
Releases: guardian/cdk

v63.1.0

14 Apr 08:39
Immutable release. Only release title and notes can be modified.
b567f12


Minor Changes

  • 3b98fea: Minor improvements to the GuDeveloperPolicy class to make it more intuitive for users.
    • path includes source repo name to help map the policy back from AWS to its source codebase.
    • path includes stack and stage as we have nowhere else to find it and this can help with identification.
    • friendlyName is now a required attribute that maps to the managed policy's description.
    • The policy must have at least one statement.
    • permission attribute is now called grantId to match with the corresponding Janus structure.

v63.0.1

09 Apr 10:51
Immutable release. Only release title and notes can be modified.
fff5260


Patch Changes

  • 1ff04c8: Introduce a withoutPolicyChecks flag to GuDeveloperPolicy properties so that the check can be turned off.

    Provide instructions for use of that flag in the "overbroad" action/resource error text.

    This enables teams to use fully wildcarded actions and resources when needed, and also records information in
    CloudFormation metadata so that we can track usage of that switch and study how often it is
    needed.

v63.0.0

02 Apr 08:27
Immutable release. Only release title and notes can be modified.
3b56886


Major Changes

  • c6e30e1: Support generating multiple riff-raff.yaml files. To do this, set the riffRaffProjectName property of a GuStack.
    This is helpful in a few scenarios, for example if you have a singleton (INFRA) stack, and CODE/PROD application stacks.

    In the following, two files will be produced:

    • /path/to/cdk.out/deploy::core-infra/riff-raff.yaml
    • /path/to/cdk.out/deploy::my-app/riff-raff.yaml

    class MyCoreInfraStack extends GuStack {}
    class MyApplicationStack extends GuStack {}
    
    new MyCoreInfraStack(app, "MyCoreInfra", {
      stack: "deploy",
      stage: "INFRA",
      env: { region: "eu-west-1" },
      riffRaffProjectName: "deploy::core-infra",
    });
    
    new MyApplicationStack(app, "MyApp-CODE", {
      stack: "deploy",
      stage: "CODE",
      env: { region: "eu-west-1" },
      riffRaffProjectName: "deploy::my-app",
    });
    
    new MyApplicationStack(app, "MyApp-PROD", {
      stack: "deploy",
      stage: "PROD",
      env: { region: "eu-west-1" },
      riffRaffProjectName: "deploy::my-app",
    });

    BREAKING CHANGE: Within RiffRaffYamlFile the riffRaffYaml property has been removed.
    NOTE: If you're using GuRoot, this change should not impact you.

    To migrate, use the configuration property:

    // BEFORE
    const app = new App();
    const riffRaff = new RiffRaffYamlFile(app);
    const deployments = riffRaff.riffRaffYaml.deployments;
    
    const myStack = new MyStack(app, "my-stack", {
      stack: "playground",
      stage: "PROD",
      env: { region: "eu-west-1" },
      riffRaffProjectName: "playground::my-stack",
    });
    
    deployments.set("additional-deployment", {
      type: "aws-s3",
      ...
    });
    
    // AFTER
    const app = new App();
    const riffRaff = new RiffRaffYamlFile(app);
    const { configuration } = riffRaff;
    
    configuration.get("playground::my-stack")?.deployments.set("additional-deployment", {
      type: "aws-s3",
      ...
    });

Minor Changes

  • 59367ec: Add optional riffRaffProjectName property to GuStackProps representing the name of the Riff-Raff project used to deploy these resources.
    If provided, it is used as the value of the gu:riff-raff-project tag on all resources.

    See also https://github.com/guardian/riffraff-platform.

Patch Changes

  • a02c318: Correctly validate stack existence when instantiating a RiffRaffYamlFile to generate riff-raff.yaml.

    Given the below set of stacks, an Error will now be thrown as there is a missing instance of MyDatabaseStack for CODE.

    new MyApplicationStack(app, "App-CODE-deploy", {
      env: {
        region: "eu-west-1",
      },
      stack: "deploy",
      stage: "CODE",
    });
    new MyApplicationStack(app, "App-PROD-deploy", {
      env: {
        region: "eu-west-1",
      },
      stack: "deploy",
      stage: "PROD",
    });
    
    new MyDatabaseStack(app, "Database-PROD-deploy", {
      env: {
        region: "eu-west-1",
      },
      stack: "deploy",
      stage: "PROD",
    });

    Previously, the validation would incorrectly pass.

    Invalid `riff-raff.yaml`

    allowedStages:
      - CODE
      - PROD
    deployments:
      cfn-eu-west-1-deploy-my-application-stack:
        type: cloud-formation
        regions:
          - eu-west-1
        stacks:
          - deploy
        app: my-application-stack
        contentDirectory: /private/var/folders/0_/pvjwppsx5cl19t4n6_rmm_y80000gp/T/cdk.out9xIUJu
        parameters:
          templateStagePaths:
            CODE: App-CODE-deploy.template.json
            PROD: App-PROD-deploy.template.json
      cfn-eu-west-1-deploy-my-database-stack:
        type: cloud-formation
        regions:
          - eu-west-1
        stacks:
          - deploy
        app: my-database-stack
        contentDirectory: /private/var/folders/0_/pvjwppsx5cl19t4n6_rmm_y80000gp/T/cdk.out9xIUJu
        parameters:
          templateStagePaths:
            PROD: Database-PROD-deploy.template.json
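
The stage-coverage check described in a02c318, as an added sketch that is not guardian/cdk's own code. It assumes stacks are compared by class name within one Riff-Raff project; the `project` field and its values are constructed stand-ins for riffRaffProjectName.

```typescript
// Added example: NOT guardian/cdk code. Comparing stages per project is an assumption.
type StackInstance = {
  className: string; // class the stack was instantiated from
  stage: string;
  project: string; // constructed stand-in for riffRaffProjectName
};

// Every stack class in a project is expected in every stage used by that project.
function findMissingStages(instances: StackInstance[]): string[] {
  const missing: string[] = [];
  for (const a of instances) {
    const expected = instances.filter((i) => i.project === a.project).map((i) => i.stage);
    const present = instances
      .filter((i) => i.project === a.project && i.className === a.className)
      .map((i) => i.stage);
    for (const stage of expected) {
      const gap = `${a.project}: ${a.className} has no ${stage} instance`;
      if (present.indexOf(stage) === -1 && missing.indexOf(gap) === -1) missing.push(gap);
    }
  }
  return missing;
}

// The three stacks from the changelog entry; the project name is constructed.
const pageStacks: StackInstance[] = [
  { className: "MyApplicationStack", stage: "CODE", project: "deploy::my-app" },
  { className: "MyApplicationStack", stage: "PROD", project: "deploy::my-app" },
  { className: "MyDatabaseStack", stage: "PROD", project: "deploy::my-app" },
];

// A singleton INFRA stack in its own project does not create gaps for the others.
const withInfra: StackInstance[] = pageStacks.concat([
  { className: "MyCoreInfraStack", stage: "INFRA", project: "deploy::core-infra" },
]);
```

A deployment pipeline would fail the synth step when `findMissingStages` returns a non-empty list, rather than emit a riff-raff.yaml that silently omits a stage.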

v62.6.1

20 Mar 06:48
Immutable release. Only release title and notes can be modified.
ff20bb5


Patch Changes

  • 0f9611e: Correctly add minInstancesInServiceParameters to a generated riff-raff.yaml file.

    The following experimental classes have an API change:

    • GuAutoScalingRollingUpdateTimeoutExperimental
    • GuHorizontallyScalingDeploymentPropertiesExperimental

    Specifically, they are no longer implemented as singletons. This means they're now instantiated differently:

    declare const stack: GuStack;
    
    // Before
    Aspects.of(stack).add(GuAutoScalingRollingUpdateTimeoutExperimental.getInstance(stack));
    Aspects.of(stack).add(GuHorizontallyScalingDeploymentPropertiesExperimental.getInstance(stack));
    
    // Now
    Aspects.of(stack).add(new GuAutoScalingRollingUpdateTimeoutExperimental());
    Aspects.of(stack).add(new GuHorizontallyScalingDeploymentPropertiesExperimental());

    NOTE: It is important to instantiate GuAutoScalingRollingUpdateTimeoutExperimental only once per GuStack to avoid incorrectly updating resources multiple times.
    To do this, either instantiate it in the constructor of your GuStack, or check whether it is already present in the stack's aspects before adding it:

    declare const stack: GuStack;
    
    const allAspects = Aspects.of(stack).all;
    
    const maybeRollingUpdateTimeoutAspect = allAspects.find(
      (_) => _ instanceof GuAutoScalingRollingUpdateTimeoutExperimental,
    );
    if (!maybeRollingUpdateTimeoutAspect) {
      Aspects.of(stack).add(new GuAutoScalingRollingUpdateTimeoutExperimental());
    }

v62.6.0

19 Mar 08:45
Immutable release. Only release title and notes can be modified.
86787f3


Minor Changes

  • 87b8f74: Remove redundant GuJanusAssumableRole now that it has been superseded by GuDeveloperPolicy. In principle this is a breaking change, but the role is not in use anywhere, so no change to consuming code is needed.

Patch Changes

  • 4c43c08: Update fast-xml-parser and @aws-sdk/xml-builder transitive dependencies to address security vulnerabilities (CVE-2026-33036).

v62.5.4

18 Mar 14:39
Immutable release. Only release title and notes can be modified.
1852e90


Patch Changes

  • d41f682: Add Aspects and Annotations to Developer Policy: Aspects and Annotations provide a mechanism for additional validation or classes. In our Gu Developer Policy objects we do not want any wildcarded actions or resources; all of these should be as tightly scoped as possible.

  • 9111df3: Developer Policy has been updated to:

    • enforce reasonable checks that the allow policies do not provide overly wildcarded actions or resources.
    • remove the use of GuAllow and GuDeveloperPolicy's GuDeny, as they do not offer sufficient benefit for maintenance cost.

    Developer Policy remains "experimental" pending some real world usage testing, but is not expected to change structure again.
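
A check of the kind d41f682 and 9111df3 describe, as an added sketch that is not guardian/cdk's own code. The page does not state which wildcards GuDeveloperPolicy rejects, so the two rules below (`*` or `service:*` actions, `*` or all-resources ARNs) and every name in the block are assumptions; the sample policy is constructed.

```typescript
// Added example: NOT guardian/cdk code. The rules below are assumptions about
// what "overly wildcarded" could mean; GuDeveloperPolicy's real checks may differ.
type Statement = {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
};
type Finding = { statement: number; field: "Action" | "Resource"; value: string };

const toList = (v: string | string[]): string[] => (typeof v === "string" ? [v] : v);

// "*" or "service:*" grants every action, or every action of one service.
function isOverbroadAction(action: string): boolean {
  return action === "*" || /^[^:]+:\*$/.test(action);
}

// "*" or an ARN whose resource part is only "*" (arn:partition:service:region:account:*).
function isOverbroadResource(resource: string): boolean {
  if (resource === "*") return true;
  const parts = resource.split(":");
  return parts[0] === "arn" && parts.length >= 6 && parts.slice(5).join(":") === "*";
}

// Only Allow statements are checked: a wildcarded Deny narrows access.
function findOverbroad(statements: Statement[]): Finding[] {
  const findings: Finding[] = [];
  statements.forEach((s, statement) => {
    if (s.Effect !== "Allow") return;
    for (const value of toList(s.Action)) {
      if (isOverbroadAction(value)) findings.push({ statement, field: "Action", value });
    }
    for (const value of toList(s.Resource)) {
      if (isOverbroadResource(value)) findings.push({ statement, field: "Resource", value });
    }
  });
  return findings;
}

// Constructed sample policy (bucket, queue and account id are made up).
const samplePolicy: Statement[] = [
  { Effect: "Allow", Action: ["s3:GetObject"], Resource: "arn:aws:s3:::example-bucket/reports/*" },
  { Effect: "Allow", Action: "s3:*", Resource: "arn:aws:s3:::example-bucket/*" },
  { Effect: "Allow", Action: ["dynamodb:GetItem"], Resource: "*" },
  { Effect: "Allow", Action: "sqs:SendMessage", Resource: "arn:aws:sqs:eu-west-1:000000000000:*" },
  { Effect: "Deny", Action: "*", Resource: "*" },
];
const sampleFindings = findOverbroad(samplePolicy);
```

Prefix wildcards such as a key prefix inside one bucket pass this check, while the statements at index 1, 2 and 3 of the sample are reported.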

v62.5.3

11 Mar 11:02
Immutable release. Only release title and notes can be modified.
1af9016


Patch Changes

  • c573651: Update aws-cdk to ^2.1110.0, aws-cdk-lib to ^2.241.0, constructs to ^10.5.1

v62.5.2

06 Mar 10:40
Immutable release. Only release title and notes can be modified.
3a1e3a7


Patch Changes

  • b2f227f: Updating @aws-sdk/* dependencies.

v62.5.1

02 Mar 21:48
Immutable release. Only release title and notes can be modified.
8d3b89f


Patch Changes

  • 6c73caa: Update aws-cdk to ^2.1108.0, aws-cdk-lib to ^2.241.0, constructs to ^10.5.1

v62.5.0

02 Mar 10:19
Immutable release. Only release title and notes can be modified.
3ce5900


Minor Changes

  • 6a41012: Remove dependency @oclif/core.

    We were using @oclif/core to create a spinner with the new project CLI. See https://github.com/oclif/core/tree/main/src/ux#action.
    We currently have some open vulnerabilities with minimatch, which @oclif/core adds transitively.
    This change removes @oclif/core in favour of console.log statements.