diff --git a/CHANGELOG.md b/CHANGELOG.md
index 346e3fa9b1d..249dba56797 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,18 @@
+Release v1.38.48 (2021-05-26)
+===
+
+### Service Client Updates
+* `service/acm-pca`: Updates service API and documentation
+* `service/cloudfront`: Updates service documentation
+ * Documentation fix for CloudFront
+* `service/ec2`: Updates service API, documentation, and paginators
+ * This release adds resource ids and tagging support for VPC security group rules.
+* `service/ecs`: Updates service API and documentation
+ * The release adds support for registering External instances to your Amazon ECS clusters.
+* `service/mwaa`: Updates service API and documentation
+* `service/outposts`: Updates service API and documentation
+* `service/qldb`: Updates service API and documentation
+
 Release v1.38.47 (2021-05-25)
 ===
 
diff --git a/aws/endpoints/defaults.go b/aws/endpoints/defaults.go
index b493eadeb37..2de69cc5bc8 100644
--- a/aws/endpoints/defaults.go
+++ b/aws/endpoints/defaults.go
@@ -6205,9 +6205,27 @@ var awsPartition = partition{
 "ap-southeast-2": endpoint{},
 "eu-central-1": endpoint{},
 "eu-west-1": endpoint{},
- "us-east-1": endpoint{},
- "us-east-2": endpoint{},
- "us-west-2": endpoint{},
+ "fips-us-east-1": endpoint{
+ Hostname: "session.qldb-fips.us-east-1.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "us-east-1",
+ },
+ },
+ "fips-us-east-2": endpoint{
+ Hostname: "session.qldb-fips.us-east-2.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "us-east-2",
+ },
+ },
+ "fips-us-west-2": endpoint{
+ Hostname: "session.qldb-fips.us-west-2.amazonaws.com",
+ CredentialScope: credentialScope{
+ Region: "us-west-2",
+ },
+ },
+ "us-east-1": endpoint{},
+ "us-east-2": endpoint{},
+ "us-west-2": endpoint{},
 },
 },
 "shield": service{
diff --git a/aws/version.go b/aws/version.go
index 9666a0473e2..cca6a68d158 100644
--- a/aws/version.go
+++ b/aws/version.go
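Review bot: The `fips-us-east-1`, `fips-us-east-2` and `fips-us-west-2` entries added in aws/endpoints/defaults.go carry no comment saying that the FIPS hostnames are opt-in. The plain `"us-east-1": endpoint{}` style entries are re-added unchanged, so a client configured with the ordinary region name presumably still resolves to the non-FIPS hostname, and only the `fips-` key selects `session.qldb-fips.us-east-1.amazonaws.com`, with `CredentialScope` keeping the signing region at the real one. I would add a line above the first new entry such as `// FIPS pseudo-regions: selected only by the fips-* key; CredentialScope keeps signing in the real region.` so that callers with a FIPS requirement know they must choose the key explicitly. The enclosing map literal starts and ends outside this hunk, and if this table is generated the comment belongs in the generator's input instead.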
@@ -5,4 +5,4 @@ package aws
 const SDKName = "aws-sdk-go"
 
 // SDKVersion is the version of this SDK
-const SDKVersion = "1.38.47"
+const SDKVersion = "1.38.48"
diff --git a/models/apis/acm-pca/2017-08-22/api-2.json b/models/apis/acm-pca/2017-08-22/api-2.json
index 22136688a33..cb7a05089de 100644
--- a/models/apis/acm-pca/2017-08-22/api-2.json
+++ b/models/apis/acm-pca/2017-08-22/api-2.json
@@ -649,7 +649,8 @@
 "box":true
 },
 "CustomCname":{"shape":"String253"},
- "S3BucketName":{"shape":"String3To255"}
+ "S3BucketName":{"shape":"String3To255"},
+ "S3ObjectAcl":{"shape":"S3ObjectAcl"}
 }
 },
 "CsrBlob":{
@@ -1251,6 +1252,13 @@
 "type":"string",
 "max":1024
 },
+ "S3ObjectAcl":{
+ "type":"string",
+ "enum":[
+ "PUBLIC_READ",
+ "BUCKET_OWNER_FULL_CONTROL"
+ ]
+ },
 "SigningAlgorithm":{
 "type":"string",
 "enum":[
diff --git a/models/apis/acm-pca/2017-08-22/docs-2.json b/models/apis/acm-pca/2017-08-22/docs-2.json
index a7a141944d7..b6257de367a 100644
--- a/models/apis/acm-pca/2017-08-22/docs-2.json
+++ b/models/apis/acm-pca/2017-08-22/docs-2.json
@@ -506,7 +506,7 @@
 "base": null,
 "refs": {
 "CertificateAuthority$KeyStorageSecurityStandard": "
Defines a cryptographic key management compliance standard used for handling CA keys.
Default: FIPS_140_2_LEVEL_3_OR_HIGHER
Note: AWS Region ap-northeast-3 supports only FIPS_140_2_LEVEL_2_OR_HIGHER. You must explicitly specify this parameter and value when creating a CA in that Region. Specifying a different value (or no value) results in an InvalidArgsException
with the message \"A certificate authority cannot be created in this region with the specified security standard.\"
Specifies a cryptographic key management compliance standard used for handling CA keys.
Default: FIPS_140_2_LEVEL_3_OR_HIGHER
Note: AWS Region ap-northeast-3 supports only FIPS_140_2_LEVEL_2_OR_HIGHER. You must explicitly specify this parameter and value when creating a CA in that Region. Specifying a different value (or no value) results in an InvalidArgsException
with the message \"A certificate authority cannot be created in this region with the specified security standard.\"
Specifies a cryptographic key management compliance standard used for handling CA keys.
Default: FIPS_140_2_LEVEL_3_OR_HIGHER
Note: FIPS_140_2_LEVEL_3_OR_HIGHER
is not supported in Region ap-northeast-3. When creating a CA in the ap-northeast-3, you must provide FIPS_140_2_LEVEL_2_OR_HIGHER
as the argument for KeyStorageSecurityStandard
. Failure to do this results in an InvalidArgsException
with the message, \"A certificate authority cannot be created in this region with the specified security standard.\"
S3 key that uniquely identifies the report file in your S3 bucket.
" } }, + "S3ObjectAcl": { + "base": null, + "refs": { + "CrlConfiguration$S3ObjectAcl": "Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. If you choose PUBLIC_READ, the CRL will be accessible over the public internet. If you choose BUCKET_OWNER_FULL_CONTROL, only the owner of the CRL S3 bucket can access the CRL, and your PKI clients may need an alternative method of access.
If no value is specified, the default is PUBLIC_READ
.
Note: This default can cause CA creation to fail in some circumstances. If you have have enabled the Block Public Access (BPA) feature in your S3 account, then you must specify the value of this parameter as BUCKET_OWNER_FULL_CONTROL
, and not doing so results in an error. If you have disabled BPA in S3, then you can specify either BUCKET_OWNER_FULL_CONTROL
or PUBLIC_READ
as the value.
For more information, see Blocking public access to the S3 bucket.
" + } + }, "SigningAlgorithm": { "base": null, "refs": { @@ -807,7 +813,7 @@ "String3To255": { "base": null, "refs": { - "CrlConfiguration$S3BucketName": "Name of the S3 bucket that contains the CRL. If you do not provide a value for the CustomCname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You can change the name of your bucket by calling the UpdateCertificateAuthority action. You must specify a bucket policy that allows ACM Private CA to write the CRL to your bucket.
" + "CrlConfiguration$S3BucketName": "Name of the S3 bucket that contains the CRL. If you do not provide a value for the CustomCname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You can change the name of your bucket by calling the UpdateCertificateAuthority action. You must specify a bucket policy that allows ACM Private CA to write the CRL to your bucket.
" } }, "String40": { diff --git a/models/apis/cloudfront/2020-05-31/docs-2.json b/models/apis/cloudfront/2020-05-31/docs-2.json index 03fcf160f54..0118d92f522 100644 --- a/models/apis/cloudfront/2020-05-31/docs-2.json +++ b/models/apis/cloudfront/2020-05-31/docs-2.json @@ -2942,7 +2942,7 @@ "CloudFrontOriginAccessIdentity$S3CanonicalUserId": "The Amazon S3 canonical user ID for the origin access identity, used when giving the origin access identity read permission to an object in Amazon S3.
", "CloudFrontOriginAccessIdentityAlreadyExists$Message": null, "CloudFrontOriginAccessIdentityConfig$CallerReference": "A unique value (for example, a date-time stamp) that ensures that the request can't be replayed.
If the value of CallerReference
is new (regardless of the content of the CloudFrontOriginAccessIdentityConfig
object), a new origin access identity is created.
If the CallerReference
is a value already sent in a previous identity request, and the content of the CloudFrontOriginAccessIdentityConfig
is identical to the original request (ignoring white space), the response includes the same information returned to the original request.
If the CallerReference
is a value you already sent in a previous request to create an identity, but the content of the CloudFrontOriginAccessIdentityConfig
is different from the original request, CloudFront returns a CloudFrontOriginAccessIdentityAlreadyExists
error.
An optional comment to describe the origin access identity. The comment cannot be longer than 128 characters.
", + "CloudFrontOriginAccessIdentityConfig$Comment": "A comment to describe the origin access identity. The comment cannot be longer than 128 characters.
", "CloudFrontOriginAccessIdentityInUse$Message": null, "CloudFrontOriginAccessIdentityList$Marker": "Use this when paginating results to indicate where to begin in your list of origin access identities. The results include identities in the list that occur after the marker. To get the next page of results, set the Marker
to the value of the NextMarker
from the current page's response (which is also the ID of the last identity on that page).
If IsTruncated
is true
, this element is present and contains the value you can use for the Marker
request parameter to continue listing your origin access identities where they left off.
Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name.
Encrypted EBS volumes must be attached to instances that support Amazon EBS encryption. For more information, see Amazon EBS encryption in the Amazon Elastic Compute Cloud User Guide.
After you attach an EBS volume, you must make it available. For more information, see Making an EBS volume available for use.
If a volume has an AWS Marketplace product code:
The volume can be attached only to a stopped instance.
AWS Marketplace product codes are copied from the volume to the instance.
You must be subscribed to the product.
The instance type and operating system of the instance must support the product. For example, you can't detach a volume from a Windows instance and attach it to a Linux instance.
For more information, see Attaching Amazon EBS volumes in the Amazon Elastic Compute Cloud User Guide.
", "AttachVpnGateway": "Attaches a virtual private gateway to a VPC. You can attach one virtual private gateway to one VPC at a time.
For more information, see AWS Site-to-Site VPN in the AWS Site-to-Site VPN User Guide.
", "AuthorizeClientVpnIngress": "Adds an ingress authorization rule to a Client VPN endpoint. Ingress authorization rules act as firewall rules that grant access to networks. You must configure ingress authorization rules to enable clients to access resources in AWS or on-premises networks.
", - "AuthorizeSecurityGroupEgress": "[VPC only] Adds the specified egress rules to a security group for use with a VPC.
An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 CIDR address ranges, or to the instances associated with the specified destination security groups.
You specify a protocol for each rule (for example, TCP). For the TCP and UDP protocols, you must also specify the destination port or port range. For the ICMP protocol, you must also specify the ICMP type and code. You can use -1 for the type or code to mean all types or all codes.
Rule changes are propagated to affected instances as quickly as possible. However, a small delay might occur.
For more information about VPC security group limits, see Amazon VPC Limits.
", - "AuthorizeSecurityGroupIngress": "Adds the specified ingress rules to a security group.
An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 CIDR address ranges, or from the instances associated with the specified destination security groups.
You specify a protocol for each rule (for example, TCP). For TCP and UDP, you must also specify the destination port or port range. For ICMP/ICMPv6, you must also specify the ICMP/ICMPv6 type and code. You can use -1 to mean all types or all codes.
Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.
For more information about VPC security group limits, see Amazon VPC Limits.
", + "AuthorizeSecurityGroupEgress": "[VPC only] Adds the specified outbound (egress) rules to a security group for use with a VPC.
An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 CIDR address ranges, or to the instances that are associated with the specified destination security groups.
You specify a protocol for each rule (for example, TCP). For the TCP and UDP protocols, you must also specify the destination port or port range. For the ICMP protocol, you must also specify the ICMP type and code. You can use -1 for the type or code to mean all types or all codes.
You can optionally add a tag to the security group rule.
Rule changes are propagated to affected instances as quickly as possible. However, a small delay might occur.
For information about VPC security group quotas, see Amazon VPC Limits.
", + "AuthorizeSecurityGroupIngress": "Adds the specified inbound (ingress) rules to a security group.
An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 CIDR address ranges, or from the instances that are associated with the specified destination security groups.
You specify a protocol for each rule (for example, TCP). For TCP and UDP, you must also specify the destination port or port range. For ICMP/ICMPv6, you must also specify the ICMP/ICMPv6 type and code. You can use -1 to mean all types or all codes.
[VPC Only] You can optionally add a tag to the security group rule.
Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.
For information about VPC security group quotas, see Amazon VPC Limits.
", "BundleInstance": "Bundles an Amazon instance store-backed Windows instance.
During bundling, only the root device volume (C:\\) is bundled. Data on other instance store volumes is not preserved.
This action is not applicable for Linux/Unix instances or Windows instances that are backed by Amazon EBS.
Cancels a bundling operation for an instance store-backed Windows instance.
", "CancelCapacityReservation": "Cancels the specified Capacity Reservation, releases the reserved capacity, and changes the Capacity Reservation's state to cancelled
.
Instances running in the reserved capacity continue running until you stop them. Stopped instances that target the Capacity Reservation can no longer launch. Modify these instances to either target a different Capacity Reservation, launch On-Demand Instance capacity, or run in any open Capacity Reservation that has matching attributes and sufficient capacity.
", @@ -247,6 +247,7 @@ "DescribeScheduledInstanceAvailability": "Finds available schedules that meet the specified criteria.
You can search for an available schedule no more than 3 months in advance. You must meet the minimum required duration of 1,200 hours per year. For example, the minimum daily schedule is 4 hours, the minimum weekly schedule is 24 hours, and the minimum monthly schedule is 100 hours.
After you find a schedule that meets your needs, call PurchaseScheduledInstances to purchase Scheduled Instances with that schedule.
", "DescribeScheduledInstances": "Describes the specified Scheduled Instances or all your Scheduled Instances.
", "DescribeSecurityGroupReferences": "[VPC only] Describes the VPCs on the other side of a VPC peering connection that are referencing the security groups you've specified in this request.
", + "DescribeSecurityGroupRules": "Describes one or more of your security group rules.
", "DescribeSecurityGroups": "Describes the specified security groups or all of your security groups.
A security group is for use with instances either in the EC2-Classic platform or in a specific VPC. For more information, see Amazon EC2 Security Groups in the Amazon Elastic Compute Cloud User Guide and Security Groups for Your VPC in the Amazon Virtual Private Cloud User Guide.
", "DescribeSnapshotAttribute": "Describes the specified attribute of the specified snapshot. You can specify only one attribute at a time.
For more information about EBS snapshots, see Amazon EBS snapshots in the Amazon Elastic Compute Cloud User Guide.
", "DescribeSnapshots": "Describes the specified EBS snapshots available to you or all of the EBS snapshots available to you.
The snapshots available to you include public snapshots, private snapshots that you own, and private snapshots owned by other AWS accounts for which you have explicit create volume permissions.
The create volume permissions fall into the following categories:
public: The owner of the snapshot granted create volume permissions for the snapshot to the all
group. All AWS accounts have create volume permissions for these snapshots.
explicit: The owner of the snapshot granted create volume permissions to a specific AWS account.
implicit: An AWS account has implicit create volume permissions for all snapshots it owns.
The list of snapshots returned can be filtered by specifying snapshot IDs, snapshot owners, or AWS accounts with create volume permissions. If no options are specified, Amazon EC2 returns all snapshots for which you have create volume permissions.
If you specify one or more snapshot IDs, only snapshots that have the specified IDs are returned. If you specify an invalid snapshot ID, an error is returned. If you specify a snapshot ID for which you do not have access, it is not included in the returned results.
If you specify one or more snapshot owners using the OwnerIds
option, only snapshots from the specified owners and for which you have access are returned. The results can include the AWS account IDs of the specified owners, amazon
for snapshots owned by Amazon, or self
for snapshots that you own.
If you specify a list of restorable users, only snapshots with create snapshot permissions for those users are returned. You can specify AWS account IDs (if you own the snapshots), self
for snapshots for which you own or have explicit permissions, or all
for public snapshots.
If you are describing a long list of snapshots, we recommend that you paginate the output to make the list more manageable. The MaxResults
parameter sets the maximum number of results returned in a single page. If the list of results exceeds your MaxResults
value, then that number of results is returned along with a NextToken
value that can be passed to a subsequent DescribeSnapshots
request to retrieve the remaining results.
To get the state of fast snapshot restores for a snapshot, use DescribeFastSnapshotRestores.
For more information about EBS snapshots, see Amazon EBS snapshots in the Amazon Elastic Compute Cloud User Guide.
", @@ -372,6 +373,7 @@ "ModifyManagedPrefixList": "Modifies the specified managed prefix list.
Adding or removing entries in a prefix list creates a new version of the prefix list. Changing the name of the prefix list does not affect the version.
If you specify a current version number that does not match the true current version number, the request fails.
", "ModifyNetworkInterfaceAttribute": "Modifies the specified network interface attribute. You can specify only one attribute at a time. You can use this action to attach and detach security groups from an existing EC2 instance.
", "ModifyReservedInstances": "Modifies the Availability Zone, instance count, instance type, or network platform (EC2-Classic or EC2-VPC) of your Reserved Instances. The Reserved Instances to be modified must be identical, except for Availability Zone, network platform, and instance type.
For more information, see Modifying Reserved Instances in the Amazon EC2 User Guide.
", + "ModifySecurityGroupRules": "Modifies the rules of a security group.
", "ModifySnapshotAttribute": "Adds or removes permission settings for the specified snapshot. You may add or remove specified AWS account IDs from a snapshot's list of create volume permissions, but you cannot do both in a single operation. If you need to both add and remove account IDs for a snapshot, you must use multiple operations. You can make up to 500 modifications to a snapshot in a single operation.
Encrypted snapshots and snapshots with AWS Marketplace product codes cannot be made public. Snapshots encrypted with your default CMK cannot be shared with other accounts.
For more information about modifying snapshot permissions, see Sharing snapshots in the Amazon Elastic Compute Cloud User Guide.
", "ModifySpotFleetRequest": "Modifies the specified Spot Fleet request.
You can only modify a Spot Fleet request of type maintain
.
While the Spot Fleet request is being modified, it is in the modifying
state.
To scale up your Spot Fleet, increase its target capacity. The Spot Fleet launches the additional Spot Instances according to the allocation strategy for the Spot Fleet request. If the allocation strategy is lowestPrice
, the Spot Fleet launches instances using the Spot Instance pool with the lowest price. If the allocation strategy is diversified
, the Spot Fleet distributes the instances across the Spot Instance pools. If the allocation strategy is capacityOptimized
, Spot Fleet launches instances from Spot Instance pools with optimal capacity for the number of instances that are launching.
To scale down your Spot Fleet, decrease its target capacity. First, the Spot Fleet cancels any open requests that exceed the new target capacity. You can request that the Spot Fleet terminate Spot Instances until the size of the fleet no longer exceeds the new target capacity. If the allocation strategy is lowestPrice
, the Spot Fleet terminates the instances with the highest price per unit. If the allocation strategy is capacityOptimized
, the Spot Fleet terminates the instances in the Spot Instance pools that have the least available Spot Instance capacity. If the allocation strategy is diversified
, the Spot Fleet terminates instances across the Spot Instance pools. Alternatively, you can request that the Spot Fleet keep the fleet at its current size, but not replace any Spot Instances that are interrupted or that you terminate manually.
If you are finished with your Spot Fleet for now, but will use it again later, you can set the target capacity to 0.
", "ModifySubnetAttribute": "Modifies a subnet attribute. You can only modify one attribute at a time.
", @@ -431,8 +433,8 @@ "RestoreAddressToClassic": "Restores an Elastic IP address that was previously moved to the EC2-VPC platform back to the EC2-Classic platform. You cannot move an Elastic IP address that was originally allocated for use in EC2-VPC. The Elastic IP address must not be associated with an instance or network interface.
", "RestoreManagedPrefixListVersion": "Restores the entries from a previous version of a managed prefix list to a new version of the prefix list.
", "RevokeClientVpnIngress": "Removes an ingress authorization rule from a Client VPN endpoint.
", - "RevokeSecurityGroupEgress": "[VPC only] Removes the specified egress rules from a security group for EC2-VPC. This action does not apply to security groups for use in EC2-Classic. To remove a rule, the values that you specify (for example, ports) must match the existing rule's values exactly.
[Default VPC] If the values you specify do not match the existing rule's values, no error is returned, and the output describes the security group rules that were not revoked.
AWS recommends that you use DescribeSecurityGroups to verify that the rule has been removed.
Each rule consists of the protocol and the IPv4 or IPv6 CIDR range or source security group. For the TCP and UDP protocols, you must also specify the destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type and code. If the security group rule has a description, you do not have to specify the description to revoke the rule.
Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.
", - "RevokeSecurityGroupIngress": "Removes the specified ingress rules from a security group. To remove a rule, the values that you specify (for example, ports) must match the existing rule's values exactly.
[EC2-Classic , default VPC] If the values you specify do not match the existing rule's values, no error is returned, and the output describes the security group rules that were not revoked.
AWS recommends that you use DescribeSecurityGroups to verify that the rule has been removed.
Each rule consists of the protocol and the CIDR range or source security group. For the TCP and UDP protocols, you must also specify the destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type and code. If the security group rule has a description, you do not have to specify the description to revoke the rule.
Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.
", + "RevokeSecurityGroupEgress": "Removes the specified egress (outbound) rules from a security group for EC2-VPC. This action does not apply to security groups for use in EC2-Classic.
You can specify the rules that you want to remove by using one of the following methods:
The security group rule IDs.
The security group rule properties. Each rule consists of the protocol, from port, to port, and the IPv4 or IPv6 CIDR range or referenced security group or prefix list id. For the TCP and UDP protocols, you must also specify the destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type and code. If the security group rule has a description, you do not have to specify the description to revoke the rule. To remove a rule, the values that you specify (for example, ports) must match the existing rule's values exactly.
[Default VPC] If the values you specify do not match the existing rule's values, no error is returned, and the output describes the security group rules that were not revoked.
AWS recommends that you use DescribeSecurityGroups to verify that the rule has been removed.
Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.
", + "RevokeSecurityGroupIngress": "Removes the specified ingress rules from a security group. To remove a rule, the values that you specify (for example, ports) must match the existing rule's values exactly.
[EC2-Classic, default VPC] If the values you specify do not match the existing rule's values, no error is returned, and the output describes the security group rules that were not revoked.
AWS recommends that you use DescribeSecurityGroups to verify that the rule has been removed.
You can specify the rules that you want to remove by using one of the following methods:
[VPC only] The security group rule IDs.
The security group rule properties. Each rule consists of the protocol, from port, to port, and the IPv4 or IPv6 CIDR range or referenced security group or prefix list id. For the TCP and UDP protocols, you must also specify the destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type and code. If the security group rule has a description, you do not have to specify the description to revoke the rule. To remove a rule, the values that you specify (for example, ports) must match the existing rule's values exactly.
[Default VPC] If the values you specify do not match the existing rule's values, no error is returned, and the output describes the security group rules that were not revoked.
AWS recommends that you use DescribeSecurityGroups to verify that the rule has been removed.
Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.
", "RunInstances": "Launches the specified number of instances using an AMI for which you have permissions.
You can specify a number of options, or leave the default options. The following rules apply:
[EC2-VPC] If you don't specify a subnet ID, we choose a default subnet from your default VPC for you. If you don't have a default VPC, you must specify a subnet ID in the request.
[EC2-Classic] If don't specify an Availability Zone, we choose one for you.
Some instance types must be launched into a VPC. If you do not have a default VPC, or if you do not specify a subnet ID, the request fails. For more information, see Instance types available only in a VPC.
[EC2-VPC] All instances have a network interface with a primary private IPv4 address. If you don't specify this address, we choose one from the IPv4 range of your subnet.
Not all instance types support IPv6 addresses. For more information, see Instance types.
If you don't specify a security group ID, we use the default security group. For more information, see Security groups.
If any of the AMIs have a product code attached for which the user has not subscribed, the request fails.
You can create a launch template, which is a resource that contains the parameters to launch an instance. When you launch an instance using RunInstances, you can specify the launch template instead of specifying the launch parameters.
To ensure faster instance launches, break up large requests into smaller batches. For example, create five separate launch requests for 100 instances each instead of one launch request for 500 instances.
An instance is ready for you to use when it's in the running
state. You can check the state of your instance using DescribeInstances. You can tag instances and EBS volumes during launch, after launch, or both. For more information, see CreateTags and Tagging your Amazon EC2 resources.
Linux instances have access to the public key of the key pair at boot. You can use this key to provide secure access to the instance. Amazon EC2 public images use this feature to provide secure access without passwords. For more information, see Key pairs.
For troubleshooting, see What to do if an instance immediately terminates, and Troubleshooting connecting to your instance.
", "RunScheduledInstances": "Launches the specified Scheduled Instances.
Before you can launch a Scheduled Instance, you must purchase it and obtain an identifier using PurchaseScheduledInstances.
You must launch a Scheduled Instance during its scheduled time period. You can't stop or reboot a Scheduled Instance, but you can terminate it as needed. If you terminate a Scheduled Instance before the current scheduled time period ends, you can launch it again after a few minutes. For more information, see Scheduled Instances in the Amazon EC2 User Guide.
", "SearchLocalGatewayRoutes": "Searches for routes in the specified local gateway route table.
", @@ -448,8 +450,8 @@ "UnassignIpv6Addresses": "Unassigns one or more IPv6 addresses from a network interface.
", "UnassignPrivateIpAddresses": "Unassigns one or more secondary private IP addresses from a network interface.
", "UnmonitorInstances": "Disables detailed monitoring for a running instance. For more information, see Monitoring your instances and volumes in the Amazon EC2 User Guide.
", - "UpdateSecurityGroupRuleDescriptionsEgress": "[VPC only] Updates the description of an egress (outbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously.
You specify the description as part of the IP permissions structure. You can remove a description for a security group rule by omitting the description parameter in the request.
", - "UpdateSecurityGroupRuleDescriptionsIngress": "Updates the description of an ingress (inbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously.
You specify the description as part of the IP permissions structure. You can remove a description for a security group rule by omitting the description parameter in the request.
", + "UpdateSecurityGroupRuleDescriptionsEgress": "[VPC only] Updates the description of an egress (outbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously.
You can specify the rule that you want to update by using one of the following methods:
The security group rule descriptions.
The IP permissions structure.
You can remove a description for a security group rule by omitting the description parameter in the request.
", + "UpdateSecurityGroupRuleDescriptionsIngress": "Updates the description of an ingress (inbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously.
You can specify the rule that you want to update by using one of the following methods:
[VPC only] The security group rule descriptions.
The IP permissions structure.
You can remove a description for a security group rule by omitting the description parameter in the request.
", "WithdrawByoipCidr": "Stops advertising an address range that is provisioned as an address pool.
You can perform this operation at most once every 10 seconds, even if you specify different address ranges each time.
It can take a few minutes before traffic to the specified addresses stops routing to AWS because of BGP propagation delays.
" }, "shapes": { @@ -1173,11 +1175,21 @@ "refs": { } }, + "AuthorizeSecurityGroupEgressResult": { + "base": null, + "refs": { + } + }, "AuthorizeSecurityGroupIngressRequest": { "base": null, "refs": { } }, + "AuthorizeSecurityGroupIngressResult": { + "base": null, + "refs": { + } + }, "AutoAcceptSharedAssociationsValue": { "base": null, "refs": { @@ -1379,7 +1391,9 @@ "AuthorizeClientVpnIngressRequest$AuthorizeAllGroups": "Indicates whether to grant access to all clients. Specify true
to grant all clients who successfully establish a VPN connection access to the network. Must be set to true
if AccessGroupId
is not specified.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Returns true
if the request succeeds; otherwise, returns an error.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Returns true
if the request succeeds; otherwise, returns an error.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Returns true
if the request succeeds; otherwise, returns an error.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Is true
if the request succeeds, and an error otherwise.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Indicates whether there are additional routes available.
", + "SecurityGroupRule$IsEgress": "Indicates whether the security group rule is an outbound rule.
", "SendDiagnosticInterruptRequest$DryRun": "Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation
. Otherwise, it is UnauthorizedOperation
.
Indicates whether requests from other AWS accounts to create an endpoint to the service must first be accepted.
", "ServiceConfiguration$ManagesVpcEndpoints": "Indicates whether the service manages its VPC endpoints. Management of the service VPC endpoints using the VPC endpoint API is restricted.
", @@ -5315,6 +5333,22 @@ "refs": { } }, + "DescribeSecurityGroupRulesMaxResults": { + "base": null, + "refs": { + "DescribeSecurityGroupRulesRequest$MaxResults": "The maximum number of results to return in a single call. To retrieve the remaining results, make another request with the returned NextToken
value. This value can be between 5 and 1000. If this parameter is not specified, then all results are returned.
One or more filters.
association.route-table-association-id
- The ID of an association ID for the route table.
association.route-table-id
- The ID of the route table involved in the association.
association.subnet-id
- The ID of the subnet involved in the association.
association.main
- Indicates whether the route table is the main route table for the VPC (true
| false
). Route tables that do not have an association ID are not returned in the response.
owner-id
- The ID of the AWS account that owns the route table.
route-table-id
- The ID of the route table.
route.destination-cidr-block
- The IPv4 CIDR range specified in a route in the table.
route.destination-ipv6-cidr-block
- The IPv6 CIDR range specified in a route in the route table.
route.destination-prefix-list-id
- The ID (prefix) of the AWS service specified in a route in the table.
route.egress-only-internet-gateway-id
- The ID of an egress-only Internet gateway specified in a route in the route table.
route.gateway-id
- The ID of a gateway specified in a route in the table.
route.instance-id
- The ID of an instance specified in a route in the table.
route.nat-gateway-id
- The ID of a NAT gateway.
route.transit-gateway-id
- The ID of a transit gateway.
route.origin
- Describes how the route was created. CreateRouteTable
indicates that the route was automatically created when the route table was created; CreateRoute
indicates that the route was manually added to the route table; EnableVgwRoutePropagation
indicates that the route was propagated by route propagation.
route.state
- The state of a route in the route table (active
| blackhole
). The blackhole state indicates that the route's target isn't available (for example, the specified gateway isn't attached to the VPC, the specified NAT instance has been terminated, and so on).
route.vpc-peering-connection-id
- The ID of a VPC peering connection specified in a route in the table.
tag
:<key> - The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
vpc-id
- The ID of the VPC for the route table.
The filters.
availability-zone
- The Availability Zone (for example, us-west-2a
).
instance-type
- The instance type (for example, c4.large
).
network-platform
- The network platform (EC2-Classic
or EC2-VPC
).
platform
- The platform (Linux/UNIX
or Windows
).
The filters.
availability-zone
- The Availability Zone (for example, us-west-2a
).
instance-type
- The instance type (for example, c4.large
).
network-platform
- The network platform (EC2-Classic
or EC2-VPC
).
platform
- The platform (Linux/UNIX
or Windows
).
One or more filters.
group-id
- The ID of the security group.
security-group-rule-id
- The ID of the security group rule.
tag
:<key> - The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
The filters. If using multiple filters for rules, the results include security groups for which any combination of rules - not necessarily a single rule - match all filters.
description
- The description of the security group.
egress.ip-permission.cidr
- An IPv4 CIDR block for an outbound security group rule.
egress.ip-permission.from-port
- For an outbound rule, the start of port range for the TCP and UDP protocols, or an ICMP type number.
egress.ip-permission.group-id
- The ID of a security group that has been referenced in an outbound security group rule.
egress.ip-permission.group-name
- The name of a security group that is referenced in an outbound security group rule.
egress.ip-permission.ipv6-cidr
- An IPv6 CIDR block for an outbound security group rule.
egress.ip-permission.prefix-list-id
- The ID of a prefix list to which a security group rule allows outbound access.
egress.ip-permission.protocol
- The IP protocol for an outbound security group rule (tcp
| udp
| icmp
, a protocol number, or -1 for all protocols).
egress.ip-permission.to-port
- For an outbound rule, the end of port range for the TCP and UDP protocols, or an ICMP code.
egress.ip-permission.user-id
- The ID of an AWS account that has been referenced in an outbound security group rule.
group-id
- The ID of the security group.
group-name
- The name of the security group.
ip-permission.cidr
- An IPv4 CIDR block for an inbound security group rule.
ip-permission.from-port
- For an inbound rule, the start of port range for the TCP and UDP protocols, or an ICMP type number.
ip-permission.group-id
- The ID of a security group that has been referenced in an inbound security group rule.
ip-permission.group-name
- The name of a security group that is referenced in an inbound security group rule.
ip-permission.ipv6-cidr
- An IPv6 CIDR block for an inbound security group rule.
ip-permission.prefix-list-id
- The ID of a prefix list from which a security group rule allows inbound access.
ip-permission.protocol
- The IP protocol for an inbound security group rule (tcp
| udp
| icmp
, a protocol number, or -1 for all protocols).
ip-permission.to-port
- For an inbound rule, the end of port range for the TCP and UDP protocols, or an ICMP code.
ip-permission.user-id
- The ID of an AWS account that has been referenced in an inbound security group rule.
owner-id
- The AWS account ID of the owner of the security group.
tag
:<key> - The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
vpc-id
- The ID of the VPC specified when the security group was created.
The filters.
description
- A description of the snapshot.
encrypted
- Indicates whether the snapshot is encrypted (true
| false
)
owner-alias
- The owner alias, from an Amazon-maintained list (amazon
). This is not the user-configured AWS account alias set using the IAM console. We recommend that you use the related parameter instead of this filter.
owner-id
- The AWS account ID of the owner. We recommend that you use the related parameter instead of this filter.
progress
- The progress of the snapshot, as a percentage (for example, 80%).
snapshot-id
- The snapshot ID.
start-time
- The time stamp when the snapshot was initiated.
status
- The status of the snapshot (pending
| completed
| error
).
tag
:<key> - The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
volume-id
- The ID of the volume the snapshot is for.
volume-size
- The size of the volume, in GiB.
One or more filters.
availability-zone-group
- The Availability Zone group.
create-time
- The time stamp when the Spot Instance request was created.
fault-code
- The fault code related to the request.
fault-message
- The fault message related to the request.
instance-id
- The ID of the instance that fulfilled the request.
launch-group
- The Spot Instance launch group.
launch.block-device-mapping.delete-on-termination
- Indicates whether the EBS volume is deleted on instance termination.
launch.block-device-mapping.device-name
- The device name for the volume in the block device mapping (for example, /dev/sdh
or xvdh
).
launch.block-device-mapping.snapshot-id
- The ID of the snapshot for the EBS volume.
launch.block-device-mapping.volume-size
- The size of the EBS volume, in GiB.
launch.block-device-mapping.volume-type
- The type of EBS volume: gp2
for General Purpose SSD, io1
or io2
for Provisioned IOPS SSD, st1
for Throughput Optimized HDD, sc1
for Cold HDD, or standard
for Magnetic.
launch.group-id
- The ID of the security group for the instance.
launch.group-name
- The name of the security group for the instance.
launch.image-id
- The ID of the AMI.
launch.instance-type
- The type of instance (for example, m3.medium
).
launch.kernel-id
- The kernel ID.
launch.key-name
- The name of the key pair the instance launched with.
launch.monitoring-enabled
- Whether detailed monitoring is enabled for the Spot Instance.
launch.ramdisk-id
- The RAM disk ID.
launched-availability-zone
- The Availability Zone in which the request is launched.
network-interface.addresses.primary
- Indicates whether the IP address is the primary private IP address.
network-interface.delete-on-termination
- Indicates whether the network interface is deleted when the instance is terminated.
network-interface.description
- A description of the network interface.
network-interface.device-index
- The index of the device for the network interface attachment on the instance.
network-interface.group-id
- The ID of the security group associated with the network interface.
network-interface.network-interface-id
- The ID of the network interface.
network-interface.private-ip-address
- The primary private IP address of the network interface.
network-interface.subnet-id
- The ID of the subnet for the instance.
product-description
- The product description associated with the instance (Linux/UNIX
| Windows
).
spot-instance-request-id
- The Spot Instance request ID.
spot-price
- The maximum hourly price for any Spot Instance launched to fulfill the request.
state
- The state of the Spot Instance request (open
| active
| closed
| cancelled
| failed
). Spot request status information can help you track your Amazon EC2 Spot Instance requests. For more information, see Spot request status in the Amazon EC2 User Guide for Linux Instances.
status-code
- The short code describing the most recent evaluation of your Spot Instance request.
status-message
- The message explaining the status of the Spot Instance request.
tag
:<key> - The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner
and the value TeamA
, specify tag:Owner
for the filter name and TeamA
for the filter value.
tag-key
- The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
type
- The type of Spot Instance request (one-time
| persistent
).
valid-from
- The start date of the request.
valid-until
- The end date of the request.
The ID of one or more of the VPC's security groups. You cannot specify security groups from a different VPC.
", - "DescribeSecurityGroupsRequest$GroupIds": "The IDs of the security groups. Required for security groups in a nondefault VPC.
Default: Describes all your security groups.
", + "DescribeSecurityGroupsRequest$GroupIds": "The IDs of the security groups. Required for security groups in a nondefault VPC.
Default: Describes all of your security groups.
", "LaunchTemplateInstanceNetworkInterfaceSpecification$Groups": "The IDs of one or more security groups.
", "ModifyInstanceAttributeRequest$Groups": "[EC2-VPC] Replaces the security groups of the instance with the specified security groups. You must specify at least one security group, even if it's just the default security group for the VPC. You must specify the security group ID, not the security group name.
" } @@ -7595,7 +7630,7 @@ "GroupNameStringList": { "base": null, "refs": { - "DescribeSecurityGroupsRequest$GroupNames": "[EC2-Classic and default VPC only] The names of the security groups. You can specify either the security group name or the security group ID. For security groups in a nondefault VPC, use the group-name
filter to describe security groups by name.
Default: Describes all your security groups.
", + "DescribeSecurityGroupsRequest$GroupNames": "[EC2-Classic and default VPC only] The names of the security groups. You can specify either the security group name or the security group ID. For security groups in a nondefault VPC, use the group-name
filter to describe security groups by name.
Default: Describes all of your security groups.
", "ModifySnapshotAttributeRequest$GroupNames": "The group to modify for the snapshot.
" } }, @@ -8858,6 +8893,10 @@ "ScheduledInstancesNetworkInterface$DeviceIndex": "The index of the device for the network interface attachment.
", "ScheduledInstancesNetworkInterface$Ipv6AddressCount": "The number of IPv6 addresses to assign to the network interface. The IPv6 addresses are automatically selected from the subnet range.
", "ScheduledInstancesNetworkInterface$SecondaryPrivateIpAddressCount": "The number of secondary private IPv4 addresses.
", + "SecurityGroupRule$FromPort": "The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes.
", + "SecurityGroupRule$ToPort": "The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of -1
indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all codes.
The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes.
", + "SecurityGroupRuleRequest$ToPort": "The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of -1
indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all codes.
The size of the volume, in GiB.
", "SnapshotInfo$VolumeSize": "Size of the volume from which this snapshot was created.
", "SpotFleetRequestConfigData$TargetCapacity": "The number of units to request for the Spot Fleet. You can choose to set the target capacity in terms of instances or a performance characteristic that is important to your application workload, such as vCPUs, memory, or I/O. If the request type is maintain
, you can specify a target capacity of 0 and add capacity later.
The inbound rules that were unknown to the service. In some cases, unknownIpPermissionSet
might be in a different format from the request parameter.
The inbound rules associated with the security group.
", "SecurityGroup$IpPermissionsEgress": "[VPC only] The outbound rules associated with the security group.
", - "UpdateSecurityGroupRuleDescriptionsEgressRequest$IpPermissions": "The IP permissions for the security group rule.
", - "UpdateSecurityGroupRuleDescriptionsIngressRequest$IpPermissions": "The IP permissions for the security group rule.
" + "UpdateSecurityGroupRuleDescriptionsEgressRequest$IpPermissions": "The IP permissions for the security group rule. You can either specify this parameter, or the SecurityGroupRuleDescriptions
parameter.
The IP permissions for the security group rule. You can either specify this parameter, or the SecurityGroupRuleDescriptions
parameter.
The key pair names.
Default: Describes all your key pairs.
" + "DescribeKeyPairsRequest$KeyNames": "The key pair names.
Default: Describes all of your key pairs.
" } }, "KeyPair": { @@ -10300,6 +10339,16 @@ "refs": { } }, + "ModifySecurityGroupRulesRequest": { + "base": null, + "refs": { + } + }, + "ModifySecurityGroupRulesResult": { + "base": null, + "refs": { + } + }, "ModifySnapshotAttributeRequest": { "base": null, "refs": { @@ -11510,6 +11559,8 @@ "PrefixListResourceIdStringList$member": null, "ReplaceRouteRequest$DestinationPrefixListId": "The ID of the prefix list for the route.
", "RestoreManagedPrefixListVersionRequest$PrefixListId": "The ID of the prefix list.
", + "SecurityGroupRule$PrefixListId": "The ID of the prefix list.
", + "SecurityGroupRuleRequest$PrefixListId": "The ID of the prefix list.
", "TransitGatewayPrefixListReference$PrefixListId": "The ID of the prefix list.
", "TransitGatewayRoute$PrefixListId": "The ID of the prefix list used for destination matches.
" } @@ -11885,6 +11936,12 @@ "ReservedInstancesOffering$RecurringCharges": "The recurring charge tag assigned to the resource.
" } }, + "ReferencedSecurityGroup": { + "base": "Describes the security group that is referenced in the security group rule.
", + "refs": { + "SecurityGroupRule$ReferencedGroupInfo": "Describes the security group that is referenced in the rule.
" + } + }, "Region": { "base": "Describes a Region.
", "refs": { @@ -12903,7 +12960,7 @@ } }, "SecurityGroup": { - "base": "Describes a security group
", + "base": "Describes a security group.
", "refs": { "SecurityGroupList$member": null } @@ -12916,11 +12973,14 @@ "ClientVpnSecurityGroupIdSet$member": null, "DeleteSecurityGroupRequest$GroupId": "The ID of the security group. Required for a nondefault VPC.
", "GroupIds$member": null, + "ModifySecurityGroupRulesRequest$GroupId": "The ID of the security group.
", "RequestSpotLaunchSpecificationSecurityGroupIdList$member": null, "RevokeSecurityGroupEgressRequest$GroupId": "The ID of the security group.
", "RevokeSecurityGroupIngressRequest$GroupId": "The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.
", "ScheduledInstancesSecurityGroupIdSet$member": null, "SecurityGroupIdStringList$member": null, + "SecurityGroupRule$GroupId": "The ID of the security group.
", + "SecurityGroupRuleRequest$ReferencedGroupId": "The ID of the security group that is referenced in the security group rule.
", "UpdateSecurityGroupRuleDescriptionsEgressRequest$GroupId": "The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.
", "UpdateSecurityGroupRuleDescriptionsIngressRequest$GroupId": "The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.
", "VpcEndpointSecurityGroupIdList$member": null @@ -12974,6 +13034,70 @@ "DescribeSecurityGroupReferencesResult$SecurityGroupReferenceSet": "Information about the VPCs with the referencing security groups.
" } }, + "SecurityGroupRule": { + "base": "Describes a security group rule.
", + "refs": { + "SecurityGroupRuleList$member": null + } + }, + "SecurityGroupRuleDescription": { + "base": "Describes the description of a security group rule.
You can use this when you want to update the security group rule description for either an inbound or outbound rule.
", + "refs": { + "SecurityGroupRuleDescriptionList$member": null + } + }, + "SecurityGroupRuleDescriptionList": { + "base": null, + "refs": { + "UpdateSecurityGroupRuleDescriptionsEgressRequest$SecurityGroupRuleDescriptions": "The description for the egress security group rules. You can either specify this parameter, or the IpPermissions
parameter.
[VPC only] The description for the ingress security group rules. You can either specify this parameter, or the IpPermissions
parameter.
The ID of the security group rule.
", + "Ipv6Range$SecurityGroupRuleId": "The ID of the security group rule.
", + "PrefixListId$SecurityGroupRuleId": "The ID of the security group rule.
", + "SecurityGroupRule$SecurityGroupRuleId": "The ID of the security group rule.
", + "SecurityGroupRuleUpdate$SecurityGroupRuleId": "The ID of the security group rule.
", + "UserIdGroupPair$SecurityGroupRuleId": "The ID of the security group rule.
" + } + }, + "SecurityGroupRuleIdList": { + "base": null, + "refs": { + "DescribeSecurityGroupRulesRequest$SecurityGroupRuleIds": "The IDs of the security group rules.
", + "RevokeSecurityGroupEgressRequest$SecurityGroupRuleIds": "The IDs of the security group rules.
", + "RevokeSecurityGroupIngressRequest$SecurityGroupRuleIds": "The IDs of the security group rules.
" + } + }, + "SecurityGroupRuleList": { + "base": null, + "refs": { + "AuthorizeSecurityGroupEgressResult$SecurityGroupRules": "Information about the outbound (egress) security group rules that were added.
", + "AuthorizeSecurityGroupIngressResult$SecurityGroupRules": "Information about the inbound (ingress) security group rules that were added.
", + "DescribeSecurityGroupRulesResult$SecurityGroupRules": "Information about security group rules.
" + } + }, + "SecurityGroupRuleRequest": { + "base": "Describes a security group rule.
You can only use one of the following to specify the rule:
CidrIpv4
CidrIpv6
PrefixListId
ReferencedGroupId
When you run the ModifySecurityGroupRules command, you cannot change the rule type. For example if the rules references CidrIpv4
, then you must use CidrIpv4
to reference the rule.
Information about the security group rule.
" + } + }, + "SecurityGroupRuleUpdate": { + "base": "Describes an update to a security group rule.
", + "refs": { + "SecurityGroupRuleUpdateList$member": null + } + }, + "SecurityGroupRuleUpdateList": { + "base": null, + "refs": { + "ModifySecurityGroupRulesRequest$SecurityGroupRules": "Information about the security group properties to update.
" + } + }, "SecurityGroupStringList": { "base": null, "refs": { @@ -13579,7 +13703,7 @@ "AuthorizeSecurityGroupEgressRequest$SourceSecurityGroupName": "Not supported. Use a set of IP permissions to specify a destination security group.
", "AuthorizeSecurityGroupEgressRequest$SourceSecurityGroupOwnerId": "Not supported. Use a set of IP permissions to specify a destination security group.
", "AuthorizeSecurityGroupIngressRequest$CidrIp": "The IPv4 address range, in CIDR format. You can't specify this parameter when specifying a source security group. To specify an IPv6 address range, use a set of IP permissions.
Alternatively, use a set of IP permissions to specify multiple rules and a description for the rule.
", - "AuthorizeSecurityGroupIngressRequest$IpProtocol": "The IP protocol name (tcp
, udp
, icmp
) or number (see Protocol Numbers). To specify icmpv6
, use a set of IP permissions.
[VPC only] Use -1
to specify all protocols. If you specify -1
or a protocol other than tcp
, udp
, or icmp
, traffic on all ports is allowed, regardless of any ports you specify.
Alternatively, use a set of IP permissions to specify multiple rules and a description for the rule.
", + "AuthorizeSecurityGroupIngressRequest$IpProtocol": "The IP protocol name (tcp
, udp
, icmp
) or number (see Protocol Numbers). To specify icmpv6
, use a set of IP permissions.
[VPC only] Use -1
to specify all protocols. If you specify -1
or a protocol other than tcp
, udp
, or icmp
, traffic on all ports is allowed, regardless of any ports that you specify.
Alternatively, use a set of IP permissions to specify multiple rules and a description for the rule.
", "AuthorizeSecurityGroupIngressRequest$SourceSecurityGroupName": "[EC2-Classic, default VPC] The name of the source security group. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the start of the port range, the IP protocol, and the end of the port range. Creates rules that grant full ICMP, UDP, and TCP access. To create a rule with a specific IP protocol and port range, use a set of IP permissions instead. For EC2-VPC, the source security group must be in the same VPC.
", "AuthorizeSecurityGroupIngressRequest$SourceSecurityGroupOwnerId": "[nondefault VPC] The AWS account ID for the source security group, if the source security group is in a different account. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the IP protocol, the start of the port range, and the end of the port range. Creates rules that grant full ICMP, UDP, and TCP access. To create a rule with a specific IP protocol and port range, use a set of IP permissions instead.
", "AvailabilityZone$RegionName": "The name of the Region.
", @@ -13960,6 +14084,8 @@ "DescribeScheduledInstanceAvailabilityResult$NextToken": "The token required to retrieve the next set of results. This value is null
when there are no more results to return.
The token for the next set of results.
", "DescribeScheduledInstancesResult$NextToken": "The token required to retrieve the next set of results. This value is null
when there are no more results to return.
The token for the next page of results.
", + "DescribeSecurityGroupRulesResult$NextToken": "The token to use to retrieve the next page of results. This value is null
when there are no more results to return.
The token to request the next page of results.
", "DescribeSecurityGroupsResult$NextToken": "The token to use to retrieve the next page of results. This value is null
when there are no more results to return.
The ID of the EBS snapshot.
", @@ -14282,7 +14408,7 @@ "ImportInstanceVolumeDetailItem$StatusMessage": "The status information or errors related to the disk image.
", "ImportKeyPairRequest$KeyName": "A unique name for the key pair.
", "ImportKeyPairResult$KeyFingerprint": "The MD5 public key fingerprint as specified in section 4 of RFC 4716.
", - "ImportKeyPairResult$KeyName": "The key pair name you provided.
", + "ImportKeyPairResult$KeyName": "The key pair name that you provided.
", "ImportKeyPairResult$KeyPairId": "The ID of the resulting key pair.
", "ImportSnapshotRequest$ClientToken": "Token to enable idempotency for VM import requests.
", "ImportSnapshotRequest$Description": "The description string for the import snapshot task.
", @@ -14633,6 +14759,11 @@ "PurchaseRequest$PurchaseToken": "The purchase token.
", "PurchaseReservedInstancesOfferingResult$ReservedInstancesId": "The IDs of the purchased Reserved Instances.
", "PurchaseScheduledInstancesRequest$ClientToken": "Unique, case-sensitive identifier that ensures the idempotency of the request. For more information, see Ensuring Idempotency.
", + "ReferencedSecurityGroup$GroupId": "The ID of the security group.
", + "ReferencedSecurityGroup$PeeringStatus": "The status of a VPC peering connection, if applicable.
", + "ReferencedSecurityGroup$UserId": "The AWS account ID.
", + "ReferencedSecurityGroup$VpcId": "The ID of the VPC.
", + "ReferencedSecurityGroup$VpcPeeringConnectionId": "The ID of the VPC peering connection.
", "Region$Endpoint": "The Region service endpoint.
", "Region$RegionName": "The name of the Region.
", "Region$OptInStatus": "The Region opt-in status. The possible values are opt-in-not-required
, opted-in
, and not-opted-in
.
The ID of your security group.
", "SecurityGroupReference$ReferencingVpcId": "The ID of the VPC with the referencing security group.
", "SecurityGroupReference$VpcPeeringConnectionId": "The ID of the VPC peering connection.
", + "SecurityGroupRule$GroupOwnerId": "The ID of the AWS account that owns the security group.
", + "SecurityGroupRule$IpProtocol": "The IP protocol name (tcp
, udp
, icmp
, icmpv6
) or number (see Protocol Numbers).
Use -1
to specify all protocols.
The IPv4 CIDR range.
", + "SecurityGroupRule$CidrIpv6": "The IPv6 CIDR range.
", + "SecurityGroupRule$Description": "The security group rule description.
", + "SecurityGroupRuleDescription$SecurityGroupRuleId": "The ID of the security group rule.
", + "SecurityGroupRuleDescription$Description": "The description of the security group rule.
", + "SecurityGroupRuleIdList$member": null, + "SecurityGroupRuleRequest$IpProtocol": "The IP protocol name (tcp
, udp
, icmp
, icmpv6
) or number (see Protocol Numbers).
Use -1
to specify all protocols.
The IPv4 CIDR range. To specify a single IPv4 address, use the /32 prefix length.
", + "SecurityGroupRuleRequest$CidrIpv6": "The IPv6 CIDR range. To specify a single IPv6 address, use the /128 prefix length.
", + "SecurityGroupRuleRequest$Description": "The description of the security group rule.
", "ServiceConfiguration$ServiceId": "The ID of the service.
", "ServiceConfiguration$ServiceName": "The name of the service.
", "ServiceConfiguration$PrivateDnsName": "The private DNS name for the service.
", @@ -15312,6 +15455,7 @@ "ReservedInstancesListing$Tags": "Any tags assigned to the resource.
", "RouteTable$Tags": "Any tags assigned to the route table.
", "SecurityGroup$Tags": "Any tags assigned to the security group.
", + "SecurityGroupRule$Tags": "The tags applied to the security group rule.
", "ServiceConfiguration$Tags": "Any tags assigned to the service.
", "ServiceDetail$Tags": "Any tags assigned to the service.
", "Snapshot$Tags": "Any tags assigned to the snapshot.
", @@ -15352,6 +15496,8 @@ "refs": { "AllocateAddressRequest$TagSpecifications": "The tags to assign to the Elastic IP address.
", "AllocateHostsRequest$TagSpecifications": "The tags to apply to the Dedicated Host during creation.
", + "AuthorizeSecurityGroupEgressRequest$TagSpecifications": "The tags applied to the security group rule.
", + "AuthorizeSecurityGroupIngressRequest$TagSpecifications": "[VPC Only] The tags applied to the security group rule.
", "CopySnapshotRequest$TagSpecifications": "The tags to apply to the new snapshot.
", "CreateCapacityReservationRequest$TagSpecifications": "The tags to apply to the Capacity Reservation during launch.
", "CreateCarrierGatewayRequest$TagSpecifications": "The tags to associate with the carrier gateway.
", diff --git a/models/apis/ec2/2016-11-15/paginators-1.json b/models/apis/ec2/2016-11-15/paginators-1.json index fde6975e311..e1d041efc2c 100755 --- a/models/apis/ec2/2016-11-15/paginators-1.json +++ b/models/apis/ec2/2016-11-15/paginators-1.json @@ -374,6 +374,12 @@ "output_token": "NextToken", "result_key": "ScheduledInstanceSet" }, + "DescribeSecurityGroupRules": { + "input_token": "NextToken", + "limit_key": "MaxResults", + "output_token": "NextToken", + "result_key": "SecurityGroupRules" + }, "DescribeSecurityGroups": { "input_token": "NextToken", "limit_key": "MaxResults", diff --git a/models/apis/ecs/2014-11-13/api-2.json b/models/apis/ecs/2014-11-13/api-2.json index 0b2253df7ad..43b9dd3ee5b 100644 --- a/models/apis/ecs/2014-11-13/api-2.json +++ b/models/apis/ecs/2014-11-13/api-2.json @@ -1103,7 +1103,8 @@ "type":"string", "enum":[ "EC2", - "FARGATE" + "FARGATE", + "EXTERNAL" ] }, "CompatibilityList":{ @@ -2023,7 +2024,8 @@ "type":"string", "enum":[ "EC2", - "FARGATE" + "FARGATE", + "EXTERNAL" ] }, "LimitExceededException":{ diff --git a/models/apis/ecs/2014-11-13/docs-2.json b/models/apis/ecs/2014-11-13/docs-2.json index 78aaa1a7c22..75dd36418f6 100644 --- a/models/apis/ecs/2014-11-13/docs-2.json +++ b/models/apis/ecs/2014-11-13/docs-2.json @@ -27,11 +27,11 @@ "ListAttributes": "Lists the attributes for Amazon ECS resources within a specified target type and cluster. When you specify a target type and cluster, ListAttributes
returns a list of attribute objects, one for each attribute on each resource. You can filter the list of results to a single attribute name to only return results that have that name. You can also filter the results by attribute name and value, for example, to see which container instances in a cluster are running a Linux AMI (ecs.os-type=linux
).
Returns a list of existing clusters.
", "ListContainerInstances": "Returns a list of container instances in a specified cluster. You can filter the results of a ListContainerInstances
operation with cluster query language statements inside the filter
parameter. For more information, see Cluster Query Language in the Amazon Elastic Container Service Developer Guide.
Lists the services that are running in a specified cluster.
", + "ListServices": "Returns a list of services. You can filter the results by cluster, launch type, and scheduling strategy.
", "ListTagsForResource": "List the tags for an Amazon ECS resource.
", "ListTaskDefinitionFamilies": "Returns a list of task definition families that are registered to your account (which may include task definition families that no longer have any ACTIVE
task definition revisions).
You can filter out task definition families that do not contain any ACTIVE
task definition revisions by setting the status
parameter to ACTIVE
. You can also filter the results with the familyPrefix
parameter.
Returns a list of task definitions that are registered to your account. You can filter the results by family name with the familyPrefix
parameter or by status with the status
parameter.
Returns a list of tasks for a specified cluster. You can filter the results by family name, by a particular container instance, or by the desired status of the task with the family
, containerInstance
, and desiredStatus
parameters.
Recently stopped tasks might appear in the returned results. Currently, stopped tasks appear in the returned results for at least one hour.
", + "ListTasks": "Returns a list of tasks. You can filter the results by cluster, task definition family, container instance, launch type, what IAM principal started the task, or by the desired status of the task.
Recently stopped tasks might appear in the returned results. Currently, stopped tasks appear in the returned results for at least one hour.
", "PutAccountSetting": "Modifies an account setting. Account settings are set on a per-Region basis.
If you change the account setting for the root user, the default settings for all of the IAM users and roles for which no individual account setting has been specified are reset. For more information, see Account Settings in the Amazon Elastic Container Service Developer Guide.
When serviceLongArnFormat
, taskLongArnFormat
, or containerInstanceLongArnFormat
are specified, the Amazon Resource Name (ARN) and resource ID format of the resource type for a specified IAM user, IAM role, or the root user for an account is affected. The opt-in and opt-out account setting must be set for each Amazon ECS resource separately. The ARN and resource ID format of a resource will be defined by the opt-in status of the IAM user or role that created the resource. You must enable this setting to use Amazon ECS features such as resource tagging.
When awsvpcTrunking
is specified, the elastic network interface (ENI) limit for any new container instances that support the feature is changed. If awsvpcTrunking
is enabled, any new container instances that support the feature are launched have the increased ENI limits available to them. For more information, see Elastic Network Interface Trunking in the Amazon Elastic Container Service Developer Guide.
When containerInsights
is specified, the default setting indicating whether CloudWatch Container Insights is enabled for your clusters is changed. If containerInsights
is enabled, any new clusters that are created will have Container Insights enabled unless you disable it during cluster creation. For more information, see CloudWatch Container Insights in the Amazon Elastic Container Service Developer Guide.
Modifies an account setting for all IAM users on an account for whom no individual account setting has been specified. Account settings are set on a per-Region basis.
", "PutAttributes": "Create or update an attribute on an Amazon ECS resource. If the attribute does not exist, it is created. If the attribute exists, its value is replaced with the specified value. To delete an attribute, use DeleteAttributes. For more information, see Attributes in the Amazon Elastic Container Service Developer Guide.
", @@ -758,7 +758,7 @@ "DesiredStatus": { "base": null, "refs": { - "ListTasksRequest$desiredStatus": "The task desired status with which to filter the ListTasks
results. Specifying a desiredStatus
of STOPPED
limits the results to tasks that Amazon ECS has set the desired status to STOPPED
. This can be useful for debugging tasks that are not starting properly or have died or finished. The default status filter is RUNNING
, which shows tasks that Amazon ECS has set the desired status to RUNNING
.
Although you can filter results based on a desired status of PENDING
, this does not return any results. Amazon ECS never sets the desired status of a task to that value (only a task's lastStatus
may have a value of PENDING
).
The task desired status to use when filtering the ListTasks
results. Specifying a desiredStatus
of STOPPED
limits the results to tasks that Amazon ECS has set the desired status to STOPPED
. This can be useful for debugging tasks that are not starting properly or have died or finished. The default status filter is RUNNING
, which shows tasks that Amazon ECS has set the desired status to RUNNING
.
Although you can filter results based on a desired status of PENDING
, this does not return any results. Amazon ECS never sets the desired status of a task to that value (only a task's lastStatus
may have a value of PENDING
).
The launch type on which to run your service. The accepted values are FARGATE
and EC2
. For more information, see Amazon ECS launch types in the Amazon Elastic Container Service Developer Guide.
When a value of FARGATE
is specified, your tasks are launched on AWS Fargate On-Demand infrastructure. To use Fargate Spot, you must use a capacity provider strategy with the FARGATE_SPOT
capacity provider.
When a value of EC2
is specified, your tasks are launched on Amazon EC2 instances registered to your cluster.
If a launchType
is specified, the capacityProviderStrategy
parameter must be omitted.
The infrastructure on which to run your service. For more information, see Amazon ECS launch types in the Amazon Elastic Container Service Developer Guide.
The FARGATE
launch type runs your tasks on AWS Fargate On-Demand infrastructure.
Fargate Spot infrastructure is available for use but a capacity provider strategy must be used. For more information, see AWS Fargate capacity providers in the Amazon ECS User Guide for AWS Fargate.
The EC2
launch type runs your tasks on Amazon EC2 instances registered to your cluster.
The EXTERNAL
launch type runs your tasks on your on-premise server or virtual machine (VM) capacity registered to your cluster.
A service can use either a launch type or a capacity provider strategy. If a launchType
is specified, the capacityProviderStrategy
parameter must be omitted.
The launch type that new tasks in the task set will use. For more information, see Amazon ECS Launch Types in the Amazon Elastic Container Service Developer Guide.
If a launchType
is specified, the capacityProviderStrategy
parameter must be omitted.
The launch type the tasks in the service are using. For more information, see Amazon ECS Launch Types in the Amazon Elastic Container Service Developer Guide.
", - "ListServicesRequest$launchType": "The launch type for the services to list.
", - "ListTasksRequest$launchType": "The launch type for services to list.
", - "RunTaskRequest$launchType": "The launch type on which to run your task. The accepted values are FARGATE
and EC2
. For more information, see Amazon ECS Launch Types in the Amazon Elastic Container Service Developer Guide.
When a value of FARGATE
is specified, your tasks are launched on AWS Fargate On-Demand infrastructure. To use Fargate Spot, you must use a capacity provider strategy with the FARGATE_SPOT
capacity provider.
When a value of EC2
is specified, your tasks are launched on Amazon EC2 instances registered to your cluster.
If a launchType
is specified, the capacityProviderStrategy
parameter must be omitted.
The launch type on which your service is running. If no value is specified, it will default to EC2
. Valid values include EC2
and FARGATE
. For more information, see Amazon ECS Launch Types in the Amazon Elastic Container Service Developer Guide.
The launch type on which your task is running. For more information, see Amazon ECS Launch Types in the Amazon Elastic Container Service Developer Guide.
", + "ListServicesRequest$launchType": "The launch type to use when filtering the ListServices
results.
The launch type to use when filtering the ListTasks
results.
The infrastructure on which to run your standalone task. For more information, see Amazon ECS launch types in the Amazon Elastic Container Service Developer Guide.
The FARGATE
launch type runs your tasks on AWS Fargate On-Demand infrastructure.
Fargate Spot infrastructure is available for use but a capacity provider strategy must be used. For more information, see AWS Fargate capacity providers in the Amazon ECS User Guide for AWS Fargate.
The EC2
launch type runs your tasks on Amazon EC2 instances registered to your cluster.
The EXTERNAL
launch type runs your tasks on your on-premise server or virtual machine (VM) capacity registered to your cluster.
A task can use either a launch type or a capacity provider strategy. If a launchType
is specified, the capacityProviderStrategy
parameter must be omitted.
The infrastructure on which your service is running. For more information, see Amazon ECS launch types in the Amazon Elastic Container Service Developer Guide.
", + "Task$launchType": "The infrastructure on which your task is running. For more information, see Amazon ECS launch types in the Amazon Elastic Container Service Developer Guide.
", "TaskSet$launchType": "The launch type the tasks in the task set are using. For more information, see Amazon ECS launch types in the Amazon Elastic Container Service Developer Guide.
" } }, @@ -1624,7 +1624,7 @@ "base": null, "refs": { "CreateServiceRequest$schedulingStrategy": "The scheduling strategy to use for the service. For more information, see Services.
There are two service scheduler strategies available:
REPLICA
-The replica scheduling strategy places and maintains the desired number of tasks across your cluster. By default, the service scheduler spreads tasks across Availability Zones. You can use task placement strategies and constraints to customize task placement decisions. This scheduler strategy is required if the service is using the CODE_DEPLOY
or EXTERNAL
deployment controller types.
DAEMON
-The daemon scheduling strategy deploys exactly one task on each active container instance that meets all of the task placement constraints that you specify in your cluster. The service scheduler also evaluates the task placement constraints for running tasks and will stop tasks that do not meet the placement constraints. When you're using this strategy, you don't need to specify a desired number of tasks, a task placement strategy, or use Service Auto Scaling policies.
Tasks using the Fargate launch type or the CODE_DEPLOY
or EXTERNAL
deployment controller types don't support the DAEMON
scheduling strategy.
The scheduling strategy for services to list.
", + "ListServicesRequest$schedulingStrategy": "The scheduling strategy to use when filtering the ListServices
results.
The scheduling strategy to use for the service. For more information, see Services.
There are two service scheduler strategies available:
REPLICA
-The replica scheduling strategy places and maintains the desired number of tasks across your cluster. By default, the service scheduler spreads tasks across Availability Zones. You can use task placement strategies and constraints to customize task placement decisions.
DAEMON
-The daemon scheduling strategy deploys exactly one task on each active container instance that meets all of the task placement constraints that you specify in your cluster. The service scheduler also evaluates the task placement constraints for running tasks and will stop tasks that do not meet the placement constraints.
Fargate tasks do not support the DAEMON
scheduling strategy.
You can filter the results of a ListContainerInstances
operation with cluster query language statements. For more information, see Cluster Query Language in the Amazon Elastic Container Service Developer Guide.
The nextToken
value returned from a ListContainerInstances
request indicating that more results are available to fulfill the request and further calls will be needed. If maxResults
was provided, it is possible the number of results to be fewer than maxResults
.
This token should be treated as an opaque identifier that is only used to retrieve the next items in a list and not for other programmatic purposes.
The nextToken
value to include in a future ListContainerInstances
request. When the results of a ListContainerInstances
request exceed maxResults
, this value can be used to retrieve the next page of results. This value is null
when there are no more results to return.
The short name or full Amazon Resource Name (ARN) of the cluster that hosts the services to list. If you do not specify a cluster, the default cluster is assumed.
", + "ListServicesRequest$cluster": "The short name or full Amazon Resource Name (ARN) of the cluster to use when filtering the ListServices
results. If you do not specify a cluster, the default cluster is assumed.
The nextToken
value returned from a ListServices
request indicating that more results are available to fulfill the request and further calls will be needed. If maxResults
was provided, it is possible the number of results to be fewer than maxResults
.
This token should be treated as an opaque identifier that is only used to retrieve the next items in a list and not for other programmatic purposes.
The nextToken
value to include in a future ListServices
request. When the results of a ListServices
request exceed maxResults
, this value can be used to retrieve the next page of results. This value is null
when there are no more results to return.
The Amazon Resource Name (ARN) that identifies the resource for which to list the tags. Currently, the supported resources are Amazon ECS tasks, services, task definitions, clusters, and container instances.
", @@ -1949,12 +1949,12 @@ "ListTaskDefinitionsRequest$familyPrefix": "The full family name with which to filter the ListTaskDefinitions
results. Specifying a familyPrefix
limits the listed task definitions to task definition revisions that belong to that family.
The nextToken
value returned from a ListTaskDefinitions
request indicating that more results are available to fulfill the request and further calls will be needed. If maxResults
was provided, it is possible the number of results to be fewer than maxResults
.
This token should be treated as an opaque identifier that is only used to retrieve the next items in a list and not for other programmatic purposes.
The nextToken
value to include in a future ListTaskDefinitions
request. When the results of a ListTaskDefinitions
request exceed maxResults
, this value can be used to retrieve the next page of results. This value is null
when there are no more results to return.
The short name or full Amazon Resource Name (ARN) of the cluster that hosts the tasks to list. If you do not specify a cluster, the default cluster is assumed.
", - "ListTasksRequest$containerInstance": "The container instance ID or full ARN of the container instance with which to filter the ListTasks
results. Specifying a containerInstance
limits the results to tasks that belong to that container instance.
The name of the family with which to filter the ListTasks
results. Specifying a family
limits the results to tasks that belong to that family.
The short name or full Amazon Resource Name (ARN) of the cluster to use when filtering the ListTasks
results. If you do not specify a cluster, the default cluster is assumed.
The container instance ID or full ARN of the container instance to use when filtering the ListTasks
results. Specifying a containerInstance
limits the results to tasks that belong to that container instance.
The name of the task definition family to use when filtering the ListTasks
results. Specifying a family
limits the results to tasks that belong to that family.
The nextToken
value returned from a ListTasks
request indicating that more results are available to fulfill the request and further calls will be needed. If maxResults
was provided, it is possible the number of results to be fewer than maxResults
.
This token should be treated as an opaque identifier that is only used to retrieve the next items in a list and not for other programmatic purposes.
The startedBy
value with which to filter the task results. Specifying a startedBy
value limits the results to tasks that were started with that value.
The name of the service with which to filter the ListTasks
results. Specifying a serviceName
limits the results to tasks that belong to that service.
The name of the service to use when filtering the ListTasks
results. Specifying a serviceName
limits the results to tasks that belong to that service.
The nextToken
value to include in a future ListTasks
request. When the results of a ListTasks
request exceed maxResults
, this value can be used to retrieve the next page of results. This value is null
when there are no more results to return.
The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set.
A target group ARN is only specified when using an Application Load Balancer or Network Load Balancer. If you are using a Classic Load Balancer the target group ARN should be omitted.
For services using the ECS
deployment controller, you can specify one or multiple target groups. For more information, see Registering Multiple Target Groups with a Service in the Amazon Elastic Container Service Developer Guide.
For services using the CODE_DEPLOY
deployment controller, you are required to define two target groups for the load balancer. For more information, see Blue/Green Deployment with CodeDeploy in the Amazon Elastic Container Service Developer Guide.
If your service's task definition uses the awsvpc
network mode (which is required for the Fargate launch type), you must choose ip
as the target type, not instance
, when creating your target groups because tasks that use the awsvpc
network mode are associated with an elastic network interface, not an Amazon EC2 instance.
The name of the load balancer to associate with the Amazon ECS service or task set.
A load balancer name is only specified when using a Classic Load Balancer. If you are using an Application Load Balancer or a Network Load Balancer the load balancer name parameter should be omitted.
", diff --git a/models/apis/mwaa/2020-07-01/api-2.json b/models/apis/mwaa/2020-07-01/api-2.json index 4edeb476ccf..58cc685f580 100644 --- a/models/apis/mwaa/2020-07-01/api-2.json +++ b/models/apis/mwaa/2020-07-01/api-2.json @@ -277,6 +277,7 @@ "PluginsS3Path":{"shape":"RelativePath"}, "RequirementsS3ObjectVersion":{"shape":"S3ObjectVersion"}, "RequirementsS3Path":{"shape":"RelativePath"}, + "Schedulers":{"shape":"Schedulers"}, "SourceBucketArn":{"shape":"S3BucketArn"}, "Tags":{"shape":"TagMap"}, "WebserverAccessMode":{"shape":"WebserverAccessMode"}, @@ -364,6 +365,7 @@ "PluginsS3Path":{"shape":"RelativePath"}, "RequirementsS3ObjectVersion":{"shape":"S3ObjectVersion"}, "RequirementsS3Path":{"shape":"RelativePath"}, + "Schedulers":{"shape":"Schedulers"}, "ServiceRoleArn":{"shape":"IamRoleArn"}, "SourceBucketArn":{"shape":"S3BucketArn"}, "Status":{"shape":"EnvironmentStatus"}, @@ -658,6 +660,11 @@ "max":1024, "min":1 }, + "Schedulers":{ + "type":"integer", + "box":true, + "max":5 + }, "SecurityGroupId":{ "type":"string", "max":1024, @@ -837,6 +844,7 @@ "PluginsS3Path":{"shape":"RelativePath"}, "RequirementsS3ObjectVersion":{"shape":"S3ObjectVersion"}, "RequirementsS3Path":{"shape":"RelativePath"}, + "Schedulers":{"shape":"Schedulers"}, "SourceBucketArn":{"shape":"S3BucketArn"}, "WebserverAccessMode":{"shape":"WebserverAccessMode"}, "WeeklyMaintenanceWindowStart":{"shape":"WeeklyMaintenanceWindowStart"} diff --git a/models/apis/mwaa/2020-07-01/docs-2.json b/models/apis/mwaa/2020-07-01/docs-2.json index cc31f4234e8..159f3ef2150 100644 --- a/models/apis/mwaa/2020-07-01/docs-2.json +++ b/models/apis/mwaa/2020-07-01/docs-2.json @@ -3,16 +3,16 @@ "service": "This section contains the Amazon Managed Workflows for Apache Airflow (MWAA) API reference documentation. For more information, see What Is Amazon MWAA?.
", "operations": { "CreateCliToken": "Create a CLI token to use Airflow CLI.
", - "CreateEnvironment": "JSON blob that describes the environment to create.
", + "CreateEnvironment": "Creates an Amazon Managed Workflows for Apache Airflow (MWAA) environment.
", "CreateWebLoginToken": "Create a JWT token to be used to login to Airflow Web UI with claims based Authentication.
", - "DeleteEnvironment": "Delete an existing environment.
", - "GetEnvironment": "Get details of an existing environment.
", - "ListEnvironments": "List Amazon MWAA Environments.
", - "ListTagsForResource": "List the tags for MWAA environments.
", + "DeleteEnvironment": "Deletes an Amazon Managed Workflows for Apache Airflow (MWAA) environment.
", + "GetEnvironment": "Retrieves the details of an Amazon Managed Workflows for Apache Airflow (MWAA) environment.
", + "ListEnvironments": "Lists the Amazon Managed Workflows for Apache Airflow (MWAA) environments.
", + "ListTagsForResource": "Lists the key-value tag pairs associated to the Amazon Managed Workflows for Apache Airflow (MWAA) environment. For example, \"Environment\": \"Staging\"
.
An operation for publishing metrics from the customers to the Ops plane.
", - "TagResource": "Add tag to the MWAA environments.
", - "UntagResource": "Remove a tag from the MWAA environments.
", - "UpdateEnvironment": "Update an MWAA environment.
" + "TagResource": "Associates key-value tag pairs to your Amazon Managed Workflows for Apache Airflow (MWAA) environment.
", + "UntagResource": "Removes key-value tag pairs associated to your Amazon Managed Workflows for Apache Airflow (MWAA) environment. For example, \"Environment\": \"Staging\"
.
Updates an Amazon Managed Workflows for Apache Airflow (MWAA) environment.
" }, "shapes": { "AccessDeniedException": { @@ -23,21 +23,21 @@ "AirflowConfigurationOptions": { "base": null, "refs": { - "Environment$AirflowConfigurationOptions": "The Airflow Configuration Options of the Amazon MWAA Environment.
" + "Environment$AirflowConfigurationOptions": "A list of key-value pairs containing the Apache Airflow configuration options attached to your environment. To learn more, see Apache Airflow configuration options.
" } }, "AirflowVersion": { "base": null, "refs": { - "CreateEnvironmentInput$AirflowVersion": "The Apache Airflow version you want to use for your environment.
", - "Environment$AirflowVersion": "The AirflowV ersion of the Amazon MWAA Environment.
", - "UpdateEnvironmentInput$AirflowVersion": "The Airflow Version to update of your Amazon MWAA environment.
" + "CreateEnvironmentInput$AirflowVersion": "The Apache Airflow version for your environment. For example, v1.10.12
. If no value is specified, defaults to the latest version. Valid values: v1.10.12
.
The Apache Airflow version on your environment. For example, v1.10.12
.
The Apache Airflow version for your environment. For example, v1.10.12
. If no value is specified, defaults to the latest version. Valid values: v1.10.12
.
Provides the ARN for the CloudWatch group where the logs will be published.
" + "ModuleLoggingConfiguration$CloudWatchLogGroupArn": "The Amazon Resource Name (ARN) for the CloudWatch Logs group where the Apache Airflow log type (e.g. DagProcessingLogs
) is published. For example, arn:aws:logs:us-east-1:123456789012:log-group:airflow-MyMWAAEnvironment-MwaaEnvironment-DAGProcessing:*
.
The Created At date of the Amazon MWAA Environment.
" + "Environment$CreatedAt": "The day and time the environment was created.
" } }, "DeleteEnvironmentInput": { @@ -124,66 +124,66 @@ } }, "Environment": { - "base": "An Amazon MWAA environment.
", + "base": "The Amazon Managed Workflows for Apache Airflow (MWAA) environment.
", "refs": { - "GetEnvironmentOutput$Environment": "A JSON blob with environment details.
" + "GetEnvironmentOutput$Environment": "An object containing all available details about the environment.
" } }, "EnvironmentArn": { "base": null, "refs": { - "CreateEnvironmentOutput$Arn": "The resulting Amazon MWAA envirnonment ARN.
", - "Environment$Arn": "The ARN of the Amazon MWAA Environment.
", - "ListTagsForResourceInput$ResourceArn": "The ARN of the MWAA environment.
", - "TagResourceInput$ResourceArn": "The tag resource ARN of the MWAA environments.
", - "UntagResourceInput$ResourceArn": "The tag resource ARN of the MWAA environments.
", - "UpdateEnvironmentOutput$Arn": "The ARN to update of your Amazon MWAA environment.
" + "CreateEnvironmentOutput$Arn": "The Amazon Resource Name (ARN) returned in the response for the environment.
", + "Environment$Arn": "The Amazon Resource Name (ARN) of the Amazon MWAA environment.
", + "ListTagsForResourceInput$ResourceArn": "The Amazon Resource Name (ARN) of the Amazon MWAA environment. For example, arn:aws:airflow:us-east-1:123456789012:environment/MyMWAAEnvironment
.
The Amazon Resource Name (ARN) of the Amazon MWAA environment. For example, arn:aws:airflow:us-east-1:123456789012:environment/MyMWAAEnvironment
.
The Amazon Resource Name (ARN) of the Amazon MWAA environment. For example, arn:aws:airflow:us-east-1:123456789012:environment/MyMWAAEnvironment
.
The Amazon Resource Name (ARN) of the Amazon MWAA environment. For example, arn:aws:airflow:us-east-1:123456789012:environment/MyMWAAEnvironment
.
The environment class you want to use for your environment. The environment class determines the size of the containers and database used for your Apache Airflow services.
", - "Environment$EnvironmentClass": "The Environment Class (size) of the Amazon MWAA Environment.
", - "UpdateEnvironmentInput$EnvironmentClass": "The Environment Class to update of your Amazon MWAA environment.
" + "CreateEnvironmentInput$EnvironmentClass": "The environment class type. Valid values: mw1.small
, mw1.medium
, mw1.large
. To learn more, see Amazon MWAA environment class.
The environment class type. Valid values: mw1.small
, mw1.medium
, mw1.large
. To learn more, see Amazon MWAA environment class.
The environment class type. Valid values: mw1.small
, mw1.medium
, mw1.large
. To learn more, see Amazon MWAA environment class.
The list of Amazon MWAA Environments.
" + "ListEnvironmentsOutput$Environments": "Returns the list of Amazon MWAA environments.
" } }, "EnvironmentName": { "base": null, "refs": { "CreateCliTokenRequest$Name": "Create a CLI token request for a MWAA environment.
", - "CreateEnvironmentInput$Name": "The name of your MWAA environment.
", + "CreateEnvironmentInput$Name": "The name of the Amazon MWAA environment. For example, MyMWAAEnvironment
.
Create an Airflow Web UI login token request for a MWAA environment.
", - "DeleteEnvironmentInput$Name": "The name of the environment to delete.
", - "Environment$Name": "The name of the Amazon MWAA Environment.
", + "DeleteEnvironmentInput$Name": "The name of the Amazon MWAA environment. For example, MyMWAAEnvironment
.
The name of the Amazon MWAA environment. For example, MyMWAAEnvironment
.
The name of the environment to retrieve.
", + "GetEnvironmentInput$Name": "The name of the Amazon MWAA environment. For example, MyMWAAEnvironment
.
Publishes environment metric data to Amazon CloudWatch.
", - "UpdateEnvironmentInput$Name": "The name of your Amazon MWAA environment that you wish to update.
" + "UpdateEnvironmentInput$Name": "The name of your Amazon MWAA environment. For example, MyMWAAEnvironment
.
The status of the Amazon MWAA Environment.
" + "Environment$Status": "The status of the Amazon MWAA environment. Valid values:
CREATING
- Indicates the request to create the environment is in progress.
CREATE_FAILED
- Indicates the request to create the environment failed, and the environment could not be created.
AVAILABLE
- Indicates the request was successful and the environment is ready to use.
UPDATING
- Indicates the request to update the environment is in progress.
DELETING
- Indicates the request to delete the environment is in progress.
DELETED
- Indicates the request to delete the environment is complete, and the environment has been deleted.
UNAVAILABLE
- Indicates the request failed, but the environment was unable to rollback and is not in a stable state.
UPDATE_FAILED
- Indicates the request to update the environment failed, and the environment has rolled back successfully and is ready to use.
We recommend reviewing our troubleshooting guide for a list of common errors and their solutions. To learn more, see Amazon MWAA troubleshooting.
" } }, "ErrorCode": { "base": null, "refs": { - "UpdateError$ErrorCode": "Error code of update.
" + "UpdateError$ErrorCode": "The error code that corresponds to the error with the last update.
" } }, "ErrorMessage": { "base": null, "refs": { - "UpdateError$ErrorMessage": "Error message of update.
" + "UpdateError$ErrorMessage": "The error message that corresponds to the error code.
" } }, "GetEnvironmentInput": { @@ -206,10 +206,10 @@ "IamRoleArn": { "base": null, "refs": { - "CreateEnvironmentInput$ExecutionRoleArn": "The Amazon Resource Name (ARN) of the execution role for your environment. An execution role is an AWS Identity and Access Management (IAM) role that grants MWAA permission to access AWS services and resources used by your environment. For example, arn:aws:iam::123456789:role/my-execution-role
. For more information, see Managing access to Amazon Managed Workflows for Apache Airflow.
The Execution Role ARN of the Amazon MWAA Environment.
", - "Environment$ServiceRoleArn": "The Service Role ARN of the Amazon MWAA Environment.
", - "UpdateEnvironmentInput$ExecutionRoleArn": "The Executio Role ARN to update of your Amazon MWAA environment.
" + "CreateEnvironmentInput$ExecutionRoleArn": "The Amazon Resource Name (ARN) of the execution role for your environment. An execution role is an AWS Identity and Access Management (IAM) role that grants MWAA permission to access AWS services and resources used by your environment. For example, arn:aws:iam::123456789:role/my-execution-role
. To learn more, see Amazon MWAA Execution role.
The Amazon Resource Name (ARN) of the execution role in IAM that allows MWAA to access AWS resources in your environment. For example, arn:aws:iam::123456789:role/my-execution-role
. To learn more, see Amazon MWAA Execution role.
The Amazon Resource Name (ARN) for the service-linked role of the environment. To learn more, see Amazon MWAA Service-linked role.
", + "UpdateEnvironmentInput$ExecutionRoleArn": "The Amazon Resource Name (ARN) of the execution role in IAM that allows MWAA to access AWS resources in your environment. For example, arn:aws:iam::123456789:role/my-execution-role
. To learn more, see Amazon MWAA Execution role.
The AWS Key Management Service (KMS) key to encrypt and decrypt the data in your environment. You can use an AWS KMS key managed by MWAA, or a custom KMS key (advanced). For more information, see Customer master keys (CMKs) in the AWS KMS developer guide.
", - "Environment$KmsKey": "The Kms Key of the Amazon MWAA Environment.
" + "CreateEnvironmentInput$KmsKey": "The AWS Key Management Service (KMS) key to encrypt the data in your environment. You can use an AWS owned CMK, or a Customer managed CMK (advanced). To learn more, see Get started with Amazon Managed Workflows for Apache Airflow.
", + "Environment$KmsKey": "The Key Management Service (KMS) encryption key used to encrypt the data in your environment.
" } }, "LastUpdate": { - "base": "Last update information for the environment.
", + "base": "The status of the last update on the environment, and any errors that were encountered.
", "refs": { "Environment$LastUpdate": null } @@ -244,7 +244,7 @@ "ListEnvironmentsInputMaxResultsInteger": { "base": null, "refs": { - "ListEnvironmentsInput$MaxResults": "The maximum results when listing MWAA environments.
" + "ListEnvironmentsInput$MaxResults": "The maximum number of results to retrieve per page. For example, 5
environments per page.
The Logging Configuration of your Amazon MWAA environment.
", + "base": "Defines the Apache Airflow logs to send to CloudWatch Logs: DagProcessingLogs
, SchedulerLogs
, TaskLogs
, WebserverLogs
, WorkerLogs
.
The Logging Configuration of the Amazon MWAA Environment.
" + "Environment$LoggingConfiguration": "The Apache Airflow logs being sent to CloudWatch Logs: DagProcessingLogs
, SchedulerLogs
, TaskLogs
, WebserverLogs
, WorkerLogs
.
The Logging Configuration of your Amazon MWAA environment.
", + "base": "Defines the Apache Airflow logs to send to CloudWatch Logs: DagProcessingLogs
, SchedulerLogs
, TaskLogs
, WebserverLogs
, WorkerLogs
.
The Apache Airflow logs you want to send to Amazon CloudWatch Logs.
", - "UpdateEnvironmentInput$LoggingConfiguration": "The Logging Configuration to update of your Amazon MWAA environment.
" + "CreateEnvironmentInput$LoggingConfiguration": "Defines the Apache Airflow logs to send to CloudWatch Logs: DagProcessingLogs
, SchedulerLogs
, TaskLogs
, WebserverLogs
, WorkerLogs
.
Defines the Apache Airflow logs to send to CloudWatch Logs: DagProcessingLogs
, SchedulerLogs
, TaskLogs
, WebserverLogs
, WorkerLogs
.
Defines that the logging module is enabled.
", - "ModuleLoggingConfigurationInput$Enabled": "Defines that the logging module is enabled.
" + "ModuleLoggingConfiguration$Enabled": "Indicates whether to enable the Apache Airflow log type (e.g. DagProcessingLogs
) in CloudWatch Logs.
Indicates whether to enable the Apache Airflow log type (e.g. DagProcessingLogs
) in CloudWatch Logs.
Defines the log level, which can be CRITICAL, ERROR, WARNING, or INFO.
", - "ModuleLoggingConfigurationInput$LogLevel": "Defines the log level, which can be CRITICAL, ERROR, WARNING, or INFO.
" + "ModuleLoggingConfiguration$LogLevel": "Defines the Apache Airflow logs to send for the log type (e.g. DagProcessingLogs
) to CloudWatch Logs. Valid values: CRITICAL
, ERROR
, WARNING
, INFO
.
Defines the Apache Airflow logs to send for the log type (e.g. DagProcessingLogs
) to CloudWatch Logs. Valid values: CRITICAL
, ERROR
, WARNING
, INFO
.
The maximum number of workers that you want to run in your environment. MWAA scales the number of Apache Airflow workers and the Fargate containers that run your tasks up to the number you specify in this field. When there are no more tasks running, and no more in the queue, MWAA disposes of the extra containers leaving the one worker that is included with your environment.
", - "Environment$MaxWorkers": "The maximum number of workers to run in your Amazon MWAA Environment.
", - "UpdateEnvironmentInput$MaxWorkers": "The maximum number of workers to update of your Amazon MWAA environment.
" + "CreateEnvironmentInput$MaxWorkers": "The maximum number of workers that you want to run in your environment. MWAA scales the number of Apache Airflow workers up to the number you specify in the MaxWorkers
field. For example, 20
. When there are no more tasks running, and no more in the queue, MWAA disposes of the extra workers leaving the one worker that is included with your environment, or the number you specify in MinWorkers
.
The maximum number of workers that run in your environment. For example, 20
.
The maximum number of workers that you want to run in your environment. MWAA scales the number of Apache Airflow workers up to the number you specify in the MaxWorkers
field. For example, 20
. When there are no more tasks running, and no more in the queue, MWAA disposes of the extra workers leaving the one worker that is included with your environment, or the number you specify in MinWorkers
.
The minimum number of workers that you want to run in your environment. MWAA scales the number of Apache Airflow workers and the Fargate containers that run your tasks up to the number you specify in the MaxWorkers
field. When there are no more tasks running, and no more in the queue, MWAA disposes of the extra containers leaving the worker count you specify in the MinWorkers
field.
The minimum number of workers to run in your Amazon MWAA Environment.
", - "UpdateEnvironmentInput$MinWorkers": "The minimum number of workers to update of your Amazon MWAA environment.
" + "CreateEnvironmentInput$MinWorkers": "The minimum number of workers that you want to run in your environment. MWAA scales the number of Apache Airflow workers up to the number you specify in the MaxWorkers
field. When there are no more tasks running, and no more in the queue, MWAA disposes of the extra workers leaving the worker count you specify in the MinWorkers
field. For example, 2
.
The minimum number of workers that run in your environment. For example, 2
.
The minimum number of workers that you want to run in your environment. MWAA scales the number of Apache Airflow workers up to the number you specify in the MaxWorkers
field. When there are no more tasks running, and no more in the queue, MWAA disposes of the extra workers leaving the worker count you specify in the MinWorkers
field. For example, 2
.
A JSON blob that provides configuration to use for logging with respect to the various Apache Airflow services: DagProcessingLogs, SchedulerLogs, TaskLogs, WebserverLogs, and WorkerLogs.
", + "base": "Defines the type of logs to send for the Apache Airflow log type (e.g. DagProcessingLogs
). Valid values: CloudWatchLogGroupArn
, Enabled
, LogLevel
.
A JSON blob that provides configuration to use for logging with respect to the various Apache Airflow services: DagProcessingLogs, SchedulerLogs, TaskLogs, WebserverLogs, and WorkerLogs.
", + "base": "Defines the type of logs to send for the Apache Airflow log type (e.g. DagProcessingLogs
). Valid values: CloudWatchLogGroupArn
, Enabled
, LogLevel
.
Provide the security group and subnet IDs for the workers and scheduler.
", + "base": "The VPC networking components used to secure and enable network traffic between the AWS resources for your environment. To learn more, see About networking on Amazon MWAA.
", "refs": { - "CreateEnvironmentInput$NetworkConfiguration": "The VPC networking components you want to use for your environment. At least two private subnet identifiers and one VPC security group identifier are required to create an environment. For more information, see Creating the VPC network for a MWAA environment.
", + "CreateEnvironmentInput$NetworkConfiguration": "The VPC networking components used to secure and enable network traffic between the AWS resources for your environment. To learn more, see About networking on Amazon MWAA.
", "Environment$NetworkConfiguration": null } }, "NextToken": { "base": null, "refs": { - "ListEnvironmentsInput$NextToken": "The Next Token when listing MWAA environments.
", - "ListEnvironmentsOutput$NextToken": "The Next Token when listing MWAA environments.
" + "ListEnvironmentsInput$NextToken": "Retrieves the next page of the results.
", + "ListEnvironmentsOutput$NextToken": "Retrieves the next page of the results.
" } }, "PublishMetricsInput": { @@ -364,15 +364,15 @@ "RelativePath": { "base": null, "refs": { - "CreateEnvironmentInput$DagS3Path": "The relative path to the DAG folder on your Amazon S3 storage bucket. For example, dags
. For more information, see Importing DAGs on Amazon MWAA.
The relative path to the plugins.zip
file on your Amazon S3 storage bucket. For example, plugins.zip
. If a relative path is provided in the request, then PluginsS3ObjectVersion
is required. For more information, see Importing DAGs on Amazon MWAA.
The relative path to the requirements.txt
file on your Amazon S3 storage bucket. For example, requirements.txt
. If a relative path is provided in the request, then RequirementsS3ObjectVersion
is required. For more information, see Importing DAGs on Amazon MWAA.
The Dags S3 Path of the Amazon MWAA Environment.
", - "Environment$PluginsS3Path": "The Plugins.zip S3 Path of the Amazon MWAA Environment.
", - "Environment$RequirementsS3Path": "The Requirement.txt S3 Path of the Amazon MWAA Environment.
", - "UpdateEnvironmentInput$DagS3Path": "The Dags folder S3 Path to update of your Amazon MWAA environment.
", - "UpdateEnvironmentInput$PluginsS3Path": "The Plugins.zip S3 Path to update of your Amazon MWAA environment.
", - "UpdateEnvironmentInput$RequirementsS3Path": "The Requirements.txt S3 Path to update of your Amazon MWAA environment.
" + "CreateEnvironmentInput$DagS3Path": "The relative path to the DAGs folder on your Amazon S3 bucket. For example, dags
. To learn more, see Adding or updating DAGs.
The relative path to the plugins.zip
file on your Amazon S3 bucket. For example, plugins.zip
. If specified, then the plugins.zip version is required. To learn more, see Installing custom plugins.
The relative path to the requirements.txt
file on your Amazon S3 bucket. For example, requirements.txt
. If specified, then a file version is required. To learn more, see Installing Python dependencies.
The relative path to the DAGs folder on your Amazon S3 bucket. For example, dags
. To learn more, see Adding or updating DAGs.
The relative path to the plugins.zip
file on your Amazon S3 bucket. For example, plugins.zip
. To learn more, see Installing custom plugins.
The relative path to the requirements.txt
file on your Amazon S3 bucket. For example, requirements.txt
. To learn more, see Installing Python dependencies.
The relative path to the DAGs folder on your Amazon S3 bucket. For example, dags
. To learn more, see Adding or updating DAGs.
The relative path to the plugins.zip
file on your Amazon S3 bucket. For example, plugins.zip
. If specified, then the plugins.zip version is required. To learn more, see Installing custom plugins.
The relative path to the requirements.txt
file on your Amazon S3 bucket. For example, requirements.txt
. If specified, then a file version is required. To learn more, see Installing Python dependencies.
The Amazon Resource Name (ARN) of your Amazon S3 storage bucket. For example, arn:aws:s3:::airflow-mybucketname
.
The Source S3 Bucket ARN of the Amazon MWAA Environment.
", - "UpdateEnvironmentInput$SourceBucketArn": "The S3 Source Bucket ARN to update of your Amazon MWAA environment.
" + "CreateEnvironmentInput$SourceBucketArn": "The Amazon Resource Name (ARN) of the Amazon S3 bucket where your DAG code and supporting files are stored. For example, arn:aws:s3:::my-airflow-bucket-unique-name
. To learn more, see Create an Amazon S3 bucket for Amazon MWAA.
The Amazon Resource Name (ARN) of the Amazon S3 bucket where your DAG code and supporting files are stored. For example, arn:aws:s3:::my-airflow-bucket-unique-name
. To learn more, see Create an Amazon S3 bucket for Amazon MWAA.
The Amazon Resource Name (ARN) of the Amazon S3 bucket where your DAG code and supporting files are stored. For example, arn:aws:s3:::my-airflow-bucket-unique-name
. To learn more, see Create an Amazon S3 bucket for Amazon MWAA.
The plugins.zip
file version you want to use.
The requirements.txt
file version you want to use.
The Plugins.zip S3 Object Version of the Amazon MWAA Environment.
", - "Environment$RequirementsS3ObjectVersion": "The Requirements.txt file S3 Object Version of the Amazon MWAA Environment.
", - "UpdateEnvironmentInput$PluginsS3ObjectVersion": "The Plugins.zip S3 Object Version to update of your Amazon MWAA environment.
", - "UpdateEnvironmentInput$RequirementsS3ObjectVersion": "The Requirements.txt S3 ObjectV ersion to update of your Amazon MWAA environment.
" + "CreateEnvironmentInput$PluginsS3ObjectVersion": "The version of the plugins.zip file on your Amazon S3 bucket. A version must be specified each time a plugins.zip file is updated. To learn more, see How S3 Versioning works.
", + "CreateEnvironmentInput$RequirementsS3ObjectVersion": "The version of the requirements.txt file on your Amazon S3 bucket. A version must be specified each time a requirements.txt file is updated. To learn more, see How S3 Versioning works.
", + "Environment$PluginsS3ObjectVersion": "The version of the plugins.zip file on your Amazon S3 bucket. To learn more, see Installing custom plugins.
", + "Environment$RequirementsS3ObjectVersion": "The version of the requirements.txt file on your Amazon S3 bucket. To learn more, see Installing Python dependencies.
", + "UpdateEnvironmentInput$PluginsS3ObjectVersion": "The version of the plugins.zip file on your Amazon S3 bucket. A version must be specified each time a plugins.zip file is updated. To learn more, see How S3 Versioning works.
", + "UpdateEnvironmentInput$RequirementsS3ObjectVersion": "The version of the requirements.txt file on your Amazon S3 bucket. A version must be specified each time a requirements.txt file is updated. To learn more, see How S3 Versioning works.
" + } + }, + "Schedulers": { + "base": null, + "refs": { + "CreateEnvironmentInput$Schedulers": "The number of Apache Airflow schedulers to run in your environment.
", + "Environment$Schedulers": "The number of Apache Airflow schedulers that run in your Amazon MWAA environment.
", + "UpdateEnvironmentInput$Schedulers": "The number of Apache Airflow schedulers to run in your Amazon MWAA environment.
" } }, "SecurityGroupId": { @@ -408,8 +416,8 @@ "SecurityGroupList": { "base": null, "refs": { - "NetworkConfiguration$SecurityGroupIds": "A JSON list of 1 or more security groups IDs by name, in the same VPC as the subnets.
", - "UpdateNetworkConfigurationInput$SecurityGroupIds": "Provide a JSON list of 1 or more security groups IDs by name, in the same VPC as the subnets.
" + "NetworkConfiguration$SecurityGroupIds": "A list of 1 or more security group IDs. Accepts up to 5 security group IDs. A security group must be attached to the same VPC as the subnets. To learn more, see Security in your VPC on Amazon MWAA.
", + "UpdateNetworkConfigurationInput$SecurityGroupIds": "A list of 1 or more security group IDs. Accepts up to 5 security group IDs. A security group must be attached to the same VPC as the subnets. To learn more, see Security in your VPC on Amazon MWAA.
" } }, "StatisticSet": { @@ -439,7 +447,7 @@ "SubnetList": { "base": null, "refs": { - "NetworkConfiguration$SubnetIds": "Provide a JSON list of 2 subnet IDs by name. These must be private subnets, in the same VPC, in two different availability zones.
" + "NetworkConfiguration$SubnetIds": "A list of 2 subnet IDs. Required to create an environment. Must be private subnets in two different availability zones. A subnet must be attached to the same VPC as the security group.
" } }, "SyntheticCreateCliTokenResponseToken": { @@ -451,7 +459,7 @@ "SyntheticCreateEnvironmentInputAirflowConfigurationOptions": { "base": null, "refs": { - "CreateEnvironmentInput$AirflowConfigurationOptions": "The Apache Airflow configuration setting you want to override in your environment. For more information, see Environment configuration.
" + "CreateEnvironmentInput$AirflowConfigurationOptions": "A list of key-value pairs containing the Apache Airflow configuration options you want to attach to your environment. To learn more, see Apache Airflow configuration options.
" } }, "SyntheticCreateWebLoginTokenResponseToken": { @@ -463,7 +471,7 @@ "SyntheticUpdateEnvironmentInputAirflowConfigurationOptions": { "base": null, "refs": { - "UpdateEnvironmentInput$AirflowConfigurationOptions": "The Airflow Configuration Options to update of your Amazon MWAA environment.
" + "UpdateEnvironmentInput$AirflowConfigurationOptions": "A list of key-value pairs containing the Apache Airflow configuration options you want to attach to your environment. To learn more, see Apache Airflow configuration options.
" } }, "TagKey": { @@ -476,16 +484,16 @@ "TagKeyList": { "base": null, "refs": { - "UntagResourceInput$tagKeys": "The tag resource key of the MWAA environments.
" + "UntagResourceInput$tagKeys": "The key-value tag pair you want to remove. For example, \"Environment\": \"Staging\"
.
The metadata tags you want to attach to your environment. For more information, see Tagging AWS resources.
", - "Environment$Tags": "The Tags of the Amazon MWAA Environment.
", - "ListTagsForResourceOutput$Tags": "The tags of the MWAA environments.
", - "TagResourceInput$Tags": "The tag resource tag of the MWAA environments.
" + "CreateEnvironmentInput$Tags": "The key-value tag pairs you want to associate to your environment. For example, \"Environment\": \"Staging\"
. To learn more, see Tagging AWS resources.
The key-value tag pairs associated to your environment. For example, \"Environment\": \"Staging\"
. To learn more, see Tagging AWS resources.
The key-value tag pairs associated to your environment. To learn more, see Tagging AWS resources.
", + "TagResourceInput$Tags": "The key-value tag pairs you want to associate to your environment. For example, \"Environment\": \"Staging\"
. To learn more, see Tagging AWS resources.
Time that last update occurred.
" + "LastUpdate$CreatedAt": "The day and time of the last update on the environment.
" } }, "UpdateEnvironmentInput": { @@ -543,21 +551,21 @@ } }, "UpdateError": { - "base": "Error information of update, if applicable.
", + "base": "An object containing the error encountered with the last update: ErrorCode
, ErrorMessage
.
Error string of last update, if applicable.
" + "LastUpdate$Error": "The error that was encountered during the last update of the environment.
" } }, "UpdateNetworkConfigurationInput": { - "base": "Provide the security group and subnet IDs for the workers and scheduler.
", + "base": "The VPC networking components used to secure and enable network traffic between the AWS resources for your environment. To learn more, see About networking on Amazon MWAA.
", "refs": { - "UpdateEnvironmentInput$NetworkConfiguration": "The Network Configuration to update of your Amazon MWAA environment.
" + "UpdateEnvironmentInput$NetworkConfiguration": "The VPC networking components used to secure and enable network traffic between the AWS resources for your environment. To learn more, see About networking on Amazon MWAA.
" } }, "UpdateStatus": { "base": null, "refs": { - "LastUpdate$Status": "Status of last update of SUCCESS, FAILED, CREATING, DELETING.
" + "LastUpdate$Status": "The status of the last update on the environment. Valid values: SUCCESS
, PENDING
, FAILED
.
The networking access of your Apache Airflow web server. A public network allows your Airflow UI to be accessed over the Internet by users granted access in your IAM policy. A private network limits access of your Airflow UI to users within your VPC. For more information, see Creating the VPC network for a MWAA environment.
", - "Environment$WebserverAccessMode": "The Webserver Access Mode of the Amazon MWAA Environment (public or private only).
", - "UpdateEnvironmentInput$WebserverAccessMode": "The Webserver Access Mode to update of your Amazon MWAA environment.
" + "CreateEnvironmentInput$WebserverAccessMode": "The Apache Airflow Web server access mode. To learn more, see Apache Airflow access modes.
", + "Environment$WebserverAccessMode": "The Apache Airflow Web server access mode. To learn more, see Apache Airflow access modes.
", + "UpdateEnvironmentInput$WebserverAccessMode": "The Apache Airflow Web server access mode. To learn more, see Apache Airflow access modes.
" } }, "WebserverUrl": { "base": null, "refs": { - "Environment$WebserverUrl": "The Webserver URL of the Amazon MWAA Environment.
" + "Environment$WebserverUrl": "The Apache Airflow Web server host name for the Amazon MWAA environment. To learn more, see Accessing the Apache Airflow UI.
" } }, "WeeklyMaintenanceWindowStart": { "base": null, "refs": { - "CreateEnvironmentInput$WeeklyMaintenanceWindowStart": "The day and time you want MWAA to start weekly maintenance updates on your environment.
", - "Environment$WeeklyMaintenanceWindowStart": "The Weekly Maintenance Window Start of the Amazon MWAA Environment.
", - "UpdateEnvironmentInput$WeeklyMaintenanceWindowStart": "The Weekly Maintenance Window Start to update of your Amazon MWAA environment.
" + "CreateEnvironmentInput$WeeklyMaintenanceWindowStart": "The day and time of the week to start weekly maintenance updates of your environment in the following format: DAY:HH:MM
. For example: TUE:03:30
. You can specify a start time in 30 minute increments only. Supported input includes the following:
MON|TUE|WED|THU|FRI|SAT|SUN:([01]\\\\d|2[0-3]):(00|30)
The day and time of the week that weekly maintenance updates are scheduled. For example: TUE:03:30
.
The day and time of the week to start weekly maintenance updates of your environment in the following format: DAY:HH:MM
. For example: TUE:03:30
. You can specify a start time in 30 minute increments only. Supported input includes the following:
MON|TUE|WED|THU|FRI|SAT|SUN:([01]\\\\d|2[0-3]):(00|30)
Updating or deleting this resource can cause an inconsistent state.
", + "refs": { + } + }, "CreateOutpostInput": { "base": null, "refs": { @@ -81,6 +86,7 @@ "base": null, "refs": { "AccessDeniedException$Message": null, + "ConflictException$Message": null, "InternalServerException$Message": null, "NotFoundException$Message": null, "ServiceQuotaExceededException$Message": null, @@ -224,6 +230,12 @@ "Outpost$OwnerId": null } }, + "ResourceType": { + "base": null, + "refs": { + "ConflictException$ResourceType": "The type of the resource causing the conflict.
" + } + }, "ServiceQuotaExceededException": { "base": "You have exceeded a service quota.
", "refs": { @@ -235,6 +247,13 @@ "siteListDefinition$member": null } }, + "SiteArn": { + "base": "The Amazon Resource Name (ARN) of the site.
", + "refs": { + "Outpost$SiteArn": null, + "Site$SiteArn": null + } + }, "SiteDescription": { "base": "The description of the site.
", "refs": { @@ -256,6 +275,12 @@ "Site$Name": null } }, + "String": { + "base": null, + "refs": { + "ConflictException$ResourceId": "The ID of the resource causing the conflict.
" + } + }, "TagKey": { "base": null, "refs": { diff --git a/models/apis/qldb/2019-01-02/api-2.json b/models/apis/qldb/2019-01-02/api-2.json index 0dabb32f7c4..ba98fbbb9d0 100644 --- a/models/apis/qldb/2019-01-02/api-2.json +++ b/models/apis/qldb/2019-01-02/api-2.json @@ -256,6 +256,19 @@ {"shape":"InvalidParameterException"}, {"shape":"ResourceNotFoundException"} ] + }, + "UpdateLedgerPermissionsMode":{ + "name":"UpdateLedgerPermissionsMode", + "http":{ + "method":"PATCH", + "requestUri":"/ledgers/{name}/permissions-mode" + }, + "input":{"shape":"UpdateLedgerPermissionsModeRequest"}, + "output":{"shape":"UpdateLedgerPermissionsModeResponse"}, + "errors":[ + {"shape":"InvalidParameterException"}, + {"shape":"ResourceNotFoundException"} + ] } }, "shapes":{ @@ -310,6 +323,7 @@ "Arn":{"shape":"Arn"}, "State":{"shape":"LedgerState"}, "CreationDateTime":{"shape":"Timestamp"}, + "PermissionsMode":{"shape":"PermissionsMode"}, "DeletionProtection":{"shape":"DeletionProtection"} } }, @@ -394,6 +408,7 @@ "Arn":{"shape":"Arn"}, "State":{"shape":"LedgerState"}, "CreationDateTime":{"shape":"Timestamp"}, + "PermissionsMode":{"shape":"PermissionsMode"}, "DeletionProtection":{"shape":"DeletionProtection"} } }, @@ -763,7 +778,10 @@ "ParameterName":{"type":"string"}, "PermissionsMode":{ "type":"string", - "enum":["ALLOW_ALL"] + "enum":[ + "ALLOW_ALL", + "STANDARD" + ] }, "ResourceAlreadyExistsException":{ "type":"structure", @@ -966,6 +984,29 @@ "members":{ } }, + "UpdateLedgerPermissionsModeRequest":{ + "type":"structure", + "required":[ + "Name", + "PermissionsMode" + ], + "members":{ + "Name":{ + "shape":"LedgerName", + "location":"uri", + "locationName":"name" + }, + "PermissionsMode":{"shape":"PermissionsMode"} + } + }, + "UpdateLedgerPermissionsModeResponse":{ + "type":"structure", + "members":{ + "Name":{"shape":"LedgerName"}, + "Arn":{"shape":"Arn"}, + "PermissionsMode":{"shape":"PermissionsMode"} + } + }, "UpdateLedgerRequest":{ "type":"structure", "required":["Name"], 
diff --git a/models/apis/qldb/2019-01-02/docs-2.json b/models/apis/qldb/2019-01-02/docs-2.json index 7382ef152ac..4acf6f91747 100644 --- a/models/apis/qldb/2019-01-02/docs-2.json +++ b/models/apis/qldb/2019-01-02/docs-2.json @@ -20,7 +20,8 @@ "StreamJournalToKinesis": "Creates a journal stream for a given Amazon QLDB ledger. The stream captures every document revision that is committed to the ledger's journal and delivers the data to a specified Amazon Kinesis Data Streams resource.
", "TagResource": "Adds one or more tags to a specified Amazon QLDB resource.
A resource can have up to 50 tags. If you try to create more than 50 tags for a resource, your request fails and returns an error.
", "UntagResource": "Removes one or more tags from a specified Amazon QLDB resource. You can specify up to 50 tag keys to remove.
", - "UpdateLedger": "Updates properties on a ledger.
" + "UpdateLedger": "Updates properties on a ledger.
", + "UpdateLedgerPermissionsMode": "Updates the permissions mode of a ledger.
" }, "shapes": { "Arn": { @@ -38,6 +39,7 @@ "StreamJournalToKinesisRequest$RoleArn": "The Amazon Resource Name (ARN) of the IAM role that grants QLDB permissions for a journal stream to write data records to a Kinesis Data Streams resource.
", "TagResourceRequest$ResourceArn": "The Amazon Resource Name (ARN) to which you want to add the tags. For example:
arn:aws:qldb:us-east-1:123456789012:ledger/exampleLedger
The Amazon Resource Name (ARN) from which you want to remove the tags. For example:
arn:aws:qldb:us-east-1:123456789012:ledger/exampleLedger
The Amazon Resource Name (ARN) for the ledger.
", "UpdateLedgerResponse$Arn": "The Amazon Resource Name (ARN) for the ledger.
" } }, @@ -253,6 +255,8 @@ "ListJournalKinesisStreamsForLedgerRequest$LedgerName": "The name of the ledger.
", "ListJournalS3ExportsForLedgerRequest$Name": "The name of the ledger.
", "StreamJournalToKinesisRequest$LedgerName": "The name of the ledger.
", + "UpdateLedgerPermissionsModeRequest$Name": "The name of the ledger.
", + "UpdateLedgerPermissionsModeResponse$Name": "The name of the ledger.
", "UpdateLedgerRequest$Name": "The name of the ledger.
", "UpdateLedgerResponse$Name": "The name of the ledger.
" } @@ -358,7 +362,11 @@ "PermissionsMode": { "base": null, "refs": { - "CreateLedgerRequest$PermissionsMode": "The permissions mode to assign to the ledger that you want to create.
" + "CreateLedgerRequest$PermissionsMode": "The permissions mode to assign to the ledger that you want to create. This parameter can have one of the following values:
ALLOW_ALL
: A legacy permissions mode that enables access control with API-level granularity for ledgers.
This mode allows users who have SendCommand
permissions for this ledger to run all PartiQL commands (hence, ALLOW_ALL
) on any tables in the specified ledger. This mode disregards any table-level or command-level IAM permissions policies that you create for the ledger.
STANDARD
: (Recommended) A permissions mode that enables access control with finer granularity for ledgers, tables, and PartiQL commands.
By default, this mode denies all user requests to run any PartiQL commands on any tables in this ledger. To allow PartiQL commands to run, you must create IAM permissions policies for specific table resources and PartiQL actions, in addition to SendCommand
API permissions for the ledger.
We strongly recommend using the STANDARD
permissions mode to maximize the security of your ledger data.
The permissions mode of the ledger that you created.
", + "DescribeLedgerResponse$PermissionsMode": "The permissions mode of the ledger.
", + "UpdateLedgerPermissionsModeRequest$PermissionsMode": "The permissions mode to assign to the ledger. This parameter can have one of the following values:
ALLOW_ALL
: A legacy permissions mode that enables access control with API-level granularity for ledgers.
This mode allows users who have SendCommand
permissions for this ledger to run all PartiQL commands (hence, ALLOW_ALL
) on any tables in the specified ledger. This mode disregards any table-level or command-level IAM permissions policies that you create for the ledger.
STANDARD
: (Recommended) A permissions mode that enables access control with finer granularity for ledgers, tables, and PartiQL commands.
By default, this mode denies all user requests to run any PartiQL commands on any tables in this ledger. To allow PartiQL commands to run, you must create IAM permissions policies for specific table resources and PartiQL actions, in addition to SendCommand
API permissions for the ledger.
We strongly recommend using the STANDARD
permissions mode to maximize the security of your ledger data.
The current permissions mode of the ledger.
" } }, "ResourceAlreadyExistsException": { @@ -535,6 +543,16 @@ "refs": { } }, + "UpdateLedgerPermissionsModeRequest": { + "base": null, + "refs": { + } + }, + "UpdateLedgerPermissionsModeResponse": { + "base": null, + "refs": { + } + }, "UpdateLedgerRequest": { "base": null, "refs": { diff --git a/models/endpoints/endpoints.json b/models/endpoints/endpoints.json index b79919478be..9a30fd17d2f 100644 --- a/models/endpoints/endpoints.json +++ b/models/endpoints/endpoints.json @@ -5977,6 +5977,24 @@ "ap-southeast-2" : { }, "eu-central-1" : { }, "eu-west-1" : { }, + "fips-us-east-1" : { + "credentialScope" : { + "region" : "us-east-1" + }, + "hostname" : "session.qldb-fips.us-east-1.amazonaws.com" + }, + "fips-us-east-2" : { + "credentialScope" : { + "region" : "us-east-2" + }, + "hostname" : "session.qldb-fips.us-east-2.amazonaws.com" + }, + "fips-us-west-2" : { + "credentialScope" : { + "region" : "us-west-2" + }, + "hostname" : "session.qldb-fips.us-west-2.amazonaws.com" + }, "us-east-1" : { }, "us-east-2" : { }, "us-west-2" : { } diff --git a/service/acmpca/api.go b/service/acmpca/api.go index 587bae29458..f7841b3a6a2 100644 --- a/service/acmpca/api.go +++ b/service/acmpca/api.go 
@@ -3571,11 +3571,11 @@ type CreateCertificateAuthorityInput struct { // // Default: FIPS_140_2_LEVEL_3_OR_HIGHER // - // Note: AWS Region ap-northeast-3 supports only FIPS_140_2_LEVEL_2_OR_HIGHER. - // You must explicitly specify this parameter and value when creating a CA in - // that Region. Specifying a different value (or no value) results in an InvalidArgsException - // with the message "A certificate authority cannot be created in this region - // with the specified security standard." + // Note: FIPS_140_2_LEVEL_3_OR_HIGHER is not supported in Region ap-northeast-3. + // When creating a CA in the ap-northeast-3, you must provide FIPS_140_2_LEVEL_2_OR_HIGHER + // as the argument for KeyStorageSecurityStandard. Failure to do this results + // in an InvalidArgsException with the message, "A certificate authority cannot + // be created in this region with the specified security standard." KeyStorageSecurityStandard *string `type:"string" enum:"KeyStorageSecurityStandard"` // Contains a Boolean value that you can use to enable a certification revocation 
@@ -3888,9 +3888,26 @@ type CrlConfiguration struct { // for the CustomCname argument, the name of your S3 bucket is placed into the // CRL Distribution Points extension of the issued certificate. You can change // the name of your bucket by calling the UpdateCertificateAuthority (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html) - // action. You must specify a bucket policy that allows ACM Private CA to write - // the CRL to your bucket. + // action. You must specify a bucket policy (https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#s3-policies) + // that allows ACM Private CA to write the CRL to your bucket. S3BucketName *string `min:"3" type:"string"` + + // Determines whether the CRL will be publicly readable or privately held in + // the CRL Amazon S3 bucket. If you choose PUBLIC_READ, the CRL will be accessible + // over the public internet. If you choose BUCKET_OWNER_FULL_CONTROL, only the + // owner of the CRL S3 bucket can access the CRL, and your PKI clients may need + // an alternative method of access. + // + // If no value is specified, the default is PUBLIC_READ. + // + // Note: This default can cause CA creation to fail in some circumstances. If + // you have have enabled the Block Public Access (BPA) feature in your S3 account, + // then you must specify the value of this parameter as BUCKET_OWNER_FULL_CONTROL, + // and not doing so results in an error. If you have disabled BPA in S3, then + // you can specify either BUCKET_OWNER_FULL_CONTROL or PUBLIC_READ as the value. + // + // For more information, see Blocking public access to the S3 bucket (https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#s3-bpa). + S3ObjectAcl *string `type:"string" enum:"S3ObjectAcl"` } // String returns the string representation 
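Review bot: The new S3ObjectAcl comment in CrlConfiguration has a doubled word, `If you have have enabled the Block Public Access (BPA) feature`, which should read `If you have enabled the Block Public Access (BPA) feature`. This comment is where a caller learns that a nil S3ObjectAcl means PUBLIC_READ, a CRL readable over the public internet, so I would also move `If no value is specified, the default is PUBLIC_READ.` to the first line of the comment. The wording presumably comes from the acm-pca model docs changed in this same commit, so the correction likely belongs there before regeneration. The CrlConfiguration struct starts above this hunk.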
@@ -3946,6 +3963,12 @@ func (s *CrlConfiguration) SetS3BucketName(v string) *CrlConfiguration { return s } +// SetS3ObjectAcl sets the S3ObjectAcl field's value. +func (s *CrlConfiguration) SetS3ObjectAcl(v string) *CrlConfiguration { + s.S3ObjectAcl = &v + return s +} + // Describes the certificate extensions to be added to the certificate signing // request (CSR). type CsrExtensions struct { @@ -8013,6 +8036,22 @@ func RevocationReason_Values() []string { } } +const ( + // S3ObjectAclPublicRead is a S3ObjectAcl enum value + S3ObjectAclPublicRead = "PUBLIC_READ" + + // S3ObjectAclBucketOwnerFullControl is a S3ObjectAcl enum value + S3ObjectAclBucketOwnerFullControl = "BUCKET_OWNER_FULL_CONTROL" +) + +// S3ObjectAcl_Values returns all elements of the S3ObjectAcl enum +func S3ObjectAcl_Values() []string { + return []string{ + S3ObjectAclPublicRead, + S3ObjectAclBucketOwnerFullControl, + } +} + const ( // SigningAlgorithmSha256withecdsa is a SigningAlgorithm enum value SigningAlgorithmSha256withecdsa = "SHA256WITHECDSA" diff --git a/service/cloudfront/api.go b/service/cloudfront/api.go index 045a8ddbd60..a88341c3863 100644 --- a/service/cloudfront/api.go +++ b/service/cloudfront/api.go @@ -19869,8 +19869,8 @@ type OriginAccessIdentityConfig struct { // CallerReference is a required field CallerReference *string `type:"string" required:"true"` - // An optional comment to describe the origin access identity. The comment cannot - // be longer than 128 characters. + // A comment to describe the origin access identity. The comment cannot be longer + // than 128 characters. // // Comment is a required field Comment *string `type:"string" required:"true"` diff --git a/service/ec2/api.go b/service/ec2/api.go index 8550cffea5e..72a783d1dcb 100644 --- a/service/ec2/api.go +++ b/service/ec2/api.go 
@@ -2356,29 +2356,29 @@ func (c *EC2) AuthorizeSecurityGroupEgressRequest(input *AuthorizeSecurityGroupE output = &AuthorizeSecurityGroupEgressOutput{} req = c.newRequest(op, input, output) - req.Handlers.Unmarshal.Swap(ec2query.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) return } // AuthorizeSecurityGroupEgress API operation for Amazon Elastic Compute Cloud. // -// [VPC only] Adds the specified egress rules to a security group for use with -// a VPC. +// [VPC only] Adds the specified outbound (egress) rules to a security group +// for use with a VPC. // // An outbound rule permits instances to send traffic to the specified IPv4 -// or IPv6 CIDR address ranges, or to the instances associated with the specified -// destination security groups. +// or IPv6 CIDR address ranges, or to the instances that are associated with +// the specified destination security groups. // // You specify a protocol for each rule (for example, TCP). For the TCP and // UDP protocols, you must also specify the destination port or port range. // For the ICMP protocol, you must also specify the ICMP type and code. You // can use -1 for the type or code to mean all types or all codes. // +// You can optionally add a tag to the security group rule. +// // Rule changes are propagated to affected instances as quickly as possible. // However, a small delay might occur. // -// For more information about VPC security group limits, see Amazon VPC Limits -// (https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html). +// For information about VPC security group quotas, see Amazon VPC Limits (https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html). // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about 
@@ -2447,28 +2447,28 @@ func (c *EC2) AuthorizeSecurityGroupIngressRequest(input *AuthorizeSecurityGroup output = &AuthorizeSecurityGroupIngressOutput{} req = c.newRequest(op, input, output) - req.Handlers.Unmarshal.Swap(ec2query.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) return } // AuthorizeSecurityGroupIngress API operation for Amazon Elastic Compute Cloud. // -// Adds the specified ingress rules to a security group. +// Adds the specified inbound (ingress) rules to a security group. // // An inbound rule permits instances to receive traffic from the specified IPv4 -// or IPv6 CIDR address ranges, or from the instances associated with the specified -// destination security groups. +// or IPv6 CIDR address ranges, or from the instances that are associated with +// the specified destination security groups. // // You specify a protocol for each rule (for example, TCP). For TCP and UDP, // you must also specify the destination port or port range. For ICMP/ICMPv6, // you must also specify the ICMP/ICMPv6 type and code. You can use -1 to mean // all types or all codes. // +// [VPC Only] You can optionally add a tag to the security group rule. +// // Rule changes are propagated to instances within the security group as quickly // as possible. However, a small delay might occur. // -// For more information about VPC security group limits, see Amazon VPC Limits -// (https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html). +// For information about VPC security group quotas, see Amazon VPC Limits (https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html). // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about 
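Review bot: The reworded AuthorizeSecurityGroupIngress comment still says inbound traffic is received `from the instances that are associated with the specified destination security groups`; for an inbound rule the referenced groups are the source, so it should read `the specified source security groups`. The egress comment in the preceding hunk uses "destination" correctly, and the ingress input struct later in this diff names the field SourceSecurityGroupOwnerId, which the prose should match. A reader who takes the direction from this sentence could misjudge which side of the rule a group reference opens. The doc comment and the function it describes continue outside the hunk.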
@@ -22869,6 +22869,138 @@ func (c *EC2) DescribeSecurityGroupReferencesWithContext(ctx aws.Context, input return out, req.Send() } +const opDescribeSecurityGroupRules = "DescribeSecurityGroupRules" + +// DescribeSecurityGroupRulesRequest generates a "aws/request.Request" representing the +// client's request for the DescribeSecurityGroupRules operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DescribeSecurityGroupRules for more information on using the DescribeSecurityGroupRules +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DescribeSecurityGroupRulesRequest method. +// req, resp := client.DescribeSecurityGroupRulesRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeSecurityGroupRules +func (c *EC2) DescribeSecurityGroupRulesRequest(input *DescribeSecurityGroupRulesInput) (req *request.Request, output *DescribeSecurityGroupRulesOutput) { + op := &request.Operation{ + Name: opDescribeSecurityGroupRules, + HTTPMethod: "POST", + HTTPPath: "/", + Paginator: &request.Paginator{ + InputTokens: []string{"NextToken"}, + OutputTokens: []string{"NextToken"}, + LimitToken: "MaxResults", + TruncationToken: "", + }, + } + + if input == nil { + input = &DescribeSecurityGroupRulesInput{} + } + + output = &DescribeSecurityGroupRulesOutput{} + req = c.newRequest(op, input, output) + return +} + +// DescribeSecurityGroupRules API operation for Amazon Elastic Compute Cloud. 
+// +// Describes one or more of your security group rules. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation DescribeSecurityGroupRules for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeSecurityGroupRules +func (c *EC2) DescribeSecurityGroupRules(input *DescribeSecurityGroupRulesInput) (*DescribeSecurityGroupRulesOutput, error) { + req, out := c.DescribeSecurityGroupRulesRequest(input) + return out, req.Send() +} + +// DescribeSecurityGroupRulesWithContext is the same as DescribeSecurityGroupRules with the addition of +// the ability to pass a context and additional request options. +// +// See DescribeSecurityGroupRules for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DescribeSecurityGroupRulesWithContext(ctx aws.Context, input *DescribeSecurityGroupRulesInput, opts ...request.Option) (*DescribeSecurityGroupRulesOutput, error) { + req, out := c.DescribeSecurityGroupRulesRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// DescribeSecurityGroupRulesPages iterates over the pages of a DescribeSecurityGroupRules operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See DescribeSecurityGroupRules method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. 
+// +// // Example iterating over at most 3 pages of a DescribeSecurityGroupRules operation. +// pageNum := 0 +// err := client.DescribeSecurityGroupRulesPages(params, +// func(page *ec2.DescribeSecurityGroupRulesOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *EC2) DescribeSecurityGroupRulesPages(input *DescribeSecurityGroupRulesInput, fn func(*DescribeSecurityGroupRulesOutput, bool) bool) error { + return c.DescribeSecurityGroupRulesPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// DescribeSecurityGroupRulesPagesWithContext same as DescribeSecurityGroupRulesPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DescribeSecurityGroupRulesPagesWithContext(ctx aws.Context, input *DescribeSecurityGroupRulesInput, fn func(*DescribeSecurityGroupRulesOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *DescribeSecurityGroupRulesInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.DescribeSecurityGroupRulesRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + for p.Next() { + if !fn(p.Page().(*DescribeSecurityGroupRulesOutput), !p.HasNextPage()) { + break + } + } + + return p.Err() +} + const opDescribeSecurityGroups = "DescribeSecurityGroups" // DescribeSecurityGroupsRequest generates a "aws/request.Request" representing the 
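Review bot: The example in the DescribeSecurityGroupRulesPages comment is labelled `at most 3 pages`, but the callback increments pageNum before evaluating `return pageNum <= 3`, so it still returns true on the third page and fn is called on a fourth page before iteration stops. `return pageNum < 3` matches the label. The snippet looks like shared template text, so the fix probably belongs in the generator rather than in this file. It matters because anyone copying the example to bound an enumeration of security group rules will issue one more request than the comment states.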
@@ -35134,6 +35266,80 @@ func (c *EC2) ModifyReservedInstancesWithContext(ctx aws.Context, input *ModifyR return out, req.Send() } +const opModifySecurityGroupRules = "ModifySecurityGroupRules" + +// ModifySecurityGroupRulesRequest generates a "aws/request.Request" representing the +// client's request for the ModifySecurityGroupRules operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ModifySecurityGroupRules for more information on using the ModifySecurityGroupRules +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ModifySecurityGroupRulesRequest method. +// req, resp := client.ModifySecurityGroupRulesRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifySecurityGroupRules +func (c *EC2) ModifySecurityGroupRulesRequest(input *ModifySecurityGroupRulesInput) (req *request.Request, output *ModifySecurityGroupRulesOutput) { + op := &request.Operation{ + Name: opModifySecurityGroupRules, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ModifySecurityGroupRulesInput{} + } + + output = &ModifySecurityGroupRulesOutput{} + req = c.newRequest(op, input, output) + return +} + +// ModifySecurityGroupRules API operation for Amazon Elastic Compute Cloud. +// +// Modifies the rules of a security group. +// +// Returns awserr.Error for service API and SDK errors. 
Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation ModifySecurityGroupRules for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifySecurityGroupRules +func (c *EC2) ModifySecurityGroupRules(input *ModifySecurityGroupRulesInput) (*ModifySecurityGroupRulesOutput, error) { + req, out := c.ModifySecurityGroupRulesRequest(input) + return out, req.Send() +} + +// ModifySecurityGroupRulesWithContext is the same as ModifySecurityGroupRules with the addition of +// the ability to pass a context and additional request options. +// +// See ModifySecurityGroupRules for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) ModifySecurityGroupRulesWithContext(ctx aws.Context, input *ModifySecurityGroupRulesInput, opts ...request.Option) (*ModifySecurityGroupRulesOutput, error) { + req, out := c.ModifySecurityGroupRulesRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opModifySnapshotAttribute = "ModifySnapshotAttribute" // ModifySnapshotAttributeRequest generates a "aws/request.Request" representing the 
@@ -40009,23 +40215,26 @@ func (c *EC2) RevokeSecurityGroupEgressRequest(input *RevokeSecurityGroupEgressI // RevokeSecurityGroupEgress API operation for Amazon Elastic Compute Cloud. // -// [VPC only] Removes the specified egress rules from a security group for EC2-VPC. -// This action does not apply to security groups for use in EC2-Classic. To -// remove a rule, the values that you specify (for example, ports) must match -// the existing rule's values exactly. +// Removes the specified egress (outbound) rules from a security group for EC2-VPC. +// This action does not apply to security groups for use in EC2-Classic. // -// [Default VPC] If the values you specify do not match the existing rule's -// values, no error is returned, and the output describes the security group -// rules that were not revoked. +// You can specify the rules that you want to remove by using one of the following +// methods: // -// AWS recommends that you use DescribeSecurityGroups to verify that the rule -// has been removed. +// * The security group rule IDs. // -// Each rule consists of the protocol and the IPv4 or IPv6 CIDR range or source -// security group. For the TCP and UDP protocols, you must also specify the -// destination port or range of ports. For the ICMP protocol, you must also -// specify the ICMP type and code. If the security group rule has a description, -// you do not have to specify the description to revoke the rule. +// * The security group rule properties. Each rule consists of the protocol, +// from port, to port, and the IPv4 or IPv6 CIDR range or referenced security +// group or prefix list id. For the TCP and UDP protocols, you must also +// specify the destination port or range of ports. For the ICMP protocol, +// you must also specify the ICMP type and code. If the security group rule +// has a description, you do not have to specify the description to revoke +// the rule. 
To remove a rule, the values that you specify (for example, +// ports) must match the existing rule's values exactly. [Default VPC] If +// the values you specify do not match the existing rule's values, no error +// is returned, and the output describes the security group rules that were +// not revoked. AWS recommends that you use DescribeSecurityGroups to verify +// that the rule has been removed. // // Rule changes are propagated to instances within the security group as quickly // as possible. However, a small delay might occur. 
@@ -40106,18 +40315,30 @@ func (c *EC2) RevokeSecurityGroupIngressRequest(input *RevokeSecurityGroupIngres // the values that you specify (for example, ports) must match the existing // rule's values exactly. // -// [EC2-Classic , default VPC] If the values you specify do not match the existing +// [EC2-Classic, default VPC] If the values you specify do not match the existing // rule's values, no error is returned, and the output describes the security // group rules that were not revoked. // // AWS recommends that you use DescribeSecurityGroups to verify that the rule // has been removed. // -// Each rule consists of the protocol and the CIDR range or source security -// group. For the TCP and UDP protocols, you must also specify the destination -// port or range of ports. For the ICMP protocol, you must also specify the -// ICMP type and code. If the security group rule has a description, you do -// not have to specify the description to revoke the rule. +// You can specify the rules that you want to remove by using one of the following +// methods: +// +// * [VPC only] The security group rule IDs. +// +// * The security group rule properties. Each rule consists of the protocol, +// from port, to port, and the IPv4 or IPv6 CIDR range or referenced security +// group or prefix list id. For the TCP and UDP protocols, you must also +// specify the destination port or range of ports. For the ICMP protocol, +// you must also specify the ICMP type and code. If the security group rule +// has a description, you do not have to specify the description to revoke +// the rule. To remove a rule, the values that you specify (for example, +// ports) must match the existing rule's values exactly. [Default VPC] If +// the values you specify do not match the existing rule's values, no error +// is returned, and the output describes the security group rules that were +// not revoked. AWS recommends that you use DescribeSecurityGroups to verify +// that the rule has been removed. 
// // Rule changes are propagated to instances within the security group as quickly // as possible. However, a small delay might occur. @@ -41609,8 +41830,14 @@ func (c *EC2) UpdateSecurityGroupRuleDescriptionsEgressRequest(input *UpdateSecu // rule. You can replace an existing description, or add a description to a // rule that did not have one previously. // -// You specify the description as part of the IP permissions structure. You -// can remove a description for a security group rule by omitting the description +// You can specify the rule that you want to update by using one of the following +// methods: +// +// * The security group rule descriptions. +// +// * The IP permissions structure. +// +// You can remove a description for a security group rule by omitting the description // parameter in the request. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -41689,8 +41916,14 @@ func (c *EC2) UpdateSecurityGroupRuleDescriptionsIngressRequest(input *UpdateSec // can replace an existing description, or add a description to a rule that // did not have one previously. // -// You specify the description as part of the IP permissions structure. You -// can remove a description for a security group rule by omitting the description +// You can specify the rule that you want to update by using one of the following +// methods: +// +// * [VPC only] The security group rule descriptions. +// +// * The IP permissions structure. +// +// You can remove a description for a security group rule by omitting the description // parameter in the request. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions 
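Review bot: After this change the RevokeSecurityGroupIngress comment describes the no-error-on-mismatch behaviour twice, with different scope: the retained paragraph is tagged `[EC2-Classic, default VPC]`, while the added bullet repeats the same sentences tagged `[Default VPC]`. A revoke that matches nothing returns no error, so callers depend on this text to know when they must confirm that a rule is actually gone, and it should be stated once with a single scope. I would drop the repeated sentences from the bullet, from `To remove a rule, the values that you specify` onward, and keep the standalone paragraphs. The comment begins above the hunk.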
@@ -45774,6 +46007,9 @@ type AuthorizeSecurityGroupEgressInput struct { // group. SourceSecurityGroupOwnerId *string `locationName:"sourceSecurityGroupOwnerId" type:"string"` + // The tags applied to the security group rule. + TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` + // Not supported. Use a set of IP permissions to specify the port. ToPort *int64 `locationName:"toPort" type:"integer"` } @@ -45849,6 +46085,12 @@ func (s *AuthorizeSecurityGroupEgressInput) SetSourceSecurityGroupOwnerId(v stri return s } +// SetTagSpecifications sets the TagSpecifications field's value. +func (s *AuthorizeSecurityGroupEgressInput) SetTagSpecifications(v []*TagSpecification) *AuthorizeSecurityGroupEgressInput { + s.TagSpecifications = v + return s +} + // SetToPort sets the ToPort field's value. func (s *AuthorizeSecurityGroupEgressInput) SetToPort(v int64) *AuthorizeSecurityGroupEgressInput { s.ToPort = &v @@ -45857,6 +46099,12 @@ func (s *AuthorizeSecurityGroupEgressInput) SetToPort(v int64) *AuthorizeSecurit type AuthorizeSecurityGroupEgressOutput struct { _ struct{} `type:"structure"` + + // Returns true if the request succeeds; otherwise, returns an error. + Return *bool `locationName:"return" type:"boolean"` + + // Information about the outbound (egress) security group rules that were added. + SecurityGroupRules []*SecurityGroupRule `locationName:"securityGroupRuleSet" locationNameList:"item" type:"list"` } // String returns the string representation 
@@ -45869,6 +46117,18 @@ func (s AuthorizeSecurityGroupEgressOutput) GoString() string { return s.String() } +// SetReturn sets the Return field's value. +func (s *AuthorizeSecurityGroupEgressOutput) SetReturn(v bool) *AuthorizeSecurityGroupEgressOutput { + s.Return = &v + return s +} + +// SetSecurityGroupRules sets the SecurityGroupRules field's value. +func (s *AuthorizeSecurityGroupEgressOutput) SetSecurityGroupRules(v []*SecurityGroupRule) *AuthorizeSecurityGroupEgressOutput { + s.SecurityGroupRules = v + return s +} + type AuthorizeSecurityGroupIngressInput struct { _ struct{} `type:"structure"` @@ -45911,7 +46171,7 @@ type AuthorizeSecurityGroupIngressInput struct { // // [VPC only] Use -1 to specify all protocols. If you specify -1 or a protocol // other than tcp, udp, or icmp, traffic on all ports is allowed, regardless - // of any ports you specify. + // of any ports that you specify. // // Alternatively, use a set of IP permissions to specify multiple rules and // a description for the rule. @@ -45934,6 +46194,9 @@ type AuthorizeSecurityGroupIngressInput struct { // with a specific IP protocol and port range, use a set of IP permissions instead. SourceSecurityGroupOwnerId *string `type:"string"` + // [VPC Only] The tags applied to the security group rule. + TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` + // The end of port range for the TCP and UDP protocols, or an ICMP code number. // For the ICMP code number, use -1 to specify all codes. If you specify all // ICMP types, you must specify all codes. 
@@ -46007,6 +46270,12 @@ func (s *AuthorizeSecurityGroupIngressInput) SetSourceSecurityGroupOwnerId(v str return s } +// SetTagSpecifications sets the TagSpecifications field's value. +func (s *AuthorizeSecurityGroupIngressInput) SetTagSpecifications(v []*TagSpecification) *AuthorizeSecurityGroupIngressInput { + s.TagSpecifications = v + return s +} + // SetToPort sets the ToPort field's value. func (s *AuthorizeSecurityGroupIngressInput) SetToPort(v int64) *AuthorizeSecurityGroupIngressInput { s.ToPort = &v @@ -46015,6 +46284,12 @@ func (s *AuthorizeSecurityGroupIngressInput) SetToPort(v int64) *AuthorizeSecuri type AuthorizeSecurityGroupIngressOutput struct { _ struct{} `type:"structure"` + + // Returns true if the request succeeds; otherwise, returns an error. + Return *bool `locationName:"return" type:"boolean"` + + // Information about the inbound (ingress) security group rules that were added. + SecurityGroupRules []*SecurityGroupRule `locationName:"securityGroupRuleSet" locationNameList:"item" type:"list"` } // String returns the string representation @@ -46027,6 +46302,18 @@ func (s AuthorizeSecurityGroupIngressOutput) GoString() string { return s.String() } +// SetReturn sets the Return field's value. +func (s *AuthorizeSecurityGroupIngressOutput) SetReturn(v bool) *AuthorizeSecurityGroupIngressOutput { + s.Return = &v + return s +} + +// SetSecurityGroupRules sets the SecurityGroupRules field's value. +func (s *AuthorizeSecurityGroupIngressOutput) SetSecurityGroupRules(v []*SecurityGroupRule) *AuthorizeSecurityGroupIngressOutput { + s.SecurityGroupRules = v + return s +} + // Describes Availability Zones, Local Zones, and Wavelength Zones. type AvailabilityZone struct { _ struct{} `type:"structure"` 
@@ -69209,7 +69496,7 @@ type DescribeKeyPairsInput struct { // The key pair names. // - // Default: Describes all your key pairs. + // Default: Describes all of your key pairs. KeyNames []*string `locationName:"KeyName" locationNameList:"KeyName" type:"list"` // The IDs of the key pairs. @@ -73218,6 +73505,127 @@ func (s *DescribeSecurityGroupReferencesOutput) SetSecurityGroupReferenceSet(v [ return s } +type DescribeSecurityGroupRulesInput struct { + _ struct{} `type:"structure"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // One or more filters. + // + // * group-id - The ID of the security group. + // + // * security-group-rule-id - The ID of the security group rule. + // + // * tag: