bucket.arnForObjects(`${keyPattern}*`)],
       conditions: {
         StringEquals: {
-          'aws:Referer': cdk.Aws.ACCOUNT_ID,
+          'aws:SourceAccount': cdk.Aws.ACCOUNT_ID,
         },
       },
     });

packages/aws-cdk-lib/aws-ses-actions/test/actions.test.ts

@@ -190,7 +190,7 @@ test('add s3 action', () => {
           Action: 's3:PutObject',
           Condition: {
             StringEquals: {
-              'aws:Referer': {
+              'aws:SourceAccount': {
                 Ref: 'AWS::AccountId',
               },
             },

packages/aws-cdk-lib/aws-ses/README.md

@@ -103,6 +103,12 @@ new ses.AllowListReceiptFilter(this, 'AllowList', {
 
 This will first create a block all filter and then create allow filters for the listed ip addresses.
 
+### AWS Service Principal permissions
+
+When adding an s3 action to a receipt rule, the CDK will automatically create a policy statement that allows the ses service principal to get write access to the bucket. This is done with the `SourceAccount` condition key, which is automatically added to the policy statement.
+Previously, the policy used the `Referer` condition key, which caused confused deputy problems when the bucket policy allowed access to the bucket for all principals.
+See more information in [this github issue](https://github.com/aws/aws-cdk/issues/29811)
+
 ## Email sending
 
 ### Dedicated IP pools

tools/@aws-cdk/enum-updater/lib/exclude-values.json

@@ -65,6 +65,10 @@
         },
         "FunctionEventType": {
             "comment": "The origin-X events are only available to Lambda@Edge functions"
+        },
+        "PriceClass": {
+            "values": ["None"],
+            "comment": "NONE is not supported"
         }
     },
     "iot": {