Comparing changes

base repository: aws/aws-cdk-cli
base: @aws-cdk/toolkit-lib@v1.5.0
head repository: aws/aws-cdk-cli
compare: @aws-cdk/toolkit-lib@v1.6.0
  • 12 commits
  • 56 files changed
  • 10 contributors

Commits on Aug 13, 2025

  1. fix(cli): acknowledge produces duplicate entries (#793)

    Fixes #767 
    
    ---
    By submitting this pull request, I confirm that my contribution is made
    under the terms of the Apache-2.0 license
    
    ---------
    
    Signed-off-by: github-actions <github-actions@github.com>
    Co-authored-by: github-actions <github-actions@github.com>
    kaizencc and github-actions authored Aug 13, 2025
    17ebf86

Commits on Aug 14, 2025

  1. docs: update README for cdk flags command (#789)

    This PR adds information about the `cdk flags` command to the README.
    
    ---
    By submitting this pull request, I confirm that my contribution is made
    under the terms of the Apache-2.0 license
    vivian12300 authored Aug 14, 2025
    add2ae7
  2. fix(cli): when CDK library is too old, an empty flags table is displayed (#797)
    
    Returns an error message for users if they run the `cdk flags` command
    with an incompatible version of `aws-cdk-lib`.
    
    ---
    By submitting this pull request, I confirm that my contribution is made
    under the terms of the Apache-2.0 license
    vivian12300 authored Aug 14, 2025
    98a1bfa

Commits on Aug 15, 2025

  1. fix(cli): deprecate "bootstrap-stack-name" in favor of "toolkit-stack-name" for gc command (#795)
    
    Fixes #385
    
    Elsewhere we are consistently naming this property `toolkit-stack-name`,
    so this PR aligns `gc` with the rest of the CLI world. We may have
    better options here, like making `toolkit-stack-name` a global option,
    but this is an easy fix for now.
    
    Does not break users by maintaining `bootstrap-stack-name` as an alias
    of `toolkit-stack-name` for `gc`. However `bootstrap-stack-name` is
    marked as deprecated and will be removed when we GA garbage collection.
    
    ---
    By submitting this pull request, I confirm that my contribution is made
    under the terms of the Apache-2.0 license
    kaizencc authored Aug 15, 2025
    c6585ad
  2. fix(cli-integ): add retry for iam eventual consistency issue and migration tests for java (#788)
    
    ### Background
    The CDK pipelines have been experiencing intermittent failures due to
    flaky tests that typically pass on retry. This pull request addresses
    the investigation of the two most frequent failing tests.
    
    ### AWS IAM Eventual Consistency Issue
    Test: `docker-credential-cdk-assets can assume role and fetch ECR
    credentials`
    
    Issue: Docker credential fetching fails with AccessDenied errors because
    newly created IAM roles and policies require time to propagate across
    AWS regions.
    
    Fix: Implemented a 60-second retry mechanism for
    `fetchDockerLoginCredentials()` when encountering AccessDenied errors.
    
    ### CDK Migration Test Instability
    Test: `cdk migrate java deploys successfully`
    
    Issue: Java CDK migration tests fail sporadically due to Maven Central
    repository rate limiting errors & dependency resolution failure.
    
    Fix: Implemented full test retry logic as these transient
    network-related issues could not be reproduced in local environments.
    
    ### Impact
    These changes should improve pipeline stability and reduce the need for
    manual intervention.
    
    
    ---
    By submitting this pull request, I confirm that my contribution is made
    under the terms of the Apache-2.0 license
    
    ---------
    
    Signed-off-by: github-actions <github-actions@github.com>
    Co-authored-by: github-actions <github-actions@github.com>
    abidhasan-aws and github-actions authored Aug 15, 2025
    093e5a6
  3. fix: skipLibCheck is not turned on for all init templates (#800)

    This makes TypeScript check whether all provided type files are
    coherent, which is taking more and more time as the CDK is growing.
    
    Turning this off greatly decreases type checking and compilation times.
    
    See:
    https://devblogs.microsoft.com/typescript/announcing-typescript-5-9/#minimal-and-updated-tsc---init
    
    ---
    By submitting this pull request, I confirm that my contribution is made
    under the terms of the Apache-2.0 license
    rix0rrr authored Aug 15, 2025
    455c017

Commits on Aug 21, 2025

  1. chore: allow "bootstrap" as PR scope (#812)

    Motivation: #811
    
    ---
    By submitting this pull request, I confirm that my contribution is made
    under the terms of the Apache-2.0 license
    rix0rrr authored Aug 21, 2025
    4667c43
  2. chore(deps): upgrade dependencies (#779)

    Upgrades project dependencies. See details in [workflow run].
    
    [Workflow Run]:
    https://github.com/aws/aws-cdk-cli/actions/runs/17027815733
    
    ------
    
    *Automatically created by projen via the "upgrade" workflow*
    
    ---------
    
    Signed-off-by: github-actions <github-actions@github.com>
    Co-authored-by: github-actions <github-actions@github.com>
    Co-authored-by: Momo Kornher <kornherm@amazon.co.uk>
    3 people authored Aug 21, 2025
    e042c55
  3. feat(cli): add sts:TagSession permission to trusted accounts on bootstrap (#762)
    
    ## Description
    
    Accounts bootstrapped with `--trust` or `--trust-for-lookup` need
    `sts:TagSession` permissions in AssumeRolePolicy.
    
    I got errors during `cdk deploy` run in CD pipelines executed on EKS
    cluster on the trusted account.
    
    Error message:
    Could not assume role in target account using current credentials (which
    are for account `<TRUSTED_ACCOUNT>`) User:
    `arn:aws:sts::<TRUSTED_ACCOUNT>:assumed-role/<eks-pod-role>` is not
    authorized to perform: `sts:TagSession` on resource:
    `arn:aws:iam::<TARGET_ACCOUNT>:role/cdk-hnb659fds-lookup-role-<TARGET_ACCOUNT>-us-east-1`
    
    Troubleshooting revealed that DeploymentActionRole, FilePublishingRole,
    ImagePublishingRole, LookupRole don't have `sts:TagSession`. After
    updating AssumeRolePolicy `cdk deploy` worked normally.
    
    Fixes aws/aws-cdk#31557
    
    ---
    By submitting this pull request, I confirm that my contribution is made
    under the terms of the Apache-2.0 license
    antonu17 authored Aug 21, 2025
    4821d4e
  4. fix(cli): improve language selection logic in cliInit function (#806)

    Fixes #660 
    
    ### Description Changes
    
    When running `cdk init`, if the specified command type can only be
    executed in a single language, allow the command to be executed without
    selecting a language.
    
    ---
    By submitting this pull request, I confirm that my contribution is made
    under the terms of the Apache-2.0 license
    ren-yamanashi authored Aug 21, 2025
    80d4d15

Commits on Aug 22, 2025

  1. fix(bootstrap): disallow AssumeRole with ExternalId by default (#811)

    By default, CDK Bootstrap roles are not designed to be deputized.
    
    (Deputized means that you give an external entity access to assume roles
    on your behalf. They will supply an ExternalId to avoid [Confused Deputy
    attacks](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html))
    
    If a deputy system (i.e., a system that assumes IAM Roles on behalf of
    its tenants) is using CDK and its policies are not configured carefully,
    it can be tricked into assuming its own CDK roles.
    
    Because CDK Roles are not intended to be used in this way, we are adding
    a default security control that will make this misconfiguration less
    likely: AssumeRole calls with ExternalIds will be denied by default.
    
    What if I do want to use ExternalIds?
    -------------------------------------
    
    If you are currently passing `ExternalId`s in an `AssumeRole` call to
    CDK bootstrap roles *inside your own trusted organization* (expecting
    the ExternalId to be present but ignored), this protection can be
    disabled by calling:
    
    ```
    $ cdk bootstrap --no-deny-external-id
    ```
    
    If you want to give permissions for other organizations to assume your
    CDK bootstrap roles in a deputized way, customize the bootstrap template
    and add a proper `ExternalId` condition.
    
    ---
    By submitting this pull request, I confirm that my contribution is made
    under the terms of the Apache-2.0 license
    
    ---------
    
    Signed-off-by: github-actions <github-actions@github.com>
    Co-authored-by: Ian Hou <45278651+iankhou@users.noreply.github.com>
    Co-authored-by: github-actions <github-actions@github.com>
    3 people authored Aug 22, 2025
    ac7a24c
  2. chore: ensure bootstrap template changes go through correct checks (#813)
    
    Enforces:
    
    - the bootstrap template version is incremented
    - a security review is completed, attested by adding a specific label 
    
    ---
    By submitting this pull request, I confirm that my contribution is made
    under the terms of the Apache-2.0 license
    mrgrain authored Aug 22, 2025
    ad1a7ce
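
The two trust-policy changes described in the commit messages for #762 (`sts:TagSession`) and #811 (deny `ExternalId` by default), modelled as an added example that is not code from the aws-cdk-cli repository or its bootstrap template. The evaluator, the `Null` condition on `sts:ExternalId`, the account id and the `tenant-42` ExternalId are assumptions constructed for illustration; the page does not show how the template expresses either rule.

```typescript
// Added illustration: a minimal evaluator for IAM role trust policies.
// All statements, account ids and ExternalIds below are constructed; they are
// NOT copied from the CDK bootstrap template.
type Cond = { Null?: Record<string, "true" | "false">; StringEquals?: Record<string, string> };
interface Stmt { Effect: "Allow" | "Deny"; Principal: string; Action: string[]; Condition?: Cond | undefined }
interface StsCall { principal: string; actions: string[]; context: Record<string, string> }

function conditionHolds(cond: Cond | undefined, ctx: Record<string, string>): boolean {
  if (!cond) return true;
  for (const [key, wantAbsent] of Object.entries(cond.Null ?? {})) {
    // Null "true" matches an absent key, Null "false" matches a present key.
    if ((ctx[key] === undefined) !== (wantAbsent === "true")) return false;
  }
  for (const [key, value] of Object.entries(cond.StringEquals ?? {})) {
    if (ctx[key] !== value) return false;
  }
  return true;
}

// Simplification: principals are compared as plain strings ("*" matches any).
function matches(s: Stmt, c: StsCall, action: string): boolean {
  return (s.Principal === "*" || s.Principal === c.principal)
    && s.Action.includes(action) && conditionHolds(s.Condition, c.context);
}

// An explicit Deny wins; otherwise every requested action needs an Allow.
function evaluate(policy: Stmt[], c: StsCall): "Allow" | "Deny" {
  for (const a of c.actions) {
    if (policy.some((s) => s.Effect === "Deny" && matches(s, c, a))) return "Deny";
    if (!policy.some((s) => s.Effect === "Allow" && matches(s, c, a))) return "Deny";
  }
  return "Allow";
}

const TRUSTED = "arn:aws:iam::111111111111:root"; // constructed account
const allow = (actions: string[], cond?: Cond): Stmt =>
  ({ Effect: "Allow", Principal: TRUSTED, Action: actions, Condition: cond });
// Deny any AssumeRole call that carries an ExternalId at all.
const denyExternalId: Stmt = { Effect: "Deny", Principal: "*", Action: ["sts:AssumeRole"],
  Condition: { Null: { "sts:ExternalId": "false" } } };

const withoutTagSession = [allow(["sts:AssumeRole"])];
const hardenedDefault = [allow(["sts:AssumeRole", "sts:TagSession"]), denyExternalId];
const deputized = [allow(["sts:AssumeRole"], { StringEquals: { "sts:ExternalId": "tenant-42" } })];

// A call that passes session tags also needs sts:TagSession in the trust policy.
const call = (actions: string[], externalId?: string): StsCall =>
  ({ principal: TRUSTED, actions, context: externalId ? { "sts:ExternalId": externalId } : {} });
console.log(evaluate(hardenedDefault, call(["sts:AssumeRole"], "any-id")));
```

`deputized` stands in for the customized template the #811 message recommends: it allows the call only when the caller presents the expected ExternalId, whereas `hardenedDefault` rejects every call that presents one.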