chore(release): 2.134.0 #29570
Merged
chore(release): 2.134.0 #29570
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ck is different region (#29315) ### Issue # (if applicable) Closes #29308 ### Reason for this change This problem is grant() determines the region of a Key using Stack.of(key).region, however the enclosing Stack's region may differ to that of the actual resource. When this happens, the IAM policy generated allows a `*` resource which is against the least privilege rule. ### Description of changes KMS key already has `env` value on account and region, use this first. If not exist, use stack account and region. ### Description of how you validated changes New unit test ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --------- Co-authored-by: paulhcsun <[email protected]>
…okes when using DataAPI with Aurora cluster (#29399) ### Issue # (if applicable) Closes #29362. ### Reason for this change As discussed [there](#29338 (comment)), we should invoke `secret.grantRead()` explicitly when using DataAPI with Aurora cluster. Because it's inconvenient for users, I made `secret.grantRead()` be invoked within `cluster.grantDataApiAccess()`. ### Description of changes - move `cluster.secret` from `DatabaseClusterNew` to `DatabaseClusterBase` to use it within `DatabaseClusterBase.grantDataApiAccess()` - add `secret.grantRead()` in `cluster.grantDataApiAccess()` - add `secret` property to `DatabaseClusterAttributes` #### Points of concern `DatabaseClusterBase` class is extended by `ImportedDatabaseCluster` class. Therefore, it is necessary to define `ImportedDatabaseCluster.secret`. I simply added `secret` props to `DatabaseClusterAttributes` but I cannot believe this is the best way. Other ways are.. - add `secretArn` to `DatabaseClusterAttributes` - don't add secret info and `ImportedDatabaseCluster.secret` becomes always undefined ### Description of how you validated changes ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…results in error (#29364) ### Issue # (if applicable) Closes #29331 ### Reason for this change While trying to create a Custom Metric with multiple dimension, and adding EC2 action, the CDK synth fails. ### Description of changes As long as there's instance id in dimension, we should accept it instead of raising exception. ### Description of how you validated changes new tests and existing tests pass. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Per this [doc](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_Library.html#CloudWatch_Synthetics_Canaries_runtime_support), these 5 runtimes were deprecated on March 8, 2024. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…tack (#29277) ### Issue # (if applicable) Closes #29260 ### Reason for this change CloudWatch log groups created by the integ tests are set to never expire, so end up cluttering up your aws account and need manual cleanup. ### Description of changes Added custom log group with log group retention ### Description of how you validated changes All existing tests and new tests pass. ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Closes #29398. @abdulkadirdere – Let me know if this clarifies things. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable)
Could not find any in the backlog
### Reason for this change
Update the CDK listed Synthetics runtimes to match the current availability, as well as add missing deprecated versions
### Description of changes
* Added new runtimes
* Marked existing runtimes as deprecated
* Add previously deprecated runtimes
* For the sake of consistency and readability, the static fields for `syn-1.0` and `syn-nodejs-2.*` were still named `SYNTHETICS_NODEJS_PUPPETEER_*`
* Fix documented versions for existing runtimes
* Added `{@link}` tags to match the web documentation
### Description of how you validated changes
I compared the current CDK versions to live SDK data, using the `synthetics:DescribeRuntimeVersions` API results. Deprecated versions were established using the `DeprecationDate` field
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…Rank statistic in Stats helper (#29498) ### Issue # (if applicable) Closes #29465. ### Reason for this change There shouldn't be a warning when `Stats.percentileRank` ### Description of changes Add a new parser for percentileRank statistic ### Description of how you validated changes unit test ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable) Closes D122674750. ### Reason for this change This Lambda does not work in new regions. ### Description of changes Current S3BucketNotifications Custom Resource Lambda `python3.9` uses `botocore` version `1.29.90` which does not have S3 endpoint information for new regions. Upgrading to `python3.11` which has `botocore` version `1.30.1`. See more in D122674750. Note that we cannot upgrade to `python3.12` because it's not available in all regions yet. ### Description of how you validated changes N/A. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.5 to 1.15.6. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/follow-redirects/follow-redirects/commit/35a517c5861d79dc8bff7db8626013d20b711b06"><code>35a517c</code></a> Release version 1.15.6 of the npm package.</li> <li><a href="https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b"><code>c4f847f</code></a> Drop Proxy-Authorization across hosts.</li> <li><a href="https://github.com/follow-redirects/follow-redirects/commit/8526b4a1b2ab3a2e4044299377df623a661caa76"><code>8526b4a</code></a> Use GitHub for disclosure.</li> <li>See full diff in <a href="https://github.com/follow-redirects/follow-redirects/compare/v1.15.5...v1.15.6">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/aws/aws-cdk/network/alerts). </details>
### Issue # (if applicable) None ### Reason for this change Follow up to #29427. Added a missing instance type, and minor fixes to the `IntanceType` class ### Description of changes I'd missed an instance type, [`dl2q`](https://aws.amazon.com/ec2/instance-types/dl2q/), which was neither in `us-east-1` or `us-east-2`, but in `us-west-2`. I've also added a couple of missing symbolic names, as well as fixed some differing comments between the key and its symbolic value (e.g. `M3` and `STANDARD3`) I also re-ordered a couple of enum values, when the symbolic value was separated from its match ### Description of how you validated changes Compared the CDK to the SDK to find the missing instance. Programmatically iterated over the comments of `IntanceType` to make sure the comments of the symbolic keys matched the one below. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…get CFN types resolved in exports (#28768) Issue still persists after #28680. ``` node_modules/@aws-cdk/cloudformation-diff/lib/diff-template.d.ts:1:37 - error TS2307: Cannot find module 'aws-sdk' or its corresponding type declarations. 1 import type { CloudFormation } from 'aws-sdk'; ~~~~~~~~~ Found 1 error in node_modules/@aws-cdk/cloudformation-diff/lib/diff-template.d.ts:1 ``` Types are still required as a direct dependency in package.json. Closes #28679 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 42.1.0 to 43.0.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tj-actions/changed-files/releases">tj-actions/changed-files's releases</a>.</em></p> <blockquote> <h2>v43.0.0</h2> <h2>🔥🔥 BREAKING CHANGE 🔥🔥</h2> <ul> <li><code>any_{changed, modified, deleted}</code> outputs now return <code>true</code> when no file/directory patterns are specified.</li> </ul> <h2>What's Changed</h2> <ul> <li>Upgraded to v42.1.0 by <a href="https://github.com/tj-actions-bot"><code>@tj-actions-bot</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1977">tj-actions/changed-files#1977</a></li> <li>chore(deps): lock file maintenance by <a href="https://github.com/renovate"><code>@renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1979">tj-actions/changed-files#1979</a></li> <li>chore(deps): update dependency <code>@typescript-eslint/parser</code> to v7.2.0 by <a href="https://github.com/renovate"><code>@renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1980">tj-actions/changed-files#1980</a></li> <li>chore(deps): update dependency <code>@types/node</code> to v20.11.26 by <a href="https://github.com/renovate"><code>@renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1981">tj-actions/changed-files#1981</a></li> <li>chore(deps): update dependency <code>@typescript-eslint/eslint-plugin</code> to v7.2.0 by <a href="https://github.com/renovate"><code>@renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1982">tj-actions/changed-files#1982</a></li> <li>chore(deps): update dependency <code>@types/lodash</code> to v4.17.0 by <a href="https://github.com/renovate"><code>@renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1983">tj-actions/changed-files#1983</a></li> <li>chore(deps): update peter-evans/create-pull-request action to v6.0.2 by <a href="https://github.com/renovate"><code>@renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1984">tj-actions/changed-files#1984</a></li> <li>chore(deps): update dependency <code>@types/node</code> to v20.11.27 by <a href="https://github.com/renovate"><code>@renovate</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1987">tj-actions/changed-files#1987</a></li> <li>feat: add support for returning true for <code>any_{changed, modified, deleted}</code> outputs when no patterns are specified by <a href="https://github.com/jackton1"><code>@jackton1</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1988">tj-actions/changed-files#1988</a></li> <li>Updated README.md by <a href="https://github.com/tj-actions-bot"><code>@tj-actions-bot</code></a> in <a href="https://redirect.github.com/tj-actions/changed-files/pull/1989">tj-actions/changed-files#1989</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/tj-actions/changed-files/compare/v42...v43.0.0">https://github.com/tj-actions/changed-files/compare/v42...v43.0.0</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/tj-actions/changed-files/blob/main/HISTORY.md">tj-actions/changed-files's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <h1><a href="https://github.com/tj-actions/changed-files/compare/v42.1.0...v43.0.0">43.0.0</a> - (2024-03-13)</h1> <h2>🚀 Features</h2> <ul> <li>Add support for returning true for <code>any_{changed, modified, deleted}</code> outputs when no patterns are specified (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1988">#1988</a>) (<a href="https://github.com/tj-actions/changed-files/commit/a5cf6aa30cfbe1e0764d2aa5e9f42edb847b6d55">a5cf6aa</a>) - (Tonye Jack)</li> </ul> <h2>🔄 Update</h2> <ul> <li>Updated README.md (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1989">#1989</a>)</li> </ul> <p>Co-authored-by: repo-ranger[bot] (<a href="https://github.com/tj-actions/changed-files/commit/77af4bed286740ef1a6387dc4e4e4dec39f96054">77af4be</a>) - (tj-actions[bot])</p> <h2>⚙️ Miscellaneous Tasks</h2> <ul> <li><strong>deps:</strong> Update dependency <code>@types/node</code> to v20.11.27 (<a href="https://github.com/tj-actions/changed-files/commit/15807c9c84ec7ff092c52f2f9fecc600e81420f1">15807c9</a>) - (renovate[bot])</li> <li><strong>deps:</strong> Update peter-evans/create-pull-request action to v6.0.2 (<a href="https://github.com/tj-actions/changed-files/commit/dc458cf7531fd39dcf942beb39ef6bdcaddc9715">dc458cf</a>) - (renovate[bot])</li> <li><strong>deps:</strong> Update dependency <code>@types/lodash</code> to v4.17.0 (<a href="https://github.com/tj-actions/changed-files/commit/92ca3eebd01cb3fc4d88a4cbd10f344ea4a116d3">92ca3ee</a>) - (renovate[bot])</li> <li><strong>deps:</strong> Update dependency <code>@typescript-eslint/eslint-plugin</code> to v7.2.0 (<a href="https://github.com/tj-actions/changed-files/commit/f591d0c7f0b790ca8c139ce92ff4e8c238cb8940">f591d0c</a>) - (renovate[bot])</li> <li><strong>deps:</strong> Update dependency <code>@types/node</code> to v20.11.26 (<a href="https://github.com/tj-actions/changed-files/commit/35023362e2b0ff1cd9b970167a1603614e1ad854">3502336</a>) - (renovate[bot])</li> <li><strong>deps:</strong> Update dependency <code>@typescript-eslint/parser</code> to v7.2.0 (<a href="https://github.com/tj-actions/changed-files/commit/e436cb6d85bcd4aecab64c542f2268998a1cdd2f">e436cb6</a>) - (renovate[bot])</li> <li><strong>deps:</strong> Lock file maintenance (<a href="https://github.com/tj-actions/changed-files/commit/257d47dfba22be3e0a17f6bad47ff07f7e76747c">257d47d</a>) - (renovate[bot])</li> </ul> <h2>⬆️ Upgrades</h2> <ul> <li>Upgraded to v42.1.0 (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1977">#1977</a>)</li> </ul> <p>Co-authored-by: jackton1 <a href="mailto:[email protected]">[email protected]</a> (<a href="https://github.com/tj-actions/changed-files/commit/4918e1183080b35a085c91c8abc9e6adc4de61a1">4918e11</a>) - (tj-actions[bot])</p> <h1><a href="https://github.com/tj-actions/changed-files/compare/v42.0.7...v42.1.0">42.1.0</a> - (2024-03-09)</h1> <h2>🚀 Features</h2> <ul> <li>Add matrix alias to simplify using outputs for matrix jobs (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1975">#1975</a>) (<a href="https://github.com/tj-actions/changed-files/commit/008ba8ceec9f1757264e0512542d5ecab6d87ae6">008ba8c</a>) - (Tonye Jack)</li> </ul> <h2>🔄 Update</h2> <ul> <li>Updated README.md (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1976">#1976</a>)</li> </ul> <p>Co-authored-by: repo-ranger[bot] (<a href="https://github.com/tj-actions/changed-files/commit/aa08304bd477b800d468db44fe10f6c61f7f7b11">aa08304</a>) - (tj-actions[bot])</p> <h2>⬆️ Upgrades</h2> <ul> <li>Upgraded to v42.0.7 (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1974">#1974</a>)</li> </ul> <p>Co-authored-by: jackton1 <a href="mailto:[email protected]">[email protected]</a> (<a href="https://github.com/tj-actions/changed-files/commit/fe6c3ea0ca88f25e4ba51fa00c27bb5dd06cb08a">fe6c3ea</a>) - (tj-actions[bot])</p> <h1><a href="https://github.com/tj-actions/changed-files/compare/v42.0.6...v42.0.7">42.0.7</a> - (2024-03-07)</h1> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/tj-actions/changed-files/commit/77af4bed286740ef1a6387dc4e4e4dec39f96054"><code>77af4be</code></a> Updated README.md (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1989">#1989</a>)</li> <li><a href="https://github.com/tj-actions/changed-files/commit/a5cf6aa30cfbe1e0764d2aa5e9f42edb847b6d55"><code>a5cf6aa</code></a> feat: add support for returning true for <code>any_{changed, modified, deleted}</code> o...</li> <li><a href="https://github.com/tj-actions/changed-files/commit/15807c9c84ec7ff092c52f2f9fecc600e81420f1"><code>15807c9</code></a> chore(deps): update dependency <code>@types/node</code> to v20.11.27</li> <li><a href="https://github.com/tj-actions/changed-files/commit/dc458cf7531fd39dcf942beb39ef6bdcaddc9715"><code>dc458cf</code></a> chore(deps): update peter-evans/create-pull-request action to v6.0.2</li> <li><a href="https://github.com/tj-actions/changed-files/commit/92ca3eebd01cb3fc4d88a4cbd10f344ea4a116d3"><code>92ca3ee</code></a> chore(deps): update dependency <code>@types/lodash</code> to v4.17.0</li> <li><a href="https://github.com/tj-actions/changed-files/commit/f591d0c7f0b790ca8c139ce92ff4e8c238cb8940"><code>f591d0c</code></a> chore(deps): update dependency <code>@typescript-eslint/eslint-plugin</code> to v7.2.0</li> <li><a href="https://github.com/tj-actions/changed-files/commit/35023362e2b0ff1cd9b970167a1603614e1ad854"><code>3502336</code></a> chore(deps): update dependency <code>@types/node</code> to v20.11.26</li> <li><a href="https://github.com/tj-actions/changed-files/commit/e436cb6d85bcd4aecab64c542f2268998a1cdd2f"><code>e436cb6</code></a> chore(deps): update dependency <code>@typescript-eslint/parser</code> to v7.2.0</li> <li><a href="https://github.com/tj-actions/changed-files/commit/257d47dfba22be3e0a17f6bad47ff07f7e76747c"><code>257d47d</code></a> chore(deps): lock file maintenance</li> <li><a href="https://github.com/tj-actions/changed-files/commit/4918e1183080b35a085c91c8abc9e6adc4de61a1"><code>4918e11</code></a> Upgraded to v42.1.0 (<a href="https://redirect.github.com/tj-actions/changed-files/issues/1977">#1977</a>)</li> <li>See full diff in <a href="https://github.com/tj-actions/changed-files/compare/aa08304bd477b800d468db44fe10f6c61f7f7b11...77af4bed286740ef1a6387dc4e4e4dec39f96054">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec` **L1 CloudFormation resource definition changes:** ``` ├[~] service aws-appconfig │ └ resources │ ├[~] resource AWS::AppConfig::Deployment │ │ ├ properties │ │ │ └[+] DynamicExtensionParameters: Array<DynamicExtensionParameters> (immutable) │ │ └ types │ │ └[+] type DynamicExtensionParameters │ │ ├ name: DynamicExtensionParameters │ │ └ properties │ │ ├ExtensionReference: string │ │ ├ParameterName: string │ │ └ParameterValue: string │ ├[~] resource AWS::AppConfig::Extension │ │ ├ - documentation: Creates an AWS AppConfig extension. An extension augments your ability to inject logic or behavior at different points during the AWS AppConfig workflow of creating or deploying a configuration. │ │ │ You can create your own extensions or use the AWS authored extensions provided by AWS AppConfig . For an AWS AppConfig extension that uses AWS Lambda , you must create a Lambda function to perform any computation and processing defined in the extension. If you plan to create custom versions of the AWS authored notification extensions, you only need to specify an Amazon Resource Name (ARN) in the `Uri` field for the new extension version. │ │ │ - For a custom EventBridge notification extension, enter the ARN of the EventBridge default events in the `Uri` field. │ │ │ - For a custom Amazon SNS notification extension, enter the ARN of an Amazon SNS topic in the `Uri` field. │ │ │ - For a custom Amazon SQS notification extension, enter the ARN of an Amazon SQS message queue in the `Uri` field. │ │ │ For more information about extensions, see [Working with AWS AppConfig extensions](https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) in the *AWS AppConfig User Guide* . │ │ │ + documentation: Creates an AWS AppConfig extension. An extension augments your ability to inject logic or behavior at different points during the AWS AppConfig workflow of creating or deploying a configuration. │ │ │ You can create your own extensions or use the AWS authored extensions provided by AWS AppConfig . For an AWS AppConfig extension that uses AWS Lambda , you must create a Lambda function to perform any computation and processing defined in the extension. If you plan to create custom versions of the AWS authored notification extensions, you only need to specify an Amazon Resource Name (ARN) in the `Uri` field for the new extension version. │ │ │ - For a custom EventBridge notification extension, enter the ARN of the EventBridge default events in the `Uri` field. │ │ │ - For a custom Amazon SNS notification extension, enter the ARN of an Amazon SNS topic in the `Uri` field. │ │ │ - For a custom Amazon SQS notification extension, enter the ARN of an Amazon SQS message queue in the `Uri` field. │ │ │ For more information about extensions, see [Extending workflows](https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) in the *AWS AppConfig User Guide* . │ │ └ types │ │ └[~] type Parameter │ │ ├ - documentation: A value such as an Amazon Resource Name (ARN) or an Amazon Simple Notification Service topic entered in an extension when invoked. Parameter values are specified in an extension association. For more information about extensions, see [Working with AWS AppConfig extensions](https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) in the *AWS AppConfig User Guide* . │ │ │ + documentation: A value such as an Amazon Resource Name (ARN) or an Amazon Simple Notification Service topic entered in an extension when invoked. Parameter values are specified in an extension association. For more information about extensions, see [Extending workflows](https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) in the *AWS AppConfig User Guide* . │ │ └ properties │ │ └[+] Dynamic: boolean │ └[~] resource AWS::AppConfig::ExtensionAssociation │ └ - documentation: When you create an extension or configure an AWS authored extension, you associate the extension with an AWS AppConfig application, environment, or configuration profile. For example, you can choose to run the `AWS AppConfig deployment events to Amazon SNS` AWS authored extension and receive notifications on an Amazon SNS topic anytime a configuration deployment is started for a specific application. Defining which extension to associate with an AWS AppConfig resource is called an *extension association* . An extension association is a specified relationship between an extension and an AWS AppConfig resource, such as an application or a configuration profile. For more information about extensions and associations, see [Working with AWS AppConfig extensions](https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) in the *AWS AppConfig User Guide* . │ + documentation: When you create an extension or configure an AWS authored extension, you associate the extension with an AWS AppConfig application, environment, or configuration profile. For example, you can choose to run the `AWS AppConfig deployment events to Amazon SNS` AWS authored extension and receive notifications on an Amazon SNS topic anytime a configuration deployment is started for a specific application. Defining which extension to associate with an AWS AppConfig resource is called an *extension association* . An extension association is a specified relationship between an extension and an AWS AppConfig resource, such as an application or a configuration profile. For more information about extensions and associations, see [Extending workflows](https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) in the *AWS AppConfig User Guide* . ├[~] service aws-applicationinsights │ └ resources │ └[~] resource AWS::ApplicationInsights::Application │ └ properties │ └ AttachMissingPermission: (documentation changed) ├[~] service aws-backup │ └ resources │ └[~] resource AWS::Backup::ReportPlan │ └ types │ └[~] type ReportSetting │ └ properties │ ├ Accounts: (documentation changed) │ └ Regions: (documentation changed) ├[~] service aws-batch │ └ resources │ ├[~] resource AWS::Batch::JobDefinition │ │ ├ properties │ │ │ └ EcsProperties: (documentation changed) │ │ └ types │ │ ├[~] type EcsProperties │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: An object that contains the properties for the Amazon ECS resources of a job. │ │ │ └ properties │ │ │ └ TaskProperties: (documentation changed) │ │ ├[~] type EcsTaskProperties │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: The properties for a task definition that describes the container and volume definitions of an Amazon ECS task. You can specify which Docker images to use, the required resources, and other configurations related to launching the task definition through an Amazon ECS service or task. │ │ │ └ properties │ │ │ ├ Containers: (documentation changed) │ │ │ ├ EphemeralStorage: (documentation changed) │ │ │ ├ ExecutionRoleArn: (documentation changed) │ │ │ ├ IpcMode: (documentation changed) │ │ │ ├ NetworkConfiguration: (documentation changed) │ │ │ ├ PidMode: (documentation changed) │ │ │ ├ PlatformVersion: (documentation changed) │ │ │ ├ RuntimePlatform: (documentation changed) │ │ │ ├ TaskRoleArn: (documentation changed) │ │ │ └ Volumes: (documentation changed) │ │ ├[~] type NodeRangeProperty │ │ │ └ properties │ │ │ ├ EcsProperties: (documentation changed) │ │ │ └ InstanceTypes: (documentation changed) │ │ ├[~] type PodProperties │ │ │ └ properties │ │ │ ├ InitContainers: (documentation changed) │ │ │ └ ShareProcessNamespace: (documentation changed) │ │ ├[~] type TaskContainerDependency │ │ │ ├ - documentation: undefined │ │ │ │ + documentation: A list of containers that this task depends on. │ │ │ └ properties │ │ │ ├ Condition: (documentation changed) │ │ │ └ ContainerName: (documentation changed) │ │ └[~] type TaskContainerProperties │ │ ├ - documentation: undefined │ │ │ + documentation: Container properties are used for Amazon ECS-based job definitions. These properties to describe the container that's launched as part of a job. │ │ └ properties │ │ ├ Command: (documentation changed) │ │ ├ DependsOn: (documentation changed) │ │ ├ Environment: (documentation changed) │ │ ├ Essential: (documentation changed) │ │ ├ Image: (documentation changed) │ │ ├ LinuxParameters: (documentation changed) │ │ ├ LogConfiguration: (documentation changed) │ │ ├ MountPoints: (documentation changed) │ │ ├ Name: (documentation changed) │ │ ├ Privileged: (documentation changed) │ │ ├ ReadonlyRootFilesystem: (documentation changed) │ │ ├ RepositoryCredentials: (documentation changed) │ │ ├ ResourceRequirements: (documentation changed) │ │ ├ Secrets: (documentation changed) │ │ ├ Ulimits: (documentation changed) │ │ └ User: (documentation changed) │ └[~] resource AWS::Batch::JobQueue │ ├ properties │ │ └[+] JobStateTimeLimitActions: Array<JobStateTimeLimitAction> │ └ types │ └[+] type JobStateTimeLimitAction │ ├ name: JobStateTimeLimitAction │ └ properties │ ├Action: string (required) │ ├MaxTimeSeconds: integer (required) │ ├Reason: string (required) │ └State: string (required) ├[~] service aws-cloudformation │ └ resources │ └[~] resource AWS::CloudFormation::TypeActivation │ └ - documentation: Activates a public third-party extension, making it available for use in stack templates. For more information, see [Using public extensions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry-public.html) in the *AWS CloudFormation User Guide* . │ Once you have activated a public third-party extension in your account and Region, use [SetTypeConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_SetTypeConfiguration.html) to specify configuration properties for the extension. For more information, see [Configuring extensions at the account level](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry-register.html#registry-set-configuration) in the *CloudFormation User Guide* . │ + documentation: Activates a public third-party extension, making it available for use in stack templates. For more information, see [Using public extensions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry-public.html) in the *AWS CloudFormation User Guide* . │ Once you have activated a public third-party extension in your account and Region, use [`SetTypeConfiguration`](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_SetTypeConfiguration.html) to specify configuration properties for the extension. For more information, see [Configuring extensions at the account level](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry-register.html#registry-set-configuration) in the *CloudFormation User Guide* . ├[~] service aws-cloudfront │ └ resources │ └[~] resource AWS::CloudFront::ContinuousDeploymentPolicy │ └ types │ └[~] type SingleWeightConfig │ └ properties │ └ Weight: (documentation changed) ├[~] service aws-cloudtrail │ └ resources │ ├[~] resource AWS::CloudTrail::EventDataStore │ │ └ types │ │ └[~] type AdvancedFieldSelector │ │ └ properties │ │ └ Field: (documentation changed) │ └[~] resource AWS::CloudTrail::Trail │ └ types │ └[~] type AdvancedFieldSelector │ └ properties │ └ Field: (documentation changed) ├[~] service aws-codepipeline │ └ resources │ └[~] resource AWS::CodePipeline::Pipeline │ └ types │ └[~] type ActionDeclaration │ └ properties │ └[+] TimeoutInMinutes: integer ├[~] service aws-cognito │ └ resources │ ├[~] resource AWS::Cognito::UserPool │ │ └ properties │ │ └ DeletionProtection: (documentation changed) │ └[~] resource AWS::Cognito::UserPoolIdentityProvider │ └ properties │ └ ProviderDetails: (documentation changed) ├[~] service aws-dlm │ └ resources │ └[~] resource AWS::DLM::LifecyclePolicy │ └ types │ └[~] type CreateRule │ └ properties │ └ CronExpression: (documentation changed) ├[~] service aws-ec2 │ └ resources │ ├[~] resource AWS::EC2::DHCPOptions │ │ └ properties │ │ └[+] Ipv6AddressPreferredLeaseTime: integer (immutable) │ ├[~] resource AWS::EC2::FlowLog │ │ └ properties │ │ └ DeliverLogsPermissionArn: (documentation changed) │ ├[~] resource AWS::EC2::Instance │ │ ├ attributes │ │ │ ├ Id: (documentation changed) │ │ │ ├[+] InstanceId: string │ │ │ └[+] VpcId: string │ │ └ types │ │ └[~] type HibernationOptions │ │ └ properties │ │ └ Configured: - boolean │ │ + boolean (default=false) │ ├[~] resource AWS::EC2::SecurityGroup │ │ └ types │ │ ├[~] type Egress │ │ │ ├ - documentation: Adds the specified outbound (egress) rule to a security group. │ │ │ │ An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address range, the IP address ranges that are specified by a prefix list, or the instances that are associated with a destination security group. For more information, see [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) . │ │ │ │ You must specify exactly one of the following destinations: an IPv4 or IPv6 address range, a prefix list, or a security group. Otherwise, the stack launches successfully but the rule is not added to the security group. │ │ │ │ You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code. │ │ │ │ Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur. │ │ │ │ + documentation: Adds the specified outbound (egress) rule to a security group. │ │ │ │ An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address range, the IP address ranges that are specified by a prefix list, or the instances that are associated with a destination security group. For more information, see [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) . │ │ │ │ You must specify exactly one of the following destinations: an IPv4 address range, an IPv6 address range, a prefix list, or a security group. │ │ │ │ You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code. │ │ │ │ Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur. │ │ │ └ properties │ │ │ ├ CidrIp: (documentation changed) │ │ │ ├ CidrIpv6: (documentation changed) │ │ │ ├ DestinationPrefixListId: (documentation changed) │ │ │ └ DestinationSecurityGroupId: (documentation changed) │ │ └[~] type Ingress │ │ ├ - documentation: Adds an inbound (ingress) rule to a security group. │ │ │ An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 address range, the IP address ranges that are specified by a prefix list, or the instances that are associated with a source security group. For more information, see [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) . │ │ │ You must specify exactly one of the following sources: an IPv4 or IPv6 address range, a prefix list, or a security group. Otherwise, the stack launches successfully, but the rule is not added to the security group. │ │ │ You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code. │ │ │ Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur. │ │ │ + documentation: Adds an inbound (ingress) rule to a security group. │ │ │ An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 address range, the IP address ranges that are specified by a prefix list, or the instances that are associated with a source security group. For more information, see [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) . │ │ │ You must specify exactly one of the following sources: an IPv4 address range, an IPv6 address range, a prefix list, or a security group. │ │ │ You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code. │ │ │ Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur. │ │ └ properties │ │ ├ CidrIp: (documentation changed) │ │ └ CidrIpv6: (documentation changed) │ ├[~] resource AWS::EC2::SecurityGroupEgress │ │ ├ - documentation: Adds the specified outbound (egress) rule to a security group. │ │ │ An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address range, the IP addresses that are specified by a prefix list, or the instances that are associated with a destination security group. For more information, see [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) . │ │ │ You must specify exactly one of the following destinations: an IPv4 or IPv6 address range, a prefix list, or a security group. Otherwise, the stack launches successfully but the rule is not added to the security group. │ │ │ You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code. To specify all types or all codes, use -1. │ │ │ Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur. │ │ │ + documentation: Adds the specified outbound (egress) rule to a security group. │ │ │ An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address range, the IP addresses that are specified by a prefix list, or the instances that are associated with a destination security group. For more information, see [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) . │ │ │ You must specify exactly one of the following destinations: an IPv4 address range, an IPv6 address range, a prefix list, or a security group. │ │ │ You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code. To specify all types or all codes, use -1. │ │ │ Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur. │ │ └ properties │ │ ├ CidrIp: (documentation changed) │ │ ├ CidrIpv6: (documentation changed) │ │ ├ DestinationPrefixListId: (documentation changed) │ │ └ DestinationSecurityGroupId: (documentation changed) │ ├[~] resource AWS::EC2::SecurityGroupIngress │ │ ├ - documentation: Adds an inbound (ingress) rule to a security group. │ │ │ An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 address range, the IP addresses that are specified by a prefix list, or the instances that are associated with a source security group. For more information, see [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) . │ │ │ You must specify only one of the following sources: an IPv4 or IPv6 address range, a prefix list, or a security group. Otherwise, the stack launches successfully, but the rule is not added to the security group. │ │ │ You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code. │ │ │ Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur. │ │ │ + documentation: Adds an inbound (ingress) rule to a security group. │ │ │ An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 address range, the IP addresses that are specified by a prefix list, or the instances that are associated with a source security group. For more information, see [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) . │ │ │ You must specify exactly one of the following sources: an IPv4 address range, an IPv6 address range, a prefix list, or a security group. │ │ │ You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code. │ │ │ Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur. │ │ └ properties │ │ ├ CidrIp: (documentation changed) │ │ └ CidrIpv6: (documentation changed) │ └[~] resource AWS::EC2::VPCCidrBlock ├[~] service aws-ecs │ └ resources │ ├[~] resource AWS::ECS::Service │ │ └ properties │ │ └ PropagateTags: (documentation changed) │ └[~] resource AWS::ECS::TaskDefinition │ └ types │ └[~] type EphemeralStorage │ └ properties │ └ SizeInGiB: (documentation changed) ├[~] service aws-glue │ └ resources │ └[~] resource AWS::Glue::TableOptimizer │ └ properties │ └ TableOptimizerConfiguration: (documentation changed) ├[~] service aws-internetmonitor │ └ resources │ └[~] resource AWS::InternetMonitor::Monitor │ └ properties │ ├[+] IncludeLinkedAccounts: boolean │ └[+] LinkedAccountId: string ├[~] service aws-iotsitewise │ └ resources │ ├[~] resource AWS::IoTSiteWise::Asset │ │ ├ properties │ │ │ └ AssetExternalId: (documentation changed) │ │ └ types │ │ ├[~] type AssetHierarchy │ │ │ └ properties │ │ │ ├ ExternalId: (documentation changed) │ │ │ └ Id: (documentation changed) │ │ └[~] type AssetProperty │ │ └ properties │ │ ├ ExternalId: (documentation changed) │ │ └ Id: (documentation changed) │ └[~] resource AWS::IoTSiteWise::AssetModel │ ├ properties │ │ ├ AssetModelExternalId: (documentation changed) │ │ └ AssetModelType: (documentation changed) │ └ types │ ├[~] type AssetModelCompositeModel │ │ └ properties │ │ ├ ComposedAssetModelId: (documentation changed) │ │ ├ ExternalId: (documentation changed) │ │ ├ Id: (documentation changed) │ │ ├ ParentAssetModelCompositeModelExternalId: (documentation changed) │ │ └ Path: (documentation changed) │ ├[~] type AssetModelHierarchy │ │ └ properties │ │ ├ ExternalId: (documentation changed) │ │ └ Id: (documentation changed) │ ├[~] type AssetModelProperty │ │ └ properties │ │ ├ ExternalId: (documentation changed) │ │ └ Id: (documentation changed) │ ├[~] type PropertyPathDefinition │ │ ├ - documentation: The definition for property path which is used to reference properties in transforms/metrics │ │ │ + documentation: Represents one level between a composite model and the root of the asset model. │ │ └ properties │ │ └ Name: (documentation changed) │ └[~] type VariableValue │ └ properties │ ├ HierarchyExternalId: (documentation changed) │ ├ HierarchyId: (documentation changed) │ ├ PropertyExternalId: (documentation changed) │ ├ PropertyId: (documentation changed) │ └ PropertyPath: (documentation changed) ├[~] service aws-kinesisfirehose │ └ resources │ └[~] resource AWS::KinesisFirehose::DeliveryStream │ └ properties │ └ Tags: (documentation changed) ├[~] service aws-msk │ └ resources │ └[~] resource AWS::MSK::Replicator │ └ types │ ├[+] type ReplicationStartingPosition │ │ ├ documentation: Configuration for specifying the position in the topics to start replicating from. │ │ │ name: ReplicationStartingPosition │ │ └ properties │ │ └Type: string │ └[~] type TopicReplication │ └ properties │ └[+] StartingPosition: ReplicationStartingPosition ├[~] service aws-opensearchservice │ └ resources │ └[~] resource AWS::OpenSearchService::Domain │ └ types │ └[~] type MasterUserOptions │ └ - documentation: Specifies information about the master user. │ Required if if `InternalUserDatabaseEnabled` is true in [AdvancedSecurityOptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-opensearchservice-domain-advancedsecurityoptionsinput.html) . │ + documentation: Specifies information about the master user. │ Required if `InternalUserDatabaseEnabled` is true in [AdvancedSecurityOptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-opensearchservice-domain-advancedsecurityoptionsinput.html) . ├[~] service aws-rds │ └ resources │ └[~] resource AWS::RDS::DBInstance │ └ properties │ └ Engine: (documentation changed) ├[~] service aws-sagemaker │ └ resources │ └[~] resource AWS::SageMaker::Model │ └ types │ └[~] type ContainerDefinition │ └ properties │ └ Environment: (documentation changed) ├[~] service aws-ssm │ └ resources │ └[~] resource AWS::SSM::PatchBaseline │ └ properties │ └ RejectedPatchesAction: (documentation changed) ├[~] service aws-transfer │ └ resources │ └[~] resource AWS::Transfer::Connector │ └ types │ └[~] type As2Config │ └ properties │ └ EncryptionAlgorithm: (documentation changed) └[~] service aws-wafv2 └ resources ├[~] resource AWS::WAFv2::LoggingConfiguration │ └ properties │ └ RedactedFields: (documentation changed) ├[~] resource AWS::WAFv2::RuleGroup │ └ types │ ├[~] type Body │ │ └ properties │ │ └ OversizeHandling: (documentation changed) │ ├[~] type FieldToMatch │ │ ├ - documentation: Specifies a web request component to be used in a rule match statement or in a logging configuration. │ │ │ - In a rule statement, this is the part of the web request that you want AWS WAF to inspect. Include the single `FieldToMatch` type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in `FieldToMatch` for each rule statement that requires it. To inspect more than one component of the web request, create a separate rule statement for each component. │ │ │ Example JSON for a `QueryString` field to match: │ │ │ `"FieldToMatch": { "QueryString": {} }` │ │ │ Example JSON for a `Method` field to match specification: │ │ │ `"FieldToMatch": { "Method": { "Name": "DELETE" } }` │ │ │ - In a logging configuration, this is used in the `RedactedFields` property to specify a field to redact from the logging records. For this use case, note the following: │ │ │ - Even though all `FieldToMatch` settings are available, the only valid settings for field redaction are `UriPath` , `QueryString` , `SingleHeader` , and `Method` . │ │ │ - In this documentation, the descriptions of the individual fields talk about specifying the web request component to inspect, but for field redaction, you are specifying the component type to redact from the logs. │ │ │ + documentation: Specifies a web request component to be used in a rule match statement or in a logging configuration. │ │ │ - In a rule statement, this is the part of the web request that you want AWS WAF to inspect. Include the single `FieldToMatch` type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in `FieldToMatch` for each rule statement that requires it. To inspect more than one component of the web request, create a separate rule statement for each component. │ │ │ Example JSON for a `QueryString` field to match: │ │ │ `"FieldToMatch": { "QueryString": {} }` │ │ │ Example JSON for a `Method` field to match specification: │ │ │ `"FieldToMatch": { "Method": { "Name": "DELETE" } }` │ │ │ - In a logging configuration, this is used in the `RedactedFields` property to specify a field to redact from the logging records. For this use case, note the following: │ │ │ - Even though all `FieldToMatch` settings are available, the only valid settings for field redaction are `UriPath` , `QueryString` , `SingleHeader` , and `Method` . │ │ │ - In this documentation, the descriptions of the individual fields talk about specifying the web request component to inspect, but for field redaction, you are specifying the component type to redact from the logs. │ │ │ - If you have request sampling enabled, the redacted fields configuration for logging has no impact on sampling. The only way to exclude fields from request sampling is by disabling sampling in the web ACL visibility configuration. │ │ └ properties │ │ ├ Body: (documentation changed) │ │ └ JsonBody: (documentation changed) │ ├[~] type JsonBody │ │ └ properties │ │ └ OversizeHandling: (documentation changed) │ ├[~] type RateBasedStatement │ │ └ properties │ │ └ EvaluationWindowSec: (documentation changed) │ ├[~] type SizeConstraintStatement │ │ └ - documentation: A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes. │ │ If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size. │ │ If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long. │ │ + documentation: A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes. │ │ If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes in the body up to the limit for the web ACL and protected resource type. If you know that the request body for your web requests should never exceed the inspection limit, you can use a size constraint statement to block requests that have a larger request body size. For more information about the inspection limits, see `Body` and `JsonBody` settings for the `FieldToMatch` data type. │ │ If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long. │ ├[~] type Statement │ │ └ properties │ │ └ SizeConstraintStatement: (documentation changed) │ └[~] type VisibilityConfig │ └ properties │ └ SampledRequestsEnabled: (documentation changed) └[~] resource AWS::WAFv2::WebACL ├ properties │ └ AssociationConfig: (documentation changed) └ types ├[~] type AssociationConfig │ ├ - documentation: Specifies custom configurations for the associations between the web ACL and protected resources. │ │ Use this to customize the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default is 16 KB (16,384 bytes). │ │ > You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) . │ │ + documentation: Specifies custom configurations for the associations between the web ACL and protected resources. │ │ Use this to customize the maximum size of the request body that your protected resources forward to AWS WAF for inspection. You can customize this setting for CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources. The default setting is 16 KB (16,384 bytes). │ │ > You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) . │ │ For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes). │ └ properties │ └ RequestBody: (documentation changed) ├[~] type Body │ └ properties │ └ OversizeHandling: (documentation changed) ├[~] type FieldToMatch │ ├ - documentation: Specifies a web request component to be used in a rule match statement or in a logging configuration. │ │ - In a rule statement, this is the part of the web request that you want AWS WAF to inspect. Include the single `FieldToMatch` type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in `FieldToMatch` for each rule statement that requires it. To inspect more than one component of the web request, create a separate rule statement for each component. │ │ Example JSON for a `QueryString` field to match: │ │ `"FieldToMatch": { "QueryString": {} }` │ │ Example JSON for a `Method` field to match specification: │ │ `"FieldToMatch": { "Method": { "Name": "DELETE" } }` │ │ - In a logging configuration, this is used in the `RedactedFields` property to specify a field to redact from the logging records. For this use case, note the following: │ │ - Even though all `FieldToMatch` settings are available, the only valid settings for field redaction are `UriPath` , `QueryString` , `SingleHeader` , and `Method` . │ │ - In this documentation, the descriptions of the individual fields talk about specifying the web request component to inspect, but for field redaction, you are specifying the component type to redact from the logs. │ │ + documentation: Specifies a web request component to be used in a rule match statement or in a logging configuration. │ │ - In a rule statement, this is the part of the web request that you want AWS WAF to inspect. Include the single `FieldToMatch` type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in `FieldToMatch` for each rule statement that requires it. To inspect more than one component of the web request, create a separate rule statement for each component. │ │ Example JSON for a `QueryString` field to match: │ │ `"FieldToMatch": { "QueryString": {} }` │ │ Example JSON for a `Method` field to match specification: │ │ `"FieldToMatch": { "Method": { "Name": "DELETE" } }` │ │ - In a logging configuration, this is used in the `RedactedFields` property to specify a field to redact from the logging records. For this use case, note the following: │ │ - Even though all `FieldToMatch` settings are available, the only valid settings for field redaction are `UriPath` , `QueryString` , `SingleHeader` , and `Method` . │ │ - In this documentation, the descriptions of the individual fields talk about specifying the web request component to inspect, but for field redaction, you are specifying the component type to redact from the logs. │ │ - If you have request sampling enabled, the redacted fields configuration for logging has no impact on sampling. The only way to exclude fields from request sampling is by disabling sampling in the web ACL visibility configuration. │ └ properties │ ├ Body: (documentation changed) │ └ JsonBody: (documentation changed) ├[~] type JsonBody │ └ properties │ └ OversizeHandling: (documentation changed) ├[~] type RateBasedStatement │ └ properties │ └ EvaluationWindowSec: (documentation changed) ├[~] type RequestBodyAssociatedResourceTypeConfig │ ├ - documentation: Customizes the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default size is 16 KB (16,384 bytes). │ │ > You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) . │ │ This is used in the `AssociationConfig` of the web ACL. │ │ + documentation: Customizes the maximum size of the request body that your protected CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access resources forward to AWS WAF for inspection. The default size is 16 KB (16,384 bytes). You can change the setting for any of the available resource types. │ │ > You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) . │ │ Example JSON: `{ "API_GATEWAY": "KB_48", "APP_RUNNER_SERVICE": "KB_32" }` │ │ For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes). │ │ This is used in the `AssociationConfig` of the web ACL. │ └ properties │ └ DefaultSizeInspectionLimit: (documentation changed) ├[~] type SizeConstraintStatement │ └ - documentation: A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes. │ If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL `AssociationConfig` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size. │ If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long. │ + documentation: A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes. │ If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes in the body up to the limit for the web ACL and protected resource type. If you know that the request body for your web requests should never exceed the inspection limit, you can use a size constraint statement to block requests that have a larger request body size. For more information about the inspection limits, see `Body` and `JsonBody` settings for the `FieldToMatch` data type. │ If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI `/logo.jpg` is nine characters long. ├[~] type Statement │ └ properties │ └ SizeConstraintStatement: (documentation changed) └[~] type VisibilityConfig └ properties └ SampledRequestsEnabled: (documentation changed) ```
…lApi (#29182) ### Issue # (if applicable) No open issue. Cr was based on #28500 ### Reason for this change Appsync added two additional fields documented in their CFN [here](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-appsync-graphqlapi.html#cfn-appsync-graphqlapi-resolvercountlimit) that were not previously supported in the L1 construct. ### Description of changes Addition of field `queryDepthLimit` and `resolverCountLimit` ### Description of how you validated changes Unit tests and integration tests were run locally. Additionally a sample app was deployed to validate these features. ### Checklist - [ x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable) #29294 ### Reason for this change Currently cannot disable opensearch logging ### Description of changes If log parameters are explicitly set to false rather than undefined, it populates the logPublishingOptions with config to disable that logging ### Description of how you validated changes I added unit tests, although to be honest jest is giving me lots of trouble and I'm out of time for the day so I'll just create this pR and see what happens. Fingers crossed the PR test check is clean and I can pretend I know what I'm doing. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --------- Co-authored-by: GZ <[email protected]>
### Reason for this change Links in the [opensearch doc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.CapacityConfig.html) are in invalid markdown. For example:  ### Description of changes Removed a newline character between `[]` and `()`. ### Description of how you validated changes Preview in VSCode. ### Checklist - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR for cli is to warn if stacks with wrong cases (=not exist) specified in `cdk destroy`. Closes #27179. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…with slash (#29357) ### Issue # (if applicable) Closes #29356. ### Reason for this change Currently S3 path specified in `--spark-event-logs-path` does not end with slash in case only bucket is provided but prefix is not provided. This parameter causes errors when viewing the event log through Spark UI / Spark history server. ### Description of changes Add trailing slash when it does not end with slash. ### Description of how you validated changes Completed unit test and integ test. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…olicy` for NLB (#29521) ### Issue # (if applicable) Closes #29520. ### Reason for this change NLB supports `ipv6.deny_all_igw_traffic` and `dns_record.client_routing_policy` but these are not configurable from AWS CDK. ### Description of changes - add `zonalAffinity` props to `NetworkLoadBalancerProps` - add `denyAllIgwTraffic` props to `BaseLoadBalancerProps` - `ipv6.deny_all_igw_traffic` is also supported by ALB ### Description of how you validated changes I've added both unit and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --------- Co-authored-by: GZ <[email protected]>
*Co-authored by*: @scanlonp ### Issue # (if applicable) Closes #29265. ### Reason for this change Creating a changeset for a stack that has not been deployed yet causes CFN to create a stack in state `REVIEW_IN_PROGRESS`. Previously we deleted this empty stack, but did not wait for the stack status to be `DELETE_COMPLETE`. This allowed `cdk diff` to exit while the stack status was still `DELETE_IN_PROGRESS`, which can cause subsequent CDK commands to fail, because a stack deletion operation is still in progress. ### Description of changes No longer create the changeset if the stack doesn't exist. Only perform the existence check if the changeset parameter is specified, to avoid a permission error when looking up a stack. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable) Closes #<issue number here>. ### Reason for this change ### Description of changes ### Description of how you validated changes ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
### Issue # (if applicable) None ### Reason for this change Just a single diff between the SDK and the CDK this time, OpenSearch v2.10 was removed, unsure why ### Description of changes Marked `OPENSEARCH_2_10` as `@deprecated` ### Description of how you validated changes It is neither listed in the [docs](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/supported-operations.html), nor in the SDK/CLI output of `opensearch:ListVersions`: ```sh $ aws opensearch list-versions | jq '.Versions[] | select(.=="OpenSearch_2.10")' ``` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* Co-authored-by: GZ <[email protected]>
### Reason for this change Amazon Kinesis Data Analytics now supports Apache Flink v1.18 ([LINK](https://aws.amazon.com/about-aws/whats-new/2024/03/amazon-managed-service-apache-flink-support-1-18/)) This is also supported in Cloudformation ([LINK](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kinesisanalyticsv2-application.html#aws-resource-kinesisanalyticsv2-application-properties)) ### Description of changes - Added Flink 1.18 to `Runtime` type - Updated Readme to reference Flink 1.18 ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…iled change set executions (#29534) ### Reason for this change The CodePipeline ExecuteChangeSet action can now show a summary of why the change set execution failed. But, it needs an additional IAM permission: `cloudformation:DescribeStackEvents`. With the current action policy generated by CDK, I get the following message in the pipeline when a change set execution fails: ``` Additional Information: Failed to execute change set. Current stack status: UPDATE_ROLLBACK_COMPLETE. Status reason is not available because IAM role associated with the action does not have CloudFormation DescribeStackEvents permission ``` ### Description of changes Added `cloudformation:DescribeStackEvents` permission to the policy generated for the ChangeSetExecute pipeline action. ### Description of how you validated changes Updated unit tests and integ test with the new permission. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
**L1 CloudFormation resource definition changes:**
```
├[~] service aws-appconfig
│ └ resources
│ ├[~] resource AWS::AppConfig::ConfigurationProfile
│ │ └ types
│ │ └[~] type Validators
│ │ └ - documentation: A validator provides a syntactic or semantic check to ensure the configuration that you want to deploy functions as intended. To validate your application configuration data, you provide a schema or an AWS Lambda function that runs against the configuration. The configuration deployment or update can only proceed when the configuration data is valid.
│ │ + documentation: A validator provides a syntactic or semantic check to ensure the configuration that you want to deploy functions as intended. To validate your application configuration data, you provide a schema or an AWS Lambda function that runs against the configuration. The configuration deployment or update can only proceed when the configuration data is valid. For more information, see [About validators](https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-creating-configuration-profile.html#appconfig-creating-configuration-and-profile-validators) in the *AWS AppConfig User Guide* .
│ └[~] resource AWS::AppConfig::Deployment
│ └ properties
│ └ DynamicExtensionParameters: (documentation changed)
├[~] service aws-appintegrations
│ └ resources
│ └[+] resource AWS::AppIntegrations::Application
│ ├ name: Application
│ │ cloudFormationType: AWS::AppIntegrations::Application
│ │ documentation: Resource Type definition for AWS:AppIntegrations::Application
│ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ ├ properties
│ │ ├Name: string (required)
│ │ ├Namespace: string
│ │ ├Description: string (required)
│ │ ├ApplicationSourceConfig: ApplicationSourceConfig (required)
│ │ └Tags: Array<tag>
│ ├ attributes
│ │ ├ApplicationArn: string
│ │ └Id: string
│ └ types
│ ├type ApplicationSourceConfig
│ │├ documentation: Application source config
│ ││ name: ApplicationSourceConfig
│ │└ properties
│ │ └ExternalUrlConfig: ExternalUrlConfig (required)
│ └type ExternalUrlConfig
│ ├ name: ExternalUrlConfig
│ └ properties
│ ├AccessUrl: string (required)
│ └ApprovedOrigins: Array<string> (required)
├[~] service aws-autoscaling
│ └ resources
│ └[~] resource AWS::AutoScaling::AutoScalingGroup
│ └ properties
│ └ NotificationConfiguration: (documentation changed)
├[~] service aws-backup
│ └ resources
│ ├[~] resource AWS::Backup::BackupPlan
│ │ └ types
│ │ └[~] type LifecycleResourceType
│ │ └ properties
│ │ └ OptInToArchiveForSupportedResources: (documentation changed)
│ ├[~] resource AWS::Backup::RestoreTestingPlan
│ │ └ properties
│ │ └ RestoreTestingPlanName: (documentation changed)
│ └[~] resource AWS::Backup::RestoreTestingSelection
│ └ properties
│ └ RestoreTestingPlanName: (documentation changed)
├[~] service aws-batch
│ └ resources
│ └[~] resource AWS::Batch::JobQueue
│ ├ properties
│ │ └ JobStateTimeLimitActions: (documentation changed)
│ └ types
│ └[~] type JobStateTimeLimitAction
│ ├ - documentation: undefined
│ │ + documentation: Specifies an action that AWS Batch will take after the job has remained at the head of the queue in the specified state for longer than the specified time.
│ └ properties
│ ├ Action: (documentation changed)
│ ├ MaxTimeSeconds: (documentation changed)
│ ├ Reason: (documentation changed)
│ └ State: (documentation changed)
├[~] service aws-cloudformation
│ └ resources
│ └[~] resource AWS::CloudFormation::TypeActivation
│ └ - documentation: Activates a public third-party extension, making it available for use in stack templates. For more information, see [Using public extensions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry-public.html) in the *AWS CloudFormation User Guide* .
│ Once you have activated a public third-party extension in your account and Region, use [`SetTypeConfiguration`](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_SetTypeConfiguration.html) to specify configuration properties for the extension. For more information, see [Configuring extensions at the account level](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry-register.html#registry-set-configuration) in the *CloudFormation User Guide* .
│ + documentation: Activates a public third-party extension, making it available for use in stack templates. For more information, see [Using public extensions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry-public.html) in the *AWS CloudFormation User Guide* .
│ Once you have activated a public third-party extension in your account and Region, use [SetTypeConfiguration](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_SetTypeConfiguration.html) to specify configuration properties for the extension. For more information, see [Configuring extensions at the account level](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry-private.html#registry-set-configuration) in the *CloudFormation User Guide* .
├[~] service aws-codeartifact
│ └ resources
│ └[+] resource AWS::CodeArtifact::PackageGroup
│ ├ name: PackageGroup
│ │ cloudFormationType: AWS::CodeArtifact::PackageGroup
│ │ documentation: The resource schema to create a CodeArtifact package group.
│ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ ├ properties
│ │ ├DomainName: string (required, immutable)
│ │ ├DomainOwner: string
│ │ ├Pattern: string (required, immutable)
│ │ ├ContactInfo: string
│ │ ├Description: string
│ │ ├OriginConfiguration: OriginConfiguration
│ │ └Tags: Array<tag>
│ ├ attributes
│ │ └Arn: string
│ └ types
│ ├type OriginConfiguration
│ │├ name: OriginConfiguration
│ │└ properties
│ │ └Restrictions: Restrictions (required)
│ ├type Restrictions
│ │├ name: Restrictions
│ │└ properties
│ │ ├Publish: RestrictionType
│ │ ├ExternalUpstream: RestrictionType
│ │ └InternalUpstream: RestrictionType
│ └type RestrictionType
│ ├ name: RestrictionType
│ └ properties
│ ├RestrictionMode: string (required)
│ └Repositories: Array<string>
├[~] service aws-codebuild
│ └ resources
│ └[~] resource AWS::CodeBuild::Project
│ └ types
│ └[~] type WebhookFilter
│ └ properties
│ └ Type: (documentation changed)
├[~] service aws-codepipeline
│ └ resources
│ └[~] resource AWS::CodePipeline::Pipeline
│ └ types
│ └[~] type ActionDeclaration
│ ├ - documentation: Represents information about an action declaration.
│ │ > Documentation for the `timeoutInMinutes` parameter in the `ActionDeclaration` is not yet available for CloudFormation and CDK resources in CodePipeline. For more information about the configurable timeout for manual approval actions, see the [ActionDeclaration](https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_ActionDeclaration.html) in the CodePipeline API Reference.
│ │ + documentation: Represents information about an action declaration.
│ └ properties
│ └ TimeoutInMinutes: (documentation changed)
├[~] service aws-connect
│ └ resources
│ └[~] resource AWS::Connect::SecurityProfile
│ ├ properties
│ │ ├[+] AllowedAccessControlHierarchyGroupId: string
│ │ ├[+] Applications: Array<Application>
│ │ └[+] HierarchyRestrictedResources: Array<string>
│ ├ attributes
│ │ ├[+] LastModifiedRegion: string
│ │ └[+] LastModifiedTime: number
│ └ types
│ └[+] type Application
│ ├ documentation: A third-party application's metadata.
│ │ name: Application
│ └ properties
│ ├ApplicationPermissions: Array<string> (required)
│ └Namespace: string (required)
├[~] service aws-datasync
│ └ resources
│ └[~] resource AWS::DataSync::Task
│ ├ properties
│ │ └[+] ManifestConfig: ManifestConfig
│ └ types
│ ├[~] type Destination
│ │ └ properties
│ │ └ S3: - S3
│ │ + TaskReportConfigDestinationS3 ⇐ S3
│ ├[+] type ManifestConfig
│ │ ├ documentation: Configures a manifest, which is a list of files or objects that you want AWS DataSync to transfer. For more information and configuration examples, see [Specifying what DataSync transfers by using a manifest](https://docs.aws.amazon.com/datasync/latest/userguide/transferring-with-manifest.html) .
│ │ │ name: ManifestConfig
│ │ └ properties
│ │ ├Action: string
│ │ ├Format: string
│ │ └Source: Source (required)
│ ├[+] type ManifestConfigSourceS3
│ │ ├ documentation: Specifies the S3 bucket where you're hosting the manifest that you want AWS DataSync to use. For more information and configuration examples, see [Specifying what DataSync transfers by using a manifest](https://docs.aws.amazon.com/datasync/latest/userguide/transferring-with-manifest.html) .
│ │ │ name: ManifestConfigSourceS3
│ │ └ properties
│ │ ├ManifestObjectPath: string
│ │ ├BucketAccessRoleArn: string
│ │ ├S3BucketArn: string
│ │ └ManifestObjectVersionId: string
│ ├[~] type S3
│ │ ├ - documentation: Specifies the Amazon S3 bucket where DataSync uploads your [task report](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html) .
│ │ │ + documentation: undefined
│ │ └ properties
│ │ ├ BucketAccessRoleArn: (documentation changed)
│ │ ├ S3BucketArn: (documentation changed)
│ │ └ Subdirectory: (documentation changed)
│ ├[+] type Source
│ │ ├ documentation: Specifies the manifest that you want AWS DataSync to use and where it's hosted. For more information and configuration examples, see [Specifying what DataSync transfers by using a manifest](https://docs.aws.amazon.com/datasync/latest/userguide/transferring-with-manifest.html) .
│ │ │ name: Source
│ │ └ properties
│ │ └S3: ManifestConfigSourceS3
│ └[+] type TaskReportConfigDestinationS3
│ ├ documentation: Specifies the Amazon S3 bucket where DataSync uploads your [task report](https://docs.aws.amazon.com/datasync/latest/userguide/task-reports.html) .
│ │ name: TaskReportConfigDestinationS3
│ └ properties
│ ├Subdirectory: string
│ ├BucketAccessRoleArn: string
│ └S3BucketArn: string
├[~] service aws-dms
│ └ resources
│ └[~] resource AWS::DMS::DataProvider
│ └ types
│ └[~] type PostgreSqlSettings
│ ├ - documentation: Provides information that defines a PostgreSQL endpoint.
│ │ + documentation: undefined
│ └ properties
│ ├ DatabaseName: (documentation changed)
│ ├ Port: (documentation changed)
│ └ ServerName: (documentation changed)
├[~] service aws-dynamodb
│ └ resources
│ ├[~] resource AWS::DynamoDB::GlobalTable
│ │ └ types
│ │ ├[~] type ReplicaSpecification
│ │ │ └ properties
│ │ │ ├[+] ReplicaStreamSpecification: ReplicaStreamSpecification
│ │ │ └[+] ResourcePolicy: ResourcePolicy
│ │ ├[+] type ReplicaStreamSpecification
│ │ │ ├ documentation: Represents the DynamoDB Streams configuration for a global table replica.
│ │ │ │ name: ReplicaStreamSpecification
│ │ │ └ properties
│ │ │ └ResourcePolicy: ResourcePolicy (required)
│ │ └[+] type ResourcePolicy
│ │ ├ documentation: Creates or updates a resource-based policy document that contains the permissions for DynamoDB resources, such as a table, its indexes, and stream. Resource-based policies let you define access permissions by specifying who has access to each resource, and the actions they are allowed to perform on each resource.
│ │ │ In a CloudFormation template, you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to DynamoDB . For more information about resource-based policies, see [Using resource-based policies for DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/access-control-resource-based.html) and [Resource-based policy examples](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-examples.html) .
│ │ │ While defining resource-based policies in your CloudFormation templates, the following considerations apply:
│ │ │ - The maximum size supported for a resource-based policy document in JSON format is 20 KB. DynamoDB counts whitespaces when calculating the size of a policy against this limit.
│ │ │ - Resource-based policies don't support [drift detection](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html#) . If you update a policy outside of the CloudFormation stack template, you'll need to update the CloudFormation stack with the changes.
│ │ │ - Resource-based policies don't support out-of-band changes. If you add, update, or delete a policy outside of the CloudFormation template, the change won't be overwritten if there are no changes to the policy within the template.
│ │ │ For example, say that your template contains a resource-based policy, which you later update outside of the template. If you don't make any changes to the policy in the template, the updated policy in DynamoDB won’t be synced with the policy in the template.
│ │ │ Conversely, say that your template doesn’t contain a resource-based policy, but you add a policy outside of the template. This policy won’t be removed from DynamoDB as long as you don’t add it to the template. When you add a policy to the template and update the stack, the existing policy in DynamoDB will be updated to match the one defined in the template.
│ │ │ - Within a resource-based policy, if the action for a DynamoDB service-linked role (SLR) to replicate data for a global table is denied, adding or deleting a replica will fail with an error.
│ │ │ - The [AWS ::DynamoDB::GlobalTable](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-globaltable.html) resource doesn't support creating a replica in the same stack update in Regions other than the Region where you deploy the stack update.
│ │ │ For a full list of all considerations, see [Resource-based policy considerations](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-considerations.html) .
│ │ │ name: ResourcePolicy
│ │ └ properties
│ │ └PolicyDocument: json (required)
│ └[~] resource AWS::DynamoDB::Table
│ ├ properties
│ │ └[+] ResourcePolicy: ResourcePolicy
│ └ types
│ ├[+] type ResourcePolicy
│ │ ├ documentation: Creates or updates a resource-based policy document that contains the permissions for DynamoDB resources, such as a table, its indexes, and stream. Resource-based policies let you define access permissions by specifying who has access to each resource, and the actions they are allowed to perform on each resource.
│ │ │ In a CloudFormation template, you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to DynamoDB . For more information about resource-based policies, see [Using resource-based policies for DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/access-control-resource-based.html) and [Resource-based policy examples](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-examples.html) .
│ │ │ While defining resource-based policies in your CloudFormation templates, the following considerations apply:
│ │ │ - The maximum size supported for a resource-based policy document in JSON format is 20 KB. DynamoDB counts whitespaces when calculating the size of a policy against this limit.
│ │ │ - Resource-based policies don't support [drift detection](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html#) . If you update a policy outside of the CloudFormation stack template, you'll need to update the CloudFormation stack with the changes.
│ │ │ - Resource-based policies don't support out-of-band changes. If you add, update, or delete a policy outside of the CloudFormation template, the change won't be overwritten if there are no changes to the policy within the template.
│ │ │ For example, say that your template contains a resource-based policy, which you later update outside of the template. If you don't make any changes to the policy in the template, the updated policy in DynamoDB won’t be synced with the policy in the template.
│ │ │ Conversely, say that your template doesn’t contain a resource-based policy, but you add a policy outside of the template. This policy won’t be removed from DynamoDB as long as you don’t add it to the template. When you add a policy to the template and update the stack, the existing policy in DynamoDB will be updated to match the one defined in the template.
│ │ │ For a full list of all considerations, see [Resource-based policy considerations](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-considerations.html) .
│ │ │ name: ResourcePolicy
│ │ └ properties
│ │ └PolicyDocument: json (required)
│ └[~] type StreamSpecification
│ └ properties
│ └[+] ResourcePolicy: ResourcePolicy
├[~] service aws-ec2
│ └ resources
│ ├[~] resource AWS::EC2::FlowLog
│ │ └ properties
│ │ └ DestinationOptions: (documentation changed)
│ ├[~] resource AWS::EC2::Instance
│ │ └ attributes
│ │ ├ AvailabilityZone: (documentation changed)
│ │ ├ InstanceId: (documentation changed)
│ │ └ VpcId: (documentation changed)
│ └[~] resource AWS::EC2::NetworkInterface
│ ├ properties
│ │ ├ GroupSet: (documentation changed)
│ │ ├ Ipv6AddressCount: (documentation changed)
│ │ ├ Ipv6Addresses: (documentation changed)
│ │ ├ PrivateIpAddress: (documentation changed)
│ │ ├ PrivateIpAddresses: (documentation changed)
│ │ └ Tags: (documentation changed)
│ └ attributes
│ ├ PrimaryIpv6Address: (documentation changed)
│ └[+] VpcId: string
├[~] service aws-eks
│ └ resources
│ └[~] resource AWS::EKS::Nodegroup
│ ├ - documentation: Creates a managed node group for an Amazon EKS cluster.
│ │ You can only create a node group for your cluster that is equal to the current Kubernetes version for the cluster. All node groups are created with the latest AMI release version for the respective minor Kubernetes version of the cluster, unless you deploy a custom AMI using a launch template. For more information about using launch templates, see [Launch template support](https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html) .
│ │ An Amazon EKS managed node group is an Amazon EC2 Auto Scaling group and associated Amazon EC2 instances that are managed by AWS for an Amazon EKS cluster. For more information, see [Managed node groups](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html) in the *Amazon EKS User Guide* .
│ │ > Windows AMI types are only supported for commercial AWS Regions that support Windows on Amazon EKS.
│ │ + documentation: Creates a managed node group for an Amazon EKS cluster.
│ │ You can only create a node group for your cluster that is equal to the current Kubernetes version for the cluster. All node groups are created with the latest AMI release version for the respective minor Kubernetes version of the cluster, unless you deploy a custom AMI using a launch template. For more information about using launch templates, see [Customizing managed nodes with launch templates](https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html) .
│ │ An Amazon EKS managed node group is an Amazon EC2 Auto Scaling group and associated Amazon EC2 instances that are managed by AWS for an Amazon EKS cluster. For more information, see [Managed node groups](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html) in the *Amazon EKS User Guide* .
│ │ > Windows AMI types are only supported for commercial AWS Regions that support Windows on Amazon EKS.
│ ├ properties
│ │ ├ AmiType: (documentation changed)
│ │ ├ DiskSize: (documentation changed)
│ │ ├ InstanceTypes: (documentation changed)
│ │ ├ LaunchTemplate: (documentation changed)
│ │ ├ NodeRole: (documentation changed)
│ │ ├ RemoteAccess: (documentation changed)
│ │ └ Subnets: (documentation changed)
│ └ types
│ └[~] type LaunchTemplateSpecification
│ └ - documentation: An object representing a node group launch template specification. The launch template can't include [`SubnetId`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkInterface.html) , [`IamInstanceProfile`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_IamInstanceProfile.html) , [`RequestSpotInstances`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RequestSpotInstances.html) , [`HibernationOptions`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_HibernationOptionsRequest.html) , or [`TerminateInstances`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TerminateInstances.html) , or the node group deployment or update will fail. For more information about launch templates, see [`CreateLaunchTemplate`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateLaunchTemplate.html) in the Amazon EC2 API Reference. For more information about using launch templates with Amazon EKS, see [Launch template support](https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html) in the *Amazon EKS User Guide* .
│ You must specify either the launch template ID or the launch template name in the request, but not both.
│ + documentation: An object representing a node group launch template specification. The launch template can't include [`SubnetId`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkInterface.html) , [`IamInstanceProfile`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_IamInstanceProfile.html) , [`RequestSpotInstances`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RequestSpotInstances.html) , [`HibernationOptions`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_HibernationOptionsRequest.html) , or [`TerminateInstances`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TerminateInstances.html) , or the node group deployment or update will fail. For more information about launch templates, see [`CreateLaunchTemplate`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateLaunchTemplate.html) in the Amazon EC2 API Reference. For more information about using launch templates with Amazon EKS, see [Customizing managed nodes with launch templates](https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html) in the *Amazon EKS User Guide* .
│ You must specify either the launch template ID or the launch template name in the request, but not both.
├[~] service aws-elasticache
│ └ resources
│ └[~] resource AWS::ElastiCache::ParameterGroup
│ └ attributes
│ └[+] CacheParameterGroupName: string
├[~] service aws-elasticloadbalancingv2
│ └ resources
│ └[~] resource AWS::ElasticLoadBalancingV2::LoadBalancer
│ └ types
│ └[~] type LoadBalancerAttribute
│ └ properties
│ └ Key: (documentation changed)
├[~] service aws-fis
│ └ resources
│ └[~] resource AWS::FIS::ExperimentTemplate
│ └ types
│ └[~] type ExperimentTemplateExperimentOptions
│ └ properties
│ └ AccountTargeting: - string
│ + string (immutable)
├[~] service aws-kafkaconnect
│ └ resources
│ ├[~] resource AWS::KafkaConnect::Connector
│ │ ├ - tagInformation: undefined
│ │ │ + tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ └ properties
│ │ └[+] Tags: Array<tag>
│ ├[+] resource AWS::KafkaConnect::CustomPlugin
│ │ ├ name: CustomPlugin
│ │ │ cloudFormationType: AWS::KafkaConnect::CustomPlugin
│ │ │ documentation: An example resource schema demonstrating some basic constructs and validation rules.
│ │ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ │ ├ properties
│ │ │ ├Name: string (required, immutable)
│ │ │ ├Description: string (immutable)
│ │ │ ├ContentType: string (required, immutable)
│ │ │ ├Location: CustomPluginLocation (required, immutable)
│ │ │ └Tags: Array<tag>
│ │ ├ attributes
│ │ │ ├CustomPluginArn: string
│ │ │ ├Revision: integer
│ │ │ └FileDescription: CustomPluginFileDescription
│ │ └ types
│ │ ├type CustomPluginFileDescription
│ │ │├ documentation: Details about the custom plugin file.
│ │ ││ name: CustomPluginFileDescription
│ │ │└ properties
│ │ │ ├FileMd5: string
│ │ │ └FileSize: integer
│ │ ├type CustomPluginLocation
│ │ │├ documentation: Information about the location of a custom plugin.
│ │ ││ name: CustomPluginLocation
│ │ │└ properties
│ │ │ └S3Location: S3Location (required)
│ │ └type S3Location
│ │ ├ documentation: The S3 bucket Amazon Resource Name (ARN), file key, and object version of the plugin file stored in Amazon S3.
│ │ │ name: S3Location
│ │ └ properties
│ │ ├BucketArn: string (required)
│ │ ├FileKey: string (required)
│ │ └ObjectVersion: string
│ └[+] resource AWS::KafkaConnect::WorkerConfiguration
│ ├ name: WorkerConfiguration
│ │ cloudFormationType: AWS::KafkaConnect::WorkerConfiguration
│ │ documentation: The configuration of the workers, which are the processes that run the connector logic.
│ │ tagInformation: {"tagPropertyName":"Tags","variant":"standard"}
│ ├ properties
│ │ ├Name: string (required, immutable)
│ │ ├Description: string (immutable)
│ │ ├PropertiesFileContent: string (required, immutable)
│ │ └Tags: Array<tag>
│ └ attributes
│ ├WorkerConfigurationArn: string
│ └Revision: integer
├[~] service aws-kendra
│ └ resources
│ ├[~] resource AWS::Kendra::DataSource
│ │ └ types
│ │ └[~] type S3DataSourceConfiguration
│ │ └ properties
│ │ ├ ExclusionPatterns: (documentation changed)
│ │ └ InclusionPatterns: (documentation changed)
│ ├[~] resource AWS::Kendra::Faq
│ │ └ properties
│ │ └ LanguageCode: (documentation changed)
│ └[~] resource AWS::Kendra::Index
│ └ types
│ └[~] type Relevance
│ └ properties
│ ├ Freshness: (documentation changed)
│ └ RankOrder: (documentation changed)
├[~] service aws-kinesisanalyticsv2
│ └ resources
│ ├[~] resource AWS::KinesisAnalyticsV2::Application
│ │ └ types
│ │ ├[~] type ApplicationConfiguration
│ │ │ └ properties
│ │ │ └ SqlApplicationConfiguration: (documentation changed)
│ │ ├[~] type CSVMappingParameters
│ │ │ └ - documentation: For a SQL-based Managed Service for Apache Flink application, provides additional mapping information when the record format uses delimiters, such as CSV. For example, the following sample records use CSV format, where the records use the *'\n'* as the row delimiter and a comma (",") as the column delimiter:
│ │ │ `"name1", "address1"`
│ │ │ `"name2", "address2"`
│ │ │ + documentation: For a SQL-based Kinesis Data Analytics application, provides additional mapping information when the record format uses delimiters, such as CSV. For example, the following sample records use CSV format, where the records use the *'\n'* as the row delimiter and a comma (",") as the column delimiter:
│ │ │ `"name1", "address1"`
│ │ │ `"name2", "address2"`
│ │ ├[~] type Input
│ │ │ ├ - documentation: When you configure the application input for a SQL-based Managed Service for Apache Flink application, you specify the streaming source, the in-application stream name that is created, and the mapping between the two.
│ │ │ │ + documentation: When you configure the application input for a SQL-based Kinesis Data Analytics application, you specify the streaming source, the in-application stream name that is created, and the mapping between the two.
│ │ │ └ properties
│ │ │ └ NamePrefix: (documentation changed)
│ │ ├[~] type InputLambdaProcessor
│ │ │ └ - documentation: An object that contains the Amazon Resource Name (ARN) of the Amazon Lambda function that is used to preprocess records in the stream in a SQL-based Managed Service for Apache Flink application.
│ │ │ + documentation: An object that contains the Amazon Resource Name (ARN) of the Amazon Lambda function that is used to preprocess records in the stream in a SQL-based Kinesis Data Analytics application.
│ │ ├[~] type InputParallelism
│ │ │ └ - documentation: For a SQL-based Managed Service for Apache Flink application, describes the number of in-application streams to create for a given streaming source.
│ │ │ + documentation: For a SQL-based Kinesis Data Analytics application, describes the number of in-application streams to create for a given streaming source.
│ │ ├[~] type InputSchema
│ │ │ └ - documentation: For a SQL-based Managed Service for Apache Flink application, describes the format of the data in the streaming source, and how each data element maps to corresponding columns created in the in-application stream.
│ │ │ + documentation: For a SQL-based Kinesis Data Analytics application, describes the format of the data in the streaming source, and how each data element maps to corresponding columns created in the in-application stream.
│ │ ├[~] type JSONMappingParameters
│ │ │ └ - documentation: For a SQL-based Managed Service for Apache Flink application, provides additional mapping information when JSON is the record format on the streaming source.
│ │ │ + documentation: For a SQL-based Kinesis Data Analytics application, provides additional mapping information when JSON is the record format on the streaming source.
│ │ ├[~] type KinesisFirehoseInput
│ │ │ └ - documentation: For a SQL-based Managed Service for Apache Flink application, identifies a Kinesis Data Firehose delivery stream as the streaming source. You provide the delivery stream's Amazon Resource Name (ARN).
│ │ │ + documentation: For a SQL-based Kinesis Data Analytics application, identifies a Kinesis Data Firehose delivery stream as the streaming source. You provide the delivery stream's Amazon Resource Name (ARN).
│ │ ├[~] type MappingParameters
│ │ │ └ - documentation: When you configure a SQL-based Managed Service for Apache Flink application's input at the time of creating or updating an application, provides additional mapping information specific to the record format (such as JSON, CSV, or record fields delimited by some delimiter) on the streaming source.
│ │ │ + documentation: When you configure a SQL-based Kinesis Data Analytics application's input at the time of creating or updating an application, provides additional mapping information specific to the record format (such as JSON, CSV, or record fields delimited by some delimiter) on the streaming source.
│ │ ├[~] type RecordColumn
│ │ │ └ - documentation: For a SQL-based Managed Service for Apache Flink application, describes the mapping of each data element in the streaming source to the corresponding column in the in-application stream.
│ │ │ Also used to describe the format of the reference data source.
│ │ │ + documentation: For a SQL-based Kinesis Data Analytics application, describes the mapping of each data element in the streaming source to the corresponding column in the in-application stream.
│ │ │ Also used to describe the format of the reference data source.
│ │ ├[~] type RecordFormat
│ │ │ └ - documentation: For a SQL-based Managed Service for Apache Flink application, describes the record format and relevant mapping information that should be applied to schematize the records on the stream.
│ │ │ + documentation: For a SQL-based Kinesis Data Analytics application, describes the record format and relevant mapping information that should be applied to schematize the records on the stream.
│ │ └[~] type SqlApplicationConfiguration
│ │ └ - documentation: Describes the inputs, outputs, and reference data sources for a SQL-based Managed Service for Apache Flink application.
│ │ + documentation: Describes the inputs, outputs, and reference data sources for a SQL-based Kinesis Data Analytics application.
│ ├[~] resource AWS::KinesisAnalyticsV2::ApplicationOutput
│ │ ├ properties
│ │ │ └ Output: (documentation changed)
│ │ └ types
│ │ ├[~] type DestinationSchema
│ │ │ └ - documentation: Describes the data format when records are written to the destination in a SQL-based Managed Service for Apache Flink application.
│ │ │ + documentation: Describes the data format when records are written to the destination in a SQL-based Kinesis Data Analytics application.
│ │ ├[~] type KinesisFirehoseOutput
│ │ │ └ - documentation: For a SQL-based Managed Service for Apache Flink application, when configuring application output, identifies a Kinesis Data Firehose delivery stream as the destination. You provide the stream Amazon Resource Name (ARN) of the delivery stream.
│ │ │ + documentation: For a SQL-based Kinesis Data Analytics application, when configuring application output, identifies a Kinesis Data Firehose delivery stream as the destination. You provide the stream Amazon Resource Name (ARN) of the delivery stream.
│ │ ├[~] type KinesisStreamsOutput
│ │ │ └ - documentation: When you configure a SQL-based Managed Service for Apache Flink application's output, identifies a Kinesis data stream as the destination. You provide the stream Amazon Resource Name (ARN).
│ │ │ + documentation: When you configure a SQL-based Kinesis Data Analytics application's output, identifies a Kinesis data stream as the destination. You provide the stream Amazon Resource Name (ARN).
│ │ ├[~] type LambdaOutput
│ │ │ └ - documentation: When you configure a SQL-based Managed Service for Apache Flink application's output, identifies an Amazon Lambda function as the destination. You provide the function Amazon Resource Name (ARN) of the Lambda function.
│ │ │ + documentation: When you configure a SQL-based Kinesis Data Analytics application's output, identifies an Amazon Lambda function as the destination. You provide the function Amazon Resource Name (ARN) of the Lambda function.
│ │ └[~] type Output
│ │ └ - documentation: Describes a SQL-based Managed Service for Apache Flink application's output configuration, in which you identify an in-application stream and a destination where you want the in-application stream data to be written. The destination can be a Kinesis data stream or a Kinesis Data Firehose delivery stream.
│ │ + documentation: Describes a SQL-based Kinesis Data Analytics application's output configuration, in which you identify an in-application stream and a destination where you want the in-application stream data to be written. The destination can be a Kinesis data stream or a Kinesis Data Firehose delivery stream.
│ └[~] resource AWS::KinesisAnalyticsV2::ApplicationReferenceDataSource
│ ├ - documentation: Adds a reference data source to an existing SQL-based Managed Service for Apache Flink application.
│ │ Managed Service for Apache Flink reads reference data (that is, an Amazon S3 object) and creates an in-application table within your application. In the request, you provide the source (S3 bucket name and object key name), name of the in-application table to create, and the necessary mapping information that describes how data in an Amazon S3 object maps to columns in the resulting in-application table.
│ │ + documentation: Adds a reference data source to an existing SQL-based Kinesis Data Analytics application.
│ │ Kinesis Data Analytics reads reference data (that is, an Amazon S3 object) and creates an in-application table within your application. In the request, you provide the source (S3 bucket name and object key name), name of the in-application table to create, and the necessary mapping information that describes how data in an Amazon S3 object maps to columns in the resulting in-application table.
│ ├ properties
│ │ └ ReferenceDataSource: (documentation changed)
│ └ types
│ ├[~] type CSVMappingParameters
│ │ └ - documentation: For a SQL-based Managed Service for Apache Flink application, provides additional mapping information when the record format uses delimiters, such as CSV. For example, the following sample records use CSV format, where the records use the *'\n'* as the row delimiter and a comma (",") as the column delimiter:
│ │ `"name1", "address1"`
│ │ `"name2", "address2"`
│ │ + documentation: For a SQL-based Kinesis Data Analytics application, provides additional mapping information when the record format uses delimiters, such as CSV. For example, the following sample records use CSV format, where the records use the *'\n'* as the row delimiter and a comma (",") as the column delimiter:
│ │ `"name1", "address1"`
│ │ `"name2", "address2"`
│ ├[~] type JSONMappingParameters
│ │ └ - documentation: For a SQL-based Managed Service for Apache Flink application, provides additional mapping information when JSON is the record format on the streaming source.
│ │ + documentation: For a SQL-based Kinesis Data Analytics application, provides additional mapping information when JSON is the record format on the streaming source.
│ ├[~] type MappingParameters
│ │ └ - documentation: When you configure a SQL-based Managed Service for Apache Flink application's input at the time of creating or updating an application, provides additional mapping information specific to the record format (such as JSON, CSV, or record fields delimited by some delimiter) on the streaming source.
│ │ + documentation: When you configure a SQL-based Kinesis Data Analytics application's input at the time of creating or updating an application, provides additional mapping information specific to the record format (such as JSON, CSV, or record fields delimited by some delimiter) on the streaming source.
│ ├[~] type RecordColumn
│ │ └ - documentation: For a SQL-based Managed Service for Apache Flink application, describes the mapping of each data element in the streaming source to the corresponding column in the in-application stream.
│ │ Also used to describe the format of the reference data source.
│ │ + documentation: For a SQL-based Kinesis Data Analytics application, describes the mapping of each data element in the streaming source to the corresponding column in the in-application stream.
│ │ Also used to describe the format of the reference data source.
│ ├[~] type RecordFormat
│ │ └ - documentation: For a SQL-based Managed Service for Apache Flink application, describes the record format and relevant mapping information that should be applied to schematize the records on the stream.
│ │ + documentation: For a SQL-based Kinesis Data Analytics application, describes the record format and relevant mapping information that should be applied to schematize the records on the stream.
│ ├[~] type ReferenceDataSource
│ │ └ - documentation: For a SQL-based Managed Service for Apache Flink application, describes the reference data source by providing the source information (Amazon S3 bucket name and object key name), the resulting in-application table name that is created, and the necessary schema to map the data elements in the Amazon S3 object to the in-application table.
│ │ + documentation: For a SQL-based Kinesis Data Analytics application, describes the reference data source by providing the source information (Amazon S3 bucket name and object key name), the resulting in-application table name that is created, and the necessary schema to map the data elements in the Amazon S3 object to the in-application table.
│ └[~] type ReferenceSchema
│ └ - documentation: For a SQL-based Managed Service for Apache Flink application, describes the format of the data in the streaming source, and how each data element maps to corresponding columns created in the in-application stream.
│ + documentation: For a SQL-based Kinesis Data Analytics application, describes the format of the data in the streaming source, and how each data element maps to corresponding columns created in the in-application stream.
├[~] service aws-pinpoint
│ └ resources
│ └[~] resource AWS::Pinpoint::EmailChannel
│ └ properties
│ └[+] OrchestrationSendingRoleArn: string
├[~] service aws-rds
│ └ resources
│ └[~] resource AWS::RDS::DBCluster
│ └ properties
│ └ EngineMode: (documentation changed)
├[~] service aws-resiliencehub
│ └ resources
│ └[~] resource AWS::ResilienceHub::ResiliencyPolicy
│ ├ properties
│ │ └ Policy: - Map<string, FailurePolicy> (required)
│ │ + PolicyMap ⇐ Map<string, FailurePolicy> (required)
│ └ types
│ └[+] type PolicyMap
│ ├ name: PolicyMap
│ └ properties
│ ├AZ: FailurePolicy (required)
│ ├Hardware: FailurePolicy (required)
│ ├Software: FailurePolicy (required)
│ └Region: FailurePolicy
├[~] service aws-securityhub
│ └ resources
│ ├[+] resource AWS::SecurityHub::DelegatedAdmin
│ │ ├ name: DelegatedAdmin
│ │ │ cloudFormationType: AWS::SecurityHub::DelegatedAdmin
│ │ │ documentation: The AWS::SecurityHub::DelegatedAdmin resource represents the AWS Security Hub delegated admin account in your organization. One delegated admin resource is allowed to create for the organization in each region in which you configure the AdminAccountId.
│ │ ├ properties
│ │ │ └AdminAccountId: string (required, immutable)
│ │ └ attributes
│ │ ├DelegatedAdminIdentifier: string
│ │ └Status: string
│ ├[+] resource AWS::SecurityHub::Insight
│ │ ├ name: Insight
│ │ │ cloudFormationType: AWS::SecurityHub::Insight
│ │ │ documentation: The AWS::SecurityHub::Insight resource represents the AWS Security Hub Insight in your account. An AWS Security Hub insight is a collection of related findings.
│ │ ├ properties
│ │ │ ├Name: string (required)
│ │ │ ├Filters: AwsSecurityFindingFilters (required)
│ │ │ └GroupByAttribute: string (required)
│ │ ├ attributes
│ │ │ └InsightArn: string
│ │ └ types
│ │ ├type AwsSecurityFindingFilters
│ │ │├ documentation: A collection of filters that are applied to all active findings aggregated by AWS Security Hub.
│ │ ││ name: AwsSecurityFindingFilters
│ │ │└ properties
│ │ │ ├ProductArn: Array<StringFilter>
│ │ │ ├AwsAccountId: Array<StringFilter>
│ │ │ ├AwsAccountName: Array<StringFilter>
│ │ │ ├Id: Array<StringFilter>
│ │ │ ├GeneratorId: Array<StringFilter>
│ │ │ ├Type: Array<StringFilter>
│ │ │ ├Region: Array<StringFilter>
│ │ │ ├SeverityLabel: Array<StringFilter>
│ │ │ ├Title: Array<StringFilter>
│ │ │ ├Description: Array<StringFilter>
│ │ │ ├RecommendationText: Array<StringFilter>
│ │ │ ├SourceUrl: Array<StringFilter>
│ │ │ ├ProductFields: Array<MapFilter>
│ │ │ ├ProductName: Array<StringFilter>
│ │ │ ├CompanyName: Array<StringFilter>
│ │ │ ├UserDefinedFields: Array<MapFilter>
│ │ │ ├MalwareName: Array<StringFilter>
│ │ │ ├MalwareType: Array<StringFilter>
│ │ │ ├MalwarePath: Array<StringFilter>
│ │ │ ├MalwareState: Array<StringFilter>
│ │ │ ├NetworkDirection: Array<StringFilter>
│ │ │ ├NetworkProtocol: Array<StringFilter>
│ │ │ ├NetworkSourceIpV4: Array<IpFilter>
│ │ │ ├NetworkSourceIpV6: Array<IpFilter>
│ │ │ ├NetworkSourceDomain: Array<StringFilter>
│ │ │ ├NetworkSourceMac: Array<StringFilter>
│ │ │ ├NetworkDestinationIpV4: Array<IpFilter>
│ │ │ ├NetworkDestinationIpV6: Array<IpFilter>
│ │ │ ├NetworkDestinationDomain: Array<StringFilter>
│ │ │ ├ProcessName: Array<StringFilter>
│ │ │ ├ProcessPath: Array<StringFilter>
│ │ │ ├ThreatIntelIndicatorType: Array<StringFilter>
│ │ │ ├ThreatIntelIndicatorValue: Array<StringFilter>
│ │ │ ├ThreatIntelIndicatorCategory: Array<StringFilter>
│ │ │ ├ThreatIntelIndicatorSource: Array<StringFilter>
│ │ │ ├ThreatIntelIndicatorSourceUrl: Array<StringFilter>
│ │ │ ├ResourceType: Array<StringFilter>
│ │ │ ├ResourceId: Array<StringFilter>
│ │ │ ├ResourcePartition: Array<StringFilter>
│ │ │ ├ResourceRegion: Array<StringFilter>
│ │ │ ├ResourceTags: Array<MapFilter>
│ │ │ ├ResourceAwsEc2InstanceType: Array<StringFilter>
│ │ │ ├ResourceAwsEc2InstanceImageId: Array<StringFilter>
│ │ │ ├ResourceAwsEc2InstanceIpV4Addresses: Array<IpFilter>
│ │ │ ├ResourceAwsEc2InstanceIpV6Addresses: Array<IpFilter>
│ │ │ ├ResourceAwsEc2InstanceKeyName: Array<StringFilter>
│ │ │ ├ResourceAwsEc2InstanceIamInstanceProfileArn: Array<StringFilter>
│ │ │ ├ResourceAwsEc2InstanceVpcId: Array<StringFilter>
│ │ │ ├ResourceAwsEc2InstanceSubnetId: Array<StringFilter>
│ │ │ ├ResourceAwsS3BucketOwnerId: Array<StringFilter>
│ │ │ ├ResourceAwsS3BucketOwnerName: Array<StringFilter>
│ │ │ ├ResourceAwsIamAccessKeyStatus: Array<StringFilter>
│ │ │ ├ResourceContainerName: Array<StringFilter>
│ │ │ ├ResourceContainerImageId: Array<StringFilter>
│ │ │ ├ResourceContainerImageName: Array<StringFilter>
│ │ │ ├ResourceDetailsOther: Array<MapFilter>
│ │ │ ├ComplianceStatus: Array<StringFilter>
│ │ │ ├VerificationState: Array<StringFilter>
│ │ │ ├WorkflowState: Array<StringFilter>
│ │ │ ├WorkflowStatus: Array<StringFilter>
│ │ │ ├RecordState: Array<StringFilter>
│ │ │ ├RelatedFindingsProductArn: Array<StringFilter>
│ │ │ ├RelatedFindingsId: Array<StringFilter>
│ │ │ ├ResourceApplicationArn: Array<StringFilter>
│ │ │ ├ResourceApplicationName: Array<StringFilter>
│ │ │ ├NoteText: Array<StringFilter>
│ │ │ ├NoteUpdatedBy: Array<StringFilter>
│ │ │ ├Sample: Array<BooleanFilter>
│ │ │ ├ComplianceAssociatedStandardsId: Array<StringFilter>
│ │ │ ├ComplianceSecurityControlId: Array<StringFilter>
│ │ │ ├ComplianceSecurityControlParametersName: Array<StringFilter>
│ │ │ ├ComplianceSecurityControlParametersValue: Array<StringFilter>
│ │ │ ├FindingProviderFieldsRelatedFindingsId: Array<StringFilter>
│ │ │ ├FindingProviderFieldsRelatedFindingsProductArn: Array<StringFilter>
│ │ │ ├FindingProviderFieldsSeverityLabel: Array<StringFilter>
│ │ │ ├FindingProviderFieldsSeverityOriginal: Array<StringFilter>
│ │ │ ├FindingProviderFieldsTypes: Array<StringFilter>
│ │ │ ├ResourceAwsIamAccessKeyPrincipalName: Array<StringFilter>
│ │ │ ├ResourceAwsIamUserUserName: Array<StringFilter>
│ │ │ ├VulnerabilitiesExploitAvailable: Array<StringFilter>
│ │ │ └VulnerabilitiesFixAvailable: Array<StringFilter>
│ │ ├type StringFilter
│ │ │├ documentation: A string filter for filtering AWS Security Hub findings.
│ │ ││ name: StringFilter
│ │ │└ properties
│ │ │ ├Comparison: string (required)
│ │ │ └Value: string (required)
│ │ ├type MapFilter
│ │ │├ documentation: A map filter for filtering AWS Security Hub findings.
│ │ ││ name: MapFilter
│ │ │└ properties
│ │ │ ├Comparison: string (required)
│ │ │ ├Key: string (required)
│ │ │ └Value: string (required)
│ │ ├type IpFilter
│ │ │├ documentation: The IP filter for querying findings.
│ │ ││ name: IpFilter
│ │ │└ properties
│ │ │ └Cidr: string
│ │ └type BooleanFilter
│ │ ├ documentation: Boolean filter for querying findings.
│ │ │ name: BooleanFilter
│ │ └ properties
│ │ └Value: boolean (required)
│ └[+] resource AWS::SecurityHub::ProductSubscription
│ ├ name: ProductSubscription
│ │ cloudFormationType: AWS::SecurityHub::ProductSubscription
│ │ documentation: The AWS::SecurityHub::ProductSubscription resource represents a subscription to a service that is allowed to generate findings for your Security Hub account. One product subscription resource is created for each product enabled.
│ ├ properties
│ │ └ProductArn: string (required, immutable)
│ └ attributes
│ └ProductSubscriptionArn: string
└[~] service aws-wafv2
└ resources
├[~] resource AWS::WAFv2::RuleGroup
│ └ types
│ ├[~] type Body
│ │ └ properties
│ │ └ OversizeHandling: (documentation changed)
│ ├[~] type FieldToMatch
│ │ └ properties
│ │ ├ Body: (documentation changed)
│ │ └ JsonBody: (documentation changed)
│ └[~] type JsonBody
│ └ properties
│ └ OversizeHandling: (documentation changed)
└[~] resource AWS::WAFv2::WebACL
├ properties
│ └ AssociationConfig: (documentation changed)
└ types
├[~] type AssociationConfig
│ ├ - documentation: Specifies custom configurations for the associations between the web ACL and protected resources.
│ │ Use this to customize the maximum size of the request body that your protected resources forward to AWS WAF for inspection. You can customize this setting for CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources. The default setting is 16 KB (16,384 bytes).
│ │ > You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .
│ │ For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).
│ │ + documentation: Specifies custom configurations for the associations between the web ACL and protected resources.
│ │ Use this to customize the maximum size of the request body that your protected resources forward to AWS WAF for inspection. You can customize this setting for CloudFront. The default setting is 16 KB (16,384 bytes).
│ │ > You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .
│ │ For regional resources, the limit is fixed at 8 KB (8,192 bytes).
│ └ properties
│ └ RequestBody: (documentation changed)
├[~] type Body
│ └ properties
│ └ OversizeHandling: (documentation changed)
├[~] type FieldToMatch
│ └ properties
│ ├ Body: (documentation changed)
│ └ JsonBody: (documentation changed)
├[~] type JsonBody
│ └ properties
│ └ OversizeHandling: (documentation changed)
└[~] type RequestBodyAssociatedResourceTypeConfig
└ - documentation: Customizes the maximum size of the request body that your protected CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access resources forward to AWS WAF for inspection. The default size is 16 KB (16,384 bytes). You can change the setting for any of the available resource types.
> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .
Example JSON: `{ "API_GATEWAY": "KB_48", "APP_RUNNER_SERVICE": "KB_32" }`
For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).
This is used in the `AssociationConfig` of the web ACL.
+ documentation: Customizes the maximum size of the request body that your protected CloudFront resources forward to AWS WAF for inspection. The default size is 16 KB (16,384 bytes).
> You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see [AWS WAF Pricing](https://docs.aws.amazon.com/waf/pricing/) .
Example JSON: `{ "API_GATEWAY": "KB_48", "APP_RUNNER_SERVICE": "KB_32" }`
For regional resources, the limit is fixed at 8 KB (8,192 bytes).
This is used in the `AssociationConfig` of the web ACL.
```
aws-cdk-automation
added
auto-approve
pr/no-squash
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
aws-cdk-automation
had a problem deploying
to
test-pipeline
GitHub Actions
Failure
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork). |
This was referenced Mar 25, 2024
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See CHANGELOG